[Samba] nfs based shared home dir question
L.P.H. van Belle
belle at bazuin.nl
Mon Sep 7 08:44:27 UTC 2015
Ok, I clarify a bit more.
\\servername.internal.domain.tld\users2\%username% is used in my AD for the home folder of the users. %username% translates to the username.
I tried 2 setups now, a Windows ACL based setup and a POSIX based setup.
Both fail for me.
THE SERVER with the shares (and is the NFS server)
The samba/windows part. (posix rights setup)
On the server this is /home/samba/users2
Users is shared, owner root, Group root, everyone.
These have all "special" rights, with "only this folder"
ls -al gives :
drwxr-xr-x 3 root root 4096 Sep 7 10:18 users2
# file: home/samba/users2
# owner: root
# group: root
user::rwx
group::r-x
other::r-x
the user:
drwxrwx---+ 2 root root 4096 Sep 7 10:18 someuser
getfacl someuser/
# file: someuser/
# owner: root
# group: root
user::rwx
user:root:rwx
user:someuser:rwx
group::---
group:root:---
group:BUILTIN\134administrators:rwx
mask::rwx
other::---
default:user::rwx
default:user:root:rwx
default:user:someuser:rwx
default:group::---
default:group:root:---
default:group:BUILTIN\134administrators:rwx
default:mask::rwx
default:other::---
I mounted the folder on the client server.
This is the mount option:
# NFS V4 Test
servername.internal.domain.tld:/users2 /home/users2 nfs4 sec=krb5 0 0
In /etc/default/nfs-common: NEED_IDMAPD=yes NEED_GSSD=yes NEED_STATD=no
/etc/idmap.conf ( on both servers )
Domain = internal.domain.tld
[Mapping]
Nobody-User = nobody
Nobody-Group = nogroup
[Translation]
Method = nsswitch
cat /etc/nsswitch.conf
# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.
passwd: compat winbind
group: compat winbind
shadow: compat
gshadow: files
hosts: files dns
networks: files
protocols: db files
services: db files
ethers: db files
rpc: db files
netgroup: nis
and I get this as result.
root@print1:/home/users2# whoami
root
root@print1:/home/users2# cd someuser/
-su: cd: someuser/: Permission denied
root@rtd-print1:/home/users2# ls -al
total 16
drwxr-xr-x 3 root root 4096 Sep 7 10:18 .
drwxr-xr-x 8 root root 4096 Sep 7 10:16 ..
drwxrwx--- 2 root root 4096 Sep 7 10:18 someuser
even root can't access the user folder..
the output of nfs4_getfacl someuser
A::OWNER@:rwaDxtTcCy
A::root@rotterdam.bazuin.nl:rwaDxtcy
A::someuser@rotterdam.bazuin.nl:rwaDxtcy
A::GROUP@:tcy
A:g:root@rotterdam.bazuin.nl:tcy
A:g:BUILTIN\administrators@rotterdam.bazuin.nl:rwaDxtcy
A::EVERYONE@:tcy
A:fdi:OWNER@:rwaDxtTcCy
A:fdi:root@rotterdam.bazuin.nl:rwaDxtcy
A:fdi:someuser@rotterdam.bazuin.nl:rwaDxtcy
A:fdi:GROUP@:tcy
A:fdig:root@rotterdam.bazuin.nl:tcy
A:fdig:BUILTIN\administrators@rotterdam.bazuin.nl:rwaDxtcy
A:fdi:EVERYONE@:tcy
I don't know where I went wrong here..
Greetz,
Louis
> -----Original message-----
> From: Ritter, Marcel (RRZE) [mailto:marcel.ritter at fau.de]
> Sent: Monday 7 September 2015 10:13
> To: 'L.P.H. van Belle'; samba at lists.samba.org
> Subject: AW: [Samba] nfs based shared home dir question
>
> Hi Louis,
>
> I must admit I've never used RATS to create home directories - but
> the tool used to create the directories should not make a
> difference.
>
> So back to the basics:
>
> What's the output of nfs4_getfacl (instead of getfacl) on the nfs client?
>
> Keep in mind, that (afaik) there's currently no standard linux filesystem
> supporting NFSv4 style ACLs. So every posix ACL needs to be converted
> to NFSv4 ACL (and back) - and that could cause additional trouble.
>
> What ownership/group does the client report if you create a simple
> home path manually? (-> does idmap work as expected?)
>
> If you can see the correct owner/group - but still get no access to
> the directory (as owner) you might have run into the same trouble
> I'm trying to figure out right now :-(
> In that case the output of "klist" (after trying to access the nfs
> directory)
> would be interesting ...
>
> Bye,
> Marcel
>
> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of L.P.H.
> van Belle
> Sent: Monday, 7 September 2015 09:36
> To: samba at lists.samba.org
> Subject: Re: [Samba] nfs based shared home dir question
>
> Hai Marcel,
>
> I'm using nfsv4 kerberos based host/client.
> This is the line of the cat /proc/mounts
> nfs4 rw,relatime,vers=4.0,rsize=131072,wsize=131072,namlen=255,hard,proto=tcp,port=0,timeo=600,retrans=2,sec=krb5,clientaddr=192.168.xx.xx,local_lock=none,addr=192.168.xxx.xxx 0 0
>
> fstab only contains: nfs4 sec=krb5
>
> Yes, I did see the nfs4-acl-tools, seen that, hoped that helped a bit, but
> I did not get that to work either.
>
> Should I switch back to nfs3, or is it just not possible on the "by RATS"
> created user and homedir to share with nfs?
>
> I can't find anything about this on the wiki.
>
> How are you guys doing things like this, sharing the user home folder?
> Or am I missing something here?
>
> Greetz,
>
> Louis
>
> > -----Original message-----
> > From: Ritter, Marcel (RRZE) [mailto:marcel.ritter at fau.de]
> > Sent: Monday 7 September 2015 9:15
> > To: 'L.P.H. van Belle'; samba at lists.samba.org
> > Subject: AW: [Samba] nfs based shared home dir question
> >
> > Hi Louis,
> >
> > What NFS version/options are you using?
> > -> cat /proc/mounts
> >
> > If you're using NFS v4 there are no more Posix ACLs, so getfacl won't
> > get you anywhere.
> >
> > NFS v4 comes with different ACL style - and different tools
> > (nfs4-acl-tools):
> > nfs4_getfacl / nfs4_setfacl
> >
> > Bye,
> > Marcel
> >
> > -----Original message-----
> > From: samba [mailto:samba-bounces at lists.samba.org] On behalf of L.P.H.
> > van Belle
> > Sent: Friday, 4 September 2015 15:53
> > To: samba at lists.samba.org
> > Subject: [Samba] nfs based shared home dir question
> >
> > Hai..
> >
> > I need to have my home dirs shared over some of my servers.
> > I did setup a nfs4 kerberos base
> > Debian jessie, samba 4.1.17 and sernet samba 4.1.3 on these servers.
> >
> > This works, I can mount without problems.
> >
> > But because everything is created with the windows user tools, the
> > owner/Group is root.
> > Like this
> >
> > Server:
> > ls -al
> > drwxrwx---+ 2 root root 4096 Sep 4 13:17 someuser
> >
> > getfacl someuser
> > # file: someuser
> > # owner: root
> > # group: root
> > user::rwx
> > user:root:rwx
> > user:someuser:rwx
> > group::r-x
> > group:root:r-x
> > group:BUILTIN\134administrators:rwx
> > mask::rwx
> > other::---
> > default:user::rwx
> > default:user:root:rwx
> > default:user:someuser:rwx
> > default:group::r-x
> > default:group:root:r-x
> > default:group:BUILTIN\134administrators:rwx
> > default:mask::rwx
> > default:other::---
> >
> > Client:
> > ls -al
> > drwxrwx--- 2 root root 4096 Sep 4 13:17 someuser
> >
> > getfacl someuser
> > # file: someuser
> > # owner: root
> > # group: root
> > user::rwx
> > group::rwx
> > other::---
> >
> > and because of this I can't use the users' homedirs on other servers.
> >
> > Is this because I create users the "wrong way", or am I missing
> > something else?
> > I can't figure out where I did what ..(wrong)
> >
> > And if this just doesn't work because of the nfs, how did you guys
> > overcome this?
> >
> > id someuser, getent passwd someuser, wbinfo -u / -g etc, all give
> > back my user with uid/gid and homedir.
> >
> > Should I use a cifs mount?
> > Did I set something wrong on the "user" share so the user's home dir is
> > created with wrong rights?
> >
> > Anyone any suggestions?
> >
> > Greetz,
> >
> > Louis
> >
> > --
> > To unsubscribe from this list go to the following URL and read the
> > instructions: https://lists.samba.org/mailman/options/samba
>
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
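
The POSIX-to-NFSv4 ACL translation Marcel mentions, as an added example (not code from the thread, Samba or the NFS server): a simplified mapping for directories that reproduces the ALLOW entries of the nfs4_getfacl listing above from the getfacl listing of the same folder. The function name, the sample string and the letter mapping are assumptions derived from those two listings.

```python
import re

ORDER = "rwaDxtTcCy"                       # letter order as printed by nfs4_getfacl
GRANTS = {"r": "r", "w": "waD", "x": "x"}  # directory: w also grants append and delete-child
SPECIAL = {"user": "OWNER@", "group": "GROUP@", "other": "EVERYONE@"}

# Constructed sample: the getfacl entries for "someuser" from the thread;
# the default: entries there mirror the access entries.
ACCESS = r"""user::rwx user:root:rwx user:someuser:rwx group::--- group:root:---
group:BUILTIN\134administrators:rwx mask::rwx other::---""".split()
SAMPLE = "\n".join(ACCESS + ["default:" + e for e in ACCESS])

def _unescape(name):
    # getfacl prints special characters as octal escapes (\134 is a backslash)
    return re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), name)

def posix_to_nfs4(getfacl_text, domain):
    """Map getfacl output for a directory to NFSv4 ALLOW ACE strings."""
    entries = []
    for line in getfacl_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        is_default = line.startswith("default:")
        if is_default:
            line = line[len("default:"):]
        tag, rest = line.split(":", 1)
        name, perms = rest.rsplit(":", 1)
        entries.append((is_default, tag, _unescape(name), perms))
    masks = {d: p for d, t, _, p in entries if t == "mask"}
    aces = []
    for is_default, tag, name, perms in entries:
        if tag == "mask":
            continue  # the mask has no ACE of its own; it only limits others
        if name or tag == "group":  # named entries and the owning group
            perms = "".join(p for p in perms if p in masks.get(is_default, "rwx"))
        letters = set("tcy")  # read attributes, read ACL, synchronize
        for p in perms.replace("-", ""):
            letters.update(GRANTS[p])
        if tag == "user" and not name:
            letters.update("TC")  # owner may also write attributes and ACL
        who = f"{name}@{domain}" if name else SPECIAL[tag]
        flags = ("fdi" if is_default else "") + ("g" if tag == "group" and name else "")
        aces.append(f"A:{flags}:{who}:" + "".join(c for c in ORDER if c in letters))
    return aces

if __name__ == "__main__":
    print("\n".join(posix_to_nfs4(SAMPLE, "rotterdam.bazuin.nl")))
```

Comparing this output with what nfs4_getfacl reports on the client shows whether the ACL itself survived the translation, which separates ACL problems from identity-mapping or Kerberos credential problems.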