Samba4: The MIT list insists that file server and DC must be one and the same

Stefan (metze) Metzmacher metze at samba.org
Fri Aug 17 03:40:59 MDT 2012


Am 17.08.2012 11:37, schrieb steve:
> On 17/08/12 11:24, Andrew Bartlett wrote:
>> On Fri, 2012-08-17 at 08:54 +0200, steve wrote:
>>> On 17/08/12 04:50, Andrew Bartlett wrote:
>>>> On Thu, 2012-08-16 at 10:10 +0200, steve wrote:
>>>>> On 15/08/12 23:18, Gémes Géza wrote:
>>>>>> Hi,
>>>>>>> Hi everyone
>>>>>>>
>>>>>>> I have set up a separate S3 file server for our S4 DC. The problem is
>>>>>>> that creating home directories for users on an NFS mounted /home
>>>>>>> share
>>>>>>> will not allow root access via krb5 with or without no_root_squash.
>>>>>>>
>>>>>>> The krb5 gurus say that it can't be done via krb5. I have to use
>>>>>>> no_root_squash and sec=sys
>>>>>>>
>>>>>>> Here is a copy of what seems to be an impossible scenario of having
>>>>>>> Kerberised NFS on a separate box to the DC:
>>>>>>>
>>>>>>> Hi Steve,
>>>>>>>
>>>>>>> No, that's because you need a ticket to get into the user directory.
>>>>>>> Even if you do `su - <username>` as root, you won't get into his
>>>>>>> home directory without the right user ticket; that's what it is
>>>>>>> designed for, to
>>>>>>> protect the user directories.
>>>>>>>
>>>>>>> So only solution is to move the Samba Server to the same file server
>>>>>>> as the NFS server is.
>>>>>>>
>>>>>>> greetings
>>>>>>>
>>>>>>> Am 15.08.12 17:10, schrieb steve:
>>>>>>>> Hi
>>>>>>>> openSUSE 12.1
>>>>>>>>
>>>>>>>> Our Samba4 DC has a Kerberised NFS mounted share. I need the
>>>>>>>> root user
>>>>>>>> to be able to write to the share. I can do this by mounting it
>>>>>>> with:
>>>>>>>> no_root_squash,sec=sys
>>>>>>>>
>>>>>>>> Is there any way I can do it with:
>>>>>>>> sec=krb5
>>>>>>>>
>>>>>>>> root has a ticket in /tmp/krb5cc_0 but he always gets permission
>>>>>>>> denied
>>>>>>>> when the share is mounted krb5, even with the no_root_squash
>>>>>>>>
>>>>>>>> Cheers,
>>>>>>>> Steve
>>>>>>>>
>>>>>>>> ________________________________________________
>>>>>>>> Kerberos mailing list           Kerberos at mit.edu
>>>>>>>> https://mailman.mit.edu/mailman/listinfo/kerberos
>>>>>> Resharing (via samba) a NFS mounted directory is always a bad idea,
>>>>>> primarily because the locking semantics are different, but
>>>>>> performance
>>>>>> wise is a disaster too (at least it was 7+ years ago when I was
>>>>>> younger,
>>>>>> more curious and reckless).
>>>>>>
>>>>>> Regards
>>>>>>
>>>>>> Geza Gemes
>>>>>
>>>>> Hi Geza
>>>>> If I am to have a S3 file server and a S4 DC on separate boxes, then I
>>>>> need some way of creating the unixHomeDirectory (uHD) for the user.
>>>>
>>>> Why can't the unix home directory only exist on the s3 file server for
>>>> all clients on all protocols?
>>>>
>>>> That is, have a DC that just does that, be a DC?
>>>>
>>>> Andrew Bartlett
>>>>
>>>
>>> Hi
>>> I'd like to create new users and their home directories on the DC
>>> because:
>>> 1. samba-tool prompts for a password, net ads doesn't
>>> 2. net ads password does not prompt either
>>> 3. net ads password needs the Administrator password including in the
>>> script we use:
>>> .
>>> samba-tool user add
>>> (this is what we want)
>>>
>>> net ads user add $1
>>> net ads password $1 some-pwb -UAdministrator%admin-pwd
>>> (this is the workaround on the S3 file server box)
>>
>> That explains why you want to run samba-tool on the DC, but why do you
>> want to have the unix home directories on the DC?  There does not need
>> to be a connection between the two.
>>
>> Andrew Bartlett
>>
> 
> Hi
> 
> My script creates not only the user himself but also sensible values in
> AD for unixHomeDirectory. I want to be able to create unixHomeDirectory.
> If I do that on the DC then I must mount the real home directory from
> the fileserver, otherwise I double the work for myself in having to:
> 1. Create the user on the DC
> 2. Go over to the file server and create his unixHomeDirectory

Can't you use:

ssh fileserver mkdir /some/path
with a ssh-key without a passphrase?

metze

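The "ssh fileserver mkdir" idea above, as an added example that is not part of the thread or of Samba itself. A passphrase-less root key on the DC is a standing credential, so the piece a practitioner wants is the other half: on the file server the key is bound to a forced command that accepts only "mkhome <user>", re-validates the name, and refuses everything else. The hostnames, key path, the /usr/local/sbin/mkhome-forced path and the "mkhome" verb are assumptions; the RFC2307 options to samba-tool (--unix-home, --uid-number, --gid-number, --login-shell) assume a samba-tool build that has them.

```shell
#!/bin/sh
# Added example (not from the thread or from Samba): metze's "ssh fileserver mkdir"
# with the restrictions a practitioner would want. Hostnames, paths and the "mkhome"
# verb are assumptions for illustration.
#
#  (1) DC side     : create the AD user with samba-tool, then ask the file server for a home dir
#  (2) file server : a forced-command wrapper bound to the DC's key, so the passphrase-less
#                    key can create home directories and nothing else

# Shared: accept only usernames that are safe to pass through a remote shell and to
# append to a path (no spaces, quotes or slashes; no leading dot or dash).
valid_username() {
    case "$1" in
        '' | *[!a-z0-9._-]* | .* | -*) return 1 ;;
        *) return 0 ;;
    esac
}

# (2) Installed on the file server as /usr/local/sbin/mkhome-forced (assumed path) and bound
# to the DC's key on one line of /root/.ssh/authorized_keys, e.g.:
#   command="/usr/local/sbin/mkhome-forced",no-pty,no-port-forwarding,no-agent-forwarding,no-X11-forwarding,from="dc.example.com" ssh-ed25519 AAAA... dc-mkhome
# sshd then runs this script instead of whatever the client asked for and passes the
# client's request in SSH_ORIGINAL_COMMAND.
HOME_ROOT="${HOME_ROOT:-/home}"

mkhome_handler() {
    # $1 is the client's requested command; the only accepted form is "mkhome <user>".
    set -f                 # no globbing while the request is word-split
    set -- $1
    set +f
    if [ "$#" -ne 2 ] || [ "$1" != "mkhome" ]; then
        echo "refused: unsupported command" >&2; return 2
    fi
    valid_username "$2" || { echo "refused: bad username" >&2; return 2; }
    # The file server must already resolve the new AD user (winbind/sssd), or chown cannot work.
    getent passwd "$2" >/dev/null 2>&1 || { echo "refused: unknown user $2" >&2; return 3; }
    dir="$HOME_ROOT/$2"
    if [ -e "$dir" ]; then
        echo "exists"; return 0     # idempotent: re-running the provisioning script is safe
    fi
    mkdir -m 0700 "$dir" && chown "$2:" "$dir" && echo "created"
}

# (1) Run on the DC. samba-tool prompts for the password itself (the reason the poster wants
# to run it there). The RFC2307 options assume a samba-tool build that has them.
FILESERVER="${FILESERVER:-fileserver.example.com}"      # assumed hostname
DC_KEY="${DC_KEY:-/root/.ssh/id_ed25519_mkhome}"        # dedicated key: passphrase-less, forced-command-only

create_user() {
    # usage: create_user <username> <uidNumber> <gidNumber>
    user="$1"; uid="$2"; gid="$3"
    valid_username "$user" || { echo "refused: bad username '$user'" >&2; return 2; }
    samba-tool user add "$user" \
        --uid-number="$uid" --gid-number="$gid" \
        --unix-home="/home/$user" --login-shell=/bin/bash || return 1
    # The validated name is all that crosses the wire; the forced command re-validates it anyway.
    ssh -i "$DC_KEY" -o BatchMode=yes -o IdentitiesOnly=yes "root@$FILESERVER" "mkhome $user"
}

# When installed as the forced command, serve sshd's request and exit; otherwise only define functions.
case "${0##*/}" in
    mkhome-forced) mkhome_handler "${SSH_ORIGINAL_COMMAND:-}"; exit $? ;;
esac
```

The from= restriction pins the key to the DC's address and the no-* options remove the shell, port forwarding and agent access, so a copy of the key buys an attacker exactly one operation: creating an empty, mode 0700 directory under HOME_ROOT for a user the file server already knows. Because the handler reports "exists" rather than failing, the DC-side script can be re-run after a partial failure without special casing.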