Hi,
To centrally manage all credentials from Active Directory, we configured FreeIPA integration with Active Directory to authenticate users to IPA-joined Linux machines via SSSD using AD credentials.
The Linux machines have NFS shares mounted on their local filesystems which we use to work in a sharable way. We have configured FreeIPA "ID Views" for each user to override the AD-originating generic UID and GID with shorter UID and GID values. This is to preserve IPA-authenticated users' NFS permissions that were inherited from the previous Linux directory management system (NIS) we used and for simplicity. When working locally or remotely (SSH/VNC) on the Linux machines, everything is working as expected with no issues.
Our problem is with SMB: we need to share the NFS shares over SMB for direct File Explorer access for Windows users. For this purpose, we have an Ubuntu machine we use as an SMB server. The server is joined to IPA as a client and has all NFS shares mounted locally on its filesystem. The ideal way would be to somehow configure SMB to forward authentication to IPA (as if it were a local/SSH authentication to the server) and map the ID Views user and group IDs to preserve permissions. We searched all over the internet and didn't find a working solution for this use case.
Is this supported? If yes, how can this be implemented?
On Tue, 18 Jun 2024, Yossi Hayat via FreeIPA-users wrote:
> Hi,
> To centrally manage all credentials from Active Directory, we configured FreeIPA integration with Active Directory to authenticate users to IPA-joined Linux machines via SSSD using AD credentials.
> The Linux machines have NFS shares mounted on their local filesystems which we use to work in a sharable way. We have configured FreeIPA "ID Views" for each user to override the AD-originating generic UID and GID with shorter UID and GID values. This is to preserve IPA-authenticated users' NFS permissions that were inherited from the previous Linux directory management system (NIS) we used and for simplicity. When working locally or remotely (SSH/VNC) on the Linux machines, everything is working as expected with no issues.
> Our problem is with SMB: we need to share the NFS shares over SMB for direct File Explorer access for Windows users. For this purpose, we have an Ubuntu machine we use as an SMB server. The server is joined to IPA as a client and has all NFS shares mounted locally on its filesystem. The ideal way would be to somehow configure SMB to forward authentication to IPA (as if it were a local/SSH authentication to the server) and map the ID Views user and group IDs to preserve permissions. We searched all over the internet and didn't find a working solution for this use case.
> Is this supported? If yes, how can this be implemented?
Re-exporting NFS via SMB is not supported.
For normal SMB shares of non-network disk content, if you set things up as described in [1], access to those shares will be supported from Linux systems enrolled into the IPA domain. For access from Windows systems there is currently no support: some operations might work, but any attempt to resolve user/group identities or configure permissions from Windows clients will not work or might fail.
[1] https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/9/html/usi...
freeipa-users@lists.fedorahosted.org
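The reply above draws a support boundary: Samba shares backed by an NFS mount are an unsupported re-export. The following is an added example, not code from the thread or from the FreeIPA project, that audits an smb.conf against a mount table and flags every share whose path resolves (by longest mountpoint prefix, as findmnt -T does) to an NFS filesystem. The smb.conf text, share names, paths and mount lines are constructed sample data.

```python
"""Flag Samba shares whose path lives on an NFS mount (unsupported re-export)."""
import os
import re
from typing import Dict, List, Tuple

# Constructed sample smb.conf; share names and paths are hypothetical.
SAMPLE_SMB_CONF = """
[global]
    workgroup = EXAMPLE
    security = ads
[projects]
    path = /srv/nfs/projects
    read only = no
[scratch]
    path = /srv/local/scratch
    read only = no
"""

# Constructed /proc/mounts excerpt: device mountpoint fstype options dump pass
SAMPLE_MOUNTS = """\
/dev/sda2 / ext4 rw,relatime 0 0
nas.example.test:/export/projects /srv/nfs/projects nfs4 rw,relatime,vers=4.2 0 0
/dev/sdb1 /srv/local xfs rw,relatime 0 0
"""

def parse_share_paths(smb_conf: str) -> Dict[str, str]:
    """Return {share_name: path} for every non-global section that sets a path."""
    shares, section = {}, None
    for line in smb_conf.splitlines():
        line = line.strip()
        if m := re.match(r"^\[(.+)\]$", line):
            section = m.group(1)
        elif (m := re.match(r"^path\s*=\s*(.+)$", line, re.I)) and section and section != "global":
            shares[section] = m.group(1).strip()
    return shares

def parse_mounts(mounts: str) -> List[Tuple[str, str]]:
    """Return [(mountpoint, fstype)] from text in /proc/mounts format."""
    return [(f[1], f[2]) for f in (l.split() for l in mounts.splitlines()) if len(f) >= 3]

def fstype_for(path: str, mounts: List[Tuple[str, str]]) -> str:
    """Filesystem type of the deepest mountpoint that contains path."""
    best = ("", "unknown")
    for mp, fstype in mounts:
        if os.path.commonpath([mp, path]) == mp and len(mp) > len(best[0]):
            best = (mp, fstype)
    return best[1]

def nfs_reexports(smb_conf: str, mounts: str) -> Dict[str, str]:
    """Shares backed by NFS, as {share_name: fstype}; empty dict means none found."""
    table = parse_mounts(mounts)
    found = {name: fstype_for(p, table) for name, p in parse_share_paths(smb_conf).items()}
    return {name: fs for name, fs in found.items() if fs.startswith("nfs")}

if __name__ == "__main__":
    for share, fs in nfs_reexports(SAMPLE_SMB_CONF, SAMPLE_MOUNTS).items():
        print(f"[{share}] is backed by {fs}: re-exporting NFS over SMB is unsupported")
```

On a real server, pass the contents of /etc/samba/smb.conf and /proc/mounts to nfs_reexports() instead of the sample strings.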