Active Directory – Assign UID and GID

active-directory, gid, uid

My CentOS 7 machine has successfully joined a domain FOOBAR (as verified by realm list) and here's the information about a user coming from the AD (non-local):

[root@centos7 ~]# id jdoe@FOOBAR.GLOBAL
uid=5631533(jdoe@FOOBAR.GLOBAL) gid=5600513(domain users@FOOBAR.GLOBAL)
groups=5600513(domain users@FOOBAR.GLOBAL),5631532(othergroup@FOOBAR.GLOBAL) 

How are UID and GID assigned? Is it possible to somehow map them to some desired value?

Best Answer

AD mapping in SSSD is determined using an algorithm (probably a hash function) in the daemon itself: because it's built-in, if you keep the defaults the same, every computer using SSSD should map the IDs to the same value regardless of the computer being used. Here's Red Hat's explanation for the AD mapping:

SSSD can use the SID of an AD user to algorithmically generate POSIX IDs in a process called ID mapping. ID mapping creates a map between SIDs in AD and IDs on Linux.

  • When SSSD detects a new AD domain, it assigns a range of available IDs to the new domain. Therefore, each AD domain has the same ID range on every SSSD client machine.

  • When an AD user logs in to an SSSD client machine for the first time, SSSD creates an entry for the user in the SSSD cache, including a UID based on the user's SID and the ID range for that domain.

  • Because the IDs for an AD user are generated in a consistent way from the same SID, the user has the same UID and GID when logging in to any Red Hat Enterprise Linux system.

You can set the ID minimums and maximums using min_id and max_id in the [domain/name] section of sssd.conf. Look under "Domain Sections" for the description; "Examples" has an example of its use:

[sssd]
domains = LDAP
services = nss, pam
config_file_version = 2

[nss]
filter_groups = root
filter_users = root

[pam]

[domain/LDAP]
id_provider = ldap
ldap_uri = ldap://ldap.example.com
ldap_search_base = dc=example,dc=com

auth_provider = krb5
krb5_server = kerberos.example.com
krb5_realm = EXAMPLE.COM
cache_credentials = true

min_id = 10000
max_id = 20000
enumerate = False

If you override these values, make sure to set the same mappings on any other system using that domain in SSSD if you want to maintain consistent mappings!
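An added example (not from the answer, nor SSSD's own code) that works through the IDs in the question: assuming SSSD's default algorithmic layout (ldap_idmap_range_min and ldap_idmap_range_size both 200000, and POSIX ID = domain slice base + the principal's RID; the hash that picks the slice from the domain SID is not reproduced here), it splits each ID from the `id` output into slice index and RID and checks it against min_id/max_id read from a constructed sssd.conf fragment.

```python
"""Sanity-check AD-sourced POSIX IDs against SSSD's algorithmic ID mapping and
the min_id/max_id configured for the domain. Assumption (not from the post):
SSSD's default layout, where each AD domain gets a slice of ldap_idmap_range_size
IDs starting at ldap_idmap_range_min and a principal's POSIX ID is slice base + RID.
"""
import configparser
import re
RANGE_MIN = 200000   # SSSD default ldap_idmap_range_min
RANGE_SIZE = 200000  # SSSD default ldap_idmap_range_size

# Constructed sample: the `id` output from the question, joined on one line.
ID_OUTPUT = (
    "uid=5631533(jdoe@FOOBAR.GLOBAL) gid=5600513(domain users@FOOBAR.GLOBAL) "
    "groups=5600513(domain users@FOOBAR.GLOBAL),5631532(othergroup@FOOBAR.GLOBAL)"
)
# Constructed sssd.conf fragment for the AD domain (hypothetical values).
SSSD_CONF = """
[domain/FOOBAR.GLOBAL]
id_provider = ad
min_id = 200000
max_id = 2000200000
"""

def parse_id_output(line):
    """Return {principal: posix_id} for every id(name) pair in an `id` line."""
    return {name: int(num) for num, name in re.findall(r"(\d+)\(([^)]*)\)", line)}

def decompose(posix_id, range_min=RANGE_MIN, range_size=RANGE_SIZE):
    """Split an algorithmically mapped ID into (domain slice index, RID)."""
    if posix_id < range_min:
        raise ValueError(f"{posix_id} lies below the ID-mapping range start")
    offset = posix_id - range_min
    return offset // range_size, offset % range_size

def configured_range(conf_text, domain):
    """Read min_id/max_id from the [domain/<name>] section of sssd.conf text."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(conf_text)
    sec = cfg[f"domain/{domain}"]
    return int(sec["min_id"]), int(sec["max_id"])

def check_mapping(id_line, conf_text, domain):
    """Per principal: (slice, RID, within min_id..max_id); second value says
    whether every principal sits in one slice, i.e. came from one AD domain."""
    lo, hi = configured_range(conf_text, domain)
    report = {}
    for name, posix_id in parse_id_output(id_line).items():
        slice_idx, rid = decompose(posix_id)
        report[name] = (slice_idx, rid, lo <= posix_id <= hi)
    return report, len({s for s, _, _ in report.values()}) == 1
```

"domain users" coming out as RID 513 (its well-known RID) confirms the IDs are algorithmic rather than taken from POSIX attributes, and the shared slice index is what has to agree between hosts for the mappings to stay consistent.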
