Keeping the same UIDs/GIDs across SoftNAS and Linux Clients
Symptoms
SoftNAS utilizes the winbindd service to integrate with Active Directory (AD), leveraging a specific idmap backend and idmap range. However, customers seeking to maintain consistent UIDs/GIDs across their systems may not always have the option to use winbindd. This is particularly true for those client systems that are already joined to AD using the SSSD service.
Purpose
This article guides our customers on how to maintain consistent UID/GID mappings while continuing to use the winbindd service on their SoftNAS systems and simultaneously leveraging the SSSD service on their Linux client machines. This balance enables seamless integration with Active Directory across diverse environments, ensuring a robust and harmonious infrastructure.
Prerequisites
SoftNAS
AD
SoftNAS is joined to AD
Configuring the Linux Clients with SSSD
Install the following packages on the Linux client(s) if not already installed:
# yum -y install oddjob oddjob-mkhomedir adcli sssd realmd krb5-workstation samba-common-tools pam.x86_64 pam_krb5.x86_64
Edit your /etc/resolv.conf file to point to your AD’s IP.
Example: nameserver 10.0.1.137
Restart realmd and dbus with the commands below:
# systemctl restart dbus
# systemctl restart realmd
Join the system to AD with the syntax below. Substitute as needed.
# realm join --user=<domain-admin-user> EXAMPLE.COM
Edit the /etc/sssd/sssd.conf file and add the lines below after the last line of that file.
###############################
ldap_idmap_autorid_compat = True
use_fully_qualified_names = False
ldap_idmap_range_min = 4000001
ldap_idmap_range_max = 357000000
Stop the sssd daemon, flush the cache and restart it again.
# systemctl stop sssd
# sss_cache -E
# rm -rf /var/lib/sss/db/*
# systemctl start sssd
Enable the SSSD service to start up at reboot.
# systemctl enable sssd
Now you can test using the command below. NOTE: you’ll need to provide your FQDN together with your username. However, if you don’t want to use that, you can proceed to step #9.
# id username@your-domain
Edit your /etc/sssd/sssd.conf file again and change the line below:
Change this: use_fully_qualified_names = true
To this: use_fully_qualified_names = false
Then run:
# id <username>
Run the commands below from SoftNAS and the Linux client(s) to compare.
From SoftNAS:
# wbinfo --group-info SOFTNAS/"domain admins"
# wbinfo --group-info SOFTNAS/"domain users"
From Linux Client using SSSD:
# getent group "domain admins"
# getent group "domain users"
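The comparison in the last step can be scripted so that a mismatched GID is reported instead of being read off two terminals by eye. The following is an added example, not part of the original article or of SoftNAS tooling; it assumes both commands print group(5)-style records (name:passwd:gid:members), and the sample records in it are constructed.

```sh
#!/bin/sh
# Added example: compare group GIDs reported by SoftNAS (wbinfo --group-info)
# with those reported by an SSSD client (getent group). Both are assumed to
# print group(5)-style records: name:passwd:gid:members

# Constructed sample output, not captured from a real system.
SOFTNAS_OUT='SOFTNAS/domain admins:x:4000512:
SOFTNAS/domain users:x:4000513:'
CLIENT_OUT='domain admins:*:4000512:administrator
domain users:*:4000999:'

# Reduce each record to "name:gid": drop any DOMAIN/ or DOMAIN\ prefix and
# lowercase the name so both sides use the same key.
normalize() {
    tr '\\' '/' | awk -F: 'NF >= 3 {
        name = tolower($1)
        sub(/^.*\//, "", name)
        print name ":" $3
    }'
}

# compare_gids SOFTNAS_RECORDS CLIENT_RECORDS
# Prints one line per SoftNAS group; returns 1 if any GID is missing or differs.
compare_gids() {
    {
        printf '%s\n' "$1" | normalize | sed 's/^/S:/'
        printf '%s\n' "$2" | normalize | sed 's/^/C:/'
    } | awk -F: '
        $1 == "S" { nas[$2] = $3 }
        $1 == "C" { cli[$2] = $3 }
        END {
            for (g in nas) {
                if (!(g in cli)) {
                    printf "MISSING  %s (SoftNAS gid %s)\n", g, nas[g]; bad = 1
                } else if (cli[g] != nas[g]) {
                    printf "MISMATCH %s SoftNAS=%s client=%s\n", g, nas[g], cli[g]; bad = 1
                } else {
                    printf "OK       %s gid=%s\n", g, nas[g]
                }
            }
            exit bad + 0
        }'
}

compare_gids "$SOFTNAS_OUT" "$CLIENT_OUT" || echo "UID/GID mappings differ"
```

In practice, save the output of the wbinfo and getent commands on each host and pass the two captures as the first and second argument in place of the sample variables.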