Confused about samba4 & s3fs

Gémes Géza geza at kzsdabas.hu
Mon Aug 20 23:52:32 MDT 2012


On 2012-08-20 22:19, Rowland Penny wrote:
> On 20/08/12 20:26, Gémes Géza wrote:
>> On 2012-08-20 12:48, Rowland Penny wrote:
>>> On 20/08/12 10:52, steve wrote:
>>>> On 20/08/12 11:13, Marc Muehlfeld wrote:
>>>>> On 20.08.2012 10:04, Gémes Géza wrote:
>>>>>> I would suggest to set up a separate server running samba3 (or smbd,
>>>>>> nmbd, winbind from samba4) for sharing home directories. Reasons:
>>>>>> 1. samba/s3fs doesn't support the [homes] share which (in case of
>>>>>> smbd) automatically maps to the user's home folder
>>>>>
>>>>> If it's recommended or good to have the homes on an s4 server, I
>>>>> don't know, but you can have [homes] on a s4 server (I tried it with
>>>>> s3fs on beta4). Simply add
>>>>>     [homes]
>>>>>        read only = No
>>>>> (nothing else is required) to your s4 smb.conf and restart samba.
>>>>>
>>>>> BUT: The users need to have a value in their "homeDirectory"
>>>>> attribute, pointing to the path (like "/home/muehlfeld"). I had to
>>>>> fill this manually, because on migration, the attribute is not
>>>>> transferred from LDAP. But for new users you have to add this anyway
>>>>> manually.
>>>>>
>>>>
>>>> Hi Marc
>>>> The problem is that on S4/s3fs, winbind expects _all_ home 
>>>> directories to be in /home/DOMAIN/user format. It cannot pull the 
>>>> actual home directory from AD as can S3 winbind. The workaround 
>>>> (which I see as a solution and real alternative to winbind) is to 
>>>> use nss-pam-ldapd which just works. S3 or S4.
>>>> Cheers and thanks for the input,
>>>> Steve
>>>>
>>>>
>>>>
>>>>
>>>
>>> Hi Steve, yes you are right but wrong, here is a list of users from 
>>> my test server:
>>>
>>> HOME\Administrator:*:0:100::/home/HOME/Administrator:/bin/bash
>>> HOME\Guest:*:3000001:3000002::/home/HOME/Guest:/bin/bash
>>> HOME\krbtgt:*:3000006:100::/home/HOME/krbtgt:/bin/bash
>>> HOME\dns-adserver:*:3000007:100::/home/HOME/dns-adserver:/bin/bash
>>> HOME\rowland:*:3000013:3000012::/home/HOME/rowland:/bin/bash
>>> HOME\fred:*:3000022:3000012::/home/HOME/fred:/bin/bash
>>> HOME\george:*:3000023:3000012::/home/HOME/george:/bin/bash
>>> HOME\staff1:*:3000038:3000035::/home/HOME/staff1:/bin/bash
>>> HOME\student1:*:3000039:3000036::/home/HOME/student1:/bin/bash
>>> HOME\student2:*:3000040:3000037::/home/HOME/student2:/bin/bash
>>> HOME\dhcpduser:*:3000041:100::/home/HOME/dhcpduser:/bin/bash
>>>
>>> compare it with this from my test client (Xubuntu 12.04, Samba 3.6.3):
>>>
>>> getent passwd
>>> root:x:0:0:root:/root:/bin/bash
>>> ............
>>> student1:*:3000039:3000036:student1:/home2/students/7a/student1:/bin/bash
>>> student2:*:3000040:3000037:student2:/home2/students/7b/student2:/bin/bash
>>> rowland:*:3000013:3000012:rowland:/home/HOME/rowland:/bin/bash
>>> george:*:3000023:3000012:george:/home/HOME/users/george:/bin/bash
>>> staff1:*:3000038:3000035:staff1:/home2/staff/staff1:/bin/bash
>>> fred:*:3000022:3000012:fred:/home/HOME/fred:/bin/bash
>>>
>>> Now if your users were to log into the server directly they would 
>>> get a home directory in /home/HOME but I am sure that you would 
>>> never let them log into the server only into a client.
>>> So when they log into the client they use the unixhomedirectory as 
>>> below
>>>
>>> rowland at Notebook ~ $ ssh rowland at 192.168.0.162
>>> rowland at 192.168.0.162's password:
>>> rowland at vmclient:~$ pwd
>>> /home/HOME/rowland
>>> rowland at vmclient:~$ echo $HOME
>>> /home/HOME/rowland
>>> rowland at vmclient:~$ exit
>>> rowland at Notebook ~ $ ssh student1 at 192.168.0.162
>>> student1 at 192.168.0.162's password:
>>> student1 at vmclient:~$ pwd
>>> /home2/students/7a/student1
>>> student1 at vmclient:~$ echo $HOME
>>> /home2/students/7a/student1
>>>
>>> If you examine an ldif of student1 you find:
>>>
>>> unixHomeDirectory: /home2/students/7a/student1
>>> profilePath: \\adserver\profiles\student1
>>> homeDirectory: \\adserver\home\student1
>>>
>>> I think that what is happening is that S4 winbind is taking the 
>>> homeDirectory setting, losing the first part, taking the second 
>>> part, adding the domain name, taking the username (last part) and 
>>> coming up with: /home/HOME/student1.
>>> This may be what you want if you are using the [homes] directive, 
>>> but can be ignored if you export the home directories as normal 
>>> shares i.e. export /home2/students/7a as [7a]
>>>
>>> Rowland
>>>
>> Hi Rowland!
>>
>> You are wrong about the samba4 winbind implementation, it simply gets 
>> what the template homedir parameter dictates. Its default value is 
>> /home/${DOMAINNAME}/${USERNAME}. And thus if you want you can put it 
>> elsewhere by setting template homedir, but cannot have e.g.
>> /home/staff/rowland and /home/students/student1 at the same time 
>> (without some ugly and tricky symlinks) shared as [homes] by samba4. 
>> The same works like a charm on a Samba3 member server joined to the 
>> Samba4 domain.
>>
>> Regards
>>
>> Geza Gemes
>>
>>
> Ok, so S4 winbind sets /home/${DOMAINNAME}/${USERNAME}, why? winbind 
> on samba 3.6.3 does not do this, it uses unixHomeDirectory.
Because that part hasn't been implemented yet in samba4.
>
> The [homes] share is just that, a share, but with the path set 
> automatically from the username, so if you do not use it, there should 
> be no problem.
> So, on a samba 3.6.3 client, to use the unixHomeDirectory, just create 
> shares that use the path to the directory that holds the users, as in 
> /home2/students/7a, for users that are members of group 7a, no symlinks 
> involved. This works for me, as shown in my last post.
> Using libpam-mount, I can mount the user's unixHomeDirectory (wherever 
> that may be) on the client.
>
> So what is the problem with this setup?
>
> Rowland
>
>
>
>
There is no problem, I just warned you that sharing homes from a Samba4 
DC could be problematic.

Regards

Geza Gemes


More information about the samba-technical mailing list
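
The difference discussed in this thread can be checked mechanically. The following is an added example, not code from any poster or from the Samba project: it parses the two `getent passwd` listings quoted above (a subset of the lines, copied from the thread), confirms that every home path on the DC is just the expanded `template homedir`, and lists users whose home path differs on the member. The `%D`/`%U` substitution syntax is an assumption; the thread writes the default as `/home/${DOMAINNAME}/${USERNAME}`.

```python
# Added example: compare home directories reported by two "getent passwd" runs.
# Sample lines are copied from the listings quoted in the thread.
DC_PASSWD = r"""
HOME\rowland:*:3000013:3000012::/home/HOME/rowland:/bin/bash
HOME\fred:*:3000022:3000012::/home/HOME/fred:/bin/bash
HOME\george:*:3000023:3000012::/home/HOME/george:/bin/bash
HOME\staff1:*:3000038:3000035::/home/HOME/staff1:/bin/bash
HOME\student1:*:3000039:3000036::/home/HOME/student1:/bin/bash
"""
MEMBER_PASSWD = """
student1:*:3000039:3000036:student1:/home2/students/7a/student1:/bin/bash
rowland:*:3000013:3000012:rowland:/home/HOME/rowland:/bin/bash
george:*:3000023:3000012:george:/home/HOME/users/george:/bin/bash
staff1:*:3000038:3000035:staff1:/home2/staff/staff1:/bin/bash
fred:*:3000022:3000012:fred:/home/HOME/fred:/bin/bash
"""

def parse_passwd(text):
    """Return {uid: (domain, user, home)} from passwd(5)-format lines."""
    entries = {}
    for line in text.splitlines():
        fields = line.strip().split(":")
        if len(fields) != 7:
            continue  # skip blank and malformed lines
        domain, _, user = fields[0].rpartition("\\")  # strip "DOMAIN\" if present
        entries[int(fields[2])] = (domain, user, fields[5])
    return entries

def expand_template(template, domain, user):
    """Expand %D/%U (assumed syntax; the thread writes ${DOMAINNAME}/${USERNAME})."""
    return template.replace("%D", domain).replace("%U", user)

def template_derived(entries, template="/home/%D/%U"):
    """True if every home path is exactly the expanded template."""
    return all(h == expand_template(template, d, u) for d, u, h in entries.values())

def home_mismatches(dc, member):
    """Users (matched by UID) whose home path differs between the two hosts."""
    return sorted(
        (member[uid][1], dc[uid][2], member[uid][2])
        for uid in dc.keys() & member.keys()
        if dc[uid][2] != member[uid][2]
    )

if __name__ == "__main__":
    dc, member = parse_passwd(DC_PASSWD), parse_passwd(MEMBER_PASSWD)
    print("DC homes all template-derived:", template_derived(dc))
    for user, dc_home, member_home in home_mismatches(dc, member):
        print(f"{user}: DC={dc_home} member={member_home}")
```

Entries are matched by UID rather than by name because the DC listing carries the `HOME\` prefix and file ownership on a shared home tree follows the numeric ID.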