Samba4: The MIT list insists that file server and DC must be one and the same

Gémes Géza geza at kzsdabas.hu
Fri Aug 17 05:20:42 MDT 2012


On 2012-08-17 11:40, Stefan (metze) Metzmacher wrote:
> On 17.08.2012 11:37, steve wrote:
>> On 17/08/12 11:24, Andrew Bartlett wrote:
>>> On Fri, 2012-08-17 at 08:54 +0200, steve wrote:
>>>> On 17/08/12 04:50, Andrew Bartlett wrote:
>>>>> On Thu, 2012-08-16 at 10:10 +0200, steve wrote:
>>>>>> On 15/08/12 23:18, Gémes Géza wrote:
>>>>>>> Hi,
>>>>>>>> Hi everyone
>>>>>>>>
>>>>>>>> I have set up a separate S3 file server for our S4 DC. The problem is
>>>>>>>> that creating home directories for users on an NFS-mounted /home
>>>>>>>> share will not allow root access via krb5, with or without
>>>>>>>> no_root_squash.
>>>>>>>>
>>>>>>>> The krb5 gurus say that it can't be done via krb5. I have to use
>>>>>>>> no_root_squash and sec=sys
>>>>>>>>
>>>>>>>> Here is a copy of what seems to be an impossible scenario of having
>>>>>>>> Kerberised NFS on a separate box to the DC:
>>>>>>>>
>>>>>>>> Hi Steve,
>>>>>>>>
>>>>>>>> No, that's because you need a ticket to get into the user directory.
>>>>>>>> Even if you do an su - <username> as root, you won't get into his
>>>>>>>> home directory without the right user ticket - that's what it is
>>>>>>>> designed for, to protect the user directories.
>>>>>>>>
>>>>>>>> So only solution is to move the Samba Server to the same file server
>>>>>>>> as the NFS server is.
>>>>>>>>
>>>>>>>> greetings
>>>>>>>>
>>>>>>>> On 15.08.12 17:10, steve wrote:
>>>>>>>>> Hi
>>>>>>>>> openSUSE 12.1
>>>>>>>>>
>>>>>>>>> Our Samba4 DC has a Kerberised NFS-mounted share. I need the
>>>>>>>>> root user to be able to write to the share. I can do this by
>>>>>>>>> mounting it with:
>>>>>>>>> no_root_squash,sec=sys
>>>>>>>>>
>>>>>>>>> Is there any way I can do it with:
>>>>>>>>> sec=krb5
>>>>>>>>>
>>>>>>>>> root has a ticket in /tmp/krb5cc_0 but he always gets permission
>>>>>>>>> denied
>>>>>>>>> when the share is mounted krb5, even with the no_root_squash
>>>>>>>>>
>>>>>>>>> Cheers,
>>>>>>>>> Steve
>>>>>>>>>
>>>>>>>>> ________________________________________________
>>>>>>>>> Kerberos mailing list           Kerberos at mit.edu
>>>>>>>>> https://mailman.mit.edu/mailman/listinfo/kerberos
>>>>>>> Resharing (via Samba) an NFS-mounted directory is always a bad idea,
>>>>>>> primarily because the locking semantics are different, but
>>>>>>> performance-wise it is a disaster too (at least it was 7+ years ago
>>>>>>> when I was younger, more curious and reckless).
>>>>>>>
>>>>>>> Regards
>>>>>>>
>>>>>>> Geza Gemes
>>>>>> Hi Geza
>>>>>> If I am to have an S3 file server and an S4 DC on separate boxes, then I
>>>>>> need some way of creating the unixHomeDirectory (uHD) for the user.
>>>>> Why can't the unix home directory only exist on the s3 file server for
>>>>> all clients on all protocols?
>>>>>
>>>>> That is, have a DC that just does that, be a DC?
>>>>>
>>>>> Andrew Bartlett
>>>>>
>>>> Hi
>>>> I'd like to create new users and their home directories on the DC
>>>> because:
>>>> 1. samba-tool prompts for a password, net ads doesn't
>>>> 2. net ads password does not prompt either
>>>> 3. net ads password needs the Administrator password, including in the
>>>> script we use:
>>>>
>>>> samba-tool user add
>>>> (this is what we want)
>>>>
>>>> net ads user add $1
>>>> net ads password $1 some-pwd -UAdministrator%admin-pwd
>>>> (this is the workaround on the S3 file server box)
>>> That explains why you want to run samba-tool on the DC, but why do you
>>> want to have the unix home directories on the DC?  There does not need
>>> to be a connection between the two.
>>>
>>> Andrew Bartlett
>>>
>> Hi
>>
>> My script creates not only the user himself but also sensible values in
>> AD for unixHomeDirectory. I want to be able to create unixHomeDirectory.
>> If I do that on the DC then I must mount the real home directory from
>> the fileserver, otherwise I double the work for myself in having to:
>> 1. Create the user on the DC
>> 2. Go over to the file server and create his unixHomeDirectory
> Can't you use:
>
> ssh fileserver mkdir /some/path
> with an ssh key without a passphrase?
>
> metze
>
Or via GSSAPI using a keytab?

Geza Gemes
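The remote-mkdir approach metze and Geza sketch above, written out as an added example that is not code from this thread or from Samba: the file-server side of it, as a forced command. The DC's provisioning script creates the account with samba-tool and then runs `ssh root@fileserver "$user"`; on the file server, root's authorized_keys pins the DC's passphraseless key to this script with `command="/usr/local/sbin/mkhome",no-port-forwarding,no-agent-forwarding,no-X11-forwarding,no-pty`, so the key can only ever create home directories, never run arbitrary commands as root. (A keytab-backed GSSAPI login can be confined the same way with a `Match` block and `ForceCommand` in sshd_config, since authorized_keys options only apply to public-key logins.) The script path, the `/home` base, the `/etc/skel` copy, the exit codes, and the assumption that the file server resolves AD accounts through NSS (winbind or sssd) are mine, not the thread's; the strict username check is what keeps the one string the DC sends from becoming a path-traversal or shell-injection vector.

```shell
#!/bin/sh
# mkhome: forced command for the DC's provisioning key on the S3 file server.
# (Added example; paths, names and exit codes are assumptions, not from the thread.)
#
# On the file server, in /root/.ssh/authorized_keys (one line):
#   command="/usr/local/sbin/mkhome",no-port-forwarding,no-agent-forwarding,no-X11-forwarding,no-pty ssh-ed25519 AAAA... dc-provisioning
# On the DC, after "samba-tool user add $1" has succeeded:
#   ssh root@fileserver "$1"
# sshd ignores the client's requested command and runs this script instead,
# passing the requested string in SSH_ORIGINAL_COMMAND; we treat it as a bare
# username and nothing else, so a stolen key cannot run arbitrary commands.

HOME_BASE="${HOME_BASE:-/home}"   # assumed layout; overridable for testing
SKEL="${SKEL:-/etc/skel}"

# Accept only account-name-like strings: 1-64 chars of [A-Za-z0-9._-], not
# starting with "." or "-". This rejects "../etc", spaces, quotes and every
# shell metacharacter before the name is ever used to build a path.
valid_username() {
    case "$1" in
        ''|*[!A-Za-z0-9._-]*|.*|-*) return 1 ;;
    esac
    [ "${#1}" -le 64 ]
}

# Create HOME_BASE/<user>, mode 0700, owned by <user>; print the path.
# Returns 2 for a bad name, 3 for an account this box cannot resolve,
# 4 if mkdir/skel copy fails, 5 if chown fails. An existing directory is
# left untouched and reported as success, so the DC-side script is re-runnable.
mkhome() {
    user="$1"
    valid_username "$user" || { echo "mkhome: invalid username" >&2; return 2; }
    # The account must already resolve here via NSS (winbind/sssd). Never
    # create a root-owned home for a principal this box does not know.
    uid=$(id -u "$user" 2>/dev/null) || { echo "mkhome: unknown user $user" >&2; return 3; }
    gid=$(id -g "$user")
    dir="$HOME_BASE/$user"
    if [ -d "$dir" ]; then
        echo "mkhome: $dir already exists" >&2
        return 0
    fi
    # -m 0700 at creation time: no window in which the home is world-readable.
    mkdir -m 0700 "$dir" || return 4
    if [ -d "$SKEL" ]; then
        cp -R "$SKEL"/. "$dir"/ || return 4
    fi
    chown -R "$uid:$gid" "$dir" || return 5
    echo "$dir"
}

# Forced-command entry point. set -f stops glob expansion of the client's
# string; exactly one word is accepted, anything else is refused.
if [ -n "${SSH_ORIGINAL_COMMAND:-}" ]; then
    set -f
    set -- $SSH_ORIGINAL_COMMAND
    [ $# -eq 1 ] || { echo "mkhome: expected exactly one username" >&2; exit 2; }
    mkhome "$1"
    exit $?
fi
```

Run as root on the file server it needs no arguments beyond what sshd supplies; for a manual check, source the file and call `mkhome alice`. Because the DC only ever sends a username, the Administrator password from the `net ads password` workaround never has to appear on the file server at all.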


More information about the samba-technical mailing list