Samba4: The mit list insist that file server and DC must be one and the same

steve steve at steve-ss.com
Fri Aug 17 03:37:28 MDT 2012


On 17/08/12 11:24, Andrew Bartlett wrote:
> On Fri, 2012-08-17 at 08:54 +0200, steve wrote:
>> On 17/08/12 04:50, Andrew Bartlett wrote:
>>> On Thu, 2012-08-16 at 10:10 +0200, steve wrote:
>>>> On 15/08/12 23:18, Gémes Géza wrote:
>>>>> Hi,
>>>>>> Hi everyone
>>>>>>
>>>>>> I have setup a separate S3 file server for our S4 DC. The problem is
>>>>>> that creating home directories for users on an NFS mounted /home share
>>>>>> will not allow root access via krb5 with or without no_root_squash.
>>>>>>
>>>>>> The krb5 gurus say that it can't be done via krb5. I have to use
>>>>>> no_root_squash and sec=sys
>>>>>>
>>>>>> Here is a copy of what seems to be an impossible scenario of having
>>>>>> Kerberised NFS on a separate box to the DC:
>>>>>>
>>>>>> Hi Steve,
>>>>>>
>>>>>> no, that's because u need a ticket to get into the user directory.
>>>>>> even if u make an su -  <username> as root, u won't get into his
>>>>>> homedirectory without the right user ticket - that's what it is
>>>>>> designed for, to
>>>>>> protect the userdirectories.
>>>>>>
>>>>>> So only solution is to move the Samba Server to the same file server
>>>>>> as the NFS server is.
>>>>>>
>>>>>> greetings
>>>>>>
>>>>>> Am 15.08.12 17:10, schrieb steve:
>>>>>>> Hi
>>>>>>> openSUSE 12.1
>>>>>>>
>>>>>>> Our Samba4 DC has a Kerberised NFS mounted share. I need the root user
>>>>>>> to be able to write to the share. I can do this by mounting it
>>>>>>> with:
>>>>>>> no_root_squash,sec=sys
>>>>>>>
>>>>>>> Is there any way I can do it with:
>>>>>>> sec=krb5
>>>>>>>
>>>>>>> root has a ticket in /tmp/krb5cc_0 but he always gets permission denied
>>>>>>> when the share is mounted krb5, even with the no_root_squash
>>>>>>>
>>>>>>> Cheers,
>>>>>>> Steve
>>>>>>>
>>>>>>> ________________________________________________
>>>>>>> Kerberos mailing list           Kerberos at mit.edu
>>>>>>> https://mailman.mit.edu/mailman/listinfo/kerberos
>>>>> Resharing (via samba) a NFS mounted directory is always a bad idea,
>>>>> primarily because the locking semantics are different, but performance
>>>>> wise is a disaster too (at least it was 7+ years ago when I was younger,
>>>>> more curious and reckless).
>>>>>
>>>>> Regards
>>>>>
>>>>> Geza Gemes
>>>>
>>>> Hi Geza
>>>> If I am to have a S3 file server and a S4 DC on separate boxes, then I
>>>> need some way of creating the unixHomeDirectory (uHD) for the user.
>>>
>>> Why can't the unix home directory only exist on the s3 file server for
>>> all clients on all protocols?
>>>
>>> That is, have a DC that just does that, be a DC?
>>>
>>> Andrew Bartlett
>>>
>>
>> Hi
>> I'd like to create new users and their home directories on the DC because:
>> 1. samba-tool prompts for a password, net ads doesn't
>> 2. net ads password does not prompt either
>> 3. net ads password needs the Administrator password including in the
>> script we use:
>> .
>> samba-tool user add
>> (this is what we want)
>>
>> net ads user add $1
>> net ads password $1 some-pwb -UAdministrator%admin-pwd
>> (this is the workaround on the S3 file server box)
>
> That explains why you want to run samba-tool on the DC, but why do you
> want to have the unix home directories on the DC?  There does not need
> to be a connection between the two.
>
> Andrew Bartlett
>

Hi

My script creates not only the user himself but also sensible values in 
AD for unixHomeDirectory. I want to be able to create unixHomeDirectory. 
If I do that on the DC then I must mount the real home directory from 
the fileserver, otherwise I double the work for myself in having to:
1. Create the user on the DC
2. Go over to the file server and create his unixHomeDirectory

Cheers,
Steve
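
The two-step procedure above (create the account on the DC, then create the unixHomeDirectory on the separate file server) can be done from one script without mounting /home on the DC and without putting the Administrator password into the script the way `net ads password ... -UAdministrator%admin-pwd` does. The following is an added example, not a script from this thread or from the Samba project. It assumes: the script runs as root on the DC, so `samba-tool` needs no credentials and still prompts for the user's password; `samba-tool user add` accepts the RFC2307 options `--unix-home`, `--uid-number`, `--gid-number` and `--login-shell`; the DC can reach the file server as root over ssh with a key (which can be restricted with `command=` in the file server's authorized_keys); and the host name `fileserver.example.com`, the gidNumber 100 and the username `alice` are constructed placeholder values.

```shell
#!/bin/sh
# Added example (not from the thread): one script for both steps, with no
# Administrator password embedded anywhere.
# Hypothetical values: FILESERVER, HOME_ROOT and DEFAULT_GID below.
set -eu

FILESERVER="${FILESERVER:-fileserver.example.com}"   # hypothetical S3 file server
HOME_ROOT="${HOME_ROOT:-/home}"                       # where unixHomeDirectory lives
DEFAULT_GID="${DEFAULT_GID:-100}"                     # gidNumber for "users" (constructed)

# Accept only plain account names so an argument can never smuggle shell
# metacharacters into the mkdir/chown command executed on the file server.
valid_username() {
    printf '%s' "$1" | grep -Eq '^[a-z_][a-z0-9_-]{0,31}$'
}

# Build the samba-tool command that creates the AD account together with the
# unixHomeDirectory/uidNumber/gidNumber attributes. samba-tool itself prompts
# for the new user's password. Returned as a string so it can be reviewed or
# tested before it is run on the DC.
user_add_cmd() {
    user="$1"; uid="$2"
    printf 'samba-tool user add %s --unix-home=%s/%s --uid-number=%s --gid-number=%s --login-shell=/bin/bash' \
        "$user" "$HOME_ROOT" "$user" "$uid" "$DEFAULT_GID"
}

# Build the command run on the file server over ssh: create the directory,
# hand it to the new uidNumber/gidNumber, and keep it private (0700).
home_dir_cmd() {
    user="$1"; uid="$2"
    printf "mkdir -p '%s/%s' && chown %s:%s '%s/%s' && chmod 0700 '%s/%s'" \
        "$HOME_ROOT" "$user" "$uid" "$DEFAULT_GID" \
        "$HOME_ROOT" "$user" "$HOME_ROOT" "$user"
}

create_user() {
    user="$1"; uid="$2"
    valid_username "$user" || { echo "invalid username: $user" >&2; return 1; }
    # Step 1: create the account on the DC (run as root on the DC).
    sh -c "$(user_add_cmd "$user" "$uid")"
    # Step 2: create the unix home directory on the file server; authentication
    # is the ssh key, not a password in this file.
    ssh "root@$FILESERVER" "$(home_dir_cmd "$user" "$uid")"
}

# Only act when invoked with arguments: ./adduser.sh <username> <uidNumber>
if [ "$#" -eq 2 ]; then
    create_user "$1" "$2"
fi
```

Running `./adduser.sh alice 10001` on the DC creates `alice` with `unixHomeDirectory=/home/alice` and `uidNumber=10001` in AD, then creates `/home/alice` owned by 10001:100 on the file server. The uidNumber is passed in rather than allocated here because allocation policy (xidNumber ranges, idmap backend) is site-specific.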

