Combined NFS, Samba server w users from Active Directory
Solution 1:
(Edit for 2017-07-05) I'd generally recommend using sssd now. Leaving the original answer below for historical reference. My current notes for Ubuntu are:
apt-get install openssh-server sssd-ad realmd packagekit
realm -v join example.com --computer-ou="OU=someOU,DC=example,DC=com" --user=someuser
- In /etc/sssd/sssd.conf, [sssd] section, add default_domain_suffix = example.com and full_name_format = %1$s. In the [domain/example.com] section, edit fallback_homedir = /home/%d/%u and add ignore_group_members = True. For larger domains, add enumerate = false to prevent sssd from traversing all over AD looking for group memberships (and delaying non-cached logins for a minute or two each).
- Append session required pam_mkhomedir.so skel=/etc/skel/ umask=0076 at the end of /etc/pam.d/common-session (or whatever umask you want to use).
- Restart the sssd service with service sssd restart.
- Try logging in on a second text or GUI console, or with ssh localhost.
winbind would make up UIDs by default on older versions of Samba, or would have to refer to an LDAP store to keep everything consistent. That hasn't been the case for some time now (November 2004, if my information is correct) -- idmap_rid is a backend that can generate UIDs from the Active Directory RID (relative identifier, part of the user's SID).
I wrote up my configuration for tying Debian systems into an existing AD here -- it uses Puppet, but if you only read through it for a starting point on Samba and PAM configurations, it should work on any comparable UNIX system.
Note that I'm not using SFU, or modifying the AD schema in any way. All I wanted was a consistent set of UIDs for my users.
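An added example, not part of the answer above: a small audit that parses an sssd.conf and reports which of the settings listed in the sssd notes (default_domain_suffix, full_name_format, fallback_homedir, ignore_group_members, enumerate) are missing or set differently. The sample config below is constructed to resemble what a realm join might leave behind (an assumption); the domain name example.com is taken from the answer.

```python
import configparser
from typing import Dict, List, Tuple

# Constructed sample sssd.conf: a post-join file before the edits from the
# answer above were applied (hypothetical contents, not a real system's file).
SAMPLE_SSSD_CONF = """\
[sssd]
domains = example.com
config_file_version = 2
services = nss, pam
default_domain_suffix = example.com
full_name_format = %1$s

[domain/example.com]
ad_domain = example.com
krb5_realm = EXAMPLE.COM
id_provider = ad
access_provider = ad
fallback_homedir = /home/%u@%d
"""

# (section, key, expected value) as recommended in the answer; enumerate is
# treated as expected here even though the answer makes it optional.
EXPECTED: List[Tuple[str, str, str]] = [
    ("sssd", "default_domain_suffix", "example.com"),
    ("sssd", "full_name_format", "%1$s"),
    ("domain/example.com", "fallback_homedir", "/home/%d/%u"),
    ("domain/example.com", "ignore_group_members", "True"),
    ("domain/example.com", "enumerate", "false"),
]

def parse_sssd_conf(text: str) -> configparser.ConfigParser:
    # interpolation=None: sssd values contain % tokens (%d, %u, %1$s) that
    # configparser's default interpolation would otherwise reject.
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep key names exactly as written
    cp.read_string(text)
    return cp

def audit_sssd_conf(text: str) -> Dict[str, str]:
    """Return {"section/key": problem} for settings missing or different."""
    cp = parse_sssd_conf(text)
    problems: Dict[str, str] = {}
    for section, key, want in EXPECTED:
        if not cp.has_section(section):
            problems[f"{section}/{key}"] = f"section [{section}] missing"
            continue
        got = cp.get(section, key, fallback=None)
        if got is None:
            problems[f"{section}/{key}"] = "missing"
        elif got.strip().lower() != want.lower():  # booleans compared case-insensitively
            problems[f"{section}/{key}"] = f"is {got!r}, expected {want!r}"
    return problems

if __name__ == "__main__":
    for item, why in sorted(audit_sssd_conf(SAMPLE_SSSD_CONF).items()):
        print(f"{item}: {why}")
```

Running it against a live file is a matter of passing open("/etc/sssd/sssd.conf").read() to audit_sssd_conf; the file is root-only readable by default, so run it with appropriate privileges.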
Solution 2:
The NFS component of Services for Unix is now part of the Services for Network File System role in Server 2003 R2 and above.
There is a great Microsoft blog about SFU - http://blogs.msdn.com/b/sfu/. The relevant blog entry explaining how to set it up and the definitive Technet article is here.
You can use the Identity Management for UNIX Active Directory schema extension to do your mapping allowing NFS clients to connect to your server without having to CIFS first (if they could CIFS, doesn't make much sense to NFS?).