Linux, Microsoft Active Directory and Home folders
Solution 1:
You can do what you're asking, but you REALLY should not -- Unix users should always have a dedicated home directory, owned by that user's UID.
This is what Unix expects, and the reason you're giving above is a poor justification for Doing It Wrong.
To briefly summarize the problems:
Permissions
If your users have different UIDs and are sharing a home directory LOTS of things break.
SSH won't work properly (because ~/.ssh will have the wrong owner/permissions)
Shell history may not work (and will almost certainly throw errors).
Your users will invariably make files nobody else can read/manage, or step on each other's files.Security and Auditing
Unix relies on the numeric UID for pretty much everything. If you get around the permissions problem by assigning everyone the same UID you wind up losing the ability to audit who did what.
If John Doe and Jane Smith are both logged in to the system and someone deletes the Apache configuration (out of malice or by accident) it becomes very difficult to track down the responsible person.Principle of Least Astonishment
Generally you should set up systems that behave as the majority of the world expects them to.
This means every user has a distinct username, User ID, and Home Directory (and in the general case that the user's home directory name matches their username).
Setting up a system that violates the Principle of Least Astonishment should only be done with extremely good reason (and as I mentioned above you seem to lack a good reason).
Given the above, if you still want to do this then based on the fact that you've told us that Centrify Express is RFC 2307 compliant, the best possible solution would be to assign all your users the same User and Group ID (uidNumber
/gidNumber
), and Home Directory (homeDirectory
).
This minimizes the chance of breaking things (SSH, shell history, file permissions, etc. will all be fine because the numeric UID is the same) at the expense of security/accountability.
This also means that you can't use these accounts as "normal" unix accounts on any other system -- the accounts are effectively aliases to one account (UID) with different passwords.
A better solution to this situation would be to create a local admin account on your Unix systems and allow your users to access it using their SSH keys. This still breaks accountability to some extent, but leaves you with LDAP/AD accounts that can still be used as "normal" unix logins.