
Re: Qs re: ActiveDirectory authentication & perms
Kent West wrote:

> I'm not quite sure what questions to ask...
>
> I have a Debian box used by 10 or 12 people on a university campus;

... snip...

> After considerable hair-pulling, I've managed to get the box to
> authenticate using their AD credentials,

... snip ...

> Since it's just a dozen users or so, I can easily "id" their AD UID
> and "chown -R" their files in their home directory (which have been
> copied over manually from the old Debian box) to their AD UID.
>
> But that leaves several questions:
>
> 1) If I just "chown -R", that changes the ownership of all the files,
> regardless of how the files may have been set up on the old box. For
> example, I notice in at least one web directory for one user, the
> files were owned by www-data, with the group ownership set to the
> group name corresponding to the user's name on the old box. Changing that
> ownership from "www-data" to "joe_user" might break things. Is there a way
> to just chown the ownership of files already owned by the old username?

You should be able to use a combination of find and xargs to chown only files
owned by a certain user. This command should be approximately what you want:

find /home/username -user local_user -print0 | xargs -0 chown ad_user


> 2) The group that all the AD-authenticated users are in is "domain users".
> That means that any files formerly owned by suzy:suzy are now owned by
> suzy:"domain users", and if a file is set to 770 (or similar), any one
> of the people logging in can access any other person's files as a
> member of that group. Not good.

In that case, you will have to either change the file permissions to 700
or change the group on the files.

> 2a) What's the best route for dealing with this group ownership issue?
> Can I remap the group for all AD-authenticated users to be their own
> username, like it was in the old Debian setup? Is that even a good idea?

If the files should be accessible only by the user who owns them, then you
could set the permissions to 700. No need to create groups. That is what I
would do. The main thing will be to set up a create mask for new files.
Changing owner on the existing files shouldn't set the group to "domain users"
unless you tell it to.

In order to have groups that match the usernames, you would have to create
them manually. AD setups that I am familiar with do not have a group for
each user like a local Linux system typically does. I would recommend
against this. It will be extra work, extra clutter and not as clear from
an admin point of view since it is not normally done.

> 2b) I'm skittish of having spaces in group names (or files, etc), and
> would rather that "domain users" be something like "domain_users";
> does the AD authentication process have some way of remapping that
> name to one without spaces? (Or this may be a moot question, depending
> on the answer to 2a above.)

You would have to look at the documentation for the AD authentication
process that you are using. I have never seen such a thing. I have been using
sssd to authenticate against AD for a little while now and the only issue I
have run into with the spaces was trying to limit ssh access based on a group
that had a space. For the most part, don't worry about the spaces. If something
doesn't work with a group that has a space, check the documentation for the
particular command. Usually you either enclose it in quotes or use a \ to
escape the space.

> 3) Can I limit logins/file-sharing to just a subset of campus users
> (one department, not just anyone having a campus account)?

It seems based on your next message you figured out a way.

> 4) I haven't even begun to think about how to tie this into their
> samba (or is it "cifs" nowadays?) file shares. Any pointers dealing
> with that would be appreciated.

It all depends on how you set up samba. If you want to know how things
affect your samba configuration, then you need to learn how to configure
samba so that you understand the configuration you are using.

Hope that helps some.

- george

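The find/chown remap and the "set everything to 700" advice from George's reply, worked through as an added example that is not part of the original thread. It assumes GNU find and chown (the -perm /077 and chown -h forms), that the old account is named or numbered in a way find can match, and that a real run happens as root; the function names, the "dry" mode, and the ad_user/suzy names in the usage comments are this example's own, not anything from Kent's setup. Two things the one-liner in the reply does not handle are covered here: chown without -h follows a symlink, so a link a user planted in their home directory pointing outside it would have its target re-owned, and xargs with empty input still runs a bare "chown ad_user" (GNU xargs -r or find's -exec {} + avoids that).

```shell
#!/bin/sh
# Added example (not from the original mailing-list post). Remaps ownership
# of only those paths still owned by the old local account, keeps the group
# and any www-data-owned files as they are, then closes group/other access so
# that membership in "domain users" no longer grants access to the files.
# Assumptions: GNU find/chown; root privileges for a real (non-dry) run.

# remap_owner DIR OLD_USER NEW_USER [dry|run]
# OLD_USER may be a name or a numeric UID; use the UID if the old local
# account has already been deleted from /etc/passwd. "chown NEW_USER" with no
# ":group" leaves the existing group alone, and -h changes a symlink itself
# instead of the file it points to. Default mode prints the commands only.
remap_owner() {
    dir=$1; old=$2; new=$3; mode=${4:-dry}
    if [ "$mode" = dry ]; then
        # $0 inside the inline script is the new owner, $@ are the paths.
        find "$dir" -user "$old" -exec sh -c '
            for p; do printf "chown -h %s %s\n" "$0" "$p"; done' "$new" {} +
    else
        find "$dir" -user "$old" -exec chown -h "$new" {} +
    fi
}

# lock_private DIR
# Strips every group and other permission bit below DIR: directories end up
# 700 and files keep their owner bits (so a user's own u+x scripts still
# run). Symlinks are skipped because chmod would follow them.
lock_private() {
    find "$1" ! -type l -perm /077 -exec chmod go-rwx {} +
}

# count_exposed DIR
# Number of non-symlink paths below DIR that still carry any group/other bit;
# 0 means nothing is reachable through "domain users" membership.
count_exposed() {
    find "$1" ! -type l -perm /077 | wc -l | tr -d ' '
}

# Stand-alone use (hypothetical names):
#   sh remap.sh /home/suzy 1003 suzy        # dry run, old UID 1003 -> AD user suzy
#   sh remap.sh /home/suzy 1003 suzy run    # as root, apply it
#   lock_private /home/suzy                 # then close group/other access
if [ "$#" -ge 3 ]; then
    remap_owner "$1" "$2" "$3" "${4:-dry}"
fi
```

After the existing files are fixed, new files still need the "create mask" George mentions: a umask of 077 in the login shell profile, or pam_umask.so with umask=0077 in the PAM session stack, keeps new files private without creating a group per user.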