
Qs re: ActiveDirectory authentication & perms

I'm not quite sure what questions to ask...

I have a Debian box used by 10 or 12 people on a university campus; most of them are using it just as file storage via Samba from their Windows/Mac boxes; a few are ssh'ing into it, etc., for other usages; some have web sites on it.

For years their accounts have been maintained as local accounts on that Debian box, but as we're swapping out hardware, I'm also thinking it's time to swap out account management to let our campus-wide Active Directory provide their accounts instead of them (and me) having to maintain two separate sets of account credentials (three, if you include the samba file-sharing account on the old Debian setup).

After considerable hair-pulling, I've managed to get the box to authenticate using their AD credentials, so that a user can simply ssh in without having an account on the box, using their AD credentials. But of course, their User IDs in AD are different from what they were on the old Debian box, so their file permissions are different.

Since it's just a dozen users or so, I can easily "id" their AD UID and "chown -R" their files in their home directory (which have been copied over manually from the old Debian box) to their AD UID.

But that leaves several questions:

1) If I just "chown -R", that changes the ownership of all the files, regardless of how the files may have been set up on the old box. For example, I notice in at least one web directory for one user, the files were owned by www-data, with the group ownership set to the group name corresponding to the user's name on the old box. Changing that ownership from "www-data" to "joe_user" might break things. Is there a way to just chown the ownership of files already owned by the old username?

2) The group that all the AD-authenticated users are in is "domain users". That means that any files formerly owned by suzy:suzy are now owned by suzy:"domain users", and if a file is set to 770 (or similar), any one of the people logging in can access any other person's files as a member of that group. Not good.

2a) What's the best route for dealing with this group ownership issue? Can I remap the group for all AD-authenticated users to be their own username, like it was in the old Debian setup? Is that even a good idea?

2b) I'm skittish of having spaces in group names (or files, etc), and would rather that "domain users" be something like "domain_users"; does the AD authentication process have some way of remapping that name to one without spaces? (Or this may be a moot question, depending on the answer to 2a above.)

3) Can I limit logins/file-sharing to just a subset of campus users (one department, not just anyone having a campus account)?

4) I haven't even begun to think about how to tie this into their samba (or is it "cifs" nowadays?) file shares. Any pointers dealing with that would be appreciated.



Kent West                    <")))><
Westing Peacefully - http://kentwest.blogspot.com
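An added example (not part of the original post or any reply) for question 1 above, and for the group half of question 2: instead of a blanket `chown -R`, use `find -user` / `find -group` so that only the files still owned by the OLD local uid/gid are remapped, and files owned by anyone else (www-data, root) are left exactly as they are. The function name `remap_owner`, the `DRY_RUN` variable and the sample uids are my own; nothing here comes from the poster's setup.

```sh
#!/bin/sh
# Added example, not from the original post.
# remap_owner DIR OLD_UID NEW_UID [OLD_GID NEW_GID]
#   Re-owns only those entries under DIR that are currently owned by OLD_UID
#   (and, optionally, re-groups only those currently in OLD_GID).
#   With DRY_RUN=1 it just prints what it would touch, one path per line,
#   so the plan can be reviewed before anything is changed.
# Numeric ids are used on purpose: after the old local accounts are gone,
# the old names no longer resolve, but the ids are still on the inodes.
# chown/chgrp -h change a symlink itself rather than following it, so a
# link pointing outside the tree cannot drag the change out of DIR.
remap_owner() {
  dir=$1; old_uid=$2; new_uid=$3; old_gid=${4:-}; new_gid=${5:-}
  if [ "${DRY_RUN:-0}" = 1 ]; then
    find "$dir" -user "$old_uid" -print
    if [ -n "$old_gid" ]; then
      find "$dir" -group "$old_gid" -print
    fi
  else
    find "$dir" -user "$old_uid" -exec chown -h "$new_uid" {} +
    if [ -n "$old_gid" ]; then
      find "$dir" -group "$old_gid" -exec chgrp -h "$new_gid" {} +
    fi
  fi
  return 0
}

# Typical use (hypothetical ids): old local joe was 1001:1001, AD joe is 1234567.
# First look, then act:
#   DRY_RUN=1 remap_owner /home/joe 1001 1234567 1001 1234567 | less
#   remap_owner /home/joe 1001 1234567 1001 1234567
```

The group pair is optional: if the AD side has no per-user private group to map to, run the function with just the uid pair and decide on the group separately, since the "domain users" problem in question 2 is a policy question, not a chown one.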
