Overview
The first thing to consider is whether you really need POSIX, UNIX, and NTFS permission types on the same volume. It is always preferable to put objects needing NFS access on separate volumes from those needing CIFS (SMB) access. If that is not possible, and the same user or group needs access from both NFS and CIFS clients, then Active Directory UNIX Extensions can be implemented so that both protocols resolve that user or group to the same numeric ID.
When you enable support for multiple protocols on a volume through NFS and CIFS (SMB), the user and group identities created through the different protocols do not necessarily match each other. SMB typically maps a user by associating an Active Directory security identifier (SID) with a user ID (UID) or group ID (GID) through a local mapping policy, usually a simple algorithm that derives the number directly from the relative ID (RID) component of the SID. NFS, on the other hand, presents the numeric UID or GID of the UNIX/Linux client as-is, with no conversion. Because the two paths assign numbers independently, an Active Directory user "bob" may write files that the UNIX user "bob" cannot access: the SMB-mapped UID for "bob" and the NFS client's UID for "bob" are different numbers, so the file owner does not match.
However, a Nasuni Edge Appliance can be configured in such a way that the Active Directory-mapped UIDs and GIDs match the NFS UIDs and GIDs. Currently, this support relies on the customer using a feature of Active Directory that extends the Active Directory schema to provide UNIX-style UIDs and GIDs. This feature is known by multiple names, including “Identity Management for UNIX”, “UNIX Extensions”, “Server for Network Information Services”, “Services for UNIX”, or “RFC 2307”. On a domain that supports these extensions, a UNIX/Linux-based client can obtain the UID and GID values from the canonical records in the domain.
If your organization requires this functionality:
During the initial engagement, inform Nasuni Professional Services of your needs.
Configure Active Directory in consultation with Nasuni Professional Services or Nasuni Support.
Request Nasuni Support to configure the Edge Appliance for Active Directory Unix Extensions (RFC 2307).
Note: Limits on domains, groups, users, objects, and other items are the same as the limits of Active Directory. See Active Directory Maximum Limits - Scalability for details.
Tip: For Nasuni recommendations for volume configuration, see Nasuni recommendations for configuring volumes.
Important: Before joining Edge Appliance to Active Directory, contact Nasuni Support.
Considerations
Here are some considerations to keep in mind:
To use Active Directory's UNIX extensions, the domain (the RFC 2307 schema extension, with uidNumber and gidNumber values populated on the users and groups involved) and the NFS clients (configured to obtain their UIDs and GIDs from the domain) must be configured first.
Verify the result by creating files and directories from both an NFS client and an SMB client as the same user, and confirming that the owner UID and GID reported on each side are identical.
There are different procedures for configuring the first Nasuni Edge Appliance on the account and for subsequent Nasuni Edge Appliances on the account.
If possible, have this configuration done before a Nasuni Edge Appliance joins Active Directory.
To avoid Health Monitor directory service errors, edit the Active Directory computer account that Nasuni creates for the Edge Appliance and assign it a uidNumber and gidNumber that no other user, group, or computer object in the domain already uses.
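The computer-account step above, as an added PowerShell example; this is not Nasuni's own tooling or procedure. It assumes the ActiveDirectory module is installed, that the Edge Appliance's computer account is named NASUNI-EDGE01 (a hypothetical name), and that the candidate values 60001 (hypothetical) lie above 1000 and outside both the domain's RFC 2307 range and the Nasuni native range described later on this page. It checks every object class for a collision before writing, because users, groups, and computers can all carry RFC 2307 attributes.

```powershell
# Added example (not Nasuni's procedure): assign a unique uidNumber/gidNumber to the
# Edge Appliance's AD computer account so the Health Monitor directory check passes.
# Assumptions: ActiveDirectory module present; account name and ID values are hypothetical.
Import-Module ActiveDirectory

$ComputerName = 'NASUNI-EDGE01'                       # hypothetical computer account name
$Candidates   = @{ uidNumber = 60001; gidNumber = 60001 }  # hypothetical; >1000, outside reserved ranges

function Test-Rfc2307IdInUse {
    param(
        [Parameter(Mandatory)][ValidateSet('uidNumber', 'gidNumber')][string]$Attribute,
        [Parameter(Mandatory)][int]$Value
    )
    # Search all object classes, not just users/groups: computers may carry these too.
    $hits = @(Get-ADObject -LDAPFilter "($Attribute=$Value)" -Properties $Attribute)
    return $hits.Count -gt 0
}

foreach ($attr in $Candidates.Keys) {
    $value = $Candidates[$attr]
    if ($value -le 1000) {
        throw "$attr $value is not above 1000; this mapping requires IDs above 1000"
    }
    if (Test-Rfc2307IdInUse -Attribute $attr -Value $value) {
        throw "$attr $value is already assigned in the domain; choose another value"
    }
}

$computer = Get-ADComputer -Identity $ComputerName -Properties uidNumber, gidNumber
if ($null -ne $computer.uidNumber -or $null -ne $computer.gidNumber) {
    # Do not silently overwrite an ID that Support may already have coordinated.
    Write-Warning "$ComputerName already has uidNumber=$($computer.uidNumber) gidNumber=$($computer.gidNumber); leaving it unchanged"
} else {
    Set-ADComputer -Identity $computer -Replace $Candidates
    # Read back to confirm the write landed.
    Get-ADComputer -Identity $ComputerName -Properties uidNumber, gidNumber |
        Select-Object Name, uidNumber, gidNumber
}
```

Run this from a host with RSAT installed, as an account with write access to the computer object, before the Edge Appliance joins the domain where possible; if the account already carries values, the script reports them instead of replacing them.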
Active Directory Unix Extensions Considerations
Alternatives
Consider whether you need Posix permissions, Unix permissions, and NTFS permissions on the same volume. It is always preferable to locate objects needing NFS access and those needing CIFS access on separate volumes. If that is not possible, and the same user or group needs access from NFS and CIFS clients, then Active Directory Unix Extensions can be implemented.
Note: If possible, avoid multiple protocol volumes, because it is difficult to implement the ID mapping and permissions properly.
Volume and permission type
The volume must be created in the following manner. No other method is supported.
Create the volume as an NFS volume.
Add the CIFS protocol with POSIX/Mixed Mode permissions.
Important: Windows clients have reduced ACL capabilities on POSIX/Mixed Mode volumes. For example, a Modify permission grant is reported and applied as Full Control because the POSIX model cannot express the distinction.
Migrated Data
The nature of the data to migrate must be analyzed:
If the data is coming from a Unix system, does the data have Posix permissions as well?
If the data is coming from Windows, it must be determined how permissions could be degraded.
Handling UID/GID ranges
Thorough planning is required when setting up domain ranges for your UIDs and GIDs.
If you have already configured UID and GID ranges, then inform Nasuni Support about your ranges.
If you have not already configured UID and GID ranges, then you should plan and create your UID and GID ranges with the following considerations:
All GIDs and UIDs must be greater than 1000.
If GID/UID ranges for different domains overlap, communicate this to Support during the domain join, so that Support can use an optional flag during the AD join that allows overlapping ID ranges.
Allow headroom in the ranges to allow for future growth.
GID and UID ranges should not conflict with the Nasuni native user range: 5000 through 55999 by default. This range is controlled by the NOC.
Local groups are assigned by the NOC based on the Edge Appliance serial number. These local groups are stored in the license file.
Adjusting the range
If this assigned local range overlaps your domain range, then the local range must be adjusted. This is done by Nasuni Support using the following procedure:
Note: This shift procedure does not change the values in the license file.
Find the minimum and maximum ID numbers for Users by using this command:
Get-ADUser -Filter "uidNumber -like '*'" -Property uidNumber | Measure-Object -Minimum -Maximum -Property uidNumber
Record the values for Users.
Find the minimum and maximum ID numbers for Groups by using this command:
Get-ADGroup -Filter "gidNumber -like '*'" -Property gidNumber | Measure-Object -Minimum -Maximum -Property gidNumber
Record the values for Groups.
Use the lowest ID returned by users or groups for the low end of the range.
Use the highest ID listed for users or groups to define the upper end of the range.
Consider any planned ID growth in order to set headroom at the top of the range for future allocation.
Finding Users and Group IDs lower than 1000
If the minimum ID returned by either query is lower than 1000, this ID mapping does not work until those objects are fixed or removed.
Nasuni Support uses the following commands to identify the UIDs/GIDs lower than 1000 in order to see if they can be removed from Active Directory:
Find Users under ID 1000 by using this command:
Get-ADUser -Filter "uidNumber -lt 1000" -Property uidNumber
Find Groups under ID 1000 by using this command:
Get-ADGroup -Filter "gidNumber -lt 1000" -Property gidNumber
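The range-planning considerations under "Handling UID/GID ranges", the min/max queries under "Adjusting the range", and the below-1000 checks above, combined into one audit script a customer can run before engaging Support. This is an added example, not a Nasuni procedure. It assumes the ActiveDirectory module is installed and that the running account can read uidNumber and gidNumber on all users and groups; the 10000-ID headroom figure is an assumption to be replaced with your own growth estimate, and the Nasuni native range 5000 through 55999 is the default stated on this page.

```powershell
# Added example (not a Nasuni procedure): audit RFC 2307 ID ranges before the idmap is set.
# Reports the combined user/group ID span, any IDs below 1000, and whether the span
# (plus headroom) collides with the Nasuni native range.
Import-Module ActiveDirectory

$NasuniNativeMin = 5000    # default Nasuni native range per this page
$NasuniNativeMax = 55999
$Headroom        = 10000   # assumption: IDs reserved above the current maximum for growth

function Get-Rfc2307RangeReport {
    # Every user and group that carries an RFC 2307 ID number.
    $users  = @(Get-ADUser  -Filter "uidNumber -like '*'" -Properties uidNumber)
    $groups = @(Get-ADGroup -Filter "gidNumber -like '*'" -Properties gidNumber)
    if ($users.Count -eq 0 -and $groups.Count -eq 0) {
        throw 'No uidNumber/gidNumber values found; the RFC 2307 extensions are not populated.'
    }

    # Lowest ID across users and groups is the low end; highest is the high end.
    $ids   = @($users | ForEach-Object { [int]$_.uidNumber }) +
             @($groups | ForEach-Object { [int]$_.gidNumber })
    $stats = $ids | Measure-Object -Minimum -Maximum

    # IDs below 1000 break the mapping; list them for review and possible removal.
    $tooLow = @($users  | Where-Object { [int]$_.uidNumber -lt 1000 } |
                  Select-Object Name, @{n = 'Id'; e = { $_.uidNumber }}, @{n = 'Type'; e = { 'user' }}) +
              @($groups | Where-Object { [int]$_.gidNumber -lt 1000 } |
                  Select-Object Name, @{n = 'Id'; e = { $_.gidNumber }}, @{n = 'Type'; e = { 'group' }})

    $proposedHigh = [int]$stats.Maximum + $Headroom
    # Two closed intervals overlap when each one starts no later than the other ends.
    $overlapsNasuni = ([int]$stats.Minimum -le $NasuniNativeMax) -and ($proposedHigh -ge $NasuniNativeMin)

    [pscustomobject]@{
        UserCount                 = $users.Count
        GroupCount                = $groups.Count
        RangeLow                  = [int]$stats.Minimum
        RangeHigh                 = [int]$stats.Maximum
        ProposedHighWithHeadroom  = $proposedHigh
        IdsBelow1000              = $tooLow
        OverlapsNasuniNativeRange = $overlapsNasuni
    }
}

$report = Get-Rfc2307RangeReport
$report | Format-List

if ($report.IdsBelow1000.Count -gt 0) {
    Write-Warning 'IDs below 1000 found; the mapping will not work until these are fixed:'
    $report.IdsBelow1000 | Format-Table -AutoSize
}
if ($report.OverlapsNasuniNativeRange) {
    Write-Warning ("Domain range {0}-{1} overlaps the Nasuni native range {2}-{3}; ask Support to shift the local range." -f
        $report.RangeLow, $report.ProposedHighWithHeadroom, $NasuniNativeMin, $NasuniNativeMax)
}
```

Give the RangeLow and ProposedHighWithHeadroom values, plus any overlap warning, to Nasuni Support when requesting the idmap configuration; if several domains are involved, run it once per domain and compare the spans for overlap as well.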
Setting up an Edge Appliance IDmap
Important: Setting a new IDmap will affect the entire Edge Appliance and existing volumes.
Nasuni Support performs this procedure.
Checking Posix ACLs
You must check that any files or folders you create carry POSIX ACLs.
Files created through Windows (SMB) typically receive POSIX ACLs automatically, but files created through NFS do not, so on the NFS side the ACLs must be set explicitly with the client's POSIX ACL tools and then read back to confirm they are present.
Nasuni recommendations for configuring volumes
Tip: For Nasuni recommendations for volume configuration, see “Volume Configuration”.