[Samba] Using GPO to mount shares on Linux
L.P.H. van Belle
belle at bazuin.nl
Wed Oct 11 14:52:29 UTC 2017
Wohoo, finally I could help Rowland :-p ;-)
I follow this as guidance:
1 server (all in one): use RID, easy to set up etc., but .. if you go to ... or have plans to..
2 servers (DC + a member):
use backend RID if you don't need access with a Windows account to a shared home folder (cifs or nfs).
You use a dedicated local "linuxAdmin" for maintenance (often the first created user in Linux).
Use backend AD if you do need access with ssh, for example, or shared home folders.
3 servers or more: all servers where ssh or access to a server with a shared folder is needed, use backend AD.
Advised is all servers with file shares.
Optional, mix this with RID, for example for a dedicated print server, or proxy server (auth).
I use setup 3.
Multiple servers with AD and RID mixed on the members, based on function.
An NFS pointer is:
Make sure you set your home folder to 755; Kerberos (MIT) looks for .klogin in the home dir.
If the setup is too tight this fails. (Workaround: disable .klogin checking in krb5.conf.)
And nfs/hostname.FQDN needs to be added to HOSTNAME$ where it's needed.
For CIFS, you may need to add these lines in krb5.conf; CIFS uses them, NFS does not.
; for Windows 2008 with AES
default_tgs_enctypes = aes128-cts-hmac-sha1-96 aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
default_tkt_enctypes = aes128-cts-hmac-sha1-96 aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
permitted_enctypes = aes128-cts-hmac-sha1-96 aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
Now here, if you see "Required keys not available" no matter what you do,
then you probably are missing these lines in krb5.conf.
The source I use for the above info:
http://www.cs.rug.nl/~jurjen/ApprenticesNotes/mount_ms_cifs_using_ad_krb.html
http://www.cs.rug.nl/~jurjen/ApprenticesNotes/ad_nfs4.html
It's a .nl domain but it's in English ;-) and still contains good info.
Just beware it's based on Debian squeeze.
And handy to know:
https://support.microsoft.com/en-us/help/977321/kdc-event-id-16-or-27-is-logged-if-des-for-kerberos-is-disabled
Greetz,
Louis
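As an added example (not from Louis's post or the Samba project), a small Python check of a krb5.conf [libdefaults] section for the three enctype lines the post says CIFS mounts need, which also flags the DES and RC4 types as legacy; the sample config and realm name below are constructed.

```python
import re

# The three [libdefaults] keys from the krb5.conf lines in the post.
REQUIRED_KEYS = ("default_tgs_enctypes", "default_tkt_enctypes", "permitted_enctypes")
# Legacy enctypes: DES is disabled on current KDCs (see the Microsoft KB the
# post links) and RC4 is deprecated; the AES types are the ones to keep.
LEGACY = {"des-cbc-crc", "des-cbc-md5", "rc4-hmac", "arcfour-hmac"}

def parse_libdefaults(text):
    """Return {key: [enctype, ...]} for 'key = value' lines in [libdefaults];
    blank lines, whole-line comments (# or ;) and other sections are skipped."""
    section, out = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.match(r"^\[(\w+)\]$", line)
        if m:
            section = m.group(1)
            continue
        if section == "libdefaults" and "=" in line:
            key, _, val = line.partition("=")
            out[key.strip()] = val.split()
    return out

def check_enctypes(text):
    """Return (missing_keys, legacy_by_key): required keys absent from
    [libdefaults] (the likely cause of 'Required keys not available' on a
    CIFS mount, per the post) and legacy enctypes each present key lists."""
    cfg = parse_libdefaults(text)
    missing = [k for k in REQUIRED_KEYS if k not in cfg]
    legacy = {k: sorted(LEGACY & set(v)) for k, v in cfg.items()
              if k in REQUIRED_KEYS and LEGACY & set(v)}
    return missing, legacy

# Constructed sample krb5.conf: permitted_enctypes missing, legacy types listed.
SAMPLE = """
[libdefaults]
    default_realm = EXAMPLE.LAN
    ; for Windows 2008 with AES
    default_tgs_enctypes = aes128-cts-hmac-sha1-96 aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
    default_tkt_enctypes = aes128-cts-hmac-sha1-96 aes256-cts-hmac-sha1-96
[realms]
    EXAMPLE.LAN = { kdc = dc1.example.lan }
"""
```

Run `check_enctypes(SAMPLE)` to get the missing key list and, per present key, the legacy enctypes still configured.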