[Samba] Kerberized-nfs4 home-dir stopped working
Andrew Bartlett
abartlet at samba.org
Tue Jun 21 10:01:51 UTC 2022
On Tue, 2022-06-21 at 11:56 +0200, Kees van Vloten wrote:
> Hi Andrew,
>
> I did set "ms-DS-MachineAccountQuota: 0" and indeed only admins
> create users. Is that a sufficient mitigation for the Dollar
> Ticket attack?
Yes. Thankfully no support for ms-DS-MachineAccountQuota in samba, and
if I have anything to do with it, it will be de-fanged entirely if it
ever comes along.
>
> The other thing is I have smb-filesharing for Windows clients and
> nfs-filesharing for Linux clients, currently on separate sub-
> trees
> to avoid issues. I would like to consolidate those to one
> technology, smb-filesharing.
>
> But I do have some questions:
>
>
>
> Do I need the unix-extensions for Linux clients (I have
> disabled < smb3, i.e. cannot use unix-extensions at the
> moment)?
> Are there any thoughts about sharing a home-dir between
> Windows and Linux, currently nfs-home is at /home/<user>
> and smb (windows) home-dir is somewhere else?
> Is pam_mount the way to go to mount the smb-homedir at login?
> I could not find much on the Wiki.
>
>
>
>
I'll let others answer on these.
There is work ongoing to add back a safe set of unix extensions, but
you can't use them right now. In the meantime the clients muddle along
as best they can using 'normal' SMB2/3 features. It might work enough
for you.
Andrew Bartlett
>
> >
>
>
>
--
Andrew Bartlett (he/him) https://samba.org/~abartlet/Samba Team Member (since 2001) https://samba.orgSamba Team Lead, Catalyst IT https://catalyst.net.nz/services/samba
Samba Development and Support, Catalyst IT - Expert Open SourceSolutions
More information about the samba
mailing list