
Synology DiskStation User Mapping

I have a Synology DiskStation providing file services to my home and lab networks. It works great as-is for SMB access, but NFS access was problematic because the automatic UID / GID generation didn't match the IDs used by my Linux systems. Since I already store Unix attributes in Active Directory, I needed the DiskStation to respect those.

The first step to achieve this is to update the Samba configuration (/etc/samba/smb.conf) on your DiskStation. Adding the configuration below will get Samba to use the Active Directory attributes. I use 100000-199999 for my user and group IDs. If you use different values, you may need to adjust the range accordingly. If you don't yet have Unix attributes assigned to your Active Directory users, check out Assigning Unix Attributes to Active Directory Objects for how I've gone about that.

[global]
    idmap config * : backend=tdb
    idmap config * : range=3000-7999
    idmap config DIGITALLOTUS : backend=ad
    idmap config DIGITALLOTUS : range=100000-199999
    idmap config DIGITALLOTUS : schema_mode=rfc2307
    idmap config DIGITALLOTUS : unix_nss_info=yes
    idmap config DIGITALLOTUS : unix_primary_group=yes

Once that is in place, restart your DiskStation. After it's up, you can check the user ID by running id user@corp.example.com and see that... it's still showing the automatically generated ID? That's actually expected at this point because of some of the DiskStation internals. If you run wbinfo -i "user@corp.example.com", which will query Samba directly, you should see the right information.

So, how do we now get the DiskStation to recognize the updated values? We have to clear its cached mappings. You can do that by running the command below.

find /volume1/@accountdb \( -type f -o -type l \) -delete

After running that command, you should be able to rerun id user@corp.example.com and see the right attributes. I did all this prior to setting up my shares and permissions. If you already have shares and permissions set up, you'll likely need to reapply your permissions to get them working with the new ID values.
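
To confirm the result for a given user, the script below compares what wbinfo -i reports with what id reports and checks that both IDs fall inside the configured AD range. It is an added example, not part of the original post; the function names, verdict strings and sample line are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): compare winbind's view of a
# user with the DiskStation's view after the smb.conf change.
AD_MIN=100000   # from "idmap config DIGITALLOTUS : range" above
AD_MAX=199999

# Constructed sample of `wbinfo -i` output (passwd-style line).
SAMPLE_WB='CORP\user:*:100123:100100:Example User:/home/user:/bin/sh'

# Fields 3 and 4 of the passwd-style line are the UID and primary GID.
wb_uid() { printf '%s\n' "$1" | cut -d: -f3; }
wb_gid() { printf '%s\n' "$1" | cut -d: -f4; }

# Succeeds only if $1 is all digits and inside the AD idmap range.
in_ad_range() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge "$AD_MIN" ] && [ "$1" -le "$AD_MAX" ]
}

# check_mapping WBINFO_LINE SYSTEM_UID SYSTEM_GID -> prints a verdict
check_mapping() {
    wuid=$(wb_uid "$1"); wgid=$(wb_gid "$1")
    if ! in_ad_range "$wuid" || ! in_ad_range "$wgid"; then
        echo "not-from-ad"     # winbind is not returning IDs from the AD range
    elif [ "$wuid" != "$2" ] || [ "$wgid" != "$3" ]; then
        echo "stale-cache"     # winbind is right, `id` still shows old values
    else
        echo "ok"
    fi
}

# Live check on the DiskStation: check_user user@corp.example.com
check_user() {
    line=$(wbinfo -i "$1") || return 1
    check_mapping "$line" "$(id -u "$1")" "$(id -g "$1")"
}

if [ $# -gt 0 ]; then
    check_user "$1"
else
    # Offline demo: 1234567 is a constructed stand-in for an auto-generated UID.
    check_mapping "$SAMPLE_WB" 1234567 100100
fi
```

A stale-cache verdict corresponds to the state described above, where wbinfo already shows the Active Directory values but id does not.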
