Red Hat Summit2.7. Creating User Private Groups Automatically Using SSSD
An SSSD client directly integrated into AD can automatically create a user private group for every AD user retrieved, ensuring that its GID matches the user's UID unless the GID number is already taken. To avoid conflicts, make sure that no groups with the same GIDs as user UIDs exist on the server.
The GID is not stored in AD. This ensures that AD users benefit from group functionality, while the LDAP database does not contain unnecessary empty groups.
2.7.1. Activating the Automatic Creation of User Private Groups for AD users
Copy linkLink copied to clipboard!
To activate the automatic creation of user private groups for AD users:
- Edit the
/etc/sssd/sssd.conffile, adding in the[domain/LDAP]section:auto_private_groups = true
auto_private_groups = trueCopy to Clipboard Copied! Toggle word wrap Toggle overflow - Restart the sssd service, removing the sssd database:
service sssd stop ; rm -rf /var/lib/sss/db/* ; service sssd start
# service sssd stop ; rm -rf /var/lib/sss/db/* ; service sssd startCopy to Clipboard Copied! Toggle word wrap Toggle overflow
After performing this procedure, every AD user has a GID which is identical to the UID:
Copy to Clipboard
Copied!
Toggle word wrap
Toggle overflow
id ad_user1 id ad_user2
# id ad_user1
uid=121298(ad_user1) gid=121298(ad_user1) groups=121298(ad_user1),10000(Group1)
# id ad_user2
uid=121299(ad_user2) gid=121299(ad_user2) groups=121299(ad_user2),10000(Group1)2.7.2. Deactivating the Automatic Creation of User Private Groups for AD users
Copy linkLink copied to clipboard!
To deactivate the automatic creation of user private groups for AD users:
- Edit the
/etc/sssd/sssd.conffile, adding in the[domain/LDAP]section:auto_private_groups = false
auto_private_groups = falseCopy to Clipboard Copied! Toggle word wrap Toggle overflow - Restart the sssd service, removing the sssd database:
service sssd stop ; rm -rf /var/lib/sss/db/* ; service sssd start
# service sssd stop ; rm -rf /var/lib/sss/db/* ; service sssd startCopy to Clipboard Copied! Toggle word wrap Toggle overflow
After performing this procedure, all AD users have an identical, generic GID:
Copy to Clipboard
Copied!
Toggle word wrap
Toggle overflow
id ad_user1 id ad_user2
# id ad_user1
uid=121298(ad_user1) gid=10000(group1) groups=10000(Group1)
# id ad_user2
uid=121299(ad_user2) gid=10000(group1) groups=10000(Group1)
'%20d='M201.5%20305.5c-13.8%200-24.9-11.1-24.9-24.6%200-13.8%2011.1-24.9%2024.9-24.9%2013.6%200%2024.6%2011.1%2024.6%2024.9%200%2013.6-11.1%2024.6-24.6%2024.6zM504%20256c0%20137-111%20248-248%20248S8%20393%208%20256%20119%208%20256%208s248%20111%20248%20248zm-132.3-41.2c-9.4%200-17.7%203.9-23.8%2010-22.4-15.5-52.6-25.5-86.1-26.6l17.4-78.3%2055.4%2012.5c0%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.3%2024.9-24.9s-11.1-24.9-24.9-24.9c-9.7%200-18%205.8-22.1%2013.8l-61.2-13.6c-3-.8-6.1%201.4-6.9%204.4l-19.1%2086.4c-33.2%201.4-63.1%2011.3-85.5%2026.8-6.1-6.4-14.7-10.2-24.1-10.2-34.9%200-46.3%2046.9-14.4%2062.8-1.1%205-1.7%2010.2-1.7%2015.5%200%2052.6%2059.2%2095.2%20132%2095.2%2073.1%200%20132.3-42.6%20132.3-95.2%200-5.3-.6-10.8-1.9-15.8%2031.3-16%2019.8-62.5-14.9-62.5zM302.8%20331c-18.2%2018.2-76.1%2017.9-93.6%200-2.2-2.2-6.1-2.2-8.3%200-2.5%202.5-2.5%206.4%200%208.6%2022.8%2022.8%2087.3%2022.8%20110.2%200%202.5-2.2%202.5-6.1%200-8.6-2.2-2.2-6.1-2.2-8.3%200zm7.7-75c-13.6%200-24.6%2011.1-24.6%2024.9%200%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.1%2024.9-24.6%200-13.8-11-24.9-24.9-24.9z'/%3e%3c/svg%3e){kind=small}