Hi all,
When installing AD as the Account provider and importing users and groups, the owner:group of the home directories for the users are changed to their LDAP uid:gid.
Before AD:
[root@tchana ~]# cd /var/lib/nethserver/home/
[root@tchana home]#
[root@tchana home]# ls -als
total 0
0 drwxr-xr-x. 5 root root 49 Oct 20 18:02 .
0 drwxr-xr-x. 12 root root 155 Apr 19 2019 ..
0 drwx------ 2 michelandre@micronator-dev.org locals@micronator-dev.org 83 Oct 20 18:02 michelandre
0 drwx------ 2 titi@micronator-dev.org locals@micronator-dev.org 83 Oct 20 18:02 titi
0 drwx------ 2 toto@micronator-dev.org locals@micronator-dev.org 83 Oct 20 18:01 toto
[root@tchana home]#
After AD installation:
[root@tchana home]# ls -als
total 0
0 drwxr-xr-x. 5 root root 49 Oct 20 18:02 .
0 drwxr-xr-x. 12 root root 155 Apr 19 2019 ..
0 drwx------ 2 1001 1000 83 Oct 20 18:02 michelandre
0 drwx------ 2 1003 1000 83 Oct 20 18:02 titi
0 drwx------ 2 1002 1000 83 Oct 20 18:01 toto
[root@tchana home]#
-> After enabling “Remote shell (SSH)” of admin -> SUBMIT
-> Change admin password -> SUBMIT
-> su to admin
[root@tchana home]# su - admin
Creating home directory for admin@micronator-dev.org.
[admin@micronator-dev.org@tchana ~]$
[admin@micronator-dev.org@tchana ~]$ exit
logout
[root@tchana home]#
[root@tchana home]# ls -als
total 0
0 drwxr-xr-x. 6 root root 62 Nov 3 09:32 .
0 drwxr-xr-x. 12 root root 155 Apr 19 2019 ..
0 drwx------ 2 admin@micronator-dev.org domain users@micronator-dev.org 83 Nov 3 09:32 admin
0 drwx------ 2 1001 1000 83 Oct 20 18:02 michelandre
0 drwx------ 2 1003 1000 83 Oct 20 18:02 titi
0 drwx------ 2 1002 1000 83 Oct 20 18:01 toto
[root@tchana home]#
Importing users
[root@tchana home]# /usr/share/doc/nethserver-sssd-1.4.8/scripts/import_users /var/lib/nethserver/backup/users.tsv
[INFO] imported titi as titi@micronator-dev.org
[ERROR] Account `admin` user-create event failed. ##### normal as admin is already created by AD
[INFO] imported michelandre as michelandre@micronator-dev.org
[INFO] imported toto as toto@micronator-dev.org
[root@tchana home]#
Importing groups
[root@tchana home]# /usr/share/doc/nethserver-sssd-1.4.8/scripts/import_groups /var/lib/nethserver/backup/groups.tsv
[INFO] imported 'grp-utilisateurs' with members 'titi toto'
[ERROR] Account `toto` group-create event failed. ##### for a test: group same name as the user "toto" -> this is normal (group name should be different from everything else)
[ERROR] Account `domain admins` group-create event failed. ##### normal as "domain admin" is already created by AD
[root@tchana home]#
After importing users and groups - home directories: same as before importing.
[root@tchana home]# ls -als
total 0
0 drwxr-xr-x. 6 root root 62 Nov 3 09:32 .
0 drwxr-xr-x. 12 root root 155 Apr 19 2019 ..
0 drwx------ 2 admin@micronator-dev.org domain users@micronator-dev.org 83 Nov 3 09:32 admin
0 drwx------ 2 1001 1000 83 Oct 20 18:02 michelandre
0 drwx------ 2 1003 1000 83 Oct 20 18:02 titi
0 drwx------ 2 1002 1000 83 Oct 20 18:01 toto
[root@tchana home]#
-> After enabling “Remote shell (SSH)” of toto -> SUBMIT
-> Change toto password -> SUBMIT
-> su - to toto
[root@tchana home]# su - toto
Last login: Sun Nov 3 09:41:43 EST 2019 on pts/0
su: warning: cannot change directory to /var/lib/nethserver/home/toto: Permission denied
-bash: /var/lib/nethserver/home/toto/.bash_profile: Permission denied
-bash-4.2$
-bash-4.2$ exit
logout
-bash: /var/lib/nethserver/home/toto/.bash_logout: Permission denied
[root@tchana home]#
su to toto without using "-"
[root@tchana home]# su toto
bash: /var/lib/nethserver/home/toto/.bashrc: Permission denied
bash-4.2$
bash-4.2$ exit
exit
[root@tchana home]#
The uid:gid and the shell are not the same as in LDAP but have been changed by AD.
[root@tchana ~]# cd /var/lib/nethserver/home/
[root@tchana home]#
[root@tchana home]# getent passwd *
admin@micronator-dev.org:*:1268801105:1268800513:admin:/var/lib/nethserver/home/admin:/bin/bash
michelandre@micronator-dev.org:*:1268801107:1268800513:michelandre:/var/lib/nethserver/home/michelandre:/usr/libexec/openssh/sftp-server
titi@micronator-dev.org:*:1268801106:1268800513:titi:/var/lib/nethserver/home/titi:/usr/libexec/openssh/sftp-server
toto@micronator-dev.org:*:1268801108:1268800513:toto:/var/lib/nethserver/home/toto:/bin/bash
[root@tchana home]#
-> I can join a Win-8.1 station to AD.
-> I can make a GPO policy for mapping home dir to H:
-> Users admin and toto get their mapped H: to their home directory; admin can get into his H: drive and see his files which toto cannot do with his H: drive.
-> User titi cannot login anywhere…
QUESTIONS:
Is that normal or, again, did the newbie inside me do something wrong?
If this is normal, do I have to change recursively the uid:gid of the home directory of all the users?
If this is normal, the installation of AD should not touch home directories…
If this is normal, the installation of AD should import “domain admins” group instead of creating it as it drops the previous LDAP members of that group…
All suggestions appreciated,
Michel-André
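The realignment the question above asks about, as an added example that is not part of the original post and not a NethServer script: it reads `getent passwd` lines on stdin (a constructed sample built from the values quoted in the post), keeps only accounts whose home lives under `/var/lib/nethserver/home`, and prints the `chown` plan so it can be reviewed before being run as root. The `plan_home_chown` and `demo_plan` names are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not from the original post: after switching the account
# provider, bring each home directory's owner back in line with the uid:gid
# the new provider now reports, instead of the stale numeric ids left behind.
set -eu

HOME_ROOT="/var/lib/nethserver/home"

# Read passwd(5) lines on stdin and print one chown command per account whose
# home directory sits under $1. Nothing is changed here; this is a dry run.
# -h makes chown act on symlinks themselves rather than following them into
# files outside the home directory.
plan_home_chown() {
    root="$1"
    while IFS=: read -r name _pw uid gid _gecos home _shell; do
        case "$home" in
            "$root"/*) ;;   # managed home directory: keep it
            *) continue ;;  # root, system accounts, anything else: skip
        esac
        printf 'chown -R -h %s:%s %s\n' "$uid" "$gid" "$home"
    done
}

# Constructed sample: two AD-side entries quoted in the post plus a local
# account, which must be filtered out.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
admin@micronator-dev.org:*:1268801105:1268800513:admin:/var/lib/nethserver/home/admin:/bin/bash
toto@micronator-dev.org:*:1268801108:1268800513:toto:/var/lib/nethserver/home/toto:/bin/bash'

# Produce the plan for the sample. On a live system the equivalent is:
#   getent passwd | plan_home_chown "$HOME_ROOT"
demo_plan() {
    printf '%s\n' "$SAMPLE_PASSWD" | plan_home_chown "$HOME_ROOT"
}

demo_plan
```

Once the printed plan looks right, pipe it into `sh` as root; on the system in the post the `admin` line is a no-op because that directory was created after the switch, while `michelandre`, `titi` and `toto` get their new ids.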