I'm running Windows Server 2012 R2 with Active Directory and Unix Extensions. I have several Linux/BSD hosts already connected to the domain via LDAP and mapping the UID/GID/secondary groups properly.
I'm running a few Macs on 10.9 and 10.10 beta, and I'm trying to figure out if it's possible to map secondary group IDs to the AD Unix GID and not the GID that AD creates.
For example, if I run id mikedevita on a Linux box it gives me this:
% id mikedevita
uid=40001(mikedevita) gid=30000(Domain Users) groups=30001(Domain Admins),30002(VMWareAdmins),30003(VPNUsers),30004(LinuxUsers),30005(media),30006(LinuxAdmins),30000(Domain Users)
If I run the same command, id mikedevita, on my Mac it gives this:
base% id mikedevita
uid=40001(mikedevita) gid=30000 groups=30000,701(com.apple.sharepoint.group.2),519395259(DEVITA\media),693256891(DEVITA\MacAdmins),703(com.apple.sharepoint.group.4),501(access_bpf),599473300(DEVITA\VPNUsers),613468898(DEVITA\VMWareAdmins),12(everyone),62(netaccounts),79(_appserverusr),80(admin),81(_appserveradm),1446817776(DEVITA\Domain Admins),401(com.apple.sharepoint.group.1),1873589173(DEVITA\RouterAdmins),416683223(DEVITA\Denied RODC Password Replication Group),206(com.apple.access_loginwindow),702(com.apple.sharepoint.group.3),33(_appstore),98(_lpadmin),100(_lpoperator),204(_developer),398(com.apple.access_screensharing),399(com.apple.access_ssh)
As you can see, the uid and gid fields are mapped properly (40001, 30000), but all of the domain-level groups the user belongs to as secondary groups don't use the right group ID.
Is there a way to remap this?
Best Answer
It sounds like you have the user records' gid attribute mapped, but not the group records' gid. You can check this from the command line with dsconfigad. Note the "Mapping group GID to attribute = gidNumber" line -- that's what I think you're missing. You can set it from the command line with
sudo dsconfigad -ggid gidNumber
or with the GUI program /System/Library/CoreServices/Directory Utility.app (click the padlock to authenticate as admin, double-click the Active Directory connector, click the triangle to "Show Advanced Options", click the Mappings tab, then enable "Map group GID to attribute" and set it to "gidNumber").
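As an added example, not part of the answer above or of any Apple tool: a small POSIX shell script that applies the same check to captured output instead of a live Mac. It parses a constructed sample of dsconfigad -show output (the "Mapping ... to attribute" labels follow the line quoted in the answer; the other fields and the exact spacing are assumed) and reports which of the -uid, -gid and -ggid mappings is missing together with the dsconfigad command that sets it. It then scans a constructed, abbreviated copy of the Mac id output from the question and lists every DOMAIN\group entry whose GID falls outside the range the question's gidNumber values occupy (30000 to 39999, an assumption taken from the Linux output); those are the groups still carrying a GID the AD plugin generated itself.

```shell
#!/bin/sh
# Added example, not code from the original question or answer.
# Checks the AD connector's ID-attribute mappings from captured
# `dsconfigad -show` output and lists domain groups in `id` output
# whose GID is not a gidNumber value.

# Constructed, abbreviated sample of `dsconfigad -show` output. The
# "Mapping ... to attribute" labels follow the line quoted in the answer;
# the surrounding fields and exact spacing are assumed.
SAMPLE_DSCONFIGAD='Active Directory Forest          = devita.local
Active Directory Domain          = devita.local
Computer Account                 = mac01$

Advanced Options - Mappings
  Mapping UID to attribute       = uidNumber
  Mapping user GID to attribute  = gidNumber
  Mapping group GID to attribute = not set'

# Constructed, abbreviated copy of the Mac `id mikedevita` output from the
# question (local groups trimmed down to two).
SAMPLE_ID='uid=40001(mikedevita) gid=30000 groups=30000,701(com.apple.sharepoint.group.2),519395259(DEVITA\media),693256891(DEVITA\MacAdmins),80(admin),599473300(DEVITA\VPNUsers),613468898(DEVITA\VMWareAdmins),1446817776(DEVITA\Domain Admins)'

# mapping_attr OUTPUT NAME
# Prints the attribute behind "Mapping NAME to attribute = ..." in OUTPUT,
# or "not set" when the line is absent.
mapping_attr() {
    printf '%s\n' "$1" | awk -v key="Mapping $2 to attribute" '
        index($0, key) { sub(/^[^=]*=[ \t]*/, ""); print; found = 1; exit }
        END { if (!found) print "not set" }'
}

# check_gid_mappings OUTPUT
# Compares the UID, user GID and group GID mappings against the attributes
# the question relies on (uidNumber, gidNumber, gidNumber). Returns 0 when
# all three match; otherwise prints the dsconfigad flag that sets each
# missing one and returns 1.
check_gid_mappings() {
    out="$1"
    rc=0
    for spec in "UID:uidNumber:-uid" "user GID:gidNumber:-gid" "group GID:gidNumber:-ggid"; do
        name=${spec%%:*}
        rest=${spec#*:}
        want=${rest%%:*}
        flag=${rest#*:}
        have=$(mapping_attr "$out" "$name")
        if [ "$have" = "$want" ]; then
            echo "ok:      $name -> $have"
        else
            echo "MISSING: $name = '$have' (expected $want); fix: sudo dsconfigad $flag $want"
            rc=1
        fi
    done
    return $rc
}

# unmapped_groups ID_OUTPUT LOW HIGH
# Prints "DOMAIN\group=gid" for every domain group (name containing a
# backslash) in the groups= list whose GID lies outside LOW..HIGH, i.e. a
# GID the AD plugin generated instead of reading gidNumber. Local groups
# such as admin or com.apple.* carry no backslash and are ignored.
unmapped_groups() {
    printf '%s\n' "$1" | awk -v lo="$2" -v hi="$3" '
        sub(/^.*groups=/, "") {
            n = split($0, g, ",")
            for (i = 1; i <= n; i++) {
                gid = g[i]; sub(/\(.*$/, "", gid)
                name = g[i]; sub(/^[0-9]+/, "", name); gsub(/[()]/, "", name)
                if (name ~ /\\/ && (gid + 0 < lo + 0 || gid + 0 > hi + 0))
                    print name "=" gid
            }
        }'
}

# Stand-alone run against the constructed samples.
echo "== dsconfigad mappings =="
check_gid_mappings "$SAMPLE_DSCONFIGAD" || true
echo "== domain groups with plugin-generated GIDs =="
unmapped_groups "$SAMPLE_ID" 30000 39999
```

On a real Mac you would feed the functions the live output, e.g. check_gid_mappings "$(dsconfigad -show)" and unmapped_groups "$(id mikedevita)" 30000 39999; the range argument is only a heuristic for spotting plugin-generated GIDs and should match whatever range your AD gidNumber values actually use. The bare "30000" with no name in the Mac output is the same symptom seen from the other side: the user's primary GID is mapped, but no group record carries GID 30000 until the group mapping is set, so id cannot resolve it to "Domain Users".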