Integrating NFS and Samba with Active Directory: UID/GID Mapping Solutions for Shared Home Directories



When setting up a mixed-protocol file server that serves home directories via both SMB/CIFS (Samba) and NFS while using Active Directory for authentication, the primary technical hurdle is maintaining consistent UID/GID mapping across all clients. Winbind dynamically assigns local UIDs to AD users, but these mappings must be available to NFS clients for proper file ownership presentation.

Here are three viable solutions for maintaining consistent ID mapping:


# Option 1: Using SSSD (Recommended for modern systems)
[sssd]
services = nss, pam
domains = example.com

[domain/example.com]
id_provider = ad
access_provider = ad
enumerate = false
override_homedir = /home/%u
fallback_homedir = /home/%u

# NSS options: hide the local root account from domain lookups
[nss]
filter_groups = root
filter_users = root

For the NFS server to properly handle AD users, you'll need to configure ID mapping:


# /etc/idmapd.conf
[General]
Domain = example.com
Local-Realms = EXAMPLE.COM

[Translation]
Method = nsswitch

[Mapping]
Nobody-User = nobody
Nobody-Group = nogroup

Your smb.conf should include these critical parameters:


[global]
   workgroup = EXAMPLE
   security = ads
   realm = EXAMPLE.COM
   idmap config * : backend = tdb
   idmap config * : range = 2000-9999
   idmap config EXAMPLE : backend = rid
   idmap config EXAMPLE : range = 10000-99999
   winbind use default domain = yes
   winbind offline logon = yes
   template homedir = /home/%U
   template shell = /bin/bash

For users accessing via NFS without prior SMB authentication, you'll need to ensure the mapping exists beforehand. This can be achieved by:


# Pre-create mappings for all users
wbinfo --user-info DOMAIN\\username
getent passwd DOMAIN\\username

Verify your setup with these commands:


# Check AD user resolution
getent passwd ADUSERNAME

# Verify NFS ID mapping: show the effective NFSv4 domain and the cached id keys
# (nfsidmap -u would revoke a user's key rather than display it)
nfsidmap -d
nfsidmap -l

# Test Samba resolution
wbinfo -n DOMAIN\\username

Remember to restart all relevant services after configuration changes:


systemctl restart sssd winbind smbd nmbd nfs-server

For large AD environments, consider these optimizations:

  • Enable SSSD caching for faster lookups
  • Adjust winbind cache time in smb.conf to control how long winbind caches lookups
  • Configure the nfsidmap cache size in /etc/sysconfig/nfs

When integrating NFS and Samba services with Active Directory authentication, the fundamental issue is maintaining consistent UID/GID mappings across protocols. Winbind dynamically assigns Unix UIDs to AD users, but these mappings must be:

  • Identical on server and all NFS clients
  • Persistent across reboots
  • Accessible without prior SMB authentication

The most robust approach combines these components:

# Essential packages for Debian/Ubuntu:
sudo apt-get install winbind libnss-winbind libpam-winbind samba nfs-kernel-server

Modify /etc/samba/smb.conf:

[global]
   workgroup = DOMAIN
   security = ads
   realm = DOMAIN.COM
   idmap config * : backend = tdb
   idmap config * : range = 10000-20000
   idmap config DOMAIN : backend = rid
   idmap config DOMAIN : range = 500000-1000000
   winbind use default domain = yes
   winbind offline logon = yes
   winbind enum users = yes
   winbind enum groups = yes

Configure /etc/exports with these critical parameters:

# Do not use all_squash on a home directory export: it maps every client user to
# anonuid/anongid and defeats the per-user ownership the ID mapping is meant to give.
/home  *(rw,async,no_subtree_check,root_squash,anonuid=65534,anongid=65534,sec=sys:krb5p)

Create a synchronization script (/usr/local/bin/sync_ids.sh):

#!/bin/bash
# Generate passwd(5)/group(5)-style mapping files for NFS clients.
# wbinfo -i prints a passwd-style line for a user and wbinfo --group-info a
# group-style line, so no manual SID-to-ID arithmetic is needed.
# Truncate first so repeated runs do not accumulate duplicate entries.
: > /etc/passwd.ad
: > /etc/group.ad
wbinfo -u | while read -r user; do
  wbinfo -i "$user" >> /etc/passwd.ad
done
wbinfo -g | while read -r group; do
  wbinfo --group-info "$group" >> /etc/group.ad
done

# Distribute to NFS clients via rsync
rsync -az /etc/passwd.ad /etc/group.ad nfs-client:/etc/
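Generating and copying the files is only half the job; the mapping must actually be identical on the server and every client before NFS ownership makes sense. The script below is an added example (not from the original post): it derives the UID the rid backend will assign from a SID, and reports users whose UID/GID differ between two passwd-style snapshots, or who are missing on the client. The snapshots are constructed inline; in practice you would compare the server's /etc/passwd.ad against a client's copy or the client's own getent output. It assumes the rid range starts at 10000, as in the first smb.conf above; set RID_BASE to your own range.

```bash
#!/bin/bash
# Added example (not from the original post): check that the UIDs/GIDs winbind
# assigns on the server match what NFS clients present, using constructed
# passwd-style snapshots like the ones sync_ids.sh distributes (no AD needed).
# Assumes "idmap config DOMAIN : backend = rid" with range 10000-99999.

RID_BASE=10000   # low end of the rid range in smb.conf (assumed)

# rid_to_uid SID: the rid backend maps a SID to RID_BASE + RID, so any host with
# the same smb.conf range derives the same UID without consulting the server.
rid_to_uid() {
  rid=${1##*-}                     # RID is the last dash-separated SID field
  printf '%d\n' $(( RID_BASE + rid ))
}

# compare_ids SERVER_FILE CLIENT_FILE: one line per user whose UID or GID differs
# between the two passwd-style files, or who is missing on the client side.
compare_ids() {
  server=$1; client=$2
  while IFS=: read -r user pw uid gid rest; do
    cline=$(awk -F: -v u="$user" '$1 == u { print $3 ":" $4 }' "$client")
    if [ -z "$cline" ]; then
      printf 'MISSING %s (server uid=%s gid=%s)\n' "$user" "$uid" "$gid"
      continue
    fi
    cuid=${cline%%:*}; cgid=${cline##*:}
    if [ "$uid" != "$cuid" ] || [ "$gid" != "$cgid" ]; then
      printf 'MISMATCH %s server=%s:%s client=%s:%s\n' \
        "$user" "$uid" "$gid" "$cuid" "$cgid"
    fi
  done < "$server"
}

# write_samples DIR: constructed snapshots. bob's client UID came from a local
# tdb allocation rather than the rid backend; carol was never resolved there.
write_samples() {
  cat > "$1/passwd.server" <<'EOF'
alice:x:11104:10513::/home/alice:/bin/bash
bob:x:11105:10513::/home/bob:/bin/bash
carol:x:11106:10513::/home/carol:/bin/bash
EOF
  cat > "$1/passwd.client" <<'EOF'
alice:x:11104:10513::/home/alice:/bin/bash
bob:x:2001:10513::/home/bob:/bin/bash
EOF
}

# Usage: d=$(mktemp -d); write_samples "$d"; compare_ids "$d/passwd.server" "$d/passwd.client"
```

A MISMATCH line means a client allocated its own ID (typically from the `*` tdb range) instead of deriving the rid-based one, so files will show up under the wrong owner on that client.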

Edit /etc/nsswitch.conf to include winbind:

passwd:         compat winbind
group:          compat winbind
shadow:         compat

To enable NFS access without prior SMB login, implement this cron job:

#!/bin/sh
# /etc/cron.daily/aduser-sync
/usr/bin/getent passwd > /var/lib/nfs/passwd
/usr/bin/getent group > /var/lib/nfs/group
/usr/sbin/exportfs -ra

Test the setup with these commands:

# Verify AD user mapping
wbinfo -u
wbinfo --user-info DOMAIN\\user

# Check NFS exports
showmount -e

# Test client access
sudo mount -t nfs4 server:/home /mnt
ls -l /mnt/user

If anything fails, start with these checks:

  • Check winbindd logs in /var/log/samba/log.winbindd
  • Verify time synchronization with AD (critical for Kerberos)
  • Test basic winbind functionality with wbinfo -u before NFS setup