NFS, AD, AutoFS

Here's my challenge. I have a RedHat7 machine running a statistical software package. It needs to NFS-mount directories from a Windows 2008R2 machine. The RH7 machine uses MSAD (Microsoft Active Directory) to handle authentication of people connecting via SSH. AD is on a separate 2008R2 machine. There are no local users (other than the normal ones) on the RH7 machine...all users are defined in AD. Users can log in and an "id -a username" shows their expected UID/GID/etc. Autofs is set up on the RH7 machine so when a user logs in, it automatically mounts his/her home directory from the 2008R2 machine.

Simple as rain, as the oracle said. However, when a user logs into the RH7 machine, autofs successfully mounts the home directory (no errors with autofs logging set to debugging), but the user and group of the home directory are always set to anonymous (4294967294) instead of the user's UID and GID.

Anyone have any ideas?

Windows NFS users map to anonymous. This is a Windows feature.

This has a discussion of 'Advanced Mapping'; it shows how to get pete_johnson (Windows) mapped to petej on UNIX.

I think, but do not know for sure, that this is controllable from the windows side. This article seems to think so.

The problem with that MS link is that it never mentions the use of Active Directory. The Win2008R2 documentation says it can use either mapping or ADDS (or even AD lightweight LDAP).

Interestingly, I have a RH7 machine that uses the same AD stuff for authentication. It mounts NFS shares from a Solaris 10 machine (using NFSv3), and everything works just fine. All of the shares, etc., are given the proper permissions.

UNIX SERVICES for Windows is the cause of the problem. NFS plays fair when you do UNIX->UNIX.

I have had somewhat similar problems with Solaris & Windows before, about 2010. The Windows admins eventually found a solution; I was not privy to it. It did involve only Windows.

What Jim said, plus there is a mapping correlation between *nix and Windows.

The permissions on the 2008R2\AD need to be set to allow *nix (probably root access from NFS, or whatever mapping is done) to read/write to that folder.

I had a similar problem a few years ago; I was getting the same thing. Once Windows permissions were set to allow *nix to r+w, the folder was no longer anon; it was seen correctly.

So this is definitely on the Windows 2008R2\AD side, but every environment is different, so it's difficult to say "make sure folder XXX has rights".

You will also run into problems with Windows techs (they don't understand *nix/Windows mapping in NFS), so they may push back and say "permissions are set correctly", which may be true, to a POINT, but they just need to allow root access or anonymous access (for NFS) to those folders as well.

This is an EASY fix, just not easy to describe the steps and folders that need to change.

The solution is probably extending Windows AD schema with UNIX attributes for all the users connecting.

Take a look at this article:

Hope this helps
Regards
Peasant.
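A small diagnostic for the symptom described in this thread (an automounted NFS home directory owned by the anonymous UID 4294967294 rather than the login user's UID), added here as an illustration and not posted by anyone in the thread. It reads /proc/mounts, stats each NFS mountpoint, and reports whether the owner is the expected UID, an anonymous UID, another known account, or a UID the client cannot resolve at all (which points at an idmap/AD attribute problem). The set of anonymous UIDs (4294967294 from the thread, plus 65534 for the usual Linux nobody) is an assumption you may need to adjust for your environment.

```python
#!/usr/bin/env python3
"""Report NFS mounts whose owner is an anonymous UID instead of the login user."""
import os
import pwd

# Assumed anonymous identities: 4294967294 (2^32-2, the value seen in the
# thread for Windows NFS) and 65534 (the usual Linux "nobody" account).
ANON_UIDS = {4294967294, 65534}


def parse_nfs_mounts(proc_mounts_text):
    """Return (mountpoint, fstype) pairs for NFS entries in /proc/mounts format."""
    mounts = []
    for line in proc_mounts_text.splitlines():
        fields = line.split()
        if len(fields) >= 3 and fields[2] in ("nfs", "nfs4"):
            # /proc/mounts escapes spaces in paths as \040
            mounts.append((fields[1].replace("\\040", " "), fields[2]))
    return mounts


def classify_owner(owner_uid, expected_uid, resolve=pwd.getpwuid):
    """Describe how a directory's owner relates to the expected login UID."""
    if owner_uid == expected_uid:
        return "ok"
    if owner_uid in ANON_UIDS:
        return "anonymous"  # server squashed the caller: mapping problem
    try:
        resolve(owner_uid)
        return "other-user"  # mapped, but to a different known account
    except KeyError:
        return "unknown-uid"  # client cannot resolve it: idmap/AD attributes


def check_mounts(proc_mounts_text, expected_uid, stat=os.stat):
    """Map each NFS mountpoint to a verdict; stat is injectable for testing."""
    results = {}
    for mountpoint, _fstype in parse_nfs_mounts(proc_mounts_text):
        try:
            owner = stat(mountpoint).st_uid
        except OSError as exc:
            results[mountpoint] = "error: " + (exc.strerror or str(exc))
            continue
        results[mountpoint] = classify_owner(owner, expected_uid)
    return results


if __name__ == "__main__":
    with open("/proc/mounts") as fh:
        for path, verdict in check_mounts(fh.read(), os.getuid()).items():
            print(f"{path}: {verdict}")
```

Run it as the affected user after logging in via SSH so that autofs has already mounted the home directory.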