5

My CentOS 7 machine has successfully joined a domain FOOBAR (as verified by realm list) and here's the information about a user coming from the AD (non-local):

    [root@centos7 ~]# id [email protected]
    uid=5631533([email protected]) gid=5600513(domain [email protected]) groups=5600513(domain [email protected]),5631532([email protected])

How are UID and GID assigned? Is it possible to somehow map them to some desired value?

3
  • 1
    I remember vaguely something about being able to remap users... too long ago. Commented Aug 9, 2018 at 14:18
  • Are you using SSSD or winbind? Commented Aug 9, 2018 at 15:50
  • @ErikF Server is running sssd. Commented Aug 10, 2018 at 7:42

1 Answer

8

AD mapping in SSSD is determined using an algorithm (probably a hash function) in the daemon itself: because it's built-in, if you keep the defaults the same, every computer using SSSD should map the IDs to the same value regardless of the computer being used. Here's Red Hat's explanation for the AD mapping:

SSSD can use the SID of an AD user to algorithmically generate POSIX IDs in a process called ID mapping. ID mapping creates a map between SIDs in AD and IDs on Linux.

  • When SSSD detects a new AD domain, it assigns a range of available IDs to the new domain. Therefore, each AD domain has the same ID range on every SSSD client machine.

  • When an AD user logs in to an SSSD client machine for the first time, SSSD creates an entry for the user in the SSSD cache, including a UID based on the user's SID and the ID range for that domain.

  • Because the IDs for an AD user are generated in a consistent way from the same SID, the user has the same UID and GID when logging in to any Red Hat Enterprise Linux system.

You can set the ID minimums and maximums using min_id and max_id in the [domain/name] section of sssd.conf. Look under "Domain Sections" for the description; "Examples" has an example of its use:

    [sssd]
    domains = LDAP
    services = nss, pam
    config_file_version = 2

    [nss]
    filter_groups = root
    filter_users = root

    [pam]

    [domain/LDAP]
    id_provider = ldap
    ldap_uri = ldap://ldap.example.com
    ldap_search_base = dc=example,dc=com
    auth_provider = krb5
    krb5_server = kerberos.example.com
    krb5_realm = EXAMPLE.COM
    cache_credentials = true
    min_id = 10000
    max_id = 20000
    enumerate = False

If you override these values, make sure to set the same mappings on any other system using that domain in SSSD if you want to maintain consistent mappings!

1
  • Thank you for taking time to document this, very useful. Commented Aug 22, 2021 at 20:50
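The IDs in the question can be taken apart under SSSD's default ID-mapping layout to see which AD RID each one carries, which is a quick way to confirm that a UID/GID really came from the mapper and not from a local account. This Python helper is an added example, not code from the question, the answer or the SSSD project; it assumes the sssd-ad defaults ldap_idmap_range_min = 200000 and ldap_idmap_range_size = 200000 (the options that define the slices, distinct from min_id/max_id), and treats the choice of slice as opaque, since that is derived from the domain SID, which the question does not show.

```python
# Decompose SSSD-mapped POSIX IDs into (slice index, slice base, RID) under
# the default idmap layout: 200000-wide slices starting at 200000, and within
# a slice the POSIX ID is slice_base + RID. Which slice a domain receives is
# chosen by SSSD from a hash of the domain SID; that step is not reproduced.
# Added example; the two defaults below are assumptions matching sssd-ad(5).

RANGE_MIN = 200000   # ldap_idmap_range_min default (assumed unchanged)
RANGE_SIZE = 200000  # ldap_idmap_range_size default (assumed unchanged)

# Well-known RIDs present in every AD domain; used to sanity-check a mapping.
WELL_KNOWN_RIDS = {500: "Administrator", 512: "Domain Admins",
                   513: "Domain Users", 515: "Domain Computers"}


def decompose(posix_id: int, range_min: int = RANGE_MIN,
              range_size: int = RANGE_SIZE) -> tuple[int, int, int]:
    """Return (slice_index, slice_base, rid) for a mapped POSIX ID.

    Raises ValueError for IDs below the mapping range: SSSD never generates
    those, so such an ID belongs to a local account, not to AD.
    """
    if posix_id < range_min:
        raise ValueError(f"{posix_id} is below the idmap range (local account?)")
    slice_index, rid = divmod(posix_id - range_min, range_size)
    return slice_index, range_min + slice_index * range_size, rid


def compose(slice_base: int, rid: int, range_size: int = RANGE_SIZE) -> int:
    """Inverse of decompose(): the POSIX ID for `rid` inside a given slice."""
    if not 0 <= rid < range_size:
        raise ValueError("RID does not fit in a single slice")
    return slice_base + rid


def same_domain(ids: list[int], **kw) -> bool:
    """True if every ID falls in the same slice, i.e. the same mapped AD domain."""
    return len({decompose(i, **kw)[1] for i in ids}) == 1


if __name__ == "__main__":
    # Values copied from the `id` output in the question.
    for label, value in [("uid", 5631533), ("gid", 5600513), ("group", 5631532)]:
        idx, base, rid = decompose(value)
        name = WELL_KNOWN_RIDS.get(rid, "domain-specific RID")
        print(f"{label}={value}: slice {idx} (base {base}), RID {rid} -> {name}")
```

The primary GID 5600513 resolves to RID 513, the well-known Domain Users group, which is exactly what a default SSSD mapping of an ordinary AD user looks like.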
