Limitation with Active Directory Lookup feature in Microsoft Services for NFS
The Active Directory Lookup feature that was introduced with Windows Server 2003 R2. This feature greatly simplifies the UNIX identity information management but has its own set of limitation. I thoughy I’ll document them here –
1. If you are using Client for NFS in conjunction with Active Directory lookup, the client will not send the secondary groups information of the user to the server. This is a limitation in the RFC2307 specifications because it doesn’t define a place to store this information with the user object itself. The only way to get this information would be to query all the groups and maintain a cache of this information for future use. This is expensive on the performance side. I have not had exposure to 3rd party NFS servers offering RFC2307 support so not sure how it works with them. You are welcome if you can share some information on this aspect. Please use the comments form to do so.
2. The UIDs and GIDs fetched seems get lost after a while and unless you unmount and remount the share, it doesn’t list the correct user and group names on the file. A user can get his information to be refreshed by doing something as simple as running cat command on the files he owns but it will still show the other files owned by nobody/nogroup which belong to other users. This is being worked on and I hope there’s a fix for this soon.
UPDATE 06/24: The hot fix for the AD Lookup issue mentioned above has been released publicly. The associated knowledgebase article number is 969874 and this can be accessed here. Please note the fix is only required on Windows Server 2008 systems. In Windows Server 2003 R2, this problem can be worked around by changing the domain name to NETBIOS domain name in the NFS configuration.