[Samba] Kerberized-nfs4 home-dir stopped working

Andrew Bartlett abartlet at samba.org
Tue Jun 21 10:01:51 UTC 2022

On Tue, 2022-06-21 at 11:56 +0200, Kees van Vloten wrote:
>     Hi Andrew,
>     I did set "ms-DS-MachineAccountQuota: 0" and indeed only admins
>       create users. Is that a sufficient mitigation for the Dollar
>       Ticket attack?
Yes.  Thankfully no support for ms-DS-MachineAccountQuota in samba, and
if I have anything to do with it, it will be de-fanged entirely if it
ever comes along.
>     The other thing is I have smb-filesharing for Windows clients and
>       nfs-filesharing for Linux clients, currently on separate sub-
> trees
>       to avoid issues. I would like to consolidate those to one
>       technology, smb-filesharing. 
>       But I do have some questions:
>       Do I need the unix-extensions for Linux clients (I have
>         disabled < smb3, i.e. cannot use unix-extensions at the
>         moment)?
>       Are there any thoughts about sharing a home-dir between
>         Windows and Linux, currently nfs-home is at /home/<user>
>         and smb (windows) home-dir is somewhere else?
>       Is pam_mount the way to go to mount the smb-homedir at login?
>         I could not find much on the Wiki.

I'll let others answer on these. 

There is work ongoing to add back a safe set of unix extensions, but
you can't use them right now.  In the meantime the clients muddle along
as best they can using 'normal' SMB2/3 features.  It might work enough
for you.

Andrew Bartlett
> >     

Andrew Bartlett (he/him)       https://samba.org/~abartlet/Samba Team Member (since 2001) https://samba.orgSamba Team Lead, Catalyst IT   https://catalyst.net.nz/services/samba
Samba Development and Support, Catalyst IT - Expert Open SourceSolutions

More information about the samba mailing list