Difference between revisions of "File shares"

From Linux User Group at WUR
Line 17: Line 17:
  
 
This may occasionally not work on the first try, as the hostname WURNET.NL points to multiple machines. You may need to do this repeatedly to get a stable connection.
 
This may occasionally not work on the first try, as the hostname WURNET.NL points to multiple machines. You may need to do this repeatedly to get a stable connection.
 +
 +
=== Mounting dfs-root ===
 +
The dfs-root share uses Kerberos authentication. We will explain how to setup the kerberos client, obtain a token and finally mount this share.
 +
 +
1. Installing the kerberos client
 +
 +
(RedHat/Centos)
 +
 +
<code>yum install krb5.libs krb5.workstation</code>
 +
 +
(Ubuntu)
 +
 +
<code>sudo apt-get install krb5-user</code>
 +
 +
2. Configuration for WURNET
 +
  <code>sudo vim /etc/krb5.conf
 +
 +
includedir /etc/krb5.conf.d/ #only for red hat and centos, drop this line for ubuntu
 +
 +
[logging]
 +
default = FILE:/var/log/krb5libs.log
 +
kdc = FILE:/var/log/krb5kdc.log
 +
admin_server = FILE:/var/log/kadmind.log
 +
 +
[libdefaults]
 +
dns_lookup_realm = false
 +
ticket_lifetime = 24h
 +
renew_lifetime = 7d
 +
forwardable = true
 +
rdns = false
 +
pkinit_anchors = /etc/pki/tls/certs/ca-bundle.crt
 +
default_realm = WURNET.NL
 +
kdc_timesync = 1
 +
ccache_type = 4
 +
forwardable = true
 +
proxiable = true
 +
default_ccache_name = KEYRING:persistent:%{uid}
 +
 +
[realms]
 +
WURNET.NL = {
 +
  kdc = wurdc1.wurnet.nl
 +
  admin_server = wurdc1.wurnet.nl
 +
  kdc = wurdc2.wurnet.nl
 +
  kdc = wurdc1.wurnet.nl
 +
  kdc = wurdc3.wurnet.nl
 +
}
 +
 +
[domain_realm]
 +
    wurnet.nl = WURNET.NL
 +
    .wurnet.nl = WURNET.NL
 +
 +
</code>
 +
 +
3. Configure the Kerberos session keys
 +
<code>sudo vim /etc/request-key.d/cifs.spnego.conf
 +
create  cifs.spnego    * * /usr/sbin/cifs.upcall -t %k
 +
</code>
 +
This file will most probably already exist. Make sure you are using the '-t' flag!
 +
 +
4. Edit /etc/fstab
 +
<code>//WURNET.NL/dfs-root/  /mnt/dfs-root          cifs    rw,credentials=/<local_path>/.creds,sec=krb5,vers=3.0,noauto,nofail,uid=<local_user>,gid=<local_user>    0      0</code>
 +
<local_path> is the path on your local machine to the credential file which we will create in the next step.
 +
5. Create the Kerberos credential file
 +
<code>vim /<local_path>/.creds
 +
 +
username=<WUR_user>
 +
password=
 +
domain=WUR
 +
 +
</code>
 +
Please leave the field for password really empty!
 +
 +
6. Acquirea Kerberos key with your credentials
 +
<code>
 +
sudo kinit sikke025@WURNET.NL
 +
</code>
 +
Now you will be asked to provide your password.
 +
 +
7. Check key properties
 +
<code>
 +
sudo klist
 +
 +
Valid starting    Expires            Service principal
 +
11-02-20 12:07:35  11-02-20 22:06:59  cifs/scomp6133.wurnet.nl@WURNET.NL
 +
renew until 18-02-20 12:06:55
 +
11-02-20 12:07:35  11-02-20 22:06:59  cifs/scomp6000.wurnet.nl@WURNET.NL
 +
renew until 18-02-20 12:06:55
 +
11-02-20 12:07:16  11-02-20 22:06:59  cifs/scomp6004.wurnet.nl@WURNET.NL
 +
renew until 18-02-20 12:06:55
 +
11-02-20 12:06:59  11-02-20 22:06:59  krbtgt/WURNET.NL@WURNET.NL
 +
renew until 18-02-20 12:06:55
 +
 +
</code>
 +
 +
8. Now you can mount the drive
 +
 +
<code>
 +
sudo mkdir /mnt/dfs-root/
 +
sudo chmod 755 /mnt/dfs-root
 +
sudo mount /mnt/dfs-root/
 +
</code>
 +
  
 
=== Other Shares ===
 
=== Other Shares ===
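Review bot: step 1 of the added section gives the Red Hat packages as "krb5.libs krb5.workstation", with dots where the package names have hyphens, so the yum line should read "yum install krb5-libs krb5-workstation". In the krb5.conf block, "forwardable = true" appears twice under [libdefaults] and "kdc = wurdc1.wurnet.nl" twice under [realms]; one of each can go. The "#only for red hat and centos" remark trailing the includedir line belongs on a line of its own, because krb5.conf comments are whole lines, and step 6 hard-codes the account "sikke025" where step 5 uses the <WUR_user> placeholder.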

Revision as of 11:15, 11 February 2020

Mounting Home Directories - CIFS

As WUR has moved to a new home directory storage method, the path to finding it is much simpler:

Write yourself an /etc/fstab entry that looks like this:

//fs01mixedsmb.wurnet.nl/DBL-STANDARD_HOMEDIR$/myuser	/mnt/mdrive	cifs	noauto,user,username=myuser,domain=wur,uid=mylocaluser,gid=mylocalgroup	0	0

(Replace myuser with your own WUR account name, and mylocaluser/mylocalgroup with the account/group you have locally)

Now you can simply:

mount /mnt/mdrive

And after entering your password, you have access to your M drive share.

Caveats

This may occasionally not work on the first try, as the hostname WURNET.NL points to multiple machines. You may need to do this repeatedly to get a stable connection.

Mounting dfs-root

The dfs-root share uses Kerberos authentication. We will explain how to set up the Kerberos client, obtain a ticket and finally mount this share.

1. Installing the Kerberos client

(RedHat/CentOS)
yum install krb5-libs krb5-workstation
(Ubuntu)
sudo apt-get install krb5-user

2. Configuration for WURNET

 sudo vim /etc/krb5.conf

# the includedir line is only for Red Hat and CentOS; drop it on Ubuntu
includedir /etc/krb5.conf.d/

[logging]

default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

[libdefaults]

dns_lookup_realm = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
rdns = false
pkinit_anchors = /etc/pki/tls/certs/ca-bundle.crt
default_realm = WURNET.NL
kdc_timesync = 1
ccache_type = 4
proxiable = true
default_ccache_name = KEYRING:persistent:%{uid}

[realms]

WURNET.NL = {
 kdc = wurdc1.wurnet.nl
 kdc = wurdc2.wurnet.nl
 kdc = wurdc3.wurnet.nl
 admin_server = wurdc1.wurnet.nl
}

[domain_realm]

   wurnet.nl = WURNET.NL
   .wurnet.nl = WURNET.NL

3. Configure the Kerberos session keys

sudo vim /etc/request-key.d/cifs.spnego.conf

create  cifs.spnego    * * /usr/sbin/cifs.upcall -t %k

This file will most probably already exist. Make sure you are using the '-t' flag!

4. Edit /etc/fstab

//WURNET.NL/dfs-root/  /mnt/dfs-root  cifs  rw,credentials=/<local_path>/.creds,sec=krb5,vers=3.0,noauto,nofail,uid=<local_user>,gid=<local_user>  0  0

<local_path> is the path on your local machine to the credential file which we will create in the next step.

5. Create the Kerberos credential file

vim /<local_path>/.creds

username=<WUR_user>
password=
domain=WUR

Please leave the password field completely empty!

6. Acquire a Kerberos key with your credentials

sudo kinit sikke025@WURNET.NL

(Use your own WUR account name in place of sikke025.) Now you will be asked to provide your password.

7. Check key properties

sudo klist

Valid starting     Expires            Service principal
11-02-20 12:07:35  11-02-20 22:06:59  cifs/scomp6133.wurnet.nl@WURNET.NL
	renew until 18-02-20 12:06:55
11-02-20 12:07:35  11-02-20 22:06:59  cifs/scomp6000.wurnet.nl@WURNET.NL
	renew until 18-02-20 12:06:55
11-02-20 12:07:16  11-02-20 22:06:59  cifs/scomp6004.wurnet.nl@WURNET.NL
	renew until 18-02-20 12:06:55
11-02-20 12:06:59  11-02-20 22:06:59  krbtgt/WURNET.NL@WURNET.NL
	renew until 18-02-20 12:06:55

8. Now you can mount the drive

sudo mkdir /mnt/dfs-root/
sudo chmod 755 /mnt/dfs-root
sudo mount /mnt/dfs-root/
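The settings from steps 3 to 7 can be checked before the mount is attempted. The shell functions below are an added example, not part of the original wiki page; the function names are hypothetical, and the owner-only file mode check applies the advice this page gives for ~/.smbpassword to the .creds file as well.

```shell
#!/bin/sh
# Added example: pre-flight checks for the Kerberos dfs-root mount.
# Function names are hypothetical; file paths are arguments so copies can be checked.

# Step 3: the cifs.spnego rule must run cifs.upcall with the -t flag.
check_spnego_conf() {
    awk '$1 == "create" && $2 == "cifs.spnego" {
             for (i = 5; i <= NF; i++) if ($i ~ /^-[A-Za-z]*t/) found = 1
         }
         END { exit(found ? 0 : 1) }' "$1"
}

# Step 4: the fstab line for the mount point must be cifs with sec=krb5.
check_fstab_entry() {   # $1 = fstab file, $2 = mount point
    awk -v mp="$2" '$1 !~ /^#/ && $2 == mp && $3 == "cifs" &&
                    ("," $4 ",") ~ /,sec=krb5i?,/ { ok = 1 }
                    END { exit(ok ? 0 : 1) }' "$1"
}

# Step 5: username set, password left empty, file readable by its owner only.
check_creds_file() {
    grep -Eq '^username=.+' "$1" || return 1
    grep -Eq '^password=[[:space:]]*$' "$1" || return 1
    case "$(ls -ld "$1")" in
        -rw-------*|-r--------*) return 0 ;;
        *) return 1 ;;
    esac
}

# Steps 6-8: run every check, confirm a valid ticket, then mount.
preflight() {   # $1 = credentials file, $2 = mount point (optional)
    mp="${2:-/mnt/dfs-root}"
    check_spnego_conf /etc/request-key.d/cifs.spnego.conf ||
        { echo "cifs.spnego rule is missing -t" >&2; return 1; }
    check_fstab_entry /etc/fstab "$mp" ||
        { echo "no cifs sec=krb5 entry for $mp in /etc/fstab" >&2; return 1; }
    check_creds_file "$1" ||
        { echo "$1: need username, empty password, owner-only mode" >&2; return 1; }
    # klist -s prints nothing and exits non-zero if the cache is missing or expired.
    klist -s || { echo "no valid ticket, run kinit first" >&2; return 1; }
    mount "$mp"
}
```

Source the file and call preflight with the path to your .creds file as root, since the page obtains the ticket and mounts with sudo and klist must read the same credential cache.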


Other Shares

The easiest way to gather information about available CIFS shares is using smbclient. On Ubuntu, you need the package 'smbclient' to provide this.

Usage:

smbclient -L <server> -U username

This will show you all the mounts available to you on that machine.

To test the mount:

sudo mount //server/share -ousername=username,domain=wur /tmp/smb

This will hold until you unmount it.

Automatically mounting at boot (/etc/fstab)

The above example will only mount when called. To have it mount at boot, the mount must be able to authenticate without a prompt, so the credentials have to be stored somewhere. Modify the options to this:

//fs01mixedsmb.wurnet.nl/Homes/username	/mnt/mdrive	cifs	credentials=/home/localuser/.smbpassword,user,username=username,domain=wur,uid=localuser,gid=localuser	0	0

Then you can make the credential file. Set it to mode 600, so that only you or root may read or write it, before the password goes in.

echo username=username > ~/.smbpassword

chmod 600 ~/.smbpassword

echo password=mypassword >> ~/.smbpassword


Automatically mounting when users login (pam_mount)

apt-get install libpam-mount cifs-utils

Create or edit pam_mount.conf.xml in /etc/security


<?xml version="1.0" encoding="utf-8" ?>
<!DOCTYPE pam_mount SYSTEM "pam_mount.conf.xml.dtd">
<!--
	See pam_mount.conf(5) for a description.
-->

<pam_mount>

		<!-- debug should come before everything else,
		since this file is still processed in a single pass
		from top-to-bottom -->

<debug enable="0" />

		<!-- Volume definitions -->


		<!-- pam_mount parameters: General tunables -->

<luserconf name=".pam_mount.conf.xml" />

<!-- Note that commenting out mntoptions will give you the defaults.
     You will need to explicitly initialize it with the empty string
     to reset the defaults to nothing. -->
<mntoptions allow="*" />
<!--
<mntoptions allow="nosuid,nodev,loop,encryption,fsck,nonempty,allow_root,allow_other" />
<mntoptions deny="suid,dev" />
<mntoptions allow="*" />
<mntoptions deny="*" />
-->
<mntoptions require="nosuid,nodev" />

<logout wait="0" hup="0" term="0" kill="0" />

<!-- pam_mount parameters: Volume-related -->

<mkmountpoint enable="1" remove="true" />

</pam_mount>

Create a .pam_mount.conf.xml file in each user's home directory.

 
<pam_mount>
	<volume options="domain=WUR,nodev,nosuid" user="*" mountpoint="~/M" path="Homes/%(USER)" server="WURNET.NL" fstype="cifs" />
	<volume options="domain=WUR,nodev,nosuid" user="*" mountpoint="~/W" path="DFS-Root" server="WURNET.NL" fstype="cifs" />
</pam_mount>

And then create the directories in the user's home directory.

mkdir ~/M

mkdir ~/W

You can use skel to put these in place automatically when a new user is created. To do so, place the .pam_mount.conf.xml file in /etc/skel/ and create the M and W directories in /etc/skel.

What is the DFS-Root

DFS is Microsoft's Distributed File System. The purpose of a distributed file system is that the user can access files without knowing on which server the files are located. The root of a distributed file system is called the DFS-Root. The DFS-Root contains virtual directories, which are actually 'links' to shares on some servers.

Most modern CIFS implementations are able to handle DFS properly, thus a config like:

//WURNET.NL/DFS-Root	/mnt/wdrive	cifs	noauto,user,username=username,domain=wur	0	0

Should work.

With newer versions of smbclient, the default protocol version may not work, and a version then has to be specified in the mount options. In that case, try it with version 1.0:

//WURNET.NL/DFS-Root	/mnt/wdrive	cifs	noauto,user,username=username,domain=wur,vers=1.0	0	0