Samba4: The mit list insist that file server and DC must be one and the same

Andrew Bartlett abartlet at samba.org
Fri Aug 17 03:24:43 MDT 2012


On Fri, 2012-08-17 at 08:54 +0200, steve wrote:
> On 17/08/12 04:50, Andrew Bartlett wrote:
> > On Thu, 2012-08-16 at 10:10 +0200, steve wrote:
> >> On 15/08/12 23:18, Gémes Géza wrote:
> >>> Hi,
> >>>> Hi everyone
> >>>>
> >>>> I have setup a separate S3 file server for our S4 DC. The problem is
> >>>> that creating home directories for users on an NFS mounted /home share
> >>>> will not allow root access via krb5 with or without no_root_squash.
> >>>>
> >>>> The krb5 gurus say that it can't be done via krb5. I have to use
> >>>> no_root_squash and sec=sys
> >>>>
> >>>> Here is a copy of what seems to be an impossible scenario of having
> >>>> Kerberised NFS on a separate box to the DC:
> >>>>
> >>>> Hi Steve,
> >>>>
> >>>> no, that's because you need a ticket to get into the user directory.
> >>>> even if you make an su - <username> as root, you won't get into his
> >>>> home directory without the right user ticket - that's what it is
> >>>> designed for, to protect the user directories.
> >>>>
> >>>> So only solution is to move the Samba Server to the same file server
> >>>> as the NFS server is.
> >>>>
> >>>> greetings
> >>>>
> >>>> Am 15.08.12 17:10, schrieb steve:
> >>>>> Hi
> >>>>> openSUSE 12.1
> >>>>>
> >>>>> Our Samba4 DC has a Kerberised NFS mounted share. I need the root user
> >>>>> to be able to write to the share. I can do this by mounting it
> >>>>> with:
> >>>>> no_root_squash,sec=sys
> >>>>>
> >>>>> Is there any way I can do it with:
> >>>>> sec=krb5
> >>>>>
> >>>>> root has a ticket in /tmp/krb5cc_0 but he always gets permission denied
> >>>>> when the share is mounted krb5, even with the no_root_squash
> >>>>>
> >>>>> Cheers,
> >>>>> Steve
> >>>>>
> >>>>> ________________________________________________
> >>>>> Kerberos mailing list           Kerberos at mit.edu
> >>>>> https://mailman.mit.edu/mailman/listinfo/kerberos
> >>> Resharing (via samba) a NFS mounted directory is always a bad idea,
> >>> primarily because the locking semantics are different, but performance
> >>> wise is a disaster too (at least it was 7+ years ago when I was younger,
> >>> more curious and reckless).
> >>>
> >>> Regards
> >>>
> >>> Geza Gemes
> >>
> >> Hi Geza
> >> If I am to have a S3 file server and a S4 DC on separate boxes, then I
> >> need some way of creating the unixHomeDirectory (uHD) for the user.
> >
> > Why can't the unix home directory only exist on the s3 file server for
> > all clients on all protocols?
> >
> > That is, have a DC that just does that, be a DC?
> >
> > Andrew Bartlett
> >
> 
> Hi
> I'd like to create new users and their home directories on the DC because:
> 1. samba-tool prompts for a password, net ads doesn't
> 2. net ads password does not prompt either
> 3. net ads password needs the Administrator password included in the 
> script we use:
> samba-tool user add
> (this is what we want)
> 
> net ads user add $1
> net ads password $1 some-pwd -UAdministrator%admin-pwd
> (this is the workaround on the S3 file server box)

That explains why you want to run samba-tool on the DC, but why do you
want to have the unix home directories on the DC?  There does not need
to be a connection between the two.

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
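An added shell example, not part of this thread and not Samba project code, following Andrew's suggestion that the unix home directory need only exist on the file server: the directory is created locally, as root, on the box that exports /home, after the account has been created on the DC with samba-tool. Because the mkdir happens on the exporting host rather than through the Kerberised NFS mount, neither no_root_squash nor sec=sys is required, and no Administrator password appears on a command line. The user's uid and gid are resolved through NSS (winbind or similar on the file server). The function name create_unix_home, the default /home base directory and the usage line are assumptions.

```shell
#!/bin/sh
# Constructed example: create a user's home directory on the NFS server itself,
# so that the Kerberised mount never needs root access.
# Usage: ./create_home.sh <username> [base-directory]   (defaults to /home)

create_unix_home() {
    user="$1"
    base="${2:-/home}"

    # Resolve the account through NSS; refuse to create anything for an
    # unknown user so a typo does not leave an orphaned directory behind.
    if ! entry=$(getent passwd "$user"); then
        echo "create_unix_home: unknown user '$user'" >&2
        return 1
    fi
    uid=$(printf '%s\n' "$entry" | cut -d: -f3)
    gid=$(printf '%s\n' "$entry" | cut -d: -f4)
    home="$base/$user"

    # Idempotent: an existing directory is left untouched (ownership and mode
    # are deliberately not "repaired", so a rerun cannot widen or re-own it).
    if [ -d "$home" ]; then
        echo "create_unix_home: $home already exists, leaving it alone" >&2
        return 0
    fi

    # 0700 so other users on the share cannot read it; owned by the user's
    # own uid/gid so their Kerberos-authenticated NFS client can write there.
    mkdir "$home" || return 1
    chmod 0700 "$home" || return 1
    chown "$uid:$gid" "$home" || return 1
    return 0
}

# Run only when invoked directly with a username argument.
if [ $# -ge 1 ]; then
    create_unix_home "$@"
fi
```

On the file server this would be run (as root) from the same provisioning script that calls samba-tool on the DC, for example over ssh, so that the DC never has to write through the mount at all.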