Samba4: The mit list insist that file server and DC must be one and the same

Andrew Bartlett abartlet at samba.org
Thu Aug 16 20:50:37 MDT 2012


On Thu, 2012-08-16 at 10:10 +0200, steve wrote:
> On 15/08/12 23:18, Gémes Géza wrote:
> > Hi,
> >> Hi everyone
> >>
> >> I have setup a separate S3 file server for our S4 DC. The problem is
> >> that creating home directories for users on an NFS mounted /home share
> >> will not allow root access via krb5 with or without no_root_squash.
> >>
> >> The krb5 gurus say that it can't be done via krb5. I have to use
> >> no_root_squash and sec=sys
> >>
> >> Here is a copy of what seems to be an impossible scenario of having
> >> Kerberised NFS on a separate box to the DC:
> >>
> >> Hi Steve,
> >>
> >> no, that's because you need a ticket to get into the user directory.
> >> even if you make an su - <username> as root, you won't get into his
> >> home directory without the right user ticket - that's what it is
> >> designed for, to
> >> protect the user directories.
> >>
> >> So only solution is to move the Samba Server to the same file server
> >> as the NFS server is.
> >>
> >> greetings
> >>
> >> On 15.08.12 17:10, steve wrote:
> >> > Hi
> >> > openSUSE 12.1
> >> >
> >> > Our Samba4 DC has a Kerberised NFS mounted share. I need the root user
> >> > to be able to write to the share. I can do this by mounting it
> >> with:
> >> > no_root_squash,sec=sys
> >> >
> >> > Is there any way I can do it with:
> >> > sec=krb5
> >> >
> >> > root has a ticket in /tmp/krb5cc_0 but he always gets permission denied
> >> > when the share is mounted krb5, even with the no_root_squash
> >> >
> >> > Cheers,
> >> > Steve
> >> >
> >> > ________________________________________________
> >> > Kerberos mailing list           Kerberos at mit.edu
> >> > https://mailman.mit.edu/mailman/listinfo/kerberos
> > Resharing (via samba) a NFS mounted directory is always a bad idea,
> > primarily because the locking semantics are different, but performance
> > wise is a disaster too (at least it was 7+ years ago when I was younger,
> > more curious and reckless).
> >
> > Regards
> >
> > Geza Gemes
> 
> Hi Geza
> If I am to have an S3 file server and an S4 DC on separate boxes, then I
> need some way of creating the unixHomeDirectory (uHD) for the user.

Why can't the unix home directory only exist on the s3 file server for
all clients on all protocols?

That is, have a DC that just does that, be a DC?

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
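Added example, not from this thread, Samba or nfs-utils: a small Python audit of exports(5)-style entries for the options discussed above (no_root_squash and sec=sys versus sec=krb5), run over a constructed /etc/exports sample. It flags entries where a client's uid 0 is trusted as root, and records that under sec=krb5* the server identifies the caller by the mapped Kerberos principal rather than the client uid, which is why root's uid alone does not get in; the sample hostnames and paths are made up.

```python
import re

# Constructed sample exports file for this example (not from the thread).
SAMPLE_EXPORTS = """\
# home directories exported to the separate S3 file server
/home  fileserver.example.com(rw,sync,no_root_squash,sec=sys)
/home  fileserver.example.com(rw,sync,no_root_squash,sec=krb5)
/srv/data  *(rw,no_root_squash)
/srv/pub   192.0.2.0/24(ro,sec=krb5p) 10.0.0.0/8
"""

# client spec: "host(opt,opt)" or a bare "host" / "*" with no option list
SPEC_RE = re.compile(r'^([^(]*)(?:\((.*)\))?$')

def parse_exports(text):
    """Return a list of (path, client, [options]) from exports(5)-style text."""
    entries = []
    for raw in text.splitlines():
        fields = raw.split('#', 1)[0].split()      # drop comments, split on whitespace
        if not fields:
            continue
        path, specs = fields[0], fields[1:] or ['*']
        for spec in specs:
            m = SPEC_RE.match(spec)
            client = m.group(1) or '*'
            opts = [o for o in (m.group(2) or '').split(',') if o]
            entries.append((path, client, opts))
    return entries

def assess(path, client, opts):
    """Classify root access on one export entry; returns (level, reason)."""
    flavors = ['sys']                              # exports(5): sec defaults to sys
    for o in opts:
        if o.startswith('sec='):
            flavors = o[4:].split(':')             # e.g. sec=krb5:sys lists both
    no_squash = 'no_root_squash' in opts           # default is root_squash
    if 'sys' in flavors and no_squash:
        return ('HIGH', f'{path} {client}: AUTH_SYS trusts the client uid and uid 0 is not squashed')
    if 'sys' in flavors:
        return ('MEDIUM', f'{path} {client}: AUTH_SYS trusts the client uid (root squashed only)')
    # krb5/krb5i/krb5p: the caller is the mapped Kerberos principal, not the client uid 0
    note = 'no_root_squash only matters if that principal maps to uid 0' if no_squash else 'root squashed'
    return ('INFO', f'{path} {client}: Kerberos ({",".join(flavors)}); caller is the mapped principal; {note}')

def audit(text):
    """Assess every client entry in an exports file."""
    return [assess(*e) for e in parse_exports(text)]

if __name__ == '__main__':
    for level, reason in audit(SAMPLE_EXPORTS):
        print(f'[{level}] {reason}')
```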
