Combined NFS, Samba server w users from Active Directory
(Edit for 2017-07-05) I'd generally recommend using sssd now. Leaving the original answer below for historical reference. My current notes for Ubuntu are:
```
apt-get install openssh-server sssd-ad realmd packagekit
realm -v join example.com --computer-ou="OU=someOU,DC=example,DC=com" --user=someuser
```

- In `/etc/sssd/sssd.conf`, `[sssd]` section, add `default_domain_suffix = example.com` and `full_name_format = %1$s`. In the `[domain/example.com]` section, edit `fallback_homedir = /home/%d/%u` and add `ignore_group_members = True`. For larger domains, add `enumerate = false` to prevent sssd from traversing all over AD looking for group memberships (and delaying non-cached logins for a minute or two each).
- Append `session required pam_mkhomedir.so skel=/etc/skel/ umask=0076` at the end of `/etc/pam.d/common-session` (or whatever umask you want to use).
- Restart the `sssd` service with `service sssd restart`.
- Try logging in on a second text or GUI console, or with `ssh localhost`.
`winbind` would make up UIDs by default on older versions of Samba, or would have to refer to an LDAP store to keep everything consistent. That hasn't been the case for some time now (November 2004, if my information is correct) -- `idmap_rid` is a backend that can generate UIDs from the Active Directory RID (relative identifier, part of the user's SID).
I wrote up my configuration for tying Debian systems into an existing AD here -- it uses Puppet, but if you only read through it for a starting point on Samba and PAM configurations, it should work on any comparable UNIX system.
Note that I'm not using SFU, or modifying the AD schema in any way. All I wanted was a consistent set of UIDs for my users.
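The sssd notes at the top of this answer are a sequence of hand edits. As an added example (not part of the answer, and not sssd's or realmd's own tooling), the script below applies those same `sssd.conf` and `common-session` changes idempotently and can re-check them after a package upgrade rewrites the files. The domain `example.com`, the file paths and the sample config are taken from the notes or constructed here; nothing is read from a live system.

```python
"""Idempotent application and verification of the sssd.conf / PAM edits
from the notes above. Added example; the DOMAIN and the sample config text
are assumptions, not values from a real host."""
import configparser
import io

DOMAIN = "example.com"  # assumed, matches the notes
PAM_FILE = "/etc/pam.d/common-session"
SSSD_FILE = "/etc/sssd/sssd.conf"
PAM_LINE = "session required pam_mkhomedir.so skel=/etc/skel/ umask=0076"

# The settings named in the notes, keyed by sssd.conf section.
SSSD_SETTINGS = {
    "sssd": {
        "default_domain_suffix": DOMAIN,
        "full_name_format": "%1$s",
    },
    "domain/" + DOMAIN: {
        "fallback_homedir": "/home/%d/%u",
        "ignore_group_members": "True",
        "enumerate": "false",
    },
}


def _parse(conf_text):
    # interpolation=None keeps the '%' in the format strings literal;
    # optionxform=str keeps key case, as sssd option names are case-sensitive.
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str
    cp.read_string(conf_text)
    return cp


def apply_sssd_settings(conf_text, settings=SSSD_SETTINGS):
    """Return conf_text with every key in settings added or replaced."""
    cp = _parse(conf_text)
    for section, keys in settings.items():
        if not cp.has_section(section):
            cp.add_section(section)
        for key, value in keys.items():
            cp.set(section, key, value)
    out = io.StringIO()
    cp.write(out)
    return out.getvalue()


def check_sssd_settings(conf_text, settings=SSSD_SETTINGS):
    """Return the (section, key) pairs that are missing or hold another value."""
    cp = _parse(conf_text)
    problems = []
    for section, keys in settings.items():
        for key, value in keys.items():
            if not cp.has_option(section, key) or cp.get(section, key) != value:
                problems.append((section, key))
    return problems


def ensure_pam_line(pam_text, line=PAM_LINE):
    """Append the pam_mkhomedir line unless an equivalent line already exists."""
    for existing in pam_text.splitlines():
        if existing.split() == line.split():
            return pam_text
    if pam_text and not pam_text.endswith("\n"):
        pam_text += "\n"
    return pam_text + line + "\n"


if __name__ == "__main__":
    # Constructed sample of what realm join typically leaves behind.
    sample = (
        "[sssd]\nservices = nss, pam\ndomains = example.com\n\n"
        "[domain/example.com]\nfallback_homedir = /home/%u@%d\n"
    )
    print("before:", check_sssd_settings(sample))
    fixed = apply_sssd_settings(sample)
    print("after: ", check_sssd_settings(fixed))
    print(fixed)
    print(ensure_pam_line("session required pam_unix.so\n"))
```

When writing the result back to `/etc/sssd/sssd.conf`, keep the file owned by root with mode 0600; sssd refuses to start on a world-readable config. `check_sssd_settings` returning an empty list is the post-upgrade check that the edits survived.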
The NFS component of Services for Unix is now part of the Services for Network File System role in Server 2003 R2 and above.
There is a great Microsoft blog about SFU - http://blogs.msdn.com/b/sfu/. The relevant blog entry explaining how to set it up and the definitive Technet article is here.
You can use the Identity Management for UNIX Active Directory schema extension to do your mapping, allowing NFS clients to connect to your server without having to use CIFS first (if they could use CIFS, NFS doesn't make much sense, does it?).
As suggested by Mike Renfro above, `idmap_rid` is the central component. Below is a list of shell commands that get a box up and running, given a fresh RHEL5.5 box:

client_packages:

```sh
yum -y install samba3x-winbind krb5-workstation nfs-utils portmap pam_krb5
chkconfig --add winbind
chkconfig winbind --level 345 on
chkconfig --add rpcidmapd
chkconfig rpcidmapd --level 345 on
chkconfig --add portmap
chkconfig portmap --level 345 on
chkconfig --add nfslock
chkconfig nfslock --level 345 on
```

client_setup:

```sh
umount /cpy/shared || true
umount /cpy/users || true
# The three config files are listed below this script.
install samba-winbind.conf /etc/samba/smb.conf
install krb5.conf /etc/krb5.conf
install idmapd.conf /etc/idmapd.conf
# Join the domain only if this host is not already a member.
if ! net -S ad.example.com ads testjoin ; then
    net -S ad.example.com ads join -UAdministrator
fi
# Add winbind to passwd/shadow/group lookups and wins to host lookups, once.
if ! grep -q winbind /etc/nsswitch.conf ; then
    sed -r -e 's/^(passwd|shadow|group):.*$/& winbind/g' \
        -e 's/^hosts:.*$/& wins/g' -i /etc/nsswitch.conf
fi
# Replace any existing entries for the NFS server with those in fstab.nfs-client.
( grep -v '172.18.0.2:' /etc/fstab && cat fstab.nfs-client ) \
    > /tmp/fstab.new && mv /tmp/fstab.new /etc/fstab
service winbind restart
service rpcidmapd restart
install -d /cpy/shared
install -d /cpy/users
mount -a
authconfig --enablewinbind --enablewinbindauth --enablekrb5 --update
echo "Make sure that /etc/hosts has an entry with .example.com"
```
samba-winbind.conf:

```ini
[global]
unix charset = LOCALE
workgroup = EXAMPLE
realm = example.com
security = ADS
log level = 2
syslog = 0
log file = /var/log/samba/%m
max log size = 50
idmap backend = idmap_rid:EXAMPLE=10000-20000
idmap uid = 10000-20000
idmap gid = 10000-20000
template shell = /bin/bash
template homedir = /cpy/users/%u
winbind separator = +
winbind cache time = 60
winbind enum groups = yes
winbind enum users = yes
winbind use default domain = yes
```
krb5.conf:

```ini
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
default_realm = EXAMPLE.COM
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
forwardable = yes
[realms]
PILOTFISH.SE = {
kdc = ad.example.com
admin_server = ad.example.com
default_domain = example.com
}
[domain_realm]
.pilotfish.se = EXAMPLE.COM
pilotfish.se = EXAMPLE.COM
[appdefaults]
pam = {
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
}
```
idmapd.conf:

```ini
[General]
Verbosity = 1
Pipefs-Directory = /var/lib/nfs/rpc_pipefs
Domain = example.com
[Mapping]
Nobody-User = nfsnobody
Nobody-Group = nfsnobody
[Translation]
Method = nsswitch
```
fstab.nfs-client:

```
172.18.0.2:/users /cpy/users nfs4 defaults 0 0
172.18.0.2:/shared /cpy/shared nfs4 defaults 0 0
```
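Both Mike Renfro's answer and the `smb.conf` above rely on `idmap_rid` deriving UIDs and GIDs from the RID at the end of an object's SID. The added example below (not part of either answer, and not Samba code) applies idmap_rid's documented rule, `ID = RID - BASE_RID + LOW_RANGE_ID` with `BASE_RID` defaulting to 0, to the `idmap_rid:EXAMPLE=10000-20000` line above and shows the consequence a practitioner should check: with a 10000-wide range the highest RID that can be mapped is 10000, so a domain whose RID counter (which starts issuing at 1000 for ordinary users and groups) passes that point gets accounts that winbind reports as unmapped. The domain SID is constructed for the example.

```python
"""idmap_rid SID -> POSIX ID mapping with the range from the smb.conf above.
Added example; DOMAIN_SID is constructed, not a real domain."""
import re

# Constructed domain SID; a real one comes from `net getdomainsid`.
DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"

# Old-style Samba 3 value: idmap backend = idmap_rid:DOMAIN=LOW-HIGH
_BACKEND_RE = re.compile(r"^idmap_rid:(?P<domain>[^=]+)=(?P<low>\d+)-(?P<high>\d+)$")
# Domain-object SID: S-1-5-21-<three sub-authorities>-<RID>
_SID_RE = re.compile(r"^(?P<domain>S-1-5-21(?:-\d+){3})-(?P<rid>\d+)$")


def parse_idmap_backend(value):
    """Parse 'idmap_rid:DOMAIN=LOW-HIGH' into (domain, low, high)."""
    m = _BACKEND_RE.match(value.strip())
    if not m:
        raise ValueError("not an idmap_rid backend spec: %r" % value)
    domain, low, high = m.group("domain"), int(m.group("low")), int(m.group("high"))
    if low > high:
        raise ValueError("idmap range low (%d) exceeds high (%d)" % (low, high))
    return domain, low, high


def split_sid(sid):
    """Split a domain-object SID into (domain SID, RID)."""
    m = _SID_RE.match(sid)
    if not m:
        raise ValueError("not a domain-object SID: %r" % sid)
    return m.group("domain"), int(m.group("rid"))


def sid_to_id(sid, domain_sid, low, high, base_rid=0):
    """Apply idmap_rid's rule  ID = RID - base_rid + low.

    Returns the UID/GID, or None when the result would leave the configured
    range (winbind then has no POSIX identity for that SID on this host).
    Raises ValueError for a SID from another domain, which a single-domain
    idmap_rid range never maps.
    """
    sid_domain, rid = split_sid(sid)
    if sid_domain != domain_sid:
        raise ValueError("SID %s is not from domain %s" % (sid, domain_sid))
    if rid < base_rid:
        return None
    posix_id = rid - base_rid + low
    return posix_id if posix_id <= high else None


def max_mappable_rid(low, high, base_rid=0):
    """Highest RID the range can hold: high - low + base_rid."""
    return high - low + base_rid


def range_report(backend_value):
    """Summarise what the configured range maps, using well-known RIDs
    500 (Administrator) and 513 (Domain Users)."""
    domain, low, high = parse_idmap_backend(backend_value)
    ceiling = max_mappable_rid(low, high)
    return {
        "domain": domain,
        "uid_of_administrator": sid_to_id(DOMAIN_SID + "-500", DOMAIN_SID, low, high),
        "gid_of_domain_users": sid_to_id(DOMAIN_SID + "-513", DOMAIN_SID, low, high),
        "max_rid": ceiling,
        # AD hands out RIDs for new users and groups from 1000 upward, so this
        # is roughly how many objects fit before new accounts stop mapping.
        "rids_above_1000": ceiling - 1000,
    }


if __name__ == "__main__":
    for key, val in range_report("idmap_rid:EXAMPLE=10000-20000").items():
        print("%-22s %s" % (key, val))
    print(sid_to_id(DOMAIN_SID + "-10001", DOMAIN_SID, 10000, 20000))  # None: out of range
```

Because the mapping is arithmetic on the RID with no state, every host that shares the same `idmap_rid` range line computes the same UID for the same user, which is what makes NFS (which carries numeric IDs, or names that idmapd resolves through nsswitch and winbind) consistent across the Samba and NFS clients above. The flip side is that changing the range later renumbers every user, so choose it with enough headroom from the start.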