preparing Windows 2012 R2 Active Directory for Linux

This is the second post of a few loosely coupled posts to install and test a nfs4 environment with EMC Isilon. In the first post I covered the steps to install a Windows 2012 R2 active directory server and this post will present the steps to prepare the active directory for linux clients. The next post covers the required steps to configure a RHEL to join the domain and use kerberize NFS.

Windows is using the concept of SIDs (security identifier) to uniquely identify windows users and groups. They look something like this: “S-1-5-32-544” (well-known domain-relative SID of the local Administrators group).
In contrary to windows is linux using UID (user identifier) and GID (group identifier) to uniquely identify a user or group. UID and GID are integers like 32767 (default for nobody).

As we want to use our active directory not only to authenticate a linux host or user but also to resolve user- and group-names to UID and GID, we have to enter these IDs into our active directory database.
Luckily windows supports RFC2307 (An Approach for Using LDAP as a Network Information Service) and therefore no changes to the active directory schema itself is necessary.

The LDAP attributes for groups are:

and for users:

Please note, as we are going to use AD/LDAP to resolve UID/GID from our linux/Isilon system, you don’t need to install the Microsoft Identiy Management for Unix services. This is especially great because Windows Server Core does not support theses services! Only if you want to manage the UID/GID with the active directory users and computers MMC you need these services. They can be installed on a Windows Server 2012 R2 with following command:

Dism.exe /online /enable-feature /featurename:adminui /featurename:nis /all

To add the required attributes to an existing or new user/group you can use the following powershell cmdlets:

Here is an example to create a AD group “linux_user” with a GID of 20000 and a NisDomain “emc”:

New-ADGroup -name linux_user -GroupScope 1 -OtherAttributes @{msSFU30NisDomain='emc';gidNumber=20000}

If you have an existing group you can use following cmdlet to add the attributes:

Set-ADGroup -Instance linux_user -Add @{msSFU30NisDomain='emc';gidNumber=20000}

Next we are creating an user “user1” with a UID of 10000, being member of group 20000 and NisDomain ’emc’. Furthermore the user will use “/bin/bash” as login shell and a home directory located in “/home/EMC/user1”.

New-ADUser -name user1 -OtherAttributes @{uidNumber=(10000+$i);gidNumber=20000;unixHomeDirectory=('/home/EMC/user'+$i);loginShell='/bin/bash';msSFU30NisDomain='emc'}

And again for adding attributes to an existing user:

Set-ADUser -Instance user1 -Add @{uidNumber=(10000+$i);gidNumber=20000;unixHomeDirectory=('/home/EMC/user'+$i);loginShell='/bin/bash';msSFU30NisDomain='emc'}

Now you are able to query the active directory by LDAP from you linux client or Isilon system to resolve user and group attributes. Furthermore you have a mapping between windows and linux users which is necessary for a multiprotocol access to Isilon!

For testing in my lab I used follwing powershell command to quickly create 5 users with the appropriate linux attributes, the password “Passw0rd” and also added the user to the ad group “linux_user”:

for ($i=1; $i -le 5; $i++){New-ADUser -name ('user' + $i) -PasswordNeverExpires:$true -AccountPassword (ConvertTo-SecureString "Passw0rd" -AsPlainText -Force) -Enabled:$true -OtherAttributes @{uidNumber=(10000+$i);gidNumber=20000;unixHomeDirectory=('/home/EMC/user'+$i);loginShell='/bin/bash';msSFU30NisDomain='emc'}; Add-ADGroupMember -Identity linux_user -Members ('user'+$i)}

The last steps are configuring and joining the Isilon and linux host to our active directory. This will be covered in one of the next posts.

Leave a comment

Your email address will not be published.

This site uses Akismet to reduce spam. Learn how your comment data is processed.

6 thoughts on “preparing Windows 2012 R2 Active Directory for Linux

  • dot

    Thank you.

    (2011) I was able to join Redhat 4.7 under Windows Server 2003 R2 like Database Member Server [Oracle 10g].

    Because IDMU is deprecated in Win 2012 R2, I’ll with your solution.

    (2014) I was able to join CentOS 6.5 under Windows 2012.

  • Bruce

    Do you know how feasible it would be to set the UIDnumber of a user or the GIDnumber of a Security Group in AD based on the formula $baseUID + $RID where $baseUID is set to something like 10,000 or 100,000 (and essentially stands in for the based of the SID) and $RID is the relative identifier of the User or Security Group extracted from the SID?

  • Matt

    Hello Christopher,

    Thank you very much for a great post.

    You wrote “… you don’t need to install the Microsoft Identity Management for Unix services. … Only if you want to manage the UID/GID with the active directory users and computers MMC you need these services. ”
    I’m not sure if I missed something, but on my Server 2012 R2 I didn’t install Microsoft Identity Management for Unix Services, but if in the Active Directory Users and Computers under View menu I select Advanced Features, then in user or group Properties a new tab “Attribute Editor” appears, which allows to manually enter all Unix attributes you listed in your post. Of course, powershell approach is better. I use Windows Server 2012 R2 AD for user and group authentication and management on my Linux systems running Samba 4.1 as members of the AD domain (I don’t use NIS and therefore don’t use msSFU30NISDomain attribute). Could you please clarify. Also, do you know if Microsoft will continue to support RFC2307, or it will drop it as it did it with Identity Management for Unix Services.

    Thanks again,

    • Matt


      I think I got it, you’re using Windows Server 2012 R2 core installation, without GUI, but as I understand Server 2012 R2 still supports RFC2307 out of the box without Identity Management for Unix Services installed, because I never installed it.