We’re in the process of setting up Windows machines to authenticate against IPA and use home directories from our NFS servers with Kerberized NFS.
The process is not easy, but possible. One thing I’ve found frustrating is that documentation on Windows NFS is terrible. In particular, when you do a mount, it’s critical to get it mounted with the right UID and GID. The procedure most people are using is to set the UID and GID in the registry. That’s fine if the same person always uses the system, but it won’t work for us.
In older versions of Windows, you could set up /windows/system32/drivers/etc/passwd. But in Windows 10 they no longer seem to pay attention to it. The only real way to do it is with an Active Directory-style LDAP lookup. Fortunately, IPA can handle that. The query is:
GSSAPI authenticate as machine$:

ldapsearch -Y GSSAPI -b dc=cs,dc=rutgers,dc=edu '(sAMAccountName=clh)' uidnumber gidnumber
To get the GSSAPI authentication to work, you need MACHINE$ set as an alias for the host. And you need to configure Windows to use principal canonicalization. Otherwise Kerberos ignores the alias. That means doing "ksetup /setrealmflags DOMAIN ncsupported" on Windows.
You also need to add samaccountname as an attribute for users, populate it, and make it readable and searchable.
With this, mapping works.
Of course this assumes that Windows Kerberos is set up pointing to IPA as the KDC, but there are plenty of other instructions on how to do that.
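As an added example that is not from the original post, here is a small POSIX shell helper that runs the ldapsearch above and refuses to return a mapping unless both uidNumber and gidNumber come back, which is the failure you see when sAMAccountName is unpopulated or the attributes are not readable. The base DN is the one from the post; the sample LDIF is constructed.

```shell
#!/bin/sh
# Added example (not from the original post): run the sAMAccountName lookup
# from the post and check that IPA actually returns both POSIX ids. A missing
# value is what you get when sAMAccountName is not populated or uidNumber /
# gidNumber are not readable by the MACHINE$ principal.
BASE_DN="dc=cs,dc=rutgers,dc=edu"   # base DN from the post; change for your realm

# Constructed LDIF, in the shape ldapsearch -LLL prints, used for a dry run.
SAMPLE_LDIF='dn: uid=clh,cn=users,cn=accounts,dc=cs,dc=rutgers,dc=edu
uidNumber: 1001
gidNumber: 1001'

# Read LDIF on stdin, print "uid gid", and return 1 unless both attributes
# are present and numeric (attribute names are case-insensitive in LDAP).
parse_posix_ids() {
    ids=$(awk 'tolower($1) == "uidnumber:" { u = $2 }
               tolower($1) == "gidnumber:" { g = $2 }
               END { print u, g }')
    uid=${ids% *}
    gid=${ids#* }
    [ -n "$uid" ] && [ -n "$gid" ] || return 1
    case "$uid$gid" in *[!0-9]*) return 1 ;; esac
    echo "$uid $gid"
}

# Live lookup: GSSAPI bind as the machine account (kinit as MACHINE$ first),
# exactly the query from the post, then validate the answer.
lookup_posix_ids() {
    if ! ids=$(ldapsearch -LLL -Y GSSAPI -b "$BASE_DN" "(sAMAccountName=$1)" \
                   uidnumber gidnumber | parse_posix_ids); then
        echo "no uidNumber/gidNumber for $1: check sAMAccountName is set and the attributes are readable" >&2
        return 1
    fi
    echo "$ids"
}

# Dry run against the constructed record; pass a user name to query IPA instead.
if [ $# -gt 0 ]; then
    lookup_posix_ids "$1"
else
    printf '%s\n' "$SAMPLE_LDIF" | parse_posix_ids
fi
```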