I'm currently playing around with the AD provider in SSSD. It works so far, but I'm not able to access the NFS home directories. And I'm not sure if I have to change the idmapper or SSSD to get this working.
Querying the user on the RHEL 7.2 machine with the AD provider:
id foo
uid=1143559114(foo) gid=1143400513(domain users) groups=1143494635(mail_admin),1143495559(app.mailin.datacenter.km),1143495849(app.mailin.datacenter.fullaccess),…
The home directory gets mounted to:
rhtest99:/home/AD # ls -aln
total 4
drwxr-xr-x   3 0          0      0 Oct 19 11:49 .
drwxr-xr-x.  3 0          0     15 Oct 18 16:40 ..
drwx------  48 1143559114 100 4096 Oct 19 11:28 foo
Looks nice so far. Unfortunately user foo can't access the home directory due to an "Access denied" error. On the other hand, this is logical. The export on the NFS server looks like:
nfsserver:/srv/export/home/AD # ls -alnd foo/
drwx------ 48 22684 users 4096 Oct 19 11:52 foo/
22684 is the value of the uidNumber attribute of the AD user (uid=1143559114).
[sssd]
services = nss, pam, pac
config_file_version = 2
domains = example.com
debug_level = 0

[nss]

[domain/example.com]
ad_domain = example.com
krb5_realm = EXAMPLE.COM
realm_tags = joined-with-adcli
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
use_fully_qualified_names = False
fallback_homedir = /home/AD/%u
auth_provider = ad
chpass_provider = none
access_provider = ad
[General]
Verbosity = 0
Pipefs-Directory = /var/lib/nfs/rpc_pipefs
Domain = example.com

[Mapping]
Nobody-User = nobody
Nobody-Group = nobody

[Translation]
Method = umich_ldap,nsswitch
GSS-Methods = umich_ldap

[UMICH_SCHEMA]
LDAP_server = dc01.example.com
LDAP_base = dc=example,dc=com
So I guess I should configure SSSD to use uidNumber as the uid instead of the AD UID. How do I achieve this? Or what's the best practice to get NFS with Linux UIDs working together with AD authentication?
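The following is an added example by the editor, not code from the question or from the SSSD project. It does two things a practitioner would want to check before touching the NFS side: it confirms from the posted `id` output that the IDs are SSSD's algorithmic SID-to-ID mapping (every ID of a domain is `slice_base + RID`, with the slice derived from the documented `ldap_idmap_range_min` / `ldap_idmap_range_size` defaults of 200000 in sssd-ldap(5)), and it rewrites a copy of the posted `[domain/example.com]` section to set `ldap_id_mapping = False`, which is the option that makes the AD provider read `uidNumber`/`gidNumber` from AD instead of generating IDs. The `id` line and the config text embedded below are constructed copies of what the question shows (group list truncated, some options omitted).

```python
"""Check whether SSSD hands out algorithmic IDs, and switch it to uidNumber.

Example added by the editor; none of this is from the question or from the
SSSD project. Constants below are the documented sssd-ldap(5) defaults.
"""
import configparser
import io
import re

# sssd-ldap(5) defaults for the AD provider's algorithmic ID mapping.
IDMAP_RANGE_MIN = 200000    # ldap_idmap_range_min
IDMAP_RANGE_SIZE = 200000   # ldap_idmap_range_size
DOMAIN_USERS_RID = 513      # well-known RID of "Domain Users"

# Constructed copy of the `id foo` output from the question (list truncated).
ID_OUTPUT = (
    "uid=1143559114(foo) gid=1143400513(domain users) "
    "groups=1143494635(mail_admin),1143495559(app.mailin.datacenter.km),"
    "1143495849(app.mailin.datacenter.fullaccess)"
)

# Constructed copy of the posted sssd.conf (some options omitted).
SSSD_CONF = """\
[sssd]
services = nss, pam, pac
config_file_version = 2
domains = example.com

[domain/example.com]
ad_domain = example.com
krb5_realm = EXAMPLE.COM
id_provider = ad
auth_provider = ad
access_provider = ad
fallback_homedir = /home/AD/%u
"""


def parse_id_output(text):
    """Return (uid, gid, [supplementary gids]) from one line of `id` output."""
    uid = int(re.search(r"\buid=(\d+)", text).group(1))
    gid = int(re.search(r"\bgid=(\d+)", text).group(1))
    groups = [int(g) for g in re.findall(r"(\d+)\(", text.split("groups=", 1)[1])]
    return uid, gid, groups


def analyse_idmap(uid, gid, groups):
    """Decide whether these IDs come from SSSD's SID-to-ID mapping.

    With ldap_id_mapping on, each object gets slice_base + RID, where
    slice_base = IDMAP_RANGE_MIN + n * IDMAP_RANGE_SIZE for the domain's
    slice n.  The primary group is normally Domain Users (RID 513), which
    pins down slice_base; every other ID of the domain must then lie in
    [slice_base, slice_base + IDMAP_RANGE_SIZE).  A uidNumber assigned by
    hand (22684 in the question) does not pass this test.
    """
    slice_base = gid - DOMAIN_USERS_RID
    offset = slice_base - IDMAP_RANGE_MIN
    aligned = offset >= 0 and offset % IDMAP_RANGE_SIZE == 0
    in_slice = all(slice_base <= i < slice_base + IDMAP_RANGE_SIZE
                   for i in [uid, gid, *groups])
    algorithmic = aligned and in_slice
    return {
        "slice_base": slice_base,
        "slice_index": offset // IDMAP_RANGE_SIZE if aligned else None,
        "algorithmic": algorithmic,
        "user_rid": uid - slice_base if algorithmic else None,
    }


def _load(conf_text):
    # interpolation=None so that "%u" in fallback_homedir is left alone.
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str          # sssd option names are case-sensitive
    cp.read_string(conf_text)
    return cp


def uses_id_mapping(conf_text, domain):
    """True when SSSD will generate IDs instead of reading uidNumber/gidNumber.

    The AD provider defaults ldap_id_mapping to True; the plain LDAP
    provider defaults it to False.
    """
    sect = _load(conf_text)[f"domain/{domain}"]
    default = sect.get("id_provider") == "ad"
    return sect.getboolean("ldap_id_mapping", fallback=default)


def disable_id_mapping(conf_text, domain):
    """Return conf_text with ldap_id_mapping = False in the domain section."""
    cp = _load(conf_text)
    cp[f"domain/{domain}"]["ldap_id_mapping"] = "False"
    out = io.StringIO()
    cp.write(out)
    return out.getvalue()


if __name__ == "__main__":
    uid, gid, groups = parse_id_output(ID_OUTPUT)
    info = analyse_idmap(uid, gid, groups)
    print(f"slice base {info['slice_base']}, slice #{info['slice_index']}, "
          f"algorithmic={info['algorithmic']}, RID of foo={info['user_rid']}")
    print("ldap_id_mapping in effect:", uses_id_mapping(SSSD_CONF, "example.com"))
    print(disable_id_mapping(SSSD_CONF, "example.com"))
```

Two caveats when applying the change on the client: SSSD caches the old IDs, so after editing sssd.conf stop sssd, clear the cache (`sss_cache -E`, or remove the domain's cache file under /var/lib/sss/db/) and start it again; and with `ldap_id_mapping = False` every user and group you expect to resolve must carry a `uidNumber` / `gidNumber` in AD, since objects without them are no longer returned. The idmapd.conf shown in the question does not influence the permission check itself: with `sec=sys` the client sends numeric IDs in the RPC credentials, so the only thing that matters is that `id -u foo` on the client equals the owner of `/srv/export/home/AD/foo` on the server.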