Samba4: The mit list insist that file server and DC must be one and the same

steve steve at steve-ss.com
Thu Aug 16 02:10:44 MDT 2012


On 15/08/12 23:18, Gémes Géza wrote:
> Hi,
>> Hi everyone
>>
>> I have setup a separate S3 file server for our S4 DC. The problem is
>> that creating home directories for users on an NFS mounted /home share
>> will not allow root access via krb5 with or without no_root_squash.
>>
>> The krb5 gurus say that it can't be done via krb5. I have to use
>> no_root_squash and sec=sys
>>
>> Here is a copy of what seems to be an impossible scenario of having
>> Kerberised NFS on a separate box to the DC:
>>
>> Hi Steve,
>>
>> no, that's because u need a ticket to get into the user directory.
>> even if u make an su -  <username> as root, u won't get into his
>> home directory without the right user ticket - that's what it is
>> designed for, to
>> protect the user directories.
>>
>> So only solution is to move the Samba Server to the same file server
>> as the NFS server is.
>>
>> greetings
>>
>> On 15.08.12 17:10, steve wrote:
>> > Hi
>> > openSUSE 12.1
>> >
>> > Our Samba4 DC has a Kerberised NFS mounted share. I need the root user
>> > to be able to write to the share. I can do this by mounting it
>> > with:
>> > no_root_squash,sec=sys
>> >
>> > Is there any way I can do it with:
>> > sec=krb5
>> >
>> > root has a ticket in /tmp/krb5cc_0 but he always gets permission denied
>> > when the share is mounted krb5, even with the no_root_squash
>> >
>> > Cheers,
>> > Steve
>> >
>> > ________________________________________________
>> > Kerberos mailing list           Kerberos at mit.edu
>> > https://mailman.mit.edu/mailman/listinfo/kerberos
> Resharing (via samba) an NFS mounted directory is always a bad idea,
> primarily because the locking semantics are different, but performance-wise
> it is a disaster too (at least it was 7+ years ago when I was younger,
> more curious and reckless).
>
> Regards
>
> Geza Gemes

Hi Geza
If I am to have a S3 file server and a S4 DC on separate boxes, then I 
need some way of creating the unixHomeDirectory (uHD) for the user.

If I mount the directory holding the uHD on the DC, I can do this. The 
directory is _not_ reshared by Samba. The Samba shares for m$ clients 
come from the S3 file server. The NFS share is exported from the S3 box 
for Linux clients simply so that I can create user uHD's there.

Anyway, do you think I'd be able to get kerberized root access if I 
mounted the uHD sec=krb5?

Cheers,
Steve



More information about the samba-technical mailing list