Samba4: The mit list insist that file server and DC must be one and the same

Gémes Géza geza at kzsdabas.hu
Thu Aug 16 07:01:53 MDT 2012


On 2012-08-16 10:10, steve wrote:
> On 15/08/12 23:18, Gémes Géza wrote:
>> Hi,
>>> Hi everyone
>>>
>>> I have setup a separate S3 file server for our S4 DC. The problem is
>>> that creating home directories for users on an NFS mounted /home share
>>> will not allow root access via krb5 with or without no_root_squash.
>>>
>>> The krb5 gurus say that it can't be done via krb5. I have to use
>>> no_root_squash and sec=sys
>>>
>>> Here is a copy of what seems to be an impossible scenario of having
>>> Kerberised NFS on a separate box to the DC:
>>>
>>> Hi Steve,
>>>
>>> no, that's because you need a ticket to get into the user directory.
>>> Even if you make an su - <username> as root, you won't get into his
>>> home directory without the right user ticket - that is what it is
>>> designed for, to protect the user directories.
>>>
>>> So only solution is to move the Samba Server to the same file server
>>> as the NFS server is.
>>>
>>> greetings
>>>
>>> On 15.08.12 17:10, steve wrote:
>>> > Hi
>>> > openSUSE 12.1
>>> >
>>> > Our Samba4 DC has a Kerberised NFS mounted share. I need the root user
>>> > to be able to write to the share. I can do this by mounting it with:
>>> > no_root_squash,sec=sys
>>> >
>>> > Is there any way I can do it with:
>>> > sec=krb5
>>> >
>>> > root has a ticket in /tmp/krb5cc_0 but he always gets permission denied
>>> > when the share is mounted krb5, even with the no_root_squash
>>> >
>>> > Cheers,
>>> > Steve
>>> >
>>> > ________________________________________________
>>> > Kerberos mailing list           Kerberos at mit.edu
>>> > https://mailman.mit.edu/mailman/listinfo/kerberos
>> Resharing (via Samba) an NFS mounted directory is always a bad idea,
>> primarily because the locking semantics are different, but performance-wise
>> it is a disaster too (at least it was 7+ years ago when I was younger,
>> more curious and reckless).
>>
>> Regards
>>
>> Geza Gemes
>
> Hi Geza
> If I am to have a S3 file server and a S4 DC on separate boxes, then I 
> need some way of creating the unixHomeDirectory (uHD) for the user.
>
> If I mount the directory holding the uHD on the DC, I can do this. The 
> directory is _not_ reshared by Samba. The Samba shares for m$ clients 
> come from the S3 file server. The NFS share is exported from the S3 
> box for Linux clients simply so that I can create user uHD's there.
>
> Anyway, do you think I'd be able to get kerberized root access if I 
> mounted the uHD sec=krb5?
>
> Cheers,
> Steve
>
I'm no expert on NFS/Kerberos issues; I migrated away from
NFS/Kerberos (to OpenAFS (which also meant moving home shares from
Samba to OpenAFS :-( , but it works and the performance is good)) a few
years ago because of stability problems.

Regards

Geza

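The thread contrasts two ways of exporting the home share: `no_root_squash,sec=sys`, which lets root on any allowed client act as root on the server, and `sec=krb5`, where the server trusts the Kerberos principal rather than the client's UID, so the `no_root_squash` option alone does not give root access. The following shell audit is an added example, not code from the thread or from any of its participants; it assumes the standard `exportfs` line syntax `path client(opt,opt,...)`, and the sample exports lines are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: classify /etc/exports-style lines by how much they trust
# a client's root user. Assumes the standard "path client(opt,...)" syntax.

# Constructed sample input, modelled on the two configurations in the thread.
SAMPLE_EXPORTS='/home 192.168.1.0/24(rw,sec=sys,no_root_squash)
/home dc.example.com(rw,sec=krb5,no_root_squash)
/srv/data *(rw,sec=krb5p)
# comment line'

# classify_export LINE
#   root-trusted  : AUTH_SYS (sec=sys) plus no_root_squash; root on any
#                   listed client is root on the export
#   krb5-identity : a Kerberos flavour; the server identifies the caller
#                   by principal, so no_root_squash does not by itself
#                   grant root access (the behaviour reported in the thread)
#   root-squashed : AUTH_SYS with the default root_squash
#   skip          : blank or comment line
classify_export() {
    line=$1
    case $line in
        ''|'#'*) printf 'skip\n'; return 0 ;;
    esac
    opts=${line#*\(}          # text after the opening parenthesis
    opts=${opts%\)}           # drop the closing parenthesis
    sec=sys                   # exportfs default security flavour
    squash=root_squash        # exportfs default squashing
    old_ifs=$IFS; IFS=,
    for o in $opts; do
        case $o in
            sec=*)          sec=${o#sec=} ;;
            no_root_squash) squash=no_root_squash ;;
            root_squash)    squash=root_squash ;;
        esac
    done
    IFS=$old_ifs
    case $sec in
        krb5*) printf 'krb5-identity\n' ;;
        *)
            if [ "$squash" = no_root_squash ]; then
                printf 'root-trusted\n'
            else
                printf 'root-squashed\n'
            fi ;;
    esac
}

# count_root_trusted: number of sample exports that trust client root
# under AUTH_SYS, i.e. the lines an auditor would want to review first.
count_root_trusted() {
    n=0
    while IFS= read -r l; do
        if [ "$(classify_export "$l")" = root-trusted ]; then
            n=$((n + 1))
        fi
    done <<EOF
$SAMPLE_EXPORTS
EOF
    printf '%s\n' "$n"
}

# Print a per-line report for the constructed sample.
printf '%s\n' "$SAMPLE_EXPORTS" | while IFS= read -r l; do
    printf '%-16s %s\n' "$(classify_export "$l")" "$l"
done
printf 'exports trusting client root under sec=sys: %s\n' "$(count_root_trusted)"
```

Run it against a real `/etc/exports` by replacing the constructed `SAMPLE_EXPORTS` with the file's contents; only the `root-trusted` lines combine a UID-based flavour with disabled root squashing, which is the combination the thread ends up recommending for creating home directories and the one worth restricting to the single host that needs it.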