
Working With Oracle® Solaris 11.4 Directory and Naming Services: DNS and NIS


Updated: November 2020

How nss_ad Module Retrieves Data From AD

This section describes how the nss_ad module resolves naming service requests for the passwd, shadow, and group files by retrieving corresponding data from AD.

nss_ad Retrieving passwd Information

Use the following syntax for the passwd entry:

username:password:uid:gid:gecos:home-directory:login-shell

For more information, see the passwd(5) man page.

The nss_ad module retrieves passwd information from AD as follows:

  • username: Uses the value of the samAccountName AD attribute, qualified by the name of the domain in which the object resides, for example, johnd@example.com.

  • password: Uses the value x because the user password is not available in the AD object.

  • uid: Uses the Windows user's SID from the objectSID AD attribute, which is mapped to a UID by the idmap service.

  • gid: Uses the Windows user's primary group SID, which is mapped to a GID by the idmap service. The group SID is obtained by appending the value of the primaryGroupID AD attribute to the domain SID. Because primaryGroupID is an optional attribute for AD users, it might not exist. If the attribute does not exist, nss_ad uses the idmap diagonal mapping facility to map the user SID from the objectSID attribute to a GID.

  • gecos: Uses the value of the CN AD attribute.

  • home-directory: Uses the value of the homeDirectory AD attribute if a value exists. Otherwise, the field is left empty.

  • login-shell: The field is left empty because the native AD schema has no login shell attribute.

nss_ad Retrieving shadow Information

Use the following syntax for the shadow entry:

username:password:lastchg:min:max:warn:inactive:expire:flag

For more information, see the shadow(5) man page.

The nss_ad module retrieves shadow information from AD as follows:

  • username: Uses the value of the samAccountName AD attribute, qualified by the name of the domain in which the object resides, for example, johnd@example.com.

  • password: Uses the value *NP* because the user password is not available in the AD object.

The remaining shadow fields are left empty because they are not relevant when AD and Kerberos v5 are used.

nss_ad Retrieving group Information

Use the following syntax for the group entry:

groupname:password:gid:user-list

For more information, see the group(5) man page.

The nss_ad module retrieves group information from AD as follows:

  • groupname: Uses the value of the samAccountName AD attribute, qualified by the name of the domain in which the object resides, for example, admins@example.com.

  • password: The field is left empty because Windows groups do not have passwords.

  • gid: Uses the Windows group's SID from the objectSID AD attribute, which is mapped to a GID by the idmap service.

  • user-list: The field is left empty.
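The following added Python illustration (not nss_ad or Solaris source code) applies the three mapping rules above, for passwd, shadow, and group, to constructed sample AD objects. The domain SID, the SID-to-ID tables, and the attribute values are constructed samples, and two dictionaries stand in for the idmap service.

```python
# Added illustration of the nss_ad field mapping described above; it is not
# nss_ad source code. The AD objects and the SID-to-ID tables are constructed
# samples, and two dictionaries stand in for the idmap service.

DOMAIN = "example.com"
DOMAIN_SID = "S-1-5-21-1111-2222-3333"          # constructed domain SID

# Constructed idmap stand-ins: SID -> UID, and SID -> GID. A user SID in the
# GID table models idmap's diagonal mapping (user SID mapped to a GID).
UID_MAP = {f"{DOMAIN_SID}-1105": 2147483650}   # johnd
GID_MAP = {
    f"{DOMAIN_SID}-513": 2147483651,           # Domain Users (RID 513)
    f"{DOMAIN_SID}-1120": 2147483652,          # admins
    f"{DOMAIN_SID}-1105": 2147483653,          # johnd's SID, diagonal mapping
}

def qualify(sam_account_name):
    """samAccountName qualified by the domain the object resides in."""
    return f"{sam_account_name}@{DOMAIN}"

def passwd_entry(obj):
    """Build the passwd(5) line for an AD user object (dict of attributes)."""
    user_sid = obj["objectSID"]
    if "primaryGroupID" in obj:
        # Primary group SID is the domain SID with primaryGroupID appended.
        gid = GID_MAP[f"{DOMAIN_SID}-{obj['primaryGroupID']}"]
    else:
        # Optional attribute missing: diagonal-map the user SID to a GID.
        gid = GID_MAP[user_sid]
    return ":".join([
        qualify(obj["samAccountName"]),
        "x",                               # password not available in AD
        str(UID_MAP[user_sid]),
        str(gid),
        obj["cn"],                         # gecos
        obj.get("homeDirectory", ""),      # empty when the attribute is absent
        "",                                # AD schema has no login shell
    ])

def shadow_entry(obj):
    """shadow(5) line: only username and *NP* are populated (9 fields)."""
    return ":".join([qualify(obj["samAccountName"]), "*NP*"] + [""] * 7)

def group_entry(obj):
    """group(5) line: no password and no user list."""
    return ":".join([qualify(obj["samAccountName"]), "",
                     str(GID_MAP[obj["objectSID"]]), ""])
```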