2.7. Creating User Private Groups Automatically Using SSSD


An SSSD client directly integrated into AD can automatically create a user private group for every AD user retrieved, ensuring that its GID matches the user's UID unless the GID number is already taken. To avoid conflicts, make sure that no groups with the same GIDs as user UIDs exist on the server.
The GID is not stored in AD. This ensures that AD users benefit from group functionality, while the LDAP database does not contain unnecessary empty groups.

2.7.1. Activating the Automatic Creation of User Private Groups for AD users

To activate the automatic creation of user private groups for AD users:
  1. Edit the /etc/sssd/sssd.conf file, adding in the [domain/LDAP] section:
    auto_private_groups = true
  2. Restart the sssd service, removing the sssd database:
    # service sssd stop ; rm -rf /var/lib/sss/db/* ; service sssd start
After performing this procedure, every AD user has a GID which is identical to the UID:
# id ad_user1
uid=121298(ad_user1) gid=121298(ad_user1) groups=121298(ad_user1),10000(Group1)
# id ad_user2
uid=121299(ad_user2) gid=121299(ad_user2) groups=121299(ad_user2),10000(Group1)

2.7.2. Deactivating the Automatic Creation of User Private Groups for AD users

To deactivate the automatic creation of user private groups for AD users:
  1. Edit the /etc/sssd/sssd.conf file, adding in the [domain/LDAP] section:
    auto_private_groups = false
  2. Restart the sssd service, removing the sssd database:
    # service sssd stop ; rm -rf /var/lib/sss/db/* ; service sssd start
After performing this procedure, all AD users have an identical, generic GID:
# id ad_user1
uid=121298(ad_user1) gid=10000(group1) groups=10000(Group1)
# id ad_user2
uid=121299(ad_user2) gid=10000(group1) groups=10000(Group1)
Red Hat logoGithubRedditYoutubeTwitter

Learn

Try, buy, & sell

Communities

About Red Hat Documentation

We help Red Hat users innovate and achieve their goals with our products and services with content they can trust.

Making open source more inclusive

Red Hat is committed to replacing problematic language in our code, documentation, and web properties. For more details, see the Red Hat Blog.

About Red Hat

We deliver hardened solutions that make it easier for enterprises to work across platforms and environments, from the core datacenter to the network edge.

© 2024 Red Hat, Inc.