Login or Register to Ask a Question and Join Our Community

Sponsored Content
Full Discussion: control permissions for Active Directory users on AIX
Top Forums UNIX for Dummies Questions & Answers control permissions for Active Directory users on AIX Post 302404249 by xia777 on Tuesday 16th of March 2010 04:59:35 AM
Old 03-16-2010
control permissions for Active Directory users on AIX
Hello,

I've configured an user authentication against Active Directory (Windows Server 2008 R2) on AIX V6 with LDAP. It works fine.

And here's my problem:

How can I control ldap user permissions on the local AIX machine?
E.g. an AD user should be able to write all files of local sys group.
(You cannot add a LDAP user to a local group)

There is the posibility to create an Active Directory group with UNIX attributes and set the GID with the same number of the local GID on the AIX system.
But:
  1. I'm not sure if this is a good and practicable solution.
  2. You cannot duplicate GIDs in Active Directory but I would need several groups with the same GID (e.g. an user should have different rights on different AIX machines)
Is there a good solution to control permissions of LDAP user?

Thank you for every suggest!
 

7 More Discussions You Might Find Interesting

1. UNIX for Advanced & Expert Users

Active / Non Active users ?

Hey, I have few Questions : 1. How to Check/Find who all are the users accessing the server using their id ? 2. How to Check who is the active user or non active user (whose id exists but the access privileges has been removed) ? I am presently using AIX5.3 as a server. Please suggest... (3 Replies)
Discussion started by: varungupta
3 Replies

2. UNIX for Advanced & Expert Users

Compiling Samba from Source on AIX, Active Directory, LDAP, Kerberos

Hello, I asked this question in the AIX subforum but never received an answer, probably because the AIX forum is not that heavily trafficked. Anyway, here it is.. I have never had any issues like this when compiling applications from source. When I try to compile samba-3.5.0pre2, configure runs... (9 Replies)
Discussion started by: raidzero
9 Replies

3. AIX

Authenticate AIX users from MS Active Directory

First, let me start off saying this is not spam. This is me trying to help out other AIX Admins with MS AD servers. If it is not applicable to you, someone else will find it useful. As long as the "KDC" service is running on your AD server, these steps should work. There should be no... (3 Replies)
Discussion started by: kah00na
3 Replies

4. Solaris

Directory Permissions for 2 users on 1 directory

we want to allow user to FTP files into a directory, and then the program (PLSQL) will read and process the file, and then move the file to other directory for archiving. the user id: uftp1, group: ftp the program run in oracle database, thus have the user Id: oraprod, group: dba how to... (2 Replies)
Discussion started by: siakhooi
2 Replies

5. UNIX for Advanced & Expert Users

Permissions on a directory in /home for all users

Hi, I have created a shared directory on /home, where all users on a certain group have read, write and execute permissions. I did this using chmod -R g+rwx /home/shared/ The problem is, when a particular user creates a directory within /home/shared, other users are not able to write to... (8 Replies)
Discussion started by: lost.identity
8 Replies

6. AIX

AIX 7.1 - Samba 4 File Shares and Integration with Active Directory Issues

Hi. Ive recently upgraded Samba on an AIX server to Samba 4. The aim is to allow a specific group of Windows AD users to access some AIX file shares (with no requirement to enter passwords) - using AD to authenticate. Currently I have: Samba 4 installed ( and 3 daemons running) Installed... (1 Reply)
Discussion started by: linuxsnake
1 Replies

7. AIX

Samba 3.6 on AIX 7.1 - Windows 10 Access to AIX file shares using Active Directory authentication

I am running AIX 7.1 and currently we have samba 3.6.25 installed on the server. As it stands some AIX folders are shared that can be accessed by certain Windows users. The problem is that since Windows 10 the guest feature no longer works so users have to manually type in their Windows login/pwd... (14 Replies)
Discussion started by: linuxsnake
14 Replies

LEARN ABOUT CENTOS

idmap_rfc2307

IDMAP_RFC2307(8)					    System Administration tools 					  IDMAP_RFC2307(8)

NAME

       idmap_rfc2307 - Samba's idmap_rfc2307 Backend for Winbind

DESCRIPTION

       The idmap_rfc2307 plugin provides a way for winbind to read id mappings from records in an LDAP server as defined in RFC 2307. The LDAP
       server can be stand-alone or the LDAP server provided by the AD server. An AD server is always required to provide the mapping between name
       and SID, and the LDAP server is queried for the mapping between name and uid/gid. This module implements only the "idmap" API, and is
       READONLY.

       Mappings must be provided in advance by the administrator by creating the user accounts in the Active Directory server and the posixAccount
       and posixGroup objects in the LDAP server. The names in the Active Directory server and in the LDAP server have to be the same.

       This id mapping approach allows the reuse of existing LDAP authentication servers that store records in the RFC 2307 format.

IDMAP OPTIONS

       range = low - high
	   Defines the available matching UID and GID range for which the backend is authoritative. Note that the range acts as a filter. If
	   specified any UID or GID stored in AD that fall outside the range is ignored and the corresponding map is discarded. It is intended as
	   a way to avoid accidental UID/GID overlaps between local and remotely defined IDs.

       ldap_server = <ad | stand-alone >
	   Defines the type of LDAP server to use. This can either be the LDAP server provided by the Active Directory server (ad) or a
	   stand-alone LDAP server.

       bind_path_user
	   Specifies the bind path where user objects can be found in the LDAP server.

       bind_path_group
	   Specifies the bind path where group objects can be found in the LDAP server.

       user_cn = <yes | no>
	   Query cn attribute instead of uid attribute for the user name in LDAP. This option is not required, the default is no.

       cn_realm = <yes | no>
	   Append @realm to cn for groups (and users if user_cn is set) in LDAP. This option is not required, the default is no.

       ldap_domain
	   When using the LDAP server in the Active Directory server, this allows to specify the domain where to access the Active Directory
	   server. This allows using trust relationships while keeping all RFC 2307 records in one place. This parameter is optional, the default
	   is to access the AD server in the current domain to query LDAP records.

       ldap_url
	   When using a stand-alone LDAP server, this parameter specifies the ldap URL for accessing the LDAP server.

       ldap_user_dn
	   Defines the user DN to be used for authentication. The secret for authenticating this user should be stored with net idmap secret (see
	   net(8)). If absent, an anonymous bind will be performed.

       ldap_realm
	   Defines the realm to use in the user and group names. This is only required when using cn_realm together with a stand-alone ldap
	   server.

EXAMPLES

       The following example shows how to retrieve id mappings from a stand-alone LDAP server. This example also shows how to leave a small non
       conflicting range for local id allocation that may be used in internal backends like BUILTIN.

		[global]
		idmap config * : backend = tdb
		idmap config * : range = 1000000-1999999

		idmap config DOMAIN : backend = rfc2307
		idmap config DOMAIN : range = 2000000-2999999
		idmap config DOMAIN : ldap_server = stand-alone
		idmap config DOMAIN : ldap_url = ldap://ldap1.example.com
		idmap config DOMAIN : ldap_user_dn = cn=ldapmanager,dc=example,dc=com
		idmap config DOMAIN : bind_path_user = ou=People,dc=example,dc=com
		idmap config DOMAIN : bind_path_group = ou=Group,dc=example,dc=com

AUTHOR

       The original Samba software and related utilities were created by Andrew Tridgell. Samba is now developed by the Samba Team as an Open
       Source project similar to the way the Linux kernel is developed.

Samba 4.0							    06/17/2014							  IDMAP_RFC2307(8)
All times are GMT -4. The time now is 06:15 PM.
Unix & Linux Forums Content Copyright 1993-2022. All Rights Reserved.
Privacy Policy