[Samba] Using Samba AD for NFSV4 Kerberos servers and clients
L.P.H. van Belle
belle at bazuin.nl
Mon Feb 5 13:37:58 UTC 2018
I suggest, have a look here:
This is my production setup on Debian Stretch.
Now for Ubuntu 16.04 it's about the same; I suggest you read through it, you'll see it and get it ;-)
The order in which I install helps prevent errors in other steps, so take note of that.
I work with the AD backend for every server with shares, and auth-only members can use rid in the mix, like a proxy server.
Why AD backend, very advisable for file servers, see
My only reason : AD Advantage:
IDs are not stored in a local database that can corrupt and thus file ownerships are not lost.
.... I hate corruptions, happened one time... Never again...
And see below, I also commented a bit in between your lines.
> -----Original message-----
> From: Ken McDonald [mailto:ken at generation.tech]
> Sent: Monday 5 February 2018 14:10
> To: L.P.H. van Belle; samba at lists.samba.org
> Subject: Re: [Samba] Using Samba AD for NFSV4 Kerberos servers and clients
> Thank you for your insightful response. It's a shame that once I figured
> this all out, I got to such a terminal problem. I suppose the NFS4 krb5
> remote mount ACL issue works OK with other, non-Samba AD, KDCs? Is
> that the core issue of this problem, the KDC portion?
It's only Linux as far as I know, but it is only a matter of time before it gets fixed.
> My plan was almost done: from a single bare-metal Ubuntu 16.04.3 server,
> setup Samba AD as the user/group directory and make a file server
> sharing to both Windows and Linux Mint clients using SMB and NFS4
> (encrypted) with POSIX & Windows ACLs for each style. I got that
> implementation to work quite well all the way down to the NFS4 Kerberos
> ACL problem in this thread. It all works OK with non-Kerberos NFS4 and I
> suppose I'll have to deploy it that way for now; changing to the
> encrypted style should be no problem in the future.
For that I use: ignore system acls = yes
See man smb.conf for the info about this one.
> Strangely, I did not run into the "Using the Domain Controller as a File
> Server" problem "Running shares with POSIX ACLs on a Samba DC is not
> supported" mentioned here:
> I guess this works because my Linux clients connect through NFS and get
> POSIX ACLs that way (even though those POSIX ACLs are making use of
> Samba AD users/groups through winbindd (with "idmap config DOMAIN:backend = ad"))?
> Any other helpful comments by anyone for this particular Samba AD file
> server implementation would be appreciated. I think I'll make a full
> step-by-step writeup once I get all this working.
See my howtos and change them to Ubuntu, and send me a copy when done. ;-)
Or better, put them on GitHub so I can fork them.