We are trying to set up authentication through Active Directory. We are using Likewise to add uid, gid and other Unix attributes to objects in AD.
Our setup is a FAS3240 with Data ONTAP 8.0.1.
Our Active Directory server is running Windows Server 2003 R2.
Our use case is volumes which are shared both through CIFS and NFS.
We have based most of our configuration on the following documents:
- NetApp TR-3458
- "Authenticating Network Appliance File Servers with Likewise and AD", from Likewise.
So far, we were able to:
- Join the filer to the domain.
- Configure LDAP so that the following commands return information:
  - wcc -s domain\user
  - getXXbyYY getpwbyname_r user
- Access a share through cifs and browse and create files.
The issue is that
getXXbyYY getgrlist user
only returns one group, even though the user does have secondary groups.
When we run
wcc -s domain\user
we see one group listed under unix uid and multiple groups listed under nt membership.
So how do we retrieve all group membership from Active Directory?
As a reference, here is our LDAP configuration:
> options ldap
ldap.ADdomain blabla.net
ldap.base DC=blabla,DC=net
ldap.base.group dc=blabla,dc=net
ldap.base.netgroup
ldap.base.passwd DC=blabla,DC=net
ldap.enable on
ldap.minimum_bind_level simple
ldap.name CN=Last\, First,OU=Users,OU=Some Place,DC=blabla,DC=net
ldap.nssmap.attribute.gecos gecos
ldap.nssmap.attribute.gidNumber gidNumber
ldap.nssmap.attribute.groupname cn
ldap.nssmap.attribute.homeDirectory unixHomeDirectory
ldap.nssmap.attribute.loginShell loginShell
ldap.nssmap.attribute.memberNisNetgroup memberNisNetgroup
ldap.nssmap.attribute.memberUid memberUid
ldap.nssmap.attribute.netgroupname cn
ldap.nssmap.attribute.nisNetgroupTriple nisNetgroupTriple
ldap.nssmap.attribute.uid sAMAccountName
ldap.nssmap.attribute.uidNumber uidNumber
ldap.nssmap.attribute.uniqueMember member
ldap.nssmap.attribute.userPassword userPassword
ldap.nssmap.objectClass.groupOfUniqueNames group
ldap.nssmap.objectClass.nisNetgroup nisNetgroup
ldap.nssmap.objectClass.posixAccount user
ldap.nssmap.objectClass.posixGroup group
ldap.passwd ******
ldap.port 389
ldap.rfc2307bis.enable on
ldap.servers
ldap.servers.preferred
ldap.ssl.enable off
ldap.timeout 20
ldap.usermap.attribute.unixaccount sAMAccountName
ldap.usermap.attribute.windowsaccount sAMAccountName
ldap.usermap.base dc=blabla,dc=net
ldap.usermap.enable off
ldap.usermap.symmetriclookup no
ldap.usermap.windows-to-unix.objectClass User
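Added example, not from the original post and not NetApp or Likewise code: a small Python simulation of how the two NSS group schemes referenced by the configuration above (RFC 2307 memberUid holding login names, versus RFC 2307bis uniqueMember, mapped here to AD's member, holding user DNs) resolve a user's group list from a constructed set of AD-style entries. All DNs, names and id numbers are hypothetical; the point is to check which groups a lookup can and cannot see depending on which attribute the membership is stored in.

```python
# Constructed sample directory (hypothetical DNs, names and ids): DN -> attributes.
DIRECTORY = {
    "CN=jdoe,OU=Users,DC=blabla,DC=net": {
        "objectClass": ["user"], "sAMAccountName": ["jdoe"],
        "uidNumber": ["10001"], "gidNumber": ["20001"],
    },
    "CN=staff,OU=Groups,DC=blabla,DC=net": {
        "objectClass": ["group"], "cn": ["staff"], "gidNumber": ["20001"],
        "member": ["CN=jdoe,OU=Users,DC=blabla,DC=net"],
    },
    "CN=devs,OU=Groups,DC=blabla,DC=net": {
        # Membership stored only as DNs in 'member' (the attribute AD maintains).
        "objectClass": ["group"], "cn": ["devs"], "gidNumber": ["20002"],
        "member": ["CN=jdoe,OU=Users,DC=blabla,DC=net"],
    },
    "CN=ops,OU=Groups,DC=blabla,DC=net": {
        # Membership stored only as login names in RFC 2307 'memberUid'.
        "objectClass": ["group"], "cn": ["ops"], "gidNumber": ["20003"],
        "memberUid": ["jdoe"],
    },
}


def groups_for_user(directory, user_dn, rfc2307bis):
    """Group names a getgrlist-style lookup yields: the primary group from the
    user's gidNumber, plus every group whose membership attribute names the
    user under the selected scheme (rfc2307bis=True means DN-based member)."""
    user = directory[user_dn]
    login = user["sAMAccountName"][0]
    primary_gid = user["gidNumber"][0]
    names = set()
    for entry in directory.values():
        if "group" not in entry["objectClass"]:
            continue
        if entry["gidNumber"][0] == primary_gid:
            names.add(entry["cn"][0])          # primary group, found either way
        elif rfc2307bis and user_dn in entry.get("member", []):
            names.add(entry["cn"][0])          # uniqueMember -> member holds DNs
        elif not rfc2307bis and login in entry.get("memberUid", []):
            names.add(entry["cn"][0])          # memberUid holds login names
    return sorted(names)


def groups_missed(directory, user_dn, rfc2307bis):
    """Groups that do name the user but are invisible under the selected scheme."""
    seen = set(groups_for_user(directory, user_dn, rfc2307bis))
    other = set(groups_for_user(directory, user_dn, not rfc2307bis))
    return sorted(other - seen)
```

Running groups_for_user for the constructed user with rfc2307bis=True returns the primary group plus the DN-listed group only, and with rfc2307bis=False the primary group plus the memberUid-listed group only; groups_missed shows which memberships each scheme cannot see.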