2.7. Creating User Private Groups Automatically Using SSSD
An SSSD client directly integrated into AD can automatically create a user private group for every AD user retrieved, ensuring that its GID matches the user's UID unless the GID number is already taken. To avoid conflicts, make sure that no groups with the same GIDs as user UIDs exist on the server.
The GID is not stored in AD. This ensures that AD users benefit from group functionality, while the LDAP database does not contain unnecessary empty groups.
2.7.1. Activating the Automatic Creation of User Private Groups for AD users
To activate the automatic creation of user private groups for AD users:
- Edit the
/etc/sssd/sssd.conffile, adding in the[domain/LDAP]section:auto_private_groups = true
- Restart the sssd service, removing the sssd database:
# service sssd stop ; rm -rf /var/lib/sss/db/* ; service sssd start
After performing this procedure, every AD user has a GID which is identical to the UID:
# id ad_user1 uid=121298(ad_user1) gid=121298(ad_user1) groups=121298(ad_user1),10000(Group1) # id ad_user2 uid=121299(ad_user2) gid=121299(ad_user2) groups=121299(ad_user2),10000(Group1)
2.7.2. Deactivating the Automatic Creation of User Private Groups for AD users
To deactivate the automatic creation of user private groups for AD users:
- Edit the
/etc/sssd/sssd.conffile, adding in the[domain/LDAP]section:auto_private_groups = false
- Restart the sssd service, removing the sssd database:
# service sssd stop ; rm -rf /var/lib/sss/db/* ; service sssd start
After performing this procedure, all AD users have an identical, generic GID:
# id ad_user1 uid=121298(ad_user1) gid=10000(group1) groups=10000(Group1) # id ad_user2 uid=121299(ad_user2) gid=10000(group1) groups=10000(Group1)
