Samba4: The MIT list insists that file server and DC must be one and the same

Gémes Géza geza at kzsdabas.hu
Wed Aug 15 15:18:47 MDT 2012


Hi,
> Hi everyone
>
> I have set up a separate S3 file server for our S4 DC. The problem is 
> that creating home directories for users on an NFS mounted /home share 
> will not allow root access via krb5 with or without no_root_squash.
>
> The krb5 gurus say that it can't be done via krb5. I have to use 
> no_root_squash and sec=sys
>
> Here is a copy of what seems to be an impossible scenario of having 
> Kerberised NFS on a separate box to the DC:
>
> Hi Steve,
>
> no, that's because u need a ticket to get into the user directory.
> even if u make an su - <username> as root, u won't get into his
> home directory without the right user ticket - that's what it is
> designed for, to protect the user directories.
>
> So the only solution is to move the Samba Server to the same file server 
> as the NFS server is.
>
> greetings
>
> On 15.08.12 17:10, steve wrote:
> > Hi
> > openSUSE 12.1
> >
> > Our Samba4 DC has a Kerberised NFS mounted share. I need the root user
> > to be able to write to the share. I can do this by mounting it with:
> > no_root_squash,sec=sys
> >
> > Is there any way I can do it with:
> > sec=krb5
> >
> > root has a ticket in /tmp/krb5cc_0 but he always gets permission denied
> > when the share is mounted krb5, even with the no_root_squash
> >
> > Cheers,
> > Steve
> >
> > ________________________________________________
> > Kerberos mailing list           Kerberos at mit.edu
> > https://mailman.mit.edu/mailman/listinfo/kerberos

Resharing (via samba) an NFS mounted directory is always a bad idea, 
primarily because the locking semantics are different, but performance-wise 
it is a disaster too (at least it was 7+ years ago when I was younger, 
more curious and reckless).

Regards

Geza Gemes

