[SOLVED] AD as the Account provider - Home directory

Hi all,

When installing AD as the Account provider and importing users and groups, the owner:group of the home directories for the users is changed to their LDAP uid:gid.

Before AD:

[root@tchana ~]# cd /var/lib/nethserver/home/
[root@tchana home]#

[root@tchana home]# ls -als
total 0
0 drwxr-xr-x.  5 root                           root                       49 Oct 20 18:02 .
0 drwxr-xr-x. 12 root                           root                      155 Apr 19  2019 ..
0 drwx------   2 michelandre@micronator-dev.org locals@micronator-dev.org  83 Oct 20 18:02 michelandre
0 drwx------   2 titi@micronator-dev.org        locals@micronator-dev.org  83 Oct 20 18:02 titi
0 drwx------   2 toto@micronator-dev.org        locals@micronator-dev.org  83 Oct 20 18:01 toto
[root@tchana home]#

After AD installation

[root@tchana home]# ls -als
total 0
0 drwxr-xr-x.  5 root root  49 Oct 20 18:02 .
0 drwxr-xr-x. 12 root root 155 Apr 19  2019 ..
0 drwx------   2 1001 1000  83 Oct 20 18:02 michelandre
0 drwx------   2 1003 1000  83 Oct 20 18:02 titi
0 drwx------   2 1002 1000  83 Oct 20 18:01 toto
[root@tchana home]#

-> After enabling “Remote shell (SSH)” of admin -> SUBMIT
-> Change admin password -> SUBMIT
-> su to admin

[root@tchana home]# su - admin 
Creating home directory for admin@micronator-dev.org.  
[admin@micronator-dev.org@tchana ~]$

[admin@micronator-dev.org@tchana ~]$ exit
logout
[root@tchana home]#

[root@tchana home]# ls -als
total 0
0 drwxr-xr-x.  6 root                     root                             62 Nov  3 09:32 .
0 drwxr-xr-x. 12 root                     root                            155 Apr 19  2019 ..
0 drwx------   2 admin@micronator-dev.org domain users@micronator-dev.org  83 Nov  3 09:32 admin
0 drwx------   2                     1001                            1000  83 Oct 20 18:02 michelandre
0 drwx------   2                     1003                            1000  83 Oct 20 18:02 titi
0 drwx------   2                     1002                            1000  83 Oct 20 18:01 toto
[root@tchana home]#

Importing users

[root@tchana home]# /usr/share/doc/nethserver-sssd-1.4.8/scripts/import_users  /var/lib/nethserver/backup/users.tsv
[INFO] imported titi as titi@micronator-dev.org
[ERROR] Account `admin` user-create event failed.    ##### normal as admin is already created by AD
[INFO] imported michelandre as michelandre@micronator-dev.org
[INFO] imported toto as toto@micronator-dev.org
[root@tchana home]#

Importing groups

[root@tchana home]# /usr/share/doc/nethserver-sssd-1.4.8/scripts/import_groups  /var/lib/nethserver/backup/groups.tsv
[INFO] imported 'grp-utilisateurs' with members 'titi toto'
[ERROR] Account `toto` group-create event failed.    ##### for a test: group same name as the user "toto" -> this is normal (group name should be different from everything else)
[ERROR] Account `domain admins` group-create event failed.    ##### normal as "domain admin" is already created by AD
[root@tchana home]#

After importing users and groups - home directories: same as before importing.

[root@tchana home]# ls -als
total 0
0 drwxr-xr-x.  6 root                     root                             62 Nov  3 09:32 .
0 drwxr-xr-x. 12 root                     root                            155 Apr 19  2019 ..
0 drwx------   2 admin@micronator-dev.org domain users@micronator-dev.org  83 Nov  3 09:32 admin
0 drwx------   2                     1001                            1000  83 Oct 20 18:02 michelandre
0 drwx------   2                     1003                            1000  83 Oct 20 18:02 titi
0 drwx------   2                     1002                            1000  83 Oct 20 18:01 toto
[root@tchana home]#

-> After enabling “Remote shell (SSH)” of toto -> SUBMIT
-> Change toto password -> SUBMIT
-> su - to toto

[root@tchana home]# su - toto
Last login: Sun Nov  3 09:41:43 EST 2019 on pts/0
su: warning: cannot change directory to /var/lib/nethserver/home/toto: Permission denied
-bash: /var/lib/nethserver/home/toto/.bash_profile: Permission denied
-bash-4.2$

-bash-4.2$ exit
logout
-bash: /var/lib/nethserver/home/toto/.bash_logout: Permission denied
[root@tchana home]#

su to toto without using "-"

[root@tchana home]# su toto
bash: /var/lib/nethserver/home/toto/.bashrc: Permission denied
bash-4.2$

bash-4.2$ exit
exit
[root@tchana home]#

The uid:gid and the shell are not the same as in LDAP but have been changed by AD

[root@tchana ~]# cd /var/lib/nethserver/home/
[root@tchana home]#

[root@tchana home]# getent passwd *
admin@micronator-dev.org:*:1268801105:1268800513:admin:/var/lib/nethserver/home/admin:/bin/bash
michelandre@micronator-dev.org:*:1268801107:1268800513:michelandre:/var/lib/nethserver/home/michelandre:/usr/libexec/openssh/sftp-server
titi@micronator-dev.org:*:1268801106:1268800513:titi:/var/lib/nethserver/home/titi:/usr/libexec/openssh/sftp-server
toto@micronator-dev.org:*:1268801108:1268800513:toto:/var/lib/nethserver/home/toto:/bin/bash
[root@tchana home]#

-> I can join a Win-8.1 station to AD.
-> I can make a GPO policy for mapping home dir to H:
-> Users admin and toto get their mapped H: to their home directory; admin can get into his H: drive and see his files which toto cannot do with his H: drive.
-> User titi cannot login anywhere…

QUESTIONS:

Is that normal or, again, did the newbie inside me do something wrong?

If this is normal, do I have to change recursively the uid:gid of the home directory of all the users?

If this is normal, the installation of AD should not touch home directories…

If this is normal, the installation of AD should import “domain admins” group instead of creating it as it drops the previous LDAP members of that group…

All suggestions appreciated,

Michel-André

Hi all,

Because of:

[root@tchana ~]# cd /var/lib/nethserver/home/
[root@tchana home]#

[root@tchana home]# getent passwd * | cut -f6 -d:
/var/lib/nethserver/home/admin
/var/lib/nethserver/home/dorgee
/var/lib/nethserver/home/michelandre
/var/lib/nethserver/home/titi
/var/lib/nethserver/home/toto
[root@tchana home]#

[root@tchana home]# getent passwd * | cut -f6 -d: | cut -f6 -d/
admin
dorgee
michelandre
titi
toto
[root@tchana home]#

[root@tchana home]# cd
[root@tchana ~]#

Then the only way I can think of to adjust the owner:group is with a shell script.

cat > /root/dir.sh <<'EOT'
#!/bin/bash
# Re-own every home directory under /var/lib/nethserver/home to its AD
# account and the "domain users" group. The glob given to getent expands
# to the directory names in the current directory, so only accounts that
# already have a home directory here are looked up and touched.

cd /var/lib/nethserver/home/ || exit 1

getent passwd * | cut -f6 -d: | while read -r home; do
  p=$(basename "$home")
  chown -R "$p@micronator-dev.org":"domain users@micronator-dev.org" "$p"
done
EOT

Make the script executable.

[root@tchana ~]#  chmod 700 /root/dir.sh
[root@tchana ~]#

Before running the script.

[root@tchana ~]# ls -ls /var/lib/nethserver/home
total 4
0 drwx------ 2 admin@micronator-dev.org       domain users@micronator-dev.org  62 Nov  2 15:41 admin
4 -rwxr-xr-x 1 root                           root                            246 Nov  3 01:57 dir.sh
0 drwx------ 2 dorgee@micronator-dev.org      domain users@micronator-dev.org  62 Nov  2 19:40 dorgee
0 drwx------ 2 michelandre@micronator-dev.org domain users@micronator-dev.org  83 Oct 20 18:02 michelandre
0 drwx------ 2                           1003                            1000  83 Oct 20 18:02 titi
0 drwx------ 2                           1002                            1000  83 Oct 20 18:01 toto
[root@tchana ~]#

[root@tchana ~]# su - toto
su: warning: cannot change directory to /var/lib/nethserver/home/toto: Permission denied
-bash: /var/lib/nethserver/home/toto/.bash_profile: Permission denied
-bash-4.2$

-bash-4.2$ pwd
/root
-bash-4.2$

-bash-4.2$ exit
logout
-bash: /var/lib/nethserver/home/toto/.bash_logout: Permission denied
[root@tchana ~]#

Run the script

[root@tchana ~]# /root/dir.sh
[root@tchana ~]#

After the script.

[root@tchana ~]# ls -ls /var/lib/nethserver/home
total 4
0 drwx------ 2 admin@micronator-dev.org       domain users@micronator-dev.org  62 Nov  2 15:41 admin
4 -rwxr-xr-x 1 root                           root                            246 Nov  3 01:57 dir.sh
0 drwx------ 2 dorgee@micronator-dev.org      domain users@micronator-dev.org  62 Nov  2 19:40 dorgee
0 drwx------ 2 michelandre@micronator-dev.org domain users@micronator-dev.org  83 Oct 20 18:02 michelandre
0 drwx------ 2 titi@micronator-dev.org        domain users@micronator-dev.org  83 Oct 20 18:02 titi
0 drwx------ 2 toto@micronator-dev.org        domain users@micronator-dev.org  83 Oct 20 18:01 toto
[root@tchana ~]#

su to toto with "-"

[root@tchana ~]# su - toto
Last login: Sun Nov  3 22:19:49 EST 2019 on pts/0
[toto@micronator-dev.org@tchana ~]$

[toto@micronator-dev.org@tchana ~]$ pwd
/var/lib/nethserver/home/toto
[toto@micronator-dev.org@tchana ~]$

[toto@micronator-dev.org@tchana ~]$ ls -als
total 16
0 drwx------  2 toto@micronator-dev.org domain users@micronator-dev.org  83 Oct 20 18:01 .
0 drwxr-xr-x. 7 root                    root                             90 Nov  3 22:20 ..
4 -rw-------  1 toto@micronator-dev.org domain users@micronator-dev.org  17 Oct 20 18:01 .bash_history
4 -rw-------  1 toto@micronator-dev.org domain users@micronator-dev.org  18 Oct 20 18:01 .bash_logout
4 -rw-------  1 toto@micronator-dev.org domain users@micronator-dev.org 193 Oct 20 18:01 .bash_profile
4 -rw-------  1 toto@micronator-dev.org domain users@micronator-dev.org 231 Oct 20 18:01 .bashrc
[toto@micronator-dev.org@tchana ~]$

[toto@micronator-dev.org@tchana ~]$ exit
logout
[root@tchana ~]#

After changing titi's password, he can log in to the Win-8.1 station, he has his mapped H:, and he can get into his home directory and see his files.

Any comment appreciated,

Michel-André
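As an added example (not code from Michel-André's posts and not NethServer's own tooling), here is a variant of the fix-up script above that also answers the question in the first post about whether every home has to be chowned recursively: it takes the uid:gid from the passwd entry that getent returns instead of hard-coding the realm suffix and the "domain users" group, reports only the directories whose top-level owner still differs from that (the stale 1001:1000-style numeric owners), and chowns just those. The names home_fixup_plan and home_fixup_apply, the --dry-run flag and the sample passwd lines are mine; it assumes GNU coreutils (stat -c, chown -h) and the 7-field passwd format shown in the getent output above.

```bash
#!/bin/bash
# Added example, not code from the original post or from NethServer.
# Re-own home directories from what the name service reports instead of
# hard-coding "<user>@micronator-dev.org" and "domain users@...".
# Assumed: GNU coreutils (stat -c, chown -h), passwd lines in the 7-field
# getent format, and that each account whose home is a direct child of
# the given root should own that directory with its passwd primary group.

# home_fixup_plan ROOT  < passwd-lines
# Emits "uid:gid<TAB>home" for each entry whose home is a direct child of
# ROOT. root, system accounts and anything outside ROOT are ignored, and so
# is a home nested deeper than one level (it would be re-owned twice).
home_fixup_plan() {
    root=${1%/}
    while IFS=: read -r _name _pw uid gid _gecos home _shell; do
        [ -n "$uid" ] || continue
        case "$home" in
            "$root"/*) ;;
            *) continue ;;
        esac
        rel=${home#"$root"/}
        case "$rel" in
            ""|*/*) continue ;;
        esac
        printf '%s:%s\t%s\n' "$uid" "$gid" "$home"
    done
}

# home_fixup_apply [--dry-run]  < plan-lines
# Prints one line per directory whose top-level owner differs from the plan
# and (unless --dry-run) chowns that tree. Directories already owned
# correctly produce no output, so re-running is idempotent. A home that
# does not exist yet is skipped: it gets created with the right owner at
# first login, as the "Creating home directory for admin@..." line shows.
home_fixup_apply() {
    dry=0
    if [ "$1" = "--dry-run" ]; then
        dry=1
    fi
    while read -r owner home; do
        [ -n "$owner" ] || continue
        if [ ! -d "$home" ]; then
            echo "skip (no directory yet): $home" >&2
            continue
        fi
        cur=$(stat -c '%u:%g' -- "$home")
        if [ "$cur" = "$owner" ]; then
            continue
        fi
        echo "$home: $cur -> $owner"
        if [ "$dry" -eq 0 ]; then
            # -R does not follow symlinks it meets (GNU default, -P), and -h
            # re-owns a symlink itself rather than whatever a user pointed it at.
            chown -R -h -- "$owner" "$home"
        fi
    done
}

# Usage on the server from the post (as root; drop --dry-run to apply).
# sssd does not enumerate the domain by default, so "getent passwd" with no
# names prints no AD accounts; the glob trick from the post supplies them:
#   cd /var/lib/nethserver/home && getent passwd * \
#     | home_fixup_plan /var/lib/nethserver/home | home_fixup_apply --dry-run
```

Running the dry-run first shows exactly which homes still carry the old LDAP numeric uid:gid (titi and toto in the listings above) and leaves the ones already re-owned by AD (admin, dorgee) alone; the split into a plan and an apply step also makes it easy to review the list before anything is chowned.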