<html>
  <head>
    <meta content="text/html; charset=ISO-8859-1"
      http-equiv="Content-Type">
  </head>
  <body bgcolor="#FFFFFF" text="#000000">
    <div class="moz-cite-prefix">On 04/11/2014 10:37 AM, Fredy Sanchez
      wrote:<br>
    </div>
    <blockquote
cite="mid:CAAqiBN7fXgGq-7U39A-Usn6JSwt-8+d4KmxJNDmGdLuRTHvTTg@mail.gmail.com"
      type="cite">
      <div dir="ltr">Hi all,
        <div><br>
        </div>
        <div>We asked this same question at <a moz-do-not-send="true"
            href="http://discussions.apple.com">discussions.apple.com</a>,
          but figured we'd have better luck here. I apologize in advance
          if this is the wrong forum.</div>
        <div><br>
        </div>
        <div>We are switching from Synology (DSM 5) to Mavericks server
          (v3.1.1 running in Mavericks 10.9.2) for File Sharing. We use
          a FreeIPA (ipa-server.x86_64 3.0.0-37.el6) backend for
          SSO, and the Mac server seems correctly bound to it.
          Unfortunately, although we can add usernames to the shares for
          the initial config, the usernames transform to UIDs after
          (only for SSO accounts; local accounts are not affected). That
          is, when we go to edit the permissions for a share, all we see
          are UIDs. We can always figure out the username from the UID,
          but this is an extra step we don't want to have. We've tried
          reinstalling the Mac server app from scratch, re-binding to
          the FreeIPA backend, changing mappings in Directory Utility
          (for example, mapping GeneratedUID to uid, which is the
          username), recreating the shares and permissions, etc. Here
          are more details about the binding:</div>
        <div><br>
        </div>
        <div>
          <div>* The binding happens thru a custom package we created
            based primarily on <a moz-do-not-send="true"
href="http://linsec.ca/Using_FreeIPA_for_User_Authentication#Mac_OS_X_10.7.2F10.8">http://linsec.ca/Using_FreeIPA_for_User_Authentication#Mac_OS_X_10.7.2F10.8</a></div>
          <div>* Sys Prefs, Users &amp; Groups, Login Options show the
            server bound to the FreeIPA backend with the green dot</div>
          <div>* The following mappings are in place in Directory
            Utility, Services, LDAPv3, FreeIPA backend</div>
          <div> </div>
          <div>Users: inetOrgPerson</div>
          <div>     AuthenticationAuthority: uid</div>
          <div>     GeneratedUID: random number in uppercase</div>
          <div>     HomeDirectory: #/Users/$uid$</div>
          <div>     NFSHomeDirectory: #/Users/$uid$</div>
          <div>     OriginalHomeDirectory: #/Users/$uid$</div>
          <div>     PrimaryGroupID: gidNumber</div>
          <div>     RealName: cn</div>
          <div>     RecordName: uid</div>
          <div>     UniqueID: uidNumber</div>
        </div>
      </div>
    </blockquote>
    <br>
    I do not have a clue about such a setup, but if the UID shows somewhere
    it should not be, and there is a mapping attribute that can be mapped
    to different unique identifiers and currently points to UID, I would
    start there. Have you tried mapping UniqueID to uid instead of
    uidNumber?<br>
    <br>
    <blockquote
cite="mid:CAAqiBN7fXgGq-7U39A-Usn6JSwt-8+d4KmxJNDmGdLuRTHvTTg@mail.gmail.com"
      type="cite">
      <div dir="ltr">
        <div>
          <div>     UserShell: loginShell</div>
          <div>Groups: posixgroup</div>
          <div>     PrimaryGroupID: gidNumber</div>
          <div>     RecordName: cn</div>
          <div> </div>
          <div>The search bases are correct</div>
          <div> </div>
          <div>* Directory Utility, Directory Editor shows the right
            info for the users.</div>
          <div>* $ id $USERNAME shows the right information for the user</div>
        </div>
        <div><br clear="all">
          <div>FreeIPA is working beautifully for our Mac / Linux
            environment. We provide directory services to about 300
            hosts, and 200 employees using it; and haven't had any
            problems LDAP-wise until now. So we think we are missing a
            mapping here. Any ideas?<br>
          </div>
          <div><br>
          </div>
          <div>-- <br>
          </div>
          <div dir="ltr">
            <div style="text-align:right">
              <div style="text-align:left">Cheers,</div>
              <div style="text-align:left"><br>
              </div>
              <div style="text-align:left">Fredy Sanchez</div>
              <div style="text-align:left">
                IT Manager @ Modernizing Medicine</div>
              <div style="text-align:left">
                <div>(561) 880-2998 x237</div>
                <div><a moz-do-not-send="true"
                    href="mailto:fredy.sanchez@modmed.com"
                    target="_blank">fredy.sanchez@modmed.com</a></div>
              </div>
              <div style="text-align:left"><b>Need IT support?</b> Visit <a
                  moz-do-not-send="true"
                  href="https://mmit.zendesk.com/"
                  style="font-weight:bold" target="_blank">https://mmit.zendesk.com</a><br>
              </div>
            </div>
          </div>
        </div>
      </div>
      <br>
      <br>
      <pre wrap="">_______________________________________________
Freeipa-users mailing list
<a class="moz-txt-link-abbreviated" href="mailto:Freeipa-users@redhat.com">Freeipa-users@redhat.com</a>
<a class="moz-txt-link-freetext" href="https://www.redhat.com/mailman/listinfo/freeipa-users">https://www.redhat.com/mailman/listinfo/freeipa-users</a></pre>
    </blockquote>
    <br>
    <br>
    <pre class="moz-signature" cols="72">-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.</pre>
  </body>
</html>