I want to build a server that exports user home directories over SMB/CIFS and NFS. This server would be joined to a Win2k3 AD domain controller that holds our user database. As I understand it, winbind will invent UIDs for these users on the fly. This username-UID mapping needs to be available to NFS clients that mount the home directories or file ownership will not be presented correctly.
I assume this can be achieved using SFU, but as far as I can tell SFU is discontinued and will not be supported on recent versions of Windows, so I would prefer not to use it.
How do I best provide this mapping to NFS clients?
(You would think this a common use case, but I fail to find a relevant howto. My Google-fu may be weak.)
EDIT: As an aside, would it be possible in this scenario for a user to connect over NFS without first having connected via SMB/CIFS?
(Edit for 2017-07-05) I'd generally recommend using sssd now. Leaving the original answer below for historical reference. My current notes for Ubuntu are:

- In /etc/sssd/sssd.conf, [sssd] section, add default_domain_suffix = example.com and full_name_format = %1$s. In the [domain/example.com] section, edit fallback_homedir = /home/%d/%u and add ignore_group_members = True. For larger domains, add enumerate = false to prevent sssd from traversing all over AD looking for group memberships (and delaying non-cached logins for a minute or two each).
- Add session required pam_mkhomedir.so skel=/etc/skel/ umask=0076 at end of /etc/pam.d/common-session (or whatever umask you want to use).
- Restart the sssd service with service sssd restart.
- Test with ssh localhost.

winbind would make up UIDs by default on older versions of Samba, or would have to refer to an LDAP store to keep everything consistent. That hasn't been the case for some time now (November 2004, if my information is correct) -- idmap_rid is a backend that can generate UIDs from the Active Directory RID (relative identifier, part of the user's SID).

I wrote up my configuration for tying Debian systems into an existing AD here -- it uses Puppet, but if you only read through it for a starting point on Samba and PAM configurations, it should work on any comparable UNIX system.
Note that I'm not using SFU, or modifying the AD schema in any way. All I wanted was a consistent set of UIDs for my users.
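An added illustration of the idmap_rid arithmetic the answer above relies on (example code written for this edit, not from the answer or from Samba): the SID values and the UID ranges are constructed, and base_rid is assumed to be the default of 0. It shows why hosts sharing one idmap range agree on ownership and why a host with a different range, or a RID outside the range, does not.

```python
import re

# The idmap_rid backend maps a user's RID into the per-domain UID range that
# smb.conf configures as "idmap config DOMAIN : range = LOW - HIGH". The
# mapping is plain arithmetic, so every NFS server and client with the same
# range derives the same UID for the same AD account without any shared store.

SID_RE = re.compile(r"^S-1-5-21-(\d+)-(\d+)-(\d+)-(\d+)$")


def parse_sid(sid):
    """Split an AD account SID into (domain SID, RID)."""
    m = SID_RE.match(sid)
    if not m:
        raise ValueError("not an AD account SID: %r" % sid)
    return "S-1-5-21-%s-%s-%s" % m.group(1, 2, 3), int(m.group(4))


def rid_to_id(sid, range_low, range_high, base_rid=0):
    """Replicate idmap_rid's formula: ID = RID - base_rid + range_low.
    Returns None when the result falls outside the configured range, which is
    what an unmappable account looks like (files then show up owned by nobody)."""
    _, rid = parse_sid(sid)
    uid = rid - base_rid + range_low
    if uid < range_low or uid > range_high:
        return None
    return uid


def id_to_rid(uid, range_low, range_high, base_rid=0):
    """Reverse mapping, used when a UID seen on the wire is resolved back to an account."""
    if uid < range_low or uid > range_high:
        return None
    return uid - range_low + base_rid


def same_mapping(sid, host_ranges):
    """True when every host in host_ranges (name -> (low, high)) maps sid to the
    same UID; a False here is exactly the ownership skew the question describes."""
    ids = {rid_to_id(sid, lo, hi) for lo, hi in host_ranges.values()}
    return len(ids) == 1 and None not in ids


if __name__ == "__main__":
    # Constructed sample: a domain SID with an account RID of 1105.
    user = "S-1-5-21-1111-2222-3333-1105"
    print(rid_to_id(user, 10000, 19999))  # 11105 with range 10000-19999
```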
The NFS component of Services for Unix is now part of the Services for Network File System role in Server 2003 R2 and above.
There is a great Microsoft blog about SFU - http://blogs.msdn.com/b/sfu/. The relevant blog entry explaining how to set it up and the definitive Technet article is here.
You can use the Identity Management for UNIX Active Directory schema extension to do your mapping allowing NFS clients to connect to your server without having to CIFS first (if they could CIFS, doesn't make much sense to NFS?).
As suggested by Mike Renfro above, idmap_rid is the central component. Below is a list of shell commands that get a box up and running, given a fresh RHEL5.5 box:
client_packages:
client_setup:
samba-winbind.conf:
krb.conf:
idmapd.conf
fstab.nfs-client