Configuring NFS

Hello everyone,

I am configuring an NFS server on openSUSE LEAP 42.3. The machine has joined a Windows Domain and the shared directory will be shared with two computers, which are also in the Windows Domain.
If the AD users have different UIDs on those machines (different login order), then the permissions in the NFS directory are compromised (or maybe I’m wrong).

How can I use AD user permissions, so the same AD user with different UIDs can only access their own files? Do I need to configure Kerberos or use Samba?

Thanks a lot

I do not understand what “Windows domains” and/or Samba (interfaces between MS Windows systems and Unix/Linux systems) have to do with NFS (a remote mount facility of Unix/Linux), but it was just yesterday that I posted this in a thread of somebody who also forgot to administer his users on all of the involved systems instead of separately (and thus conflicting) on each system.

Your conclusion that the file system is mounted ro is wrong, as you found out later. Next time please post why you think things and not only post your conclusions.

As you have found, the ownership (by user and group) and permissions work for all files. Regardless if they are in an NFS mounted (or any other mounted) file system.

You can of course, as root, change the ownership of files from 2000 to 1000. When they are all in one directory and further in sub-directories you can use
chown -R …

BTW, using NFS requires a consistent administration of users on all involved systems. Together with NFS, NIS (yellow pages) was designed for that. But I would use that only for a larger shop. For only a few systems a bit of administration of users (user names and user-ids) and groups (group names and group-ids) is needed. Remark that the ids (UID and GID) are the ones that should be the same on the NFS servers and their clients. The names may differ, but that is of course confusing.
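Added example, not part of the posts above: a check for the UID inconsistency discussed here, assuming the export uses NFS's default `sec=sys` security, where only numeric ids travel between client and server. It compares passwd-format dumps from two hosts; the sample accounts and the function names are constructed for illustration, and the same comparison applies to GIDs from group-format dumps.

```python
# Constructed sample input: passwd-format lines such as `getent passwd` prints.
# User names and ids are hypothetical.
SERVER_PASSWD = """\
alice:x:1000:100:Alice:/home/alice:/bin/bash
bob:x:1001:100:Bob:/home/bob:/bin/bash
carol:x:2000:100:Carol:/home/carol:/bin/bash
"""
CLIENT_PASSWD = """\
bob:x:1000:100:Bob:/home/bob:/bin/bash
alice:x:1001:100:Alice:/home/alice:/bin/bash
carol:x:2000:100:Carol:/home/carol:/bin/bash
dave:x:2001:100:Dave:/home/dave:/bin/bash
"""


def parse_passwd(text):
    """Return {name: uid}; blank, comment and malformed lines are skipped."""
    users = {}
    for line in text.splitlines():
        fields = line.strip().split(":")
        if line.lstrip().startswith("#") or len(fields) < 4 or not fields[2].isdigit():
            continue
        users[fields[0]] = int(fields[2])
    return users


def uid_conflicts(server, client):
    """Compare two {name: uid} maps and return a list of findings."""
    findings = []
    # Same account name, different numeric UID on the two hosts.
    for name in sorted(server.keys() & client.keys()):
        if server[name] != client[name]:
            findings.append(("uid-mismatch", name, server[name], client[name]))
    # A server UID that resolves to a different account on the client:
    # that client account gets owner access to the server user's files.
    client_by_uid = {}
    for name, uid in client.items():
        client_by_uid.setdefault(uid, []).append(name)
    for name, uid in sorted(server.items()):
        for other in sorted(client_by_uid.get(uid, [])):
            if other != name:
                findings.append(("wrong-owner", name, uid, other))
    return findings


if __name__ == "__main__":
    for finding in uid_conflicts(parse_passwd(SERVER_PASSWD), parse_passwd(CLIENT_PASSWD)):
        print(*finding)
```

An empty result means every account present on both hosts has the same UID and no server UID belongs to a different account on the client.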

Hi,

In fact, I am configuring an openSUSE cluster, which will use OpenMPI (PoC). I need to create a shared memory, so I read that NFS was the best choice.
But I need to use the Windows AD users (IT policy). That’s why I need to ensure UID does not generate any permission conflict.

Thanks,

Microsoft’s Active Directory uses LDAP versions 2 and 3, DNS and Microsoft’s version of Kerberos …

You could take a look at OpenLDAP and, in particular, the translucent overlay capability, to extend the entries in the Microsoft AD server(s) with additional attributes stored in a local database …

If I use that, will I then have a copy of Active Directory on the openLDAP server?

Which is the best way to create a shared memory and use Windows users instead of Linux users?

Thanks,

That’s one possibility. Another is, each openSUSE machine has the openLDAP Client package installed by default – you could ensure that each openSUSE LDAP client has the translucent overlay capability enabled and also, that each instance of the capability is correctly configured …

Do you mean “shared memory” in the sense of “shared memory” or, do you mean “shared disk space” (a NAS)?
If you really mean “shared memory” then, you’ll need to come up to speed with the POSIX Shared Memory API; cross-platform support is provided by:

  • C++ : Boost libraries : ‘Boost.Interprocess’;
  • Qt : ‘QSharedMemory’ class.