Mapping AD UIDs to Posix UIDs for NFS

I'm currently playing around with the AD provider in SSSD. It works so far, but I'm not able to access the NFS home directories. And I'm not sure if I have to change the idmapper or the sssd to get this working.

Querying the user on the RHEL7.2 machine with AD provider:

id foo
uid=1143559114(foo) gid=1143400513(domain users) Gruppen=1143494635(mail_admin),1143495559(app.mailin.datacenter.km),1143495849(app.mailin.datacenter.fullaccess),…

The home directory gets mounted to:

rhtest99:/home/AD # ls -aln
insgesamt 4
drwxr-xr-x   3          0   0    0 19. Okt 11:49 .
drwxr-xr-x.  3          0   0   15 18. Okt 16:40 ..
drwx------  48 1143559114 100 4096 19. Okt 11:28 foo

Looks nice so far. Unfortunately user foo can't access the home directory due to an "Access denied" error. This is logical on the other hand. The export on the NFS server looks like:

nfsserver:/srv/export/home/AD # ls -alnd foo/
drwx------ 48 22684 users 4096 19. Okt 11:52 foo/

22684 is the value of the uidNumber attribute from the AD user (uid=1143559114).

/etc/sssd/sssd.conf

[sssd]
services            = nss, pam, pac
config_file_version         = 2
domains             = example.com
debug_level             = 0

[nss]

[domain/example.com]
ad_domain                       = example.com
krb5_realm                      = EXAMPLE.COM
realm_tags                      = joined-with-adcli
cache_credentials               = True
id_provider                     = ad
krb5_store_password_if_offline  = True
default_shell                   = /bin/bash
use_fully_qualified_names       = False
fallback_homedir                = /home/AD/%u
auth_provider                   = ad
chpass_provider                 = none
access_provider                 = ad

idmapd.conf

[General]
Verbosity = 0
Pipefs-Directory = /var/lib/nfs/rpc_pipefs
Domain = example.com

[Mapping]
Nobody-User = nobody
Nobody-Group = nobody

[Translation]
Method = umich_ldap,nsswitch
GSS-Methods = umich_ldap

[UMICH_SCHEMA]
LDAP_server = dc01.example.com
LDAP_base = dc=example,dc=com

So I guess I should configure sssd to have as uid the uidNumber instead of the AD UID. How do I achieve this? Or what's the best practice to get NFS with Linux UIDs working together with an AD authentication?
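As an added illustration (not part of the original post), this is the SSSD-side change that makes the client use the POSIX attributes stored on the AD objects instead of the algorithmically derived IDs; the domain and realm names are taken from the config above, and it assumes uidNumber/gidNumber are populated on the AD user and group objects:

```ini
# /etc/sssd/sssd.conf - added example, not the original poster's config.
# Only the [domain/example.com] section is shown; the rest stays as above.
[domain/example.com]
ad_domain                       = example.com
krb5_realm                      = EXAMPLE.COM
realm_tags                      = joined-with-adcli
cache_credentials               = True
id_provider                     = ad
auth_provider                   = ad
chpass_provider                 = none
access_provider                 = ad
krb5_store_password_if_offline  = True
default_shell                   = /bin/bash
use_fully_qualified_names       = False
fallback_homedir                = /home/AD/%u

# Default (True) makes SSSD derive the UID (1143559114) from the objectSID
# and ignore uidNumber. With False, uid/gid come from the uidNumber and
# gidNumber attributes of the AD object (22684 for foo), so the numeric
# owner seen by the NFS server and the client match.
ldap_id_mapping                 = False
```

After changing this, cached entries still carry the old IDs, so clear the cache with `sss_cache -E` and restart sssd before re-checking `id foo`. Users whose AD objects lack uidNumber/gidNumber will no longer resolve at all, which is worth verifying before rolling the change out.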