Keeping the same UIDs/GIDs across SoftNAS and Linux Clients

Symptoms

SoftNAS utilizes the winbindd service to integrate with Active Directory (AD), leveraging a specific idmap backend and idmap range. However, customers seeking to maintain consistent UIDs/GIDs across their systems may not always have the option to use winbindd. This is particularly true for those client systems that are already joined to AD using the SSSD service.

Purpose

This article shows how to keep UID/GID mappings consistent while continuing to use the winbindd service on SoftNAS and the SSSD service on the Linux client machines. The SSSD idmap range on the clients is aligned with the winbindd idmap range on SoftNAS so that both resolve the same AD user or group to the same numeric ID, which is what keeps file ownership and permissions on shared storage consistent across the environment.

Prerequisites

  1. SoftNAS

  2. AD

  3. SoftNAS is joined to AD

Configuring the Linux Clients with SSSD

  1. Install the following packages on the Linux client(s) if they are not already installed:
    # yum -y install oddjob oddjob-mkhomedir adcli sssd realmd krb5-workstation samba-common-tools pam.x86_64 pam_krb5.x86_64

  2. Edit your /etc/resolv.conf file so that it points to your AD domain controller's IP address.
    Example: nameserver 10.0.1.137

  3. Restart realmd and dbus with the commands below:
    # systemctl restart dbus
    # systemctl restart realmd

  4. Join the system to AD with the syntax below, substituting your domain admin user and your domain name:
    # realm join --user=<domain-admin-user> EXAMPLE.COM

  5. Edit the /etc/sssd/sssd.conf file and add the lines below after the last line of that file.
    ###############################
    ldap_idmap_autorid_compat = True
    use_fully_qualified_names = False
    ldap_idmap_range_min = 4000001
    ldap_idmap_range_max = 357000000

  6. Stop the sssd daemon, flush its cache, and start it again:
    # systemctl stop sssd
    # sss_cache -E
    # rm -rf /var/lib/sss/db/*
    # systemctl start sssd

  7. Enable the SSSD service so that it starts at boot:
    # systemctl enable sssd

  8. Now you can test using the command below. NOTE: you will need to provide your FQDN together with your username. If you do not want to use fully qualified names, proceed to step 9.
    # id username@your-domain

  9. Edit your /etc/sssd/sssd.conf file again and change the line below:
    from: use_fully_qualified_names = true
    to:   use_fully_qualified_names = false
    Then run:
    # id <username>

  10. Run the commands below on SoftNAS and on the Linux client(s) and compare the GIDs they return.
    From SoftNAS (winbindd):
    # wbinfo --group-info SOFTNAS/"domain admins"
    # wbinfo --group-info SOFTNAS/"domain users"

    From the Linux client using SSSD:
    # getent group "domain admins"
    # getent group "domain users"
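The comparison in step 10 is easy to get wrong by eye when the GIDs are seven-digit numbers, so the script below automates it. It is an added example, not SoftNAS tooling: it takes one line of `wbinfo --group-info` output (from SoftNAS) and one line of `getent group` output (from the client), both in the usual group(5) `name:x:gid:members` layout, strips the `SOFTNAS\` or `SOFTNAS/` domain prefix that wbinfo adds, checks that the client's GID falls inside the `ldap_idmap_range_min`/`ldap_idmap_range_max` range configured in step 5, and reports whether the two sides agree. The sample lines at the bottom are constructed so the script runs offline; on a real system pipe in the actual command output instead.

```shell
#!/bin/sh
# Added example (not SoftNAS's own code): compare the GID winbindd on SoftNAS
# reports for an AD group with the GID SSSD on a Linux client reports.
# Input lines are in group(5) format, e.g. "SOFTNAS\domain users:x:4000513:".

# Range copied from the sssd.conf lines in step 5 of the article.
IDMAP_MIN=4000001
IDMAP_MAX=357000000

# gid_of LINE : print the third colon-separated field (the numeric GID).
gid_of() {
    printf '%s\n' "$1" | cut -d: -f3
}

# name_of LINE : print the group name, with any "DOMAIN\" or "DOMAIN/" prefix
# removed and lower-cased, so "SOFTNAS\Domain Admins" equals "domain admins".
name_of() {
    printf '%s\n' "$1" | cut -d: -f1 | sed 's#^[^\\/]*[\\/]##' | tr 'A-Z' 'a-z'
}

# in_range GID : succeed when GID lies inside the configured SSSD idmap range.
in_range() {
    [ "$1" -ge "$IDMAP_MIN" ] && [ "$1" -le "$IDMAP_MAX" ]
}

# compare_group WBINFO_LINE GETENT_LINE
# Prints one status line and returns:
#   0  OK            both sides map the group to the same GID
#   1  MISMATCH      same group, different GID (idmap ranges disagree)
#   2  OUT_OF_RANGE  client GID is outside the step-5 range (sssd.conf not applied)
#   3  NAME_MISMATCH the two lines are not for the same group
compare_group() {
    wb_name=$(name_of "$1"); wb_gid=$(gid_of "$1")
    ss_name=$(name_of "$2"); ss_gid=$(gid_of "$2")
    if [ "$wb_name" != "$ss_name" ]; then
        echo "NAME_MISMATCH softnas='$wb_name' client='$ss_name'"; return 3
    fi
    if ! in_range "$ss_gid"; then
        echo "OUT_OF_RANGE $ss_name client=$ss_gid (expected $IDMAP_MIN-$IDMAP_MAX)"; return 2
    fi
    if [ "$wb_gid" != "$ss_gid" ]; then
        echo "MISMATCH $wb_name softnas=$wb_gid client=$ss_gid"; return 1
    fi
    echo "OK $wb_name $wb_gid"; return 0
}

# Constructed sample output (not captured from a real system). The GID values
# are placeholders inside the step-5 range.
SOFTNAS_DOMAIN_USERS='SOFTNAS\domain users:x:4000513:'
CLIENT_DOMAIN_USERS='domain users:x:4000513:alice,bob'
CLIENT_STALE_CACHE='domain users:x:10513:alice,bob'   # GID from before sssd.conf was edited

# On a live system replace the constants with, for example:
#   compare_group "$(wbinfo --group-info 'SOFTNAS/domain users')" "$(getent group 'domain users')"
compare_group "$SOFTNAS_DOMAIN_USERS" "$CLIENT_DOMAIN_USERS"
compare_group "$SOFTNAS_DOMAIN_USERS" "$CLIENT_STALE_CACHE" || true
```

An `OUT_OF_RANGE` result on the client usually means the step-5 lines were not picked up (wrong file section, or the cache from step 6 was not flushed); a `MISMATCH` with an in-range GID means the SSSD range does not line up with the winbindd range on SoftNAS, and file ownership will diverge until the ranges agree.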