Active Directory – Combined NFS and Samba Server with Users from Active Directory

Tags: active-directory, nfs, samba, user-management

I want to build a server that exports user home directories over SMB/CIFS and NFS. This server would be joined to a Win2k3 AD domain controller that holds our user database. As I understand it, winbind will invent UIDs for these users on the fly. This username-UID mapping needs to be available to NFS clients that mount the home directories or file ownership will not be presented correctly.

I assume this can be achieved using SFU, but as far as I can tell SFU is discontinued and will not be supported on recent versions of Windows, so I would prefer not to use it.

How do I best provide this mapping to NFS clients?

(You would think this a common use case, but I fail to find a relevant howto. My Google-fu may be weak.)

EDIT: As an aside, would it be possible in this scenario for a user to connect over NFS without first having connected via SMB/CIFS?

Best Answer

(Edit for 2017-07-05) I'd generally recommend using sssd now. Leaving the original answer below for historical reference. My current notes for Ubuntu are:

apt-get install openssh-server sssd-ad realmd packagekit
realm -v join example.com --computer-ou="OU=someOU,DC=example,DC=com" --user=someuser
  • In /etc/sssd/sssd.conf, [sssd] section, add default_domain_suffix = example.com and full_name_format = %1$s. In the [domain/example.com] section, edit fallback_homedir = /home/%d/%u and add ignore_group_members = True. For larger domains, add enumerate = false to prevent sssd from traversing all over AD looking for group memberships (and delaying non-cached logins for a minute or two each).
  • Append session required pam_mkhomedir.so skel=/etc/skel/ umask=0076 at end of /etc/pam.d/common-session. (or whatever umask you want to use).
  • Restart sssd service with service sssd restart.
  • Try logging in on a second text or GUI console, or with ssh localhost.

winbind would make up UIDs by default on older versions of Samba, or would have to refer to an LDAP store to keep everything consistent. That hasn't been the case for some time now (November 2004, if my information is correct) -- idmap_rid is a backend that can generate UIDs from the Active Directory RID (relative identifier, part of the user's SID).

I wrote up my configuration for tying Debian systems into an existing AD here -- it uses Puppet, but if you only read through it for a starting point on Samba and PAM configurations, it should work on any comparable UNIX system.

Note that I'm not using SFU, or modifying the AD schema in any way. All I wanted was a consistent set of UIDs for my users.
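The consistency point the answer relies on can be made concrete. idmap_rid(8) maps algorithmically, ID = RID - BASE_RID + LOW_RANGE_ID, so any host configured with the same backend, base_rid and range derives the same UID from a user's SID without a shared LDAP store or schema extension; an NFS client configured with a different range shows the same files owned by a different UID. The following is an added example, not code from the original question or answer: it implements that formula, emits the matching smb.conf idmap block, and checks server/client agreement. The domain name EXAMPLE, the SIDs and the ranges are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): the UID that Samba's idmap_rid
# backend derives from an AD SID, and why the NFS server and every NFS client
# must be configured with the same idmap range. The SIDs, domain name and
# ranges below are constructed for illustration.
#
# idmap_rid(8) maps algorithmically: ID = RID - BASE_RID + LOW_RANGE_ID.
# The RID is the last component of the user's SID and never changes, so every
# host with the same backend, base_rid and range computes the same UID.

# rid_to_uid SID LOW_RANGE_ID HIGH_RANGE_ID [BASE_RID]
# Prints the UID idmap_rid would assign; fails if the SID is not a domain SID
# or the result falls outside the configured range (winbind would then refuse
# to map the user at all).
rid_to_uid() {
    _sid=$1; _low=$2; _high=$3; _base=${4:-0}
    case $_sid in
        S-1-5-21-*-*-*-*) ;;        # domain SID: S-1-5-21-<a>-<b>-<c>-<RID>
        *) echo "error: not a domain SID: $_sid" >&2; return 1 ;;
    esac
    _rid=${_sid##*-}                 # RID is the last dash-separated field
    _uid=$((_rid - _base + _low))
    if [ "$_uid" -lt "$_low" ] || [ "$_uid" -gt "$_high" ]; then
        echo "error: RID $_rid maps to $_uid, outside $_low-$_high" >&2
        return 1
    fi
    echo "$_uid"
}

# smb_conf_idmap NETBIOS_DOMAIN LOW HIGH
# Prints the [global] idmap settings for smb.conf. Every NFS client that must
# display ownership correctly needs the identical block; the default (*)
# range for well-known SIDs must not overlap the domain range.
smb_conf_idmap() {
    cat <<EOF
   # well-known SIDs (BUILTIN, local) get tdb-allocated IDs in a separate range
   idmap config * : backend = tdb
   idmap config * : range = 3000-7999
   # domain users: deterministic IDs derived from the RID
   idmap config $1 : backend = rid
   idmap config $1 : range = $2-$3
EOF
}

# mapping_consistent SID SRV_LOW SRV_HIGH CLI_LOW CLI_HIGH
# Returns 0 when the NFS server and the NFS client derive the same UID for SID.
mapping_consistent() {
    _srv=$(rid_to_uid "$1" "$2" "$3") || return 1
    _cli=$(rid_to_uid "$1" "$4" "$5") || return 1
    [ "$_srv" = "$_cli" ]
}

# Constructed sample: a domain user whose RID is 1105.
USER_SID="S-1-5-21-3623811015-3361044348-30300820-1105"

smb_conf_idmap EXAMPLE 10000 999999
echo "server uid for RID 1105: $(rid_to_uid "$USER_SID" 10000 999999)"
if mapping_consistent "$USER_SID" 10000 999999 10000 999999; then
    echo "client with the same range: ownership is shown correctly"
fi
if ! mapping_consistent "$USER_SID" 10000 999999 20000 999999; then
    echo "client with range 20000-999999 sees uid $(rid_to_uid "$USER_SID" 20000 999999): files appear owned by a stranger"
fi
```

Run it on any POSIX shell; the two `mapping_consistent` calls show the healthy case and the mismatch case. Note that this is the idmap_rid formula only: sssd's own algorithmic mapping (ldap_id_mapping) derives IDs differently, so the winbind hosts and the sssd hosts in the same environment cannot be mixed as NFS server and client without agreeing on one mapping scheme.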
