Score:0

Active Directory + NFS: Why is domain user's uidNumber, gidNumber not shown by `id` command in Windows?


I am connecting NFS v3 shares (ZFS datasets) from a Solaris file server owned by domain users to Windows computers, but the concept should apply to basically any POSIX-style server. I'm hoping to find an intuitive way for permissions to persist across platforms, which can also apply to multiple users using the same client.

The Solaris server does not recognize the users' identity when mounting the dataset using the mount command in cmd, despite the datasets being set to the same domain user present on the server, but identified using AD LDAP's uidNumber and gidNumber.

I've seen a solution where uid/gid can be set in the registry, allowing the NFS share to be mounted in Windows as an anonymous share with one user's identity. This is not only inconvenient, it would only apply to one user.

I was using MSYS2 (e.g. "Git Bash") and noticed the id command doesn't show anything near to the uidNumber/gidNumber set in ADUC's attribute tab. I'm aware that Windows uses SIDs for identifying users and devices, which is quite dissimilar to the Unix id system - but where is MSYS2 getting this number from?

I'm hoping by shedding light on this it might help me figure out some way to set user attributes so the mount command in cmd will relay my users' identity in a way my Solaris server will understand.

Here's an example of what I'm talking about:

In ADUC, let's review the uid/gid of Administrator:

Active Directory Users and Computers
---------------------------------------------
    [Menu]  View --> Advanced Features -->
+ [Domain] Users --> Administrator --> Properties -->
  + [Tabs] Attribute Editor -->
+ [Tables] uidNumber, gidNumber

uidNumber: 2500
gidNumber: 2512

Ok, then let's check Administrator's id in MSYS2:

└─ ▶ id administrator
uid=1049076(Administrator) gid=1049089(Domain Users) groups=1049089(Domain Users)

Obviously these are very different numbers. Wouldn't it make more sense for the user's Unix uid/gid to be shown?

Where's MSYS2 getting these odd-looking numbers from, and is there any way to utilize a user's AD-specified uid/gid as identity in the command line?
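The question asks where the 1049076 and 1049089 come from, and the thread never answers that part. As an added example (not from the post), the block below reproduces the rule that Cygwin documents and that MSYS2 inherits: a POSIX uid/gid is derived from the account's SID, not from AD's uidNumber/gidNumber, by adding a fixed offset to the RID (0x100000 for accounts in the machine's own domain, 0x30000 for local SAM accounts, no offset for BUILTIN groups). The domain and machine SIDs in the block are constructed placeholders, not the asker's real values; only the RIDs 500 (Administrator) and 513 (Domain Users) are fixed by Windows.

```powershell
# Added example, not from the original post: how Cygwin/MSYS2 derives a POSIX
# uid/gid from a Windows SID. Offsets follow Cygwin's documented scheme; the
# SIDs used below are constructed placeholders.

function ConvertTo-CygwinId {
    [CmdletBinding()]
    param(
        # SID as text, e.g. S-1-5-21-...-500
        [Parameter(Mandatory)][string]$Sid,
        # SID of the AD domain the machine is joined to (assumed; on a real
        # machine take it from a domain account's .AccountDomainSid)
        [Parameter(Mandatory)][string]$PrimaryDomainSid,
        # SID of the local machine's SAM (placeholder default, assumed)
        [string]$MachineSid = 'S-1-5-21-4444444444-5555555555-6666666666'
    )
    $parts  = $Sid -split '-'
    $rid    = [int]$parts[-1]
    $prefix = $parts[0..($parts.Length - 2)] -join '-'

    switch ($prefix) {
        $PrimaryDomainSid { return 0x100000 + $rid }  # domain accounts: 1048576 + RID
        $MachineSid       { return 0x30000  + $rid }  # local SAM accounts: 196608 + RID
        'S-1-5-32'        { return $rid }             # BUILTIN groups, e.g. 544 Administrators
        default           { throw "No mapping rule implemented here for $Sid (trusted domains need trustPosixOffset)" }
    }
}

function Get-WindowsAccountSid {
    # Resolve 'DOMAIN\name' (or a bare name) to its SID via .NET; only works
    # where the account can actually be looked up (domain-joined machine).
    param([Parameter(Mandatory)][string]$Account)
    $nt = [System.Security.Principal.NTAccount]::new($Account)
    [System.Security.Principal.SecurityIdentifier]$nt.Translate([System.Security.Principal.SecurityIdentifier])
}

# Constructed domain SID; RID 500 is Administrator and RID 513 is Domain Users
# in every AD domain, so these two calls reproduce the question's id output
# without knowing the asker's real domain SID.
$domainSid = 'S-1-5-21-1111111111-2222222222-3333333333'
ConvertTo-CygwinId -Sid "$domainSid-500" -PrimaryDomainSid $domainSid
ConvertTo-CygwinId -Sid "$domainSid-513" -PrimaryDomainSid $domainSid

# Same thing for a real account on a domain-joined machine (account name assumed):
# $sid = Get-WindowsAccountSid 'EXAMPLE\happyuser'
# ConvertTo-CygwinId -Sid $sid.Value -PrimaryDomainSid $sid.AccountDomainSid.Value
```

Since 0x100000 is 1048576, RID 500 gives 1049076 and RID 513 gives 1049089, exactly the numbers `id administrator` printed. The AD uidNumber/gidNumber attributes never enter this calculation, which is why the MSYS2 `id` output and the ADUC Attribute Editor disagree; only the Windows NFS client's mapping store (the subject of the answer) consults those attributes.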

Score:0

Well, that was easy - since my users' uidNumber and gidNumber were set already, all I had to do was enable AD identity mapping on the client.

I opened an admin command prompt, started PowerShell (ver 7), and ran the cmdlet:

PS C:\Windows\System32> Set-NfsMappingStore -EnableADLookup $True -ADDomainName "example.com"

To confirm, I retrieved the settings:

PS C:\Windows\System32> Get-NfsMappingStore

UNMServer               :
UNMLookupEnabled        : False
ADDomain                : example.com
ADLookupEnabled         : True
LdapServer              :
LdapNamingContext       :
LdapLookupEnabled       : False
PasswdFileLookupEnabled : False

Now, the moment of truth - mounting the user's NFS share (this was a user-level cmd shell in ConEmu):

happyuser@WINSLAVE C:\Users\happyuser
$ mount \\solarisbeast\mnt\hallofzmirrors\trough\happyuser\all-pascal-projects n:

Looks good so far, no identity settings necessary (not that they'd be possible with NFS v3 anyway, but still...)

Left some tracks...

happyuser@WINSLAVE N:\
$ echo 'this is from winslave' > 'test-from-winslave.txt'

Then checked the identity of the file creator on the server:

admin@solarisbeast:/mnt/hallofzmirrors/trough/happyuser/all-pascal-projects% ls -la
total 88
drwxr-xr-x   6 happyuser    DomainUsers       8 Jul 22 22:19 .
drwxr-x---  35 happyuser    DomainUsers      56 Jul 21 11:37 ..
drwxr-xr-x   2 happyuser    DomainUsers       3 Jul 21 11:37 .$EXTEND
-rw-r--r--   1 happyuser    DomainUsers      25 Jul 21 13:04 test-from-bloatedwharfrat.txt
-rwxr-xr-x   1 happyuser    DomainUsers      25 Jul 22 22:02 test-from-winslave.txt

Looks pretty good on the identity front. Let's hope it's stable!

Mounting NFS exports from a Unix server in Windows

Update: I mentioned it quickly, but for anyone who missed it, the NFS mount should be performed as the user who owns the share, in a non-elevated cmd. This may seem unintuitive to people more familiar with NFS mounts on POSIX systems, where only root (i.e. sudo) has permission to invoke the mount command.

LeeM: I suggest marking this as your answer so it doesn't show up as "unanswered" any more. And it might be helpful to others in future.

AveryFreeman: Thanks, didn't realize I had neglected to do that.
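The answer's procedure (enable AD lookup, confirm with Get-NfsMappingStore, then prove it by writing a file and checking ownership on the Solaris side) can be made repeatable and checked on the client alone. The script below is an added example, not the asker's script: it enables AD lookup only if it is not already set, escapes the account name before building an LDAP filter, reads uidNumber/gidNumber straight from AD over ADSI (no RSAT needed), and compares them with what the NFS client resolves for that account. `example.com` and `happyuser` are the names from the answer; `Get-NfsMappedIdentity` and its `UserIdentifier`/`GroupIdentifier` output properties are assumed to be available wherever the Client for NFS feature and its PowerShell module are installed.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the original answer: idempotent enable of AD
# identity mapping on the Windows NFS client plus a client-side consistency
# check of the uid/gid it will send. Get-NfsMappedIdentity and its
# UserIdentifier/GroupIdentifier properties are assumed (NFS client module).

function Enable-NfsAdLookup {
    param([Parameter(Mandatory)][string]$DomainName)
    $store = Get-NfsMappingStore
    if (-not $store.ADLookupEnabled -or $store.ADDomain -ne $DomainName) {
        Set-NfsMappingStore -EnableADLookup $true -ADDomainName $DomainName
        $store = Get-NfsMappingStore
    }
    if (-not $store.ADLookupEnabled) {
        throw "AD lookup is still disabled on this client"
    }
    $store
}

function ConvertTo-LdapFilterValue {
    # Escape RFC 4515 metacharacters so a supplied name cannot alter the filter.
    param([Parameter(Mandatory)][string]$Value)
    $map = [ordered]@{ '\' = '\5c'; '*' = '\2a'; '(' = '\28'; ')' = '\29'; "`0" = '\00' }
    foreach ($k in $map.Keys) { $Value = $Value.Replace($k, $map[$k]) }
    $Value
}

function Get-AdPosixIds {
    # Read uidNumber/gidNumber from AD via ADSI (binds to the machine's domain).
    param([Parameter(Mandatory)][string]$SamAccountName)
    $name = ConvertTo-LdapFilterValue $SamAccountName
    $searcher = [System.DirectoryServices.DirectorySearcher]::new()
    $searcher.Filter = "(&(objectCategory=person)(sAMAccountName=$name))"
    [void]$searcher.PropertiesToLoad.AddRange([string[]]@('uidNumber', 'gidNumber'))
    $entry = $searcher.FindOne()
    if (-not $entry) { throw "No AD user named $SamAccountName" }
    $uid = $entry.Properties['uidnumber']
    $gid = $entry.Properties['gidnumber']
    if ($uid.Count -eq 0 -or $gid.Count -eq 0) {
        throw "$SamAccountName has no uidNumber/gidNumber in AD; the client has nothing to map it to"
    }
    [pscustomobject]@{
        SamAccountName = $SamAccountName
        uidNumber      = [int]$uid[0]
        gidNumber      = [int]$gid[0]
    }
}

function Test-NfsClientIdentity {
    # Compare AD's attributes with the identity the NFS client resolves.
    param([Parameter(Mandatory)][string]$SamAccountName)
    $ad  = Get-AdPosixIds -SamAccountName $SamAccountName
    $nfs = Get-NfsMappedIdentity -AccountName $SamAccountName -AccountType User -MappingStore AD
    [pscustomobject]@{
        User       = $SamAccountName
        AD_uid     = $ad.uidNumber
        NFS_uid    = $nfs.UserIdentifier     # assumed property name
        AD_gid     = $ad.gidNumber
        NFS_gid    = $nfs.GroupIdentifier    # assumed property name
        Consistent = ($ad.uidNumber -eq $nfs.UserIdentifier -and $ad.gidNumber -eq $nfs.GroupIdentifier)
    }
}

Enable-NfsAdLookup -DomainName 'example.com' | Format-List
Test-NfsClientIdentity -SamAccountName 'happyuser' | Format-List
```

Run this elevated for the mapping-store change, then do the mount itself as the unprivileged user, as the answer's update says. One caveat worth keeping in mind: with NFSv3 and AUTH_SYS the server simply trusts the uid/gid numbers the client puts in each RPC credential. The mapping store decides which numbers this client sends; it does not authenticate them, so any host allowed to reach the export can present any uid it likes, and the export's host list and root-squash settings on the Solaris side remain the real access control.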