[Samba] Using Samba AD for NFSV4 Kerberos servers and clients
L.P.H. van Belle
belle at bazuin.nl
Mon Feb 5 13:37:58 UTC 2018
Hai Ken,
I suggest you have a look here:
https://github.com/thctlo/samba4/tree/master/howtos
This is my production setup on debian Stretch.
Now for Ubuntu 16.04 it's about the same. I suggest you read through it; you'll see it and get it ;-)
The order in which I install helps prevent errors in other steps, so take note of that.
I work with the AD backend for every server with shares, and auth-only members can use rid in the mix, like a proxy server.
Why the AD backend? It is very advisable for file servers; see
https://wiki.samba.org/index.php/Idmap_config_ad
And
https://wiki.samba.org/index.php/Idmap_config_rid
My only reason: AD advantage:
IDs are not stored in a local database that can corrupt and thus file ownerships are not lost.
... I hate corruption; it happened one time... Never again...
And see below, I also commented a bit in between your lines.
> -----Original message-----
> From: Ken McDonald [mailto:ken at generation.tech]
> Sent: Monday, 5 February 2018 14:10
> To: L.P.H. van Belle; samba at lists.samba.org
> Subject: Re: [Samba] Using Samba AD for NFSV4 Kerberos servers and clients
>
> Louis,
>
> Thank you for your insightful response. It's a shame that once I figured
> this all out, I got to such a terminal problem. I suppose the NFS4 krb5
> remote mount ACL issue works OK with other, non-Samba AD, KDCs? Is
> that the core issue of this problem, the KDC portion?
It's only Linux as far as I know, but it is only a matter of time to get it fixed.
>
> My plan was almost done: from a single bare-metal Ubuntu 16.04.3 server,
> set up Samba AD as the user/group directory and make a file server
> sharing to both Windows and Linux Mint clients using SMB and NFS4
> (encrypted) with POSIX & Windows ACLs for each style. I got that
> implementation to work quite well all the way down to the NFS4 Kerberos
> ACL problem in this thread. It all works OK with non-Kerberos NFS4 and I
> suppose I'll have to deploy it that way for now; changing to the
> encrypted style should be no problem in the future.
For that I use: ignore system acls = yes
See man smb.conf for the info about this one.
>
> Strangely, I did not run into the "Using the Domain Controller as a File
> Server" problem "Running shares with POSIX ACLs on a Samba DC is not
> supported" mentioned here:
>
> https://wiki.samba.org/index.php/Setting_up_Samba_as_an_Active_Directory_Domain_Controller
>
> I guess this works because my Linux clients connect through
> NFS and get POSIX ACLs that way (even though those POSIX ACLs are making use of
> Samba AD users/groups through winbindd (with "idmap config DOMAIN:backend = ad"))?
>
> Any other helpful comments by anyone for this particular Samba AD file
> server implementation would be appreciated. I think I'll make a full
> step-by-step writeup once I get all this working.
See my howtos and change them to Ubuntu, and send me a copy when done. ;-)
Or better, put them on GitHub so I can fork them.
>
> -Ken
>
>
Good luck.
Louis