<div dir="ltr">Can you pull an complete user object via LDAP query? There might be secondary attributes that include a POSIX compliant short name.<div><br></div><div>Ian</div></div><div class="gmail_extra"><br><div class="gmail_quote">On Fri, Apr 22, 2016 at 2:37 PM, Michael Talbott <span dir="ltr"><<a href="mailto:mtalbott@lji.org" target="_blank">mtalbott@lji.org</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div style="word-wrap:break-word">It does have the unix extensions on it which is how I was able to get this far (set uids/gids/etc in AD). But I don't have the old windows NIS service running though, so I don't use the SFU30 or whatever attributes since I believe those are all obsoleted and will soon likely disappear.<div><br><div> <div style="color:rgb(0,0,0);letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;word-wrap:break-word">________________________<span class="HOEnZb"><font color="#888888"><br>Michael Talbott<br>Systems Administrator<br>La Jolla Institute</font></span></div> </div><div><div class="h5"> <br><div><blockquote type="cite"><div>On Apr 22, 2016, at 1:18 PM, Ian Kaufman <<a href="mailto:ikaufman@eng.ucsd.edu" target="_blank">ikaufman@eng.ucsd.edu</a>> wrote:</div><br><div><div dir="ltr">Does your AD have SFU (or whatever it is called these days) set up? <div><br></div><div>Ian</div></div><div class="gmail_extra"><br><div class="gmail_quote">On Fri, Apr 22, 2016 at 12:58 PM, Michael Talbott <span dir="ltr"><<a href="mailto:mtalbott@lji.org" target="_blank">mtalbott@lji.org</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">You're exactly right. The DN in ad is the full name and if I create a user where the DN and shortname match, then everything works great. Unfortunately, I'm not sure if updating all the DNs to match the short name will break other dependancies of it deployed in existing software elsewhere. One day when I'm feeling brave and have a little downtime scheduled, I'll batch update all the entries and see if anything breaks. But, I suppose I'm stuck with winbind for the time being. But thank you for all the help.<br> <div><div><br> <br> <br> > On Apr 22, 2016, at 11:27 AM, Paul B. Henson <<a href="mailto:henson@acm.org" target="_blank">henson@acm.org</a>> wrote:<br> ><br> > On Thu, Apr 21, 2016 at 11:35:56PM -0700, Michael Talbott wrote:<br> ><br> >> all the group members are listed as "John Doe" rather than jdoe which<br> >> means that when jdoe logs in, he can't access his groups due to the<br> >> naming disconnect. Any ideas of how to fix that? Somehow map the group<br> >> members to samAccountName rather than the DN?<br> ><br> > How is your AD structured? It sounds like it's using full names for DN's<br> > rather than usernames? If so, that's not going to work.<br> ><br> > Our AD uses usernames for DN's; for example, I'm:<br> ><br> > dn: CN=henson,OU=user,DC=ad,DC=cpp,DC=edu<br> > cn: henson<br> > sn: Henson<br> > givenName: Paul<br> > initials: B.<br> > distinguishedName: CN=henson,OU=user,DC=ad,DC=cpp,DC=edu<br> > displayName: Paul B. Henson<br> > sAMAccountName: henson<br> ><br> > and if you look at a group I'm in:<br> ><br> > dn: CN=netadmin,OU=group,DC=ad,DC=cpp,DC=edu<br> > cn: netadmin<br> > description: Network admins<br> > member: CN=henson,OU=user,DC=ad,DC=cpp,DC=edu<br> > distinguishedName: CN=netadmin,OU=group,DC=ad,DC=cpp,DC=edu<br> > sAMAccountName: netadmin<br> ><br> > So the RDN for both users and groups is the short name that a unix box<br> > expects to see, and the long name is in the displayName or description.<br> > I'm guessing you're using the full name as the CN and your users look<br> > like:<br> ><br> > dn: CN=Paul B. Henson,OU=user,DC=ad,DC=cpp,DC=edu<br> ><br> > so your group members look like:<br> ><br> > member: CN=Paul B. Henson,OU=user,DC=ad,DC=cpp,DC=edu<br> ><br> > If that's the case, I don't think there's any way you can get it to<br> > work. The rfc2307bis group support expects the RDN to be the username,<br> > there's no way to get it to look up some other attribute of the entry<br> > and use it instead.<br> <br> _______________________________________________<br> OmniOS-discuss mailing list<br> <a href="mailto:OmniOS-discuss@lists.omniti.com" target="_blank">OmniOS-discuss@lists.omniti.com</a><br> <a href="http://lists.omniti.com/mailman/listinfo/omnios-discuss" rel="noreferrer" target="_blank">http://lists.omniti.com/mailman/listinfo/omnios-discuss</a><br> </div></div></blockquote></div><br><br clear="all"><div><br></div>-- <br><div>Ian Kaufman<br>Research Systems Administrator<br>UC San Diego, Jacobs School of Engineering ikaufman AT ucsd DOT edu <br></div> </div> </div></blockquote></div><br></div></div></div></div></blockquote></div><br><br clear="all"><div><br></div>-- <br><div class="gmail_signature">Ian Kaufman<br>Research Systems Administrator<br>UC San Diego, Jacobs School of Engineering ikaufman AT ucsd DOT edu <br></div> </div>