Many cloud environments use a hybrid of Windows and Linux servers for their hosted applications. Keeping ownership consistent between Windows Active Directory/NIS and Linux NFS is vital for security and for the operation of applications that depend on correct file user and group ownership.
SoftNAS uses Sernet Samba to provide CIFS and Active Directory integration. SoftNAS can also sync these permissions and file ownerships to NFSv4 clients running Linux-based operating systems.
In this guide, we provide step-by-step instructions for configuring an existing Windows 2008/2008R2/2012/2012R2/2016 Active Directory with NIS server to sync users/UID and groups/GID to the SoftNAS Samba CIFS shares. These permissions will also sync to NFSv4 Linux clients that are joined to the Domain/NIS.
1) SoftNAS must already be joined to Active Directory by following the instructions provided by the wizard in the SoftNAS UI → Volumes and LUNs → Active Directory Wizard.
2) The user and group IDs must be within the range configured in the smb.conf for this domain. Our example /etc/samba/smb.conf has added the following two lines:
idmap config SOFTNAS0:backend = ad
idmap config SOFTNAS0:range = 10000-70000
3) Each user's primary group, for example Domain Users, must have the gidNumber attribute set. Otherwise Winbind is not able to list domain users.
4) Users must have at least the uidNumber and the gidNumber attribute set. When using the RFC2307 winbind NSS info mode (SoftNAS uses this by default), user accounts must also have the loginShell, unixHomeDirectory and primaryGroupID set.
9) The above command shows that the user's information is synced and that we have the correct GID setting for the domain users. All users in that group can now sync to SoftNAS once the UID is set, as explained in Step 4.
10) We can now test by changing the ownership of the files:
-rw-r--r-- 1 SOFTNAS0/kash SOFTNAS0/domain users 0 Dec 19 11:49 testfile
The NFSv4 clients can use AD or rpc.idmapd to sync NFSv4 files; however, the /etc/passwd and /etc/group files must contain entries that resemble the output of the 'getent passwd' and 'getent group' commands used to check UIDs and GIDs in previous steps.
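The range requirement in step 2 can be checked against entries in the format that 'getent passwd' prints, which is also the format the NFSv4 clients' /etc/passwd must carry. The script below is an added example, not SoftNAS code; the function names and the sample accounts are constructed for illustration.

```shell
#!/bin/sh
# Added example, not SoftNAS code. Checks passwd-format lines (the format
# printed by `getent passwd`) against the idmap range set in smb.conf.

# idmap_range <smb.conf> <DOMAIN>: print "LOW HIGH", fail if not configured.
idmap_range() {
    want="idmapconfig$(printf %s "$2" | tr 'A-Z' 'a-z'):range"
    awk -v want="$want" '
        /^[ \t]*[#;]/ { next }                      # comment lines
        {
            n = index($0, "="); if (!n) next
            k = tolower(substr($0, 1, n - 1)); gsub(/[ \t]/, "", k)
            if (k != want) next                     # Samba ignores case/spaces in names
            v = substr($0, n + 1); gsub(/[ \t]/, "", v)
            split(v, r, "-"); print r[1], r[2]; found = 1; exit
        }
        END { exit !found }' "$1"
}

# check_ids <smb.conf> <DOMAIN> < passwd-lines
# Prints each account whose UID or GID falls outside the range.
# Exit status: 0 all in range, 1 at least one outside, 2 no range configured.
check_ids() (
    range=$(idmap_range "$1" "$2") || { echo "no idmap range for $2" >&2; exit 2; }
    awk -F: -v lo="${range% *}" -v hi="${range#* }" '
        NF < 4 { next }
        $3 !~ /^[0-9]+$/ || $4 !~ /^[0-9]+$/ { print "BAD " $1; bad = 1; next }
        $3 + 0 < lo + 0 || $3 + 0 > hi + 0 { print "RANGE " $1 " uid=" $3; bad = 1 }
        $4 + 0 < lo + 0 || $4 + 0 > hi + 0 { print "RANGE " $1 " gid=" $4; bad = 1 }
        END { exit bad + 0 }'
)

# Constructed sample: the two smb.conf lines from step 2 and made-up accounts.
sample_conf() {
    printf '%s\n' '[global]' \
        'idmap config SOFTNAS0:backend = ad' \
        'idmap config SOFTNAS0:range = 10000-70000'
}
sample_passwd() {
    printf '%s\n' \
        'SOFTNAS0/kash:*:10001:10000:kash:/home/SOFTNAS0/kash:/bin/bash' \
        'SOFTNAS0/legacy:*:1001:10000:legacy:/home/SOFTNAS0/legacy:/bin/bash' \
        'SOFTNAS0/nogid:*:10002:513:nogid:/home/SOFTNAS0/nogid:/bin/bash'
}

conf=$(mktemp) && sample_conf > "$conf"
sample_passwd | check_ids "$conf" SOFTNAS0 || echo "exit status $?"
rm -f "$conf"
```

On a joined system the same check runs as: getent passwd | check_ids /etc/samba/smb.conf SOFTNAS0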