Samba4: The mit list insists that file server and DC must be one and the same

steve steve at steve-ss.com
Fri Aug 17 00:54:22 MDT 2012


On 17/08/12 04:50, Andrew Bartlett wrote:
> On Thu, 2012-08-16 at 10:10 +0200, steve wrote:
>> On 15/08/12 23:18, Gémes Géza wrote:
>>> Hi,
>>>> Hi everyone
>>>>
>>>> I have set up a separate S3 file server for our S4 DC. The problem is
>>>> that creating home directories for users on an NFS mounted /home share
>>>> will not allow root access via krb5 with or without no_root_squash.
>>>>
>>>> The krb5 gurus say that it can't be done via krb5. I have to use
>>>> no_root_squash and sec=sys
>>>>
>>>> Here is a copy of what seems to be an impossible scenario of having
>>>> Kerberised NFS on a separate box to the DC:
>>>>
>>>> Hi Steve,
>>>>
>>>> no, that's because you need a ticket to get into the user directory.
>>>> even if you make an su - <username> as root, you won't get into his
>>>> home directory without the right user ticket - that is what it is
>>>> designed for, to
>>>> protect the user directories.
>>>>
>>>> So only solution is to move the Samba Server to the same file server
>>>> as the NFS server is.
>>>>
>>>> greetings
>>>>
>>>> Am 15.08.12 17:10, schrieb steve:
>>>>> Hi
>>>>> openSUSE 12.1
>>>>>
>>>>> Our Samba4 DC has a Kerberised NFS mounted share. I need the root user
>>>>> to be able to write to the share. I can do this by mounting it
>>>>> with:
>>>>> no_root_squash,sec=sys
>>>>>
>>>>> Is there any way I can do it with:
>>>>> sec=krb5
>>>>>
>>>>> root has a ticket in /tmp/krb5cc_0 but he always gets permission denied
>>>>> when the share is mounted krb5, even with the no_root_squash
>>>>>
>>>>> Cheers,
>>>>> Steve
>>>>>
>>>>> ________________________________________________
>>>>> Kerberos mailing list           Kerberos at mit.edu
>>>>> https://mailman.mit.edu/mailman/listinfo/kerberos
>>> Resharing (via samba) a NFS mounted directory is always a bad idea,
>>> primarily because the locking semantics are different, but performance
>>> wise is a disaster too (at least it was 7+ years ago when I was younger,
>>> more curious and reckless).
>>>
>>> Regards
>>>
>>> Geza Gemes
>>
>> Hi Geza
>> If I am to have a S3 file server and a S4 DC on separate boxes, then I
>> need some way of creating the unixHomeDirectory (uHD) for the user.
>
> Why can't the unix home directory only exist on the s3 file server for
> all clients on all protocols?
>
> That is, have a DC that just does that, be a DC?
>
> Andrew Bartlett
>

Hi
I'd like to create new users and their home directories on the DC because:
1. samba-tool prompts for a password, net ads doesn't
2. net ads password does not prompt either
3. net ads password needs the Administrator password, including in the 
script we use:

samba-tool user add
(this is what we want)

net ads user add $1
net ads password $1 some-pwd -UAdministrator%admin-pwd
(this is the workaround on the S3 file server box)

Cheers,
Steve
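The workaround script above passes the Administrator password on the command line (-UAdministrator%admin-pwd), where it is visible to every local user in the process list and ends up in shell history, and it interpolates $1 into the command unquoted. The following wrapper is an added example, not code from the thread or from the Samba project: it validates the username before it reaches a command line and reads the Administrator credentials from a root-only file through net's -A/--authentication-file option instead. The path /etc/samba/admin.auth is an assumed placeholder.

```shell
#!/bin/sh
# Added example (not from the mailing list thread): a safer wrapper around the
# "net ads" workaround from the post. Assumed credential file path:
AUTHFILE=/etc/samba/admin.auth
# Expected contents of that file (net -A format):
#   username = Administrator
#   password = <admin password>
#   domain   = <your AD domain>
# It must be owned by root with mode 600 so the password never appears in
# `ps` output or shell history the way -UAdministrator%admin-pwd does.

# Accept only sAMAccountName-style names: letters, digits, dot, dash and
# underscore, 1 to 20 characters. Returns 0 if valid, 1 otherwise, so an
# unvalidated $1 can never smuggle extra words or options into the command.
valid_username() {
    case "$1" in
        ''|*[!A-Za-z0-9._-]*) return 1 ;;
    esac
    [ "${#1}" -le 20 ]
}

# Refuse to use a credential file that other users could read.
# Returns 0 only for an existing regular file with mode 600 or 400.
authfile_is_private() {
    [ -f "$1" ] || return 1
    perms=$(stat -c %a "$1" 2>/dev/null) || return 1
    [ "$perms" = "600" ] || [ "$perms" = "400" ]
}

# Create the AD account with the Administrator credentials read from AUTHFILE.
# The new user's initial password is read from the terminal without echo; it
# still has to be handed to "net ads password" as an argument, which is the
# limitation Steve points out and why samba-tool's interactive prompt is nicer.
add_user() {
    user=$1
    valid_username "$user" || { echo "invalid username: $user" >&2; return 2; }
    authfile_is_private "$AUTHFILE" || {
        echo "refusing: $AUTHFILE missing or not mode 600/400" >&2; return 3; }
    printf 'Initial password for %s: ' "$user"
    stty -echo; read -r newpw; stty echo; echo
    net ads user add "$user" -A "$AUTHFILE" || return 4
    net ads password "$user" "$newpw" -A "$AUTHFILE"
}

# Only act when a username was given, so sourcing the file for its helpers is harmless.
[ $# -eq 0 ] || add_user "$1"
```

Usage: `./adduser.sh alice` on the S3 file server box; names such as `alice bob` or `alice -UAdministrator` are rejected before any command runs, and the script stops if the credential file is world-readable.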


