<div dir="auto">Allen<div dir="auto"><br></div><div dir="auto">I think when there is a will there is a way around something.</div><div dir="auto"><br></div><div dir="auto">Since you are re running SUSE.</div><div dir="auto"><br></div><div dir="auto">Likely the best option would be to use a different product to merge the 389 with active directory using a product like </div><div dir="auto"><br></div><div dir="auto"><a href="https://www.manageengine.com/products/self-service-password/">https://www.manageengine.com/products/self-service-password/</a></div><div dir="auto"><br></div><div dir="auto">ADSelfServicePlus.</div><div dir="auto"><br></div><div dir="auto">That allows AD to manage the password change and then sync to 389 and other projects and products</div><div dir="auto">Google, MS365, Apple Mac, HPC, and Others </div><div dir="auto"><br></div><div dir="auto">AD => ADSelfService => 389, MS365, Zoho, VOIP, Google, etc.</div><div dir="auto"><br></div><div dir="auto">According to their website one of their customers is Kubota</div><div dir="auto"><br></div><div dir="auto">Cheers from Justin.</div><div dir="auto"><br><div data-smartmail="gmail_signature" dir="auto"><br>--<br>-------------------------------------<br>Justin W Elam<br><br><br> </div></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Thu, 31 Aug 2023, 12:59 Allen Beddingfield via Ale, <<a href="mailto:ale@ale.org">ale@ale.org</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">So, we currently have our Linux systems using an old 389 Directory for authentication, and have to switch to AD authentication to retire that system. I don't have any say in that matter, so authenticating to AD is the mandated solution that I have to get working. Most of these systems are SUSE Linux Enterprise 15, with a few 12.x systems.<br>
I got the old sssd.conf and nsswitch.conf working for LDAP 10+ years ago, and really just haven't looked at it since, as it has worked without any issue. I'm not wanting to go through the process of adding everything to AD, doing kerberos, etc.... so this will be SSSD using AD as an LDAP source for authentication. I've got that part working well. However, I've got one annoyance. With the LDAP setup, the users would just kind of look like local users, in that their primary group would be the local "users" group. (This is SUSE, so all users get the same primary group of "users", instead of an individual group that corresponds to their username). <br>
However, when configured against AD, the users' primary group is "Domain Users". I'm trying to find some way to either duplicate the old behavior, or at least have "Domain Users" be something like "adusers" without the capital letters and space. I saw a suggestion for functionality to implement the Red Hat style individual user groups, but that isn't really what I'm trying to accomplish.<br>
<br>
Anyone ever done this, or have any idea how to accomplish something like this?<br>
I asked ChatGPT, and got suggested some parameters for the config file that I think it just made up haha<br>
Allen B.<br>
<br>
--<br>
Allen Beddingfield<br>
Systems Engineer<br>
Office of Information Technology<br>
The University of Alabama<br>
Office 205-348-2251<br>
<a href="mailto:allen@ua.edu" target="_blank" rel="noreferrer">allen@ua.edu</a><br>
_______________________________________________<br>
Ale mailing list<br>
<a href="mailto:Ale@ale.org" target="_blank" rel="noreferrer">Ale@ale.org</a><br>
<a href="https://mail.ale.org/mailman/listinfo/ale" rel="noreferrer noreferrer" target="_blank">https://mail.ale.org/mailman/listinfo/ale</a><br>
See JOBS, ANNOUNCE and SCHOOLS lists at<br>
<a href="http://mail.ale.org/mailman/listinfo" rel="noreferrer noreferrer" target="_blank">http://mail.ale.org/mailman/listinfo</a><br>
</blockquote></div>