[Cialug] smb & AD authentication for CentOS during domain functional level raise

[Mike Hughes]

Hi Linux users,

Our AD domain is currently hosted by a couple '08SP2 (not R2) and 12R2 domain controllers running at domain functional level '03 and it's about time we upgrade. We have a little over twenty CentOS (vers. 5, 6 & 7) development servers which use AD authentication and share samba mounts.
The best info I found regarding this upgrade's impact on Linux shares & authentication is this article from Centrify [1] which mentions that the smb service might have to be restarted.

I also have not found a working reliable source for the best method to join additional CentOS servers to the domain. Right now we're using a mix of samba and winbind for centos 5/6 [2] and sssd for centos 7 [3]. My ignorance around Kerberos is vast and wonder if/how that might play a role in this.

We did notice that with the standard sssd setup, our UID and GIDs were different so we set:

--automatic-id-mapping=no
and then set  the values for each user object manually within ADUC --> Attribute Editor --> gidNumber and uidNumber to match what they reported from a CentOS 6 machine's "id user" command.

I'm increasingly anxious about raising the functional level since it is a one-way process with no rollback option. Does anyone have more definitive sources of information for the best way to manage this, or know a local vendor who is well-versed in AD integration?

Thank you!
Mike

[1] https://community.centrify.com/t5/TechBlog/Basics-Understanding-how-Active-Directory-Functional-Levels/ba-p/22077
[2] https://www.server-world.info/en/note?os=CentOS_6&p=samba&f=7
[3] https://www.server-world.info/en/note?os=CentOS_7&p=realmd