LinuxQuestions.org
Linux - Enterprise This forum is for all items relating to using Linux in the Enterprise.
Old 11-26-2004, 09:56 AM   #16
Builder
Member
 
Registered: Jun 2004
Location: London
Distribution: Red Hat, SuSE, Gentoo
Posts: 80

Original Poster
Rep: Reputation: 15
Updates to the situation


CURRENT STATUS
The authentication part of the problem has been solved using LDAP, Kerberos and PAM. A user is now able to log on to a Linux server with no local account existing. getent passwd shows all users including users on the AD server, and getent group shows all groups, including groups on the AD server.

CURRENT PROBLEM
For the rest of this, I will use an AD user named waynep that is part of two groups on the AD server named waynep_unixgroup and testgroup respectively.

My current problem is viewing which members belong to which groups on the AD server. Using LDAP, all I see is the group name and the group ID that I assigned in the Unix attributes tab in the group management section on Windows. I do not see any of the group members.

So for example, getent group (with LDAP as the lookup tool) will produce the following
waynep_unixgroup:x:10002:
testgroup:x:10011:

If I bring winbind into the setup, things progress slightly, but still have one major limitation - group numbers are not static.
If I change my nsswitch.conf group entry to read
group: files winbind ldap

getent group will show groups with users as follows

waynep_unixgroup:x:10007:waynep
testgroup:x:10008:testuser,waynep

This is the desired result, BUT the problem here is that the group IDs being shown are not the group IDs that have been configured in the UNIX attributes tab when creating a group. In addition, when I create a new group, there is no way to predict what will happen to the existing groups or how things will change.

Using LDAP the group IDs are correct, but I cannot see group members.

This leads me to believe that this information can be retrieved in a useful way somehow, but I'm failing to make the leap as to how. Also, if anyone could point me towards any mailing lists that may be of assistance, or Windows forums where this information would be available, I would greatly appreciate it.
 
Old 11-26-2004, 12:27 PM   #17
LanRx
Member
 
Registered: Jul 2004
Posts: 85

Rep: Reputation: 15
I have some thoughts...

As soon as I get done moving (whatta way to spend the holiday weekend, eh?), I'll try to offer some assistance.
 
Old 11-26-2004, 06:35 PM   #18
LanRx
Member
 
Registered: Jul 2004
Posts: 85

Rep: Reputation: 15
Re: Updates to the situation

Quote:
Originally posted by Builder
CURRENT STATUS
The authentication part of the problem has been solved using LDAP, Kerberos and PAM. A user is now able to log on to a Linux server with no local account existing. getent passwd shows all users including users on the AD server, and getent group shows all groups, including groups on the AD server.

CURRENT PROBLEM
For the rest of this, I will use an AD user named waynep that is part of two groups on the AD server named waynep_unixgroup and testgroup respectively.

My current problem is viewing which members belong to which groups on the AD server. Using LDAP, all I see is the group name and the group ID that I assigned in the Unix attributes tab in the group management section on Windows. I do not see any of the group members.

So for example, getent group (with LDAP as the lookup tool) will produce the following
waynep_unixgroup:x:10002:
testgroup:x:10011:

If I bring winbind into the setup, things progress slightly, but still have one major limitation - group numbers are not static.
If I change my nsswitch.conf group entry to read
group: files winbind ldap

getent group will show groups with users as follows

waynep_unixgroup:x:10007:waynep
testgroup:x:10008:testuser,waynep

This is the desired result, BUT the problem here is that the group IDs being shown are not the group IDs that have been configured in the UNIX attributes tab when creating a group. In addition, when I create a new group, there is no way to predict what will happen to the existing groups or how things will change.

Using LDAP the group IDs are correct, but I cannot see group members.

This leads me to believe that this information can be retrieved in a useful way somehow, but I'm failing to make the leap as to how. Also, if anyone could point me towards any mailing lists that may be of assistance, or Windows forums where this information would be available, I would greatly appreciate it.
How exactly are you looking to leverage this information? Are you looking to strictly view it? My opinion, is that I would probably leverage an ldapsearch against the msSFU30posixMember (I think that's the attribute) by doing something like

ldapsearch -D "cn=dirsearch,cn=Users,dc=lanrx,dc=com" -b "cn=Users,dc=lanrx,dc=com" msSFU30posixMember=(group id)

The above syntax is probably wrong, but you get the general idea. If your only problem is accessing the information from the LDAP source, that should take care of it, while not giving you the problem with the winbind inconsistency of uid/gid.
 
Old 11-27-2004, 12:59 PM   #19
Builder
Member
 
Registered: Jun 2004
Location: London
Distribution: Red Hat, SuSE, Gentoo
Posts: 80

Original Poster
Rep: Reputation: 15
Re: Re: Updates to the situation

Quote:
Originally posted by LanRx
How exactly are you looking to leverage this information? Are you looking to strictly view it? My opinion, is that I would probably leverage an ldapsearch against the msSFU30posixMember (I think that's the attribute) by doing something like

ldapsearch -D "cn=dirsearch,cn=Users,dc=lanrx,dc=com" -b "cn=Users,dc=lanrx,dc=com" msSFU30posixMember=(group id)

The above syntax is probably wrong, but you get the general idea. If your only problem is accessing the information from the LDAP source, that should take care of it, while not giving you the problem with the winbind inconsistency of uid/gid.
I'm looking to use the group membership information as I normally would on Unix. So for file permissions, giving groups of people sudo access, etc.
 
Old 11-27-2004, 01:05 PM   #20
LanRx
Member
 
Registered: Jul 2004
Posts: 85

Rep: Reputation: 15
So have you tried assigning more than one group to the user, and then trying the filesystem access?

I guess, where I'm going with this, is to try to discover if it's a problem within nss_ldap, or if it's a problem in getent, or if it's a problem elsewhere.
 
Old 11-28-2004, 11:14 AM   #21
Builder
Member
 
Registered: Jun 2004
Location: London
Distribution: Red Hat, SuSE, Gentoo
Posts: 80

Original Poster
Rep: Reputation: 15
Quote:
Originally posted by LanRx
So have you tried assigning more than one group to the user, and then trying the filesystem access?

I guess, where I'm going with this,is to try to discover if it's a problem within nss_ldap, or if it's a problem in getent, or if it's a problem elsewhere.
I have a user in multiple groups, with Unix GIDs.

I have a file which one of these groups can write to.

When using LDAP, when getent doesn't show the user as a group member, logging in as this user and attempting to touch the file fails with a permission denied (ERR 13).

When using winbind, and changing the group that owns the file to match the GID that the group currently has, then logging in as this user and touching the file succeeds.

So the problem is that the system does not believe that this user is part of the group when using LDAP. This is shown in getent and by running id as the user.

When using winbind, the user does belong to the group, but the ID always changes.
 
Old 11-30-2004, 03:49 AM   #22
Builder
Member
 
Registered: Jun 2004
Location: London
Distribution: Red Hat, SuSE, Gentoo
Posts: 80

Original Poster
Rep: Reputation: 15
I think I'm _very_ close to solving my groups issue with using LDAP to authenticate against AD. I have added the following line to my ldap.conf:

nss_map_attribute memberUid msSFU30PosixMember

Once I've done this, getent group shows users with groups, but the groups are in the DN format, not their sAMAccountName that I need. Is there any way to map these?

For example, getent testgroup now gives me
testgroup:x:10011:CN=Wayne P,CN=Users,DC=my,DC=domain,DC=com,CN=Test User,CN=Users,DC=my,DC=domain,DC=com

What I actually want to see here is
testgroup:x:10011:waynep,testuser

In my Unix attributes tab in Active Directory Users and Computers, I add users to the groups by clicking Add, selecting NIS users and clicking the add button.

Doing
ldapsearch -H ldap://my.ad.server.com -x -D "cn=padl,cn=Users,dc=my,dc=domain,dc=com" -wMyPassword -b "cn=Users,dc=my,dc=domain,dc=com" -s sub "sAMAccountName=testgroup"

I see the members that I've added as msSFU30PosixMember attributes in their CN=blah format. I also see this information in the member attribute, in exactly the same format. I don't see their sAMAccountName anywhere here.

Knowing their CN=blah data, is there any way to replace this in my ldap config using an nss_map_attribute so that I can set memberUid to be the UID of the user?

At the moment, if I login as a user and do id, I still only see their primary group, not any additional groups that they belong to.
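As an added example (not code from any poster, nss_ldap or AD), this Python script parses the DN-valued getent group line shown in the post above, splits the member field into whole DNs (a plain comma split would cut each DN into RDN fragments), maps each DN to its sAMAccountName through a constructed lookup table that stands in for a base-scope LDAP search on that DN, and checks the result against the GID configured in the Unix attributes tab. The DN-to-name table and the check_group helper are assumptions for illustration.

```python
import re
from typing import Dict, List, Set

# Constructed sample: the getent group line from the post, where memberUid
# has been mapped to msSFU30PosixMember and so carries full DNs.
GETENT_LINE = ("testgroup:x:10011:CN=Wayne P,CN=Users,DC=my,DC=domain,DC=com,"
               "CN=Test User,CN=Users,DC=my,DC=domain,DC=com")

# Constructed stand-in for the directory (hypothetical data, not from the
# page): in a live setup each entry comes from a base-scope ldapsearch on
# the DN asking for its sAMAccountName attribute.
DN_TO_SAM: Dict[str, str] = {
    "CN=Wayne P,CN=Users,DC=my,DC=domain,DC=com": "waynep",
    "CN=Test User,CN=Users,DC=my,DC=domain,DC=com": "testuser",
}


def split_member_dns(field: str) -> List[str]:
    """Split the member field into whole DNs. A comma starts a new DN only
    when the previous RDN is a DC= component and the next one is a CN=."""
    if not field:
        return []
    rdns = re.split(r"(?<!\\),", field)  # keep escaped commas inside a CN
    dns: List[List[str]] = []
    for rdn in rdns:
        if not dns or (dns[-1][-1].upper().startswith("DC=")
                       and rdn.upper().startswith("CN=")):
            dns.append([rdn])
        else:
            dns[-1].append(rdn)
    return [",".join(parts) for parts in dns]


def resolve_members(line: str, directory: Dict[str, str]) -> str:
    """Rewrite a group line with DN members as login names. Unresolved DNs
    are dropped: a DN is not a login name and would never match a user."""
    name, passwd, gid, members = line.split(":", 3)
    logins = [directory[dn] for dn in split_member_dns(members) if dn in directory]
    return ":".join([name, passwd, gid, ",".join(logins)])


def check_group(line: str, expected_gid: str, expected: Set[str]) -> List[str]:
    """Compare a resolved group line with what AD was configured to provide
    (GID from the Unix attributes tab, intended members); empty means OK."""
    name, _, gid, members = line.split(":", 3)
    actual = set(filter(None, members.split(",")))
    problems = []
    if gid != expected_gid:
        problems.append(f"{name}: gid {gid} differs from configured {expected_gid}")
    if actual != expected:
        problems.append(f"{name}: members {sorted(actual)} != {sorted(expected)}")
    return problems
```

Running check_group over both the LDAP and the winbind output for the same group makes the two failure modes in this thread visible at once: LDAP returns the right GID with no members, winbind the right members with a drifting GID.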
 
Old 12-14-2004, 08:32 AM   #23
mast_tech
LQ Newbie
 
Registered: Dec 2004
Posts: 1

Rep: Reputation: 0
Not able to login

I did everything as per the Lanrx document to get AD users to authenticate on a Linux server.
I am getting the user list by getent passwd but am not able to login.

It says login incorrect.
In SSH login it says Access Denied.

Please help.
 
Old 03-01-2005, 01:28 PM   #24
tangle
Senior Member
 
Registered: Apr 2002
Location: Arbovale, WV
Distribution: Slackware
Posts: 1,761

Rep: Reputation: 78
Not sure if you got this working. But you can do it with samba and winbindd. Linux Magazine had an article on it last month. I am in the process of writing a how-to for it. If you would like me to email it to you let me know.
 
Old 03-03-2005, 03:10 AM   #25
Builder
Member
 
Registered: Jun 2004
Location: London
Distribution: Red Hat, SuSE, Gentoo
Posts: 80

Original Poster
Rep: Reputation: 15
Quote:
Originally posted by tangle
Not sure if you got this working. But you can do it with samba and winbindd. Linux Magazine had an article on it last month. I am in the process of writing a how-to for it. If you would like me to email it to you let me know.
The problem with the Winbindd solution is that you can't guarantee UIDs and GIDs will stay the same long term. This can be a HUGE problem. We've already seen one incident where a change to Samba added machine accounts, which threw out UIDs and GIDs in a big way!
 
Old 03-03-2005, 03:12 AM   #26
Builder
Member
 
Registered: Jun 2004
Location: London
Distribution: Red Hat, SuSE, Gentoo
Posts: 80

Original Poster
Rep: Reputation: 15
Re: Not able to login

Quote:
Originally posted by mast_tech
I did everything as per the Lanrx document to get AD users to authenticate on a Linux server.
I am getting the user list by getent passwd but am not able to login.

It says login incorrect.
In SSH login it says Access Denied.

Please help.
I finally got all of this working. I'll try and document it tonight / tomorrow and I'll post here when it's done. I've not used the LANRX stuff for this, but a combination of stuff I found on Experts Exchange and SecurityFocus, and a conversation with someone from Red Hat Global Professional Services.

The final solution I've arrived at uses the following:

Kerberos for authentication
LDAP for directory information (UID, GID, etc.)
pam for gluing stuff together and
pam_limit to control which users can login to a machine.
 
Old 08-30-2005, 03:56 AM   #27
stuttgart
LQ Newbie
 
Registered: Aug 2005
Location: Germany
Posts: 2

Rep: Reputation: 0
I'm working on the same problem and can't find the solution regarding the group membership problem. Can you point me in the right direction?
 