Greater AD Integration via NFS and Automounts

Scott,

You dont need to install User Name Mapping or Server for NIS if all your users come from AD.

At step 2 in your ‘Configuring Domain Controllers’ section just check the box labeled “Active Directory Lookup” and specify the name of the Active Directory domain.

Dont bother changing “User Name Mapping Server”

The only time you need the User Name Mapping component is when you have users from a ‘foreign’ NIS domain NFS mounting shares off your Windows boxes. Technically, when you do need it, you also only need one mapping server but you normally install them on your DCs anyway.

I can see you’ve discovered how ‘touchy’ Server for NFS is about permissions/ownership of NFS shared directories. And the mystery of the 4294967294 uids and gids… Somewhere in the mire of papers on my desk in the office, I have some MS docs on the Server for NFS bits (Ok - from MS-SFU days but still relevant) which I can send you the URLs for when I get in. In particular, I’m thinking about one doc which has info about registry settings that you can pull to affect how Server for NFS interprets/sets NTFS permissions.

David,

What is the mystery of the 4294967294 uids and gids…?

I am facing same problem, when users home directorys are mounted on linux and group id is showing 4294967294. Where is it coming from and how do you change this with proper group id?

Thanks
Dand

DandK,
those 4294967294 come out because there is no map between the user/group on linux and the one on the AD server. You have to set a map for each user is going to write on the NFS share. You can this via the ‘Unix Attribute’ on the User Account Property tab or via “simple map”
I’m testing other settings so I’d like to share my (un)knowledge with others, my email:
pink0.pallino (a-t) libero.it

Hello Scott,
I have seen in your once post mentioning about NetApp. As known DataONTAP has an opportunity to give access to resources on NFS.
As you think, whether probably in to use NetApp as NFS server?

Hello
I mounted home folder created with this instruction on the system not configured to AD integration, I created local user with name and UID idenctical whith AD, only password is different. On this system I have access to files on server for nfs Winows 2003. How to configure server for nfs to authenticate with kerberos ?

hi Scott,
thanks for the article, this is very informative. Is it possible to mount user home directories using Samba/AD/LDAP where the home directories reside on a Solaris 10 nfs server (in this example you have a Windows NFS server)? We have a mix of Linux, Solaris, and Windows clients. The Windows clients need to be able to access their unix home directories from the Samba server.

Maria

Anyone has found any way to use the UPG (private groups) also on Active Directory?
I think I need only this step to have a (hopeful) full working NFS share on the windows 2003 server.
I guess the difficult is that on AD there cannot be two object with the same name (user/group), but with openLDAP it works..
thanks

I set NFS and AD integration thrugh LDAP (no NIS).
My doubts are now about permissions: I use the NFS share as home directories for linux clients. Well, I’d like to keep the same permissions capability we have on linux, I mean, on the /home I want any user can list the homes, but can access his and other only if properly shared.
I want this thing also accessible via NTFS.
how should the permission be set under NTFS?
one more question is about chmod: when I chmod a directory it gets the NTFS permissions even if I do not set them. Is this correct?

Question regarding root mapping. Do you have the linux root account mapped to any AD user? I have linux-ads auth via kerberos working (per you previous Linux-AD Integration With Windows Server 2003 R2 instructions–thank BTW), but when I attempt to serve up a NFS share from the ADS, the mount would show a owner of ‘nfsnobody’ or ‘4294967294′

Thanks for the reply Scott

I don’t want to map root either. WRT to (b), there is not data in the NFS share. I created a new NFS share on the AD server and gave a linux mapped group full control (the share is nothing more than a directory that I want to test xwr with from a linux client). I can mount the nfs share as root (and get the nfsnobody owner), however, I am unable to access the share from the linux client (can’t even cd to it). I still need to spend some more time with it and maybe bounce the windows nfs and nis services. Any tips would be appreciated, but I’m also using this as a sounding board and hopefully will be able to contribute the solution to my particular problem.

Thanks for the “hit upside my head”. Changing the owner to the mapped linux user was the missing piece of the puzzle (well that and a typo auto.master). Thanks again for this great resource on linux-ADS integration

hello, great howto, I just wanted to ask you if you know how to automount homes from a nt4 primary domain controller (actually a samba one)

the windows clients automatically mount their home dir with samba as pdc, but the unix clients with winbind setup just see their local (workstation) home directory

In response to Aleandro’s question about mounting windows clients home folders from windows it is possible by using Winbind Kerberos and Samba. When creating the AD user specify their username home directory to be use \samba_server\username. When winbind and samba authenticate the user /home/DOMAIN/username will be mapped on the Windows client as their home directory.

You can use pam makedir to automate this.

I have a different issue though. I want to use a linux server for my users home directories but seperated into staff and students. /home/staff/usernames and /home/students/2007/usernames The users will need to authenticate onto the linux server through some means of communicating with Active Directory and have their home directories available to them (for mailboxes) and on the windows clients the users again will need thier home drives mapped.

Any help would be appreciated.

When I restart autofs I get the following (CentOS5)

Aug 15 08:57:45 library automount[2051]: create_udp_client: hostname lookup failed: Operation not permitted
Aug 15 08:57:45 library automount[2051]: create_tcp_client: hostname lookup failed: Operation not permitted
Aug 15 08:57:45 library automount[2051]: lookup_mount: exports lookup failed for .directory
Aug 15 08:57:45 library automount[2051]: create_udp_client: hostname lookup failed: Operation not permitted
Aug 15 08:57:45 library automount[2051]: create_tcp_client: hostname lookup failed: Operation not permitted
Aug 15 08:57:45 library automount[2051]: lookup_mount: exports lookup failed for .directory

I’m getting the following message in the log when the user “test” logs in:

Aug 15 15:17:49 library gdm[4085]: gdm_slave_session_start: /home/test is not owned by uid 10001.

I’m sure my problem is a permissions issue on the AD server, but I’m not sure where to go… Do I need to manually make each user the “Owner” of their respective folder? This would take some time with 300 users… Are there other solutions? Right now the user folders are auto created by Windws AD (Home Directory setting) and being mapped from Linux (CentOS 5). Currently, “Administrator” is the owner of the folder.

So, if I want to map a server share to an home directory all I have to do is specify tje home directory option in the smb.com to \server\user ?
Thanks, great article…

Your articles have been a great resource! I do have one issue though… When an AD user logs into an AD domain member linux host the home directory automounts correctly; however, that user cannot use VNC. An input/output error is recorded and the gnome session does not start properly. I am guessing that it is a permissions issue since by moving the password file to a directory other than home solves the problem.

Any thoughts?

As others have said, these are excellent articles and got me up and running in no time. However, something I haven’t seen addressed is annoyingly slow access to shares mounted on a linux client to a Windows host using NFS. I don’t know if it’s just that the MS implementation of NFS is very slow, or what. It can’t be my network hardware, as it’s wall-to-wall GigE, and all other protocols between these boxes are as expected.

Here are some examples from within a user homedir that is mounted via NFS from my Win2003R2 file server:

-bash-3.00$ time ls
1234

real 0m1.504s
user 0m0.001s
sys 0m0.001s
-bash-3.00$ time mkdir 4321

real 0m3.021s
user 0m0.000s
sys 0m0.000s
-bash-3.00$ time cd 4321

real 0m3.009s
user 0m0.000s
sys 0m0.000s

Any ideas?

Scott,

Thanks for the suggestion. I’ve done just that, and I’m sure it will help with other areas. However it doesn’t appear to have much of an affect on this particular source of NFS slowness:

-bash-3.00$ time ls

real 0m5.986s
user 0m0.000s
sys 0m0.002s
-bash-3.00$ time mkdir 1111

real 0m1.494s
user 0m0.000s
sys 0m0.001s
-bash-3.00$ time cd 1111

real 0m1.496s
user 0m0.000s
sys 0m0.000s

One puzzling bit is that I’ve seen quite a few blog/forum posts about this kind of slowness, but no definitive explanation or remedy.

My slowness issue has gone away. Still no idea why. If anybody else ever has this issue, I’ll tell you the steps I took to resolve it:

1) Whine on someone’s well-thought-out blog post.
2) Contact someone at Microsoft for their opinion.
3) Wait a few days, but change nothing.

VOILA, it’s fixed.

Joking aside, did Chris W. ever determine what permissions issue was stopping VNC server from starting? I’m in the same boat now.

it’s not the problem of permission but the fact that VNC is creating a file name with colon (:) in it, and windows won’t allow colon in the filename. Anyone have a fix?