NFS home and Active Directory authentication malfunction

Asked by Baan Bapat on 2008-01-09

I am trying to set up a network of Ubuntu 7.10 (Linux Ubuntu 2.6.22-14-generic #1 SMP Tue Dec 18 08:02:57 UTC 2007 i686 GNU/Linux) machines in a predominantly Windows environment. So we decided to have Active Directory authentication. Another objective is to make the machines user independent (so that users can sit on any of the Linux machines and access the same home directory). In order to achieve this we decided to use an NFS server to hold the home directories for all the users.

We followed ActiveDirectoryWinbindHowto - Community Ubuntu Documentation for setting up ADS authentication on both the server and the client machines. It works smoothly, no issues there.

Next we set up the server for NFS. The server is Edubuntu 7.10, since we need this machine to act as an LTSP server for some other users as well. The NFS sharing has been done in the usual NFSv3 manner:

/etc/exports has the entry:
/home/domain <iprange>(rw,sec=krb5,async,no_subtree_check,no_root_squash)

And on the client side the /etc/fstab reads:
server:/home/domain /home/domain nfs defaults 0 0

The mounting happens correctly, with no issues. However, two things happen:

(a) Not all domain users succeed in logging into the clients. Some get an error about .dmrc ownership etc., while others can log in correctly. However, the users who cannot log in on the clients can log into the server directly without any .dmrc or home directory ownership errors.
(b) On checking the directory listing of /home/domain on the client, the home directories of the users who cannot log in appear to be owned by strange user names like "krbtgt, iuser_002, administrator". The same directory listing on the server shows the correct ownership.

Can someone guide me?

Question information

Language: English
Status: Solved
For: Ubuntu
Assignee: No assignee
Solved by: Dennis Krul
Solved: 2008-01-15
Last query: 2008-01-15
Last reply: 2008-01-11

Dennis Krul said : #1

It probably has something to do with UID conflicts. You should make sure every user has a unique UID that doesn't exist on the local system, because it should grab the UID from the AD tree: /etc/nsswitch.conf (on both the client and the server) should be configured to use winbind (or optionally ldap, but that requires a more complex setup and doesn't support nested groups).

AD doesn't have support for POSIX accounts by default. So I'm wondering:

- Did you extend the AD schema to provide for POSIX account support? And if so: Do all users have a unique UID and a correct homedirectory and shell in their AD account?
- Or do you use the RID mapping 'hack' to determine a unique ID based on the AD UUID? And if so: How did you configure the UID range (the lowest one should be higher than the highest possible UID on the local system; I recommend at least 65536)? You should be aware that with such a setup it is not possible to authenticate to more than one AD domain, because of the way Samba determines the UIDs they might potentially not be unique. Domain trusts will not work if you take this route.
- If you use a different setup please give more details.

Good luck.

Baan Bapat (baanbapat) said : #2

I am sorry, I am not quite sure of the POSIX part, but I understand that the AD schema has not been extended. Neither do I really understand the UUID mapping you have referred to. I tried increasing the UID range to no benefit.

Could you guide me on RID mapping hack? Is there any way I could export the UUID-User name mapping from AD? I can see the UIDs & GIDs from the getent passwd output. Then I could compare the two.

Your understanding of our requirement is correct; we have only one ADS (no domain trust).

Dennis Krul said : #3

You have the POSIX schema extension if you have a POSIX tab in the account properties window.

If you don't have that, I suggest you use RID mapping; you should have something like this in your smb.conf:

idmap backend = idmap_rid:YOURDOMAIN=70000-1000000
idmap uid = 70000-1000000
idmap gid = 70000-1000000
winbind use default domain = yes
security = ADS

This configuration needs to be the same at both the server and the client.

If you configured winbind correctly the output from 'getent passwd' should be the same on both sides.

If you still can't figure it out, please post your smb.conf and nsswitch.conf (without the commented sections), so I can help debugging your problem.
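An added check (example code, not from the thread or from Samba) for the comparison Dennis describes: it parses getent passwd output captured from both hosts, reports UID conflicts, domain users whose UID falls outside the configured idmap range, and users whose uid/gid differ between server and client. All passwd lines are constructed; rid_to_uid assumes idmap_rid's default base rid of 0.

```python
# Added example, not from the thread: sanity checks for winbind identity mapping
# over `getent passwd` output captured from the NFS server and an NFS client.
# Passwd lines are constructed; 70000-1000000 is the thread's smb.conf range.
IDMAP_LOW, IDMAP_HIGH = 70000, 1000000
DOMAIN_HOME = "/home/domain/"   # the thread's NFS home export

# Server maps with idmap_rid; the client still hands out ids from 1000 on first
# lookup, so alice differs and iuser_002 collides with the local user student.
SERVER_PASSWD = """\
student:x:1001:1001:Student:/home/student:/bin/bash
alice:x:71104:70513:Alice:/home/domain/alice:/bin/bash
bob:x:71105:70513:Bob:/home/domain/bob:/bin/bash
iuser_002:x:71107:70513:IUSR:/home/domain/iuser_002:/bin/false
"""
CLIENT_PASSWD = """\
student:x:1001:1001:Student:/home/student:/bin/bash
iuser_002:x:1001:1000:IUSR:/home/domain/iuser_002:/bin/false
alice:x:10002:10000:Alice:/home/domain/alice:/bin/bash
bob:x:71105:70513:Bob:/home/domain/bob:/bin/bash
"""

def parse_passwd(text):
    """Map user name -> (uid, gid, home) from passwd-format lines."""
    users = {}
    for line in text.splitlines():
        if line.strip() and not line.startswith("#"):
            name, _pw, uid, gid, _gecos, home, _shell = line.split(":")
            users[name] = (int(uid), int(gid), home)
    return users

def rid_to_uid(rid, low=IDMAP_LOW):
    """idmap_rid arithmetic with the default base rid of 0: uid = low + rid."""
    return low + rid

def duplicate_uids(users):
    """UID conflicts: one numeric id resolving to several names on one host."""
    by_uid = {}
    for name, (uid, _gid, _home) in users.items():
        by_uid.setdefault(uid, []).append(name)
    return {uid: names for uid, names in by_uid.items() if len(names) > 1}

def domain_users_outside_range(users, low=IDMAP_LOW, high=IDMAP_HIGH):
    """Domain accounts (home under the export) whose uid is outside the idmap range."""
    return [name for name, (uid, _gid, home) in users.items()
            if home.startswith(DOMAIN_HOME) and not low <= uid <= high]

def compare_hosts(server, client):
    """Names whose uid/gid differ between hosts: what breaks NFS home ownership."""
    return {name: ((uid, gid), client[name][:2]) for name, (uid, gid, _h) in server.items()
            if name in client and client[name][:2] != (uid, gid)}
```

Any name reported by compare_hosts is a user whose NFS home directory will show up under a different owner on the client, which is the symptom described in the question.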

Baan Bapat (baanbapat) said : #4

Thanks Dennis Krul, that solved my question.

Baan Bapat (baanbapat) said : #5

I checked. We do not have POSIX schema extension enabled.

The problem was with the way different machines/installations were mapping UUIDs to UIDs. Adding the line

idmap backend = idmap_rid:YOURDOMAIN=70000-1000000

to smb.conf worked. I have tested logging in between 1 server and 1 PC. It is working. I have compared the output of getent passwd from the two machines and they are identical, so that should be it.

Thanks Dennis for your support.

Baan Bapat (baanbapat) said : #6


By the way, can the community page https://help.ubuntu.com/community/ActiveDirectoryWinbindHowto be updated for this?

Dennis Krul said : #7

You're welcome ;)

Feel free to update the community page, I'm not going to do it.

stratok (stratoka) said : #8

Hi,
I have some problems in the server-side configuration. The client works well and assigns UIDs from 70000.
I added these lines:

idmap backend = idmap_rid:YOURDOMAIN=70000-1000000
idmap uid = 70000-1000000
idmap gid = 70000-1000000
winbind use default domain = yes
security = ADS

in the server-side smb.conf, but all the old users (I tried to add a new user with no result) are mapped from 1000.
Can someone help me?