On Fri, 2014-04-11 at 10:37 -0400, Fredy Sanchez wrote:
> Hi all,
>
> We asked this same question at discussions.apple.com, but figured we'd have
> better luck here. I apologize in advance if this is the wrong forum.
>
> We are switching from Synology (DSM 5) to Mavericks server (v3.1.1 running
> in Mavericks 10.9.2) for File Sharing. We use a FreeIPA (ipa-server.x86_64
> 3.0.0-37.el6) backend for SSO, and the Mac server seems correctly bound to
> it. Unfortunately, although we can add usernames to the shares for the
> initial config, the usernames transform to UIDs afterwards (only for SSO
> accounts; local accounts are not affected). That is, when we go to edit the
> permissions for a share, all we see are UIDs. We can always figure out the
> username from the UID, but this is an extra step we don't want to have.
> We've tried reinstalling the Mac server app from scratch, re-binding to the
> FreeIPA backend, changing mappings in Directory Utility (for example,
> mapping GeneratedUID to uid, which is the username), recreating the shares
> and permissions, etc. Here are more details about the binding:
>
> * The binding happens through a custom package we created based primarily on
>   http://linsec.ca/Using_FreeIPA_for_User_Authentication#Mac_OS_X_10.7.2F10.8
> * Sys Prefs, Users & Groups, Login Options show the server bound to the
>   FreeIPA backend with the green dot
> * The following mappings are in place in Directory Utility, Services,
>   LDAPv3, FreeIPA backend
>
>   Users: inetOrgPerson
>     AuthenticationAuthority: uid
>     GeneratedUID: random number in uppercase
>     HomeDirectory: #/Users/$uid$
>     NFSHomeDirectory: #/Users/$uid$
>     OriginalHomeDirectory: #/Users/$uid$
>     PrimaryGroupID: gidNumber
>     RealName: cn
>     RecordName: uid
>     UniqueID: uidNumber
>     UserShell: loginShell
>   Groups: posixgroup
>     PrimaryGroupID: gidNumber
>     RecordName: cn
>
>   The search bases are correct
>
> * Directory Utility, Directory Editor shows the right info for the users.
> * $ id $USERNAME shows the right information for the user
>
> FreeIPA is working beautifully for our Mac / Linux environment. We provide
> directory services to about 300 hosts, and 200 employees using it; and
> haven't had any problems LDAP wise until now. So we think we are missing a
> mapping here. Any ideas?
Fredy,
I quickly tried to check for some documentation on how to configure this
stuff, but found only useless superficial guides on how to find the
pointy/clicky buttons to push to enable the service.

I am not a Mac expert by a long shot so I cannot help you much here.

Is there any guide available on how to use this service with other LDAP
servers, like OpenLDAP or Active Directory? We can probably draw some
conclusions from there.

Simo.

--
Simo Sorce * Red Hat, Inc * New York

_______________________________________________
Freeipa-users mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/freeipa-users
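The Directory Utility mapping list quoted above is the whole contract between the FreeIPA entry and the Open Directory user record that macOS Server consumes, so it helps to be able to dry-run it off the box. The script below is an added illustration and is not code from the thread or from either project: it applies the quoted Users mappings to a constructed FreeIPA inetOrgPerson entry, following the macOS LDAPv3 plugin convention that a mapping value beginning with `#` is a literal template whose `$attr$` tokens are replaced by the LDAP attribute's value and that any other value names an LDAP attribute to copy. Mapping GeneratedUID to FreeIPA's `ipaUniqueID` attribute is my assumption for the example (the thread only says GeneratedUID holds a "random number in uppercase"); the sample entry values are invented. `check_record` then flags the things the poster's symptom makes worth confirming: that RecordName resolves to the login name rather than a number, that UniqueID and PrimaryGroupID are numeric, that GeneratedUID is an uppercase UUID, and that the two home-directory attributes agree.

```python
"""Dry-run Directory Utility LDAPv3 attribute mappings against a FreeIPA user entry.

Added example, not part of the mailing-list thread. Assumes the macOS LDAPv3
plugin convention: a mapping value starting with '#' is a literal template in
which $attr$ is replaced by the entry's attribute value; any other value names
an LDAP attribute to copy verbatim.
"""
import re

# Users record-type mappings as listed in the thread, plus GeneratedUID mapped
# to FreeIPA's ipaUniqueID (an assumption made for this example).
USER_MAPPINGS = {
    "AuthenticationAuthority": "uid",
    "GeneratedUID": "ipaUniqueID",
    "HomeDirectory": "#/Users/$uid$",
    "NFSHomeDirectory": "#/Users/$uid$",
    "OriginalHomeDirectory": "#/Users/$uid$",
    "PrimaryGroupID": "gidNumber",
    "RealName": "cn",
    "RecordName": "uid",
    "UniqueID": "uidNumber",
    "UserShell": "loginShell",
}

# Constructed FreeIPA inetOrgPerson entry; every value here is invented.
SAMPLE_ENTRY = {
    "uid": "jdoe",
    "cn": "Jane Doe",
    "uidNumber": "1214400001",
    "gidNumber": "1214400001",
    "loginShell": "/bin/bash",
    "ipaUniqueID": "6b1f0a8e-1c2d-4e3f-9a5b-7c8d9e0f1a2b",
}

_VAR = re.compile(r"\$([A-Za-z][A-Za-z0-9_-]*)\$")
_UPPER_UUID = re.compile(
    r"^[0-9A-F]{8}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{12}$"
)


def resolve(mapping_value, entry):
    """Resolve one mapping value against an LDAP entry.

    Raises KeyError naming the first LDAP attribute the entry lacks, so the
    caller can report exactly which mapping cannot be satisfied.
    """
    if mapping_value.startswith("#"):
        def substitute(match):
            return entry[match.group(1)]  # KeyError if the attribute is absent
        return _VAR.sub(substitute, mapping_value[1:])
    return entry[mapping_value]


def map_user(entry, mappings=USER_MAPPINGS):
    """Build the Open Directory user record; return (record, missing).

    `missing` maps each unsatisfied OD attribute to the LDAP attribute it needed.
    """
    record, missing = {}, {}
    for od_attr, mapping_value in mappings.items():
        try:
            record[od_attr] = resolve(mapping_value, entry)
        except KeyError as err:
            missing[od_attr] = err.args[0]
    return record, missing


def check_record(record):
    """Return a list of mapped values that would not behave as macOS expects."""
    problems = []
    if not record.get("RecordName") or record["RecordName"].isdigit():
        problems.append("RecordName must be the login name, not a number")
    for attr in ("UniqueID", "PrimaryGroupID"):
        if not record.get(attr, "").isdigit():
            problems.append(f"{attr} must be numeric")
    if not _UPPER_UUID.match(record.get("GeneratedUID", "")):
        problems.append("GeneratedUID must be an uppercase UUID")
    if record.get("NFSHomeDirectory") != record.get("HomeDirectory"):
        problems.append("HomeDirectory and NFSHomeDirectory differ")
    return problems


if __name__ == "__main__":
    rec, missing = map_user(SAMPLE_ENTRY)
    for name, value in rec.items():
        print(f"{name}: {value}")
    print("missing:", missing)
    print("problems:", check_record(rec))
```

Run against the sample entry, the only finding is the GeneratedUID one, because FreeIPA stores `ipaUniqueID` in lowercase while the thread describes GeneratedUID as uppercase; dropping an attribute such as `loginShell` from the entry shows up in `missing` as the OD attribute that could no longer be mapped, which is the same information the Directory Editor view in the thread is being used to confirm by hand.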
