Difference between revisions of "File shares"

From LUG
(Services no longer exist.)
 
(22 intermediate revisions by 3 users not shown)
Line 1: Line 1:
== Using the department fileserver ==
+
=== Mounting Home Directories - CIFS ===
 +
As WUR has moved to a new home directory storage method, the path to finding it is much simpler:
  
=== Finding the location of a share ===
+
Write yourself an /etc/fstab entry that looks like this:
  
In order to use the guides below, you'll have to know on which servers the windows shares reside.
+
<pre style="white-space: pre;">//fs01mixedsmb.wurnet.nl/DBL-STANDARD_HOMEDIR$/myuser /mnt/mdrive cifs noauto,user,username=myuser,domain=wur,uid=mylocaluser,gid=mylocalgroup 0 0</pre>
The easiest way is to use a Windows PC, start up Explorer, got to the share and look at the Properties.
 
  
Alternatively, you can use smbclient to find all shares on a server:
+
(Replace myuser with your own WUR account name, and mylocaluser/mylocalgroup with the account/group you have locally)
  
* smbclient -I <server>.wurnet.nl -W wurnet.nl -U yourname001 -L <server>
+
Now you can simply:
  
Where <server> is scomp0300 for PSG and scomp0291 for ESG.
+
<code>mount /mnt/mdrive</code>
  
 +
And after entering your password, you have access to your M drive share.
  
=== Using smbmount (normal user) ===
+
==== Caveats ====
  
Suppose the server your personal share is located on is called sdep001 and your username is annie001, your password is annie, and you want to mount this share on ~/mnt If you do not know this information you can get it out of the ActiveDirectoryServer or from the "My Computer" screen of a windows machine.
+
This may occasionally not work on the first try, as the hostname WURNET.NL points to multiple machines. You may need to do this repeatedly to get a stable connection.
  
* smbmount '//sdep001/annie001$' ~/mnt/ -o username=annie001,password=annie,workgroup=WUR
+
=== Mounting dfs-root ===
  
if you leave out the password, the program will ask you for your password during the mounting:
+
==== With ntlmssp authentication ====
 +
Please add this line to your /etc/fstab
  
* smbmount '//sdep001/annie001$' ~/mnt/ -o username=annie001,workgroup=WUR
+
<code>//WURNET.NL/dfs-root/  /mnt/dfs-root          cifs    rw,credentials=/<path_to>/.creds,sec=ntlmssp,vers=3.0,noauto,nofail,uid=<local_user>,gid=<local_group>    0      0</code>
  
=== Using mount (as root) ====
+
Make sure your credentials file .creds contains your wur-user password.
  
you can also do this using regular mount, as Stephan Verrips writes:
+
username=<wur_user>
 +
password=<wur_password>
 +
domain=WUR
  
* mount -t smbfs -o username=verri001,workgroup=wurnet.nl //sdpw0001.wurnet.nl/verri001$ ~/mnt
+
If you do not specify the paasword you will receive the error:
  
Alternatively, the (newer) CIFS protocol can be used instead of SMB. The following example connects to the 'webdocs' share where web related files can be stored.
+
<code>mount error(13): Permission denied</code>
  
* mkdir /mnt/webdocs
+
==== With kerberos authentication ====
* mount -t cifs -o username=annie001,workgroup=wurnet.nl //skgr0004.wurnet.nl/webdocs$ /mnt/webdocs
+
The dfs-root share uses Kerberos authentication. We will explain how to setup the kerberos client, obtain a token and finally mount this share.
  
=== Automatically mounting at boot (/etc/fstab) ===
+
1. Installing the kerberos client
 +
#RedHat/Centos
 +
yum install krb5.libs krb5.workstation
 +
#Ubuntu
 +
sudo apt-get install krb5-user
 +
 
 +
2. Configuration for WURNET
 +
  sudo vim /etc/krb5.conf
 +
 
 +
  includedir /etc/krb5.conf.d/ #only for red hat and centos, drop this line for ubuntu
 +
 +
  [logging]
 +
  default = FILE:/var/log/krb5libs.log
 +
  kdc = FILE:/var/log/krb5kdc.log
 +
  admin_server = FILE:/var/log/kadmind.log
 +
 +
  [libdefaults]
 +
  dns_lookup_realm = false
 +
  ticket_lifetime = 24h
 +
  renew_lifetime = 7d
 +
  forwardable = true
 +
  rdns = false
 +
  pkinit_anchors = /etc/pki/tls/certs/ca-bundle.crt
 +
  default_realm = WURNET.NL
 +
  kdc_timesync = 1
 +
  ccache_type = 4
 +
  forwardable = true
 +
  proxiable = true
 +
  default_ccache_name = KEYRING:persistent:%{uid}
 +
 +
  [realms]
 +
  WURNET.NL = {
 +
  kdc = wurdc1.wurnet.nl
 +
  admin_server = wurdc1.wurnet.nl
 +
  kdc = wurdc2.wurnet.nl
 +
  kdc = wurdc1.wurnet.nl
 +
  kdc = wurdc3.wurnet.nl
 +
  }
 +
 +
  [domain_realm]
 +
    wurnet.nl = WURNET.NL
 +
    .wurnet.nl = WURNET.NL
 +
 
 +
3. Configure the Kerberos session keys
 +
sudo vim /etc/request-key.d/cifs.spnego.conf
 +
 
 +
create  cifs.spnego    * * /usr/sbin/cifs.upcall -t %k
 +
 +
This file will most probably already exist. Make sure you are using the '-t' flag!
 +
 +
4. Edit /etc/fstab
 +
  //WURNET.NL/dfs-root/  /mnt/dfs-root          cifs    rw,credentials=/<local_path>/.creds,sec=krb5,vers=3.0,noauto,nofail,uid=<local_user>,gid=<local_user>    0      0
 +
 
 +
<local_path> is the path on your local machine to the credential file which we will create in the next step.
 +
 
 +
5. Create the Kerberos credential file
 +
vim /<local_path>/.creds
 +
 
 +
username=<WUR_user>
 +
password=
 +
domain=WUR
 +
 
 +
Please leave the field for password really empty!
 +
 
 +
6. Acquire a Kerberos key with your credentials
 +
sudo kinit <WUR_user>@WURNET.NL
 +
 
 +
Now you will be asked to provide your password.
 +
 
 +
7. Check key properties
 +
sudo klist
 +
 
 +
Valid starting    Expires            Service principal
 +
11-02-20 12:07:35  11-02-20 22:06:59  cifs/scomp6133.wurnet.nl@WURNET.NL
 +
renew until 18-02-20 12:06:55
 +
11-02-20 12:07:35  11-02-20 22:06:59  cifs/scomp6000.wurnet.nl@WURNET.NL
 +
renew until 18-02-20 12:06:55
 +
11-02-20 12:07:16  11-02-20 22:06:59  cifs/scomp6004.wurnet.nl@WURNET.NL
 +
renew until 18-02-20 12:06:55
 +
11-02-20 12:06:59  11-02-20 22:06:59  krbtgt/WURNET.NL@WURNET.NL
 +
renew until 18-02-20 12:06:55
 +
 
 +
8. Now you can mount the drive
 +
sudo mkdir /mnt/dfs-root/
 +
sudo chmod 755 /mnt/dfs-root
 +
sudo mount /mnt/dfs-root/
 +
 
 +
 
 +
=== Other Shares ===
 +
 
 +
The easiest way to gather information about available CIFS shares is using smbclient. On Ubuntu, you need the pacakge 'smbclient' to provide this.
 +
 
 +
Usage:
  
Add the following line to the file <b>/etc/fstab</b>
+
<code>smbclient -L <server> -U username</code>
  
  //sdep001/annie001$ /mnt/wur smbfs username=annie001,password=annie,workgroup=WUR,uid=502 0 0
+
This will show you all the mounts available to you on that machine.
 +
 +
To test the mount:
  
or a really working example for a shared network drive (for DPW - note the odd spaces in the name using \040):
+
<code>sudo mount //server/share -ousername=username,domain=wur /tmp/smb</code>
  
//scomp0300/PSG~DPW\040Laboratory\040of\040Nematology$ /mnt/wur smbfs username=annie001,password=annie,workgroup=WUR,uid=501 0 0
+
This will hold until you unmount it.
  
or try
+
=== Automatically mounting at boot (/etc/fstab) ===
  
//scomp0300/PSG~DPW\040Laboratory\040of\040Nematology$ /mnt/wur smbfs //username=annie001,password=annie,workgroup=WUR,uid=501 0 0
+
The above example will only mount when called. You want it to mount on boot. However, a simple issue is present - you must authenticate to mount. Thus, you need to have some credential stash. Modify the options to this:
  
The uid represents the user id you use - check your id with the id command:
+
<pre style="white-space: pre;">//fs01mixedsmb.wurnet.nl/DBL-STANDARD_HOMEDIR$/username /mnt/mdrive cifs credentials=/home/localuser/.smbpassword,user,username=username,domain=wur,uid=localuser,gid=localuser 0 0</pre>
  
  id
+
Then you can make the credential file. Set it 600 so that only you or root may read or write.
  
it is also possible to use a gid (group id) to share the mounted drive with multiple users on one system.
+
<code>echo username=username > ~/.smbpassword</code>
  
Note: since it contains your password this option is not so secure!
+
<code>echo password=mypassword >> ~/.smbpassword</code>
  
  Safer is to use a separate password file:
+
<code>chmod 600 ~/.smbpassword</code>
 
+
 
* cd ~
+
=== Automatically mounting when users login (pam_mount) ===
* echo username=annie001 > .smbpassword
+
 
* echo password=annie >> .smbpassword 
+
<code>apt-get install libpam-mount cifs-utils</code>
* chmod 600 .smbpassword
 
  
  This created a hidden password file that can only be read by you or the root
+
Create or edit pam_mount.conf.xml in /etc/security
 +
<pre>
 +
<nowiki>
 +
<?xml version="1.0" encoding="utf-8" ?>
 +
<!DOCTYPE pam_mount SYSTEM "pam_mount.conf.xml.dtd">
 +
<!--
 +
See pam_mount.conf(5) for a description.
 +
-->
  
Change the line in the <b>/etc/fstab</b> into
+
<pam_mount>
  
* //sdep001/annie001$ /mnt/wur smbfs credentials=/home/annie/.smbpassword,workgroup=WUR,uid=502 0 0
+
<!-- debug should come before everything else,
 +
since this file is still processed in a single pass
 +
from top-to-bottom -->
  
Note: you set the uid to your user id (see 'man id') so you can write/read from your normal account.
+
<debug enable="0" />
  
Another example, again using the CIFS protocol instead of SMB, to automatically connect to the 'webdocs' share:
+
<!-- Volume definitions -->
  
* //skgr0004.wurnet.nl/webdocs$ /mnt/webdocs cifs credentials=/home/annie/.smbpassword,workgroup=wurnet.nl,uid=502 0 0
 
  
=== Using Konqueror ===
+
<!-- pam_mount parameters: General tunables -->
  
Windows shares can also be accessed, without any mounting, with the SMB kio slave (KDE).
+
<luserconf name=".pam_mount.conf.xml" />
The SMB kio slave can be used in Konqueror but also in other KDE applications.
 
  
The format of the url is:
+
<!-- Note that commenting out mntoptions will give you the defaults.
 +
    You will need to explicitly initialize it with the empty string
 +
    to reset the defaults to nothing. -->
 +
<mntoptions allow="*" />
 +
<!--
 +
<mntoptions allow="nosuid,nodev,loop,encryption,fsck,nonempty,allow_root,allow_other" />
 +
<mntoptions deny="suid,dev" />
 +
<mntoptions allow="*" />
 +
<mntoptions deny="*" />
 +
-->
 +
<mntoptions require="nosuid,nodev" />
  
  smb://<username>@<hostname>/<sharename>
+
<logout wait="0" hup="0" term="0" kill="0" />
  
where e.g.:
+
<!-- pam_mount parameters: Volume-related -->
  
* username: wur\annie001
+
<mkmountpoint enable="1" remove="true" />
* hostname: sdep001.wur.nl
 
* sharename: annie001$
 
  
=== Troubleshooting ===
+
</pam_mount>
 +
</nowiki>
 +
</pre>
  
If you get the error "Connection to .... failed" and you are sure you typed the server name correctly, you have to manually set the wins server in /etc/samba/smb.conf. Find the line that reads like:
+
Create a .pam_mount.conf.xml file in each users home directory.  
* ; wins server = <something>
 
Remove the ; and change the <something>:
 
* wins server = 10.110.10.3
 
  
== Accessing files on the DFS-Root ==
+
<pre>
 +
<nowiki>
 +
<pam_mount>
 +
<volume options="domain=WUR,nodev,nosuid" user="*" mountpoint="~/M" path="Homes/%(USER)" server="WURNET.NL" fstype="cifs" />
 +
<volume options="domain=WUR,nodev,nosuid" user="*" mountpoint="~/W" path="DFS-Root" server="WURNET.NL" fstype="cifs" />
 +
</pam_mount>
 +
</nowiki>
 +
</pre>
  
=== What is the DFS-Root ===
+
And then create the directories in the users homedir.
  
DFS is Microsoft's Distributed File System. The purpose of a distributed file system is that the user can access files without knowing on which server the files are locates. The root of a distributed files system is called the DFS-Root. In the DFS-Root are virtual directories which are actual 'links' to shares on some servers.
+
<code>mkdir ~/M</code>
  
In WURNET there is one wur-wide DFS-Root \\wur\dfs-root usually mapped to the W:-drive in windows.
+
<code>mkdir ~/W</code>
  
The samba client is unable to directly access files in the DFS-Root, instead you have to connect to the actual underlying shares.
+
You can use skel to automatically put it in users home dir when creating a new user. If you want this then place the .pam_mount.conf.xml file in /etc/skel/ and create the M and W directory in /etc/skel
  
=== DFS-Root directory mappings ===
+
=== What is the DFS-Root ===
  
If you have access a file or directory in the format:
+
DFS is Microsoft's Distributed File System. The purpose of a distributed file system is that the user can access files without knowing on which server the files are locates. The root of a distributed files system is called the DFS-Root. In the DFS-Root are virtual directories which are actual 'links' to shares on some servers.
  
\\wur\dfs-root\dir\rest\of\path or W:\dir\rest\of\path
+
Most modern CIFS implementations are able to handle DFS properly, thus a config like:
  
then you must substitute \\wur\dfs-root\dir or W:\dir according the following table
+
<nowiki>//WURNET.NL/DFS-Root /mnt/wdrive cifs noauto,user,username=username,domain=wur 0 0</nowiki>
(Dir -> share):
 
  
 +
Should work.
  
* AFSG  =  //ATO0001C/AFSG$
+
With newer versions of smbclient it could happen that it needs a version specified in the mount options because the default version is not working. Then try it with version 1.0
* APPS  =  //SCOMP0025/apps
 
* ASG  =  //LD010s/ASG$
 
* ATV  =  //SATVF0001/shares
 
* BC    =  //SCOMP0064/BC
 
* DPT-DIER  =    //SCOMP0064/DIER
 
* DPT-MAATSCHAPPIJ    =    //SCOMP0063/MAATSCHAPPIJ
 
* FB    =  //SCOMP0064/FB
 
* LEI  =  //LEIDH017S/SHARES
 
* PLANT PROJECTS = //SPRI0010/PLANTPROJECTS$
 
* RIKILT = //SCOMP0063/RIKILT
 
* STUDENT = //SCOMP0064/STUDENT
 
  
The spaces in the names have to be escaped, using \040.
+
<nowiki>//WURNET.NL/DFS-Root /mnt/wdrive cifs noauto,user,username=username,domain=wur,vers=1.0 0 0</nowiki>
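Review bot: The last added fstab line falls back to "vers=1.0", which is SMB1, while the dfs-root entries added earlier in this same revision use "vers=3.0". SMB1 is deprecated and has none of the SMB3 encryption features, so the text should tell readers to try "vers=3.0" or "vers=2.1" first and treat 1.0 as a last resort. Separately, in the added Kerberos step 1, "yum install krb5.libs krb5.workstation" uses dots where the Red Hat package names have hyphens (krb5-libs, krb5-workstation). In the added pam_mount.conf.xml, the active line mntoptions allow="*" lets the per-user .pam_mount.conf.xml request any mount option; the commented-out explicit allow list just below it would be the tighter choice.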

Latest revision as of 14:31, 25 February 2020

Mounting Home Directories - CIFS

As WUR has moved to a new home directory storage method, the path to finding it is much simpler:

Write yourself an /etc/fstab entry that looks like this:

//fs01mixedsmb.wurnet.nl/DBL-STANDARD_HOMEDIR$/myuser	/mnt/mdrive	cifs	noauto,user,username=myuser,domain=wur,uid=mylocaluser,gid=mylocalgroup	0	0

(Replace myuser with your own WUR account name, and mylocaluser/mylocalgroup with the account/group you have locally)

Now you can simply:

mount /mnt/mdrive

And after entering your password, you have access to your M drive share.

Caveats

This may occasionally not work on the first try, as the hostname WURNET.NL points to multiple machines. You may need to do this repeatedly to get a stable connection.

Mounting dfs-root

With ntlmssp authentication

Please add this line to your /etc/fstab

//WURNET.NL/dfs-root/ /mnt/dfs-root cifs rw,credentials=/<path_to>/.creds,sec=ntlmssp,vers=3.0,noauto,nofail,uid=<local_user>,gid=<local_group> 0 0

Make sure your credentials file .creds contains your wur-user password.

username=<wur_user>
password=<wur_password>
domain=WUR

If you do not specify the password you will receive the error:

mount error(13): Permission denied

With kerberos authentication

The dfs-root share uses Kerberos authentication. We will explain how to set up the Kerberos client, obtain a token and finally mount this share.

1. Installing the kerberos client

#RedHat/Centos 
yum install krb5-libs krb5-workstation
#Ubuntu 
sudo apt-get install krb5-user

2. Configuration for WURNET

 sudo vim /etc/krb5.conf

 # includedir is only for Red Hat and CentOS; drop the next line on Ubuntu
 includedir /etc/krb5.conf.d/

 [logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

 [libdefaults]
 dns_lookup_realm = false
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true
 rdns = false
 pkinit_anchors = /etc/pki/tls/certs/ca-bundle.crt
 default_realm = WURNET.NL
 kdc_timesync = 1
 ccache_type = 4
 proxiable = true
 default_ccache_name = KEYRING:persistent:%{uid}

 [realms]
 WURNET.NL = {
  kdc = wurdc1.wurnet.nl
  kdc = wurdc2.wurnet.nl
  kdc = wurdc3.wurnet.nl
  admin_server = wurdc1.wurnet.nl
 }

 [domain_realm]
   wurnet.nl = WURNET.NL
   .wurnet.nl = WURNET.NL

3. Configure the Kerberos session keys

sudo vim /etc/request-key.d/cifs.spnego.conf
 
create  cifs.spnego    * * /usr/sbin/cifs.upcall -t %k

This file will most probably already exist. Make sure you are using the '-t' flag!

4. Edit /etc/fstab

 //WURNET.NL/dfs-root/   /mnt/dfs-root           cifs    rw,credentials=/<local_path>/.creds,sec=krb5,vers=3.0,noauto,nofail,uid=<local_user>,gid=<local_user>    0       0

<local_path> is the path on your local machine to the credential file which we will create in the next step.

5. Create the Kerberos credential file

vim /<local_path>/.creds

username=<WUR_user>
password=
domain=WUR

Leave the password field completely empty!

6. Acquire a Kerberos key with your credentials

sudo kinit <WUR_user>@WURNET.NL

Now you will be asked to provide your password.

7. Check key properties

sudo klist

Valid starting     Expires            Service principal
11-02-20 12:07:35  11-02-20 22:06:59  cifs/scomp6133.wurnet.nl@WURNET.NL
	renew until 18-02-20 12:06:55
11-02-20 12:07:35  11-02-20 22:06:59  cifs/scomp6000.wurnet.nl@WURNET.NL
	renew until 18-02-20 12:06:55
11-02-20 12:07:16  11-02-20 22:06:59  cifs/scomp6004.wurnet.nl@WURNET.NL
	renew until 18-02-20 12:06:55
11-02-20 12:06:59  11-02-20 22:06:59  krbtgt/WURNET.NL@WURNET.NL
	renew until 18-02-20 12:06:55

8. Now you can mount the drive

sudo mkdir /mnt/dfs-root/
sudo chmod 755 /mnt/dfs-root
sudo mount /mnt/dfs-root/


Other Shares

The easiest way to gather information about available CIFS shares is using smbclient. On Ubuntu, you need the package 'smbclient' to provide this.

Usage:

smbclient -L <server> -U username

This will show you all the mounts available to you on that machine.

To test the mount:

sudo mount //server/share -ousername=username,domain=wur /tmp/smb

This will hold until you unmount it.

Automatically mounting at boot (/etc/fstab)

The above example only mounts when called. To mount at boot instead, there is one issue to solve: the mount has to authenticate, so the credentials must be stored in a file. Modify the options to this:

//fs01mixedsmb.wurnet.nl/DBL-STANDARD_HOMEDIR$/username	/mnt/mdrive	cifs	credentials=/home/localuser/.smbpassword,user,username=username,domain=wur,uid=localuser,gid=localuser	0	0

Then create the credential file. Set its mode to 600 so that only you or root can read or write it.

echo username=username > ~/.smbpassword

echo password=mypassword >> ~/.smbpassword

chmod 600 ~/.smbpassword
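
An added example, not part of the wiki page: a way to create the credential file without the password appearing on a command line, plus a check of the cifs entries in an fstab for inline passwords and for credential files readable by group or other. The function names write_cifs_creds and audit_cifs_fstab are made up for this example, and it assumes a POSIX shell on Linux.

```sh
#!/bin/sh
# Added example, not part of the wiki page. Function names are hypothetical.

# write_cifs_creds FILE USER [DOMAIN]
# Reads the password from stdin, so it never shows up in argv or shell
# history, and creates FILE under umask 077 so it is mode 600 from the start.
write_cifs_creds() {
    file=$1; user=$2; domain=${3:-WUR}
    if [ -t 0 ]; then
        printf 'Password for %s: ' "$user" >&2
        stty -echo
    fi
    rc=0; IFS= read -r pw || rc=$?
    if [ -t 0 ]; then stty echo; printf '\n' >&2; fi
    [ "$rc" -eq 0 ] || [ -n "$pw" ] || return 1
    (
        umask 077
        rm -f -- "$file"   # an existing file would keep its old, looser mode
        printf 'username=%s\npassword=%s\ndomain=%s\n' "$user" "$pw" "$domain" >"$file"
    )
}

# audit_cifs_fstab FSTAB
# Prints one finding per line for each cifs/smbfs entry; returns 1 if any.
audit_cifs_fstab() {
    fstab=$1; findings=0
    set -f                          # no globbing while splitting the options
    while read -r dev mnt type opts rest; do
        case $dev in ''|'#'*) continue ;; esac
        case $type in cifs|smbfs) ;; *) continue ;; esac
        cred=
        old_ifs=$IFS; IFS=,
        for o in $opts; do
            case $o in
                password=*|pass=*)
                    echo "$mnt: password is stored inline in $fstab"
                    findings=$((findings + 1)) ;;
                credentials=*|cred=*) cred=${o#*=} ;;
            esac
        done
        IFS=$old_ifs
        [ -n "$cred" ] || continue
        if [ ! -f "$cred" ]; then
            echo "$mnt: credentials file $cred does not exist"
            findings=$((findings + 1))
        elif [ "$(ls -ld -- "$cred" | cut -c5-10)" != "------" ]; then
            echo "$mnt: $cred is accessible to group or other, expected mode 600"
            findings=$((findings + 1))
        fi
    done <"$fstab"
    set +f
    [ "$findings" -eq 0 ]
}

# Usage:
#   write_cifs_creds ~/.smbpassword username   # prompts without echo
#   audit_cifs_fstab /etc/fstab
```
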

Automatically mounting when users login (pam_mount)

apt-get install libpam-mount cifs-utils

Create or edit pam_mount.conf.xml in /etc/security


<?xml version="1.0" encoding="utf-8" ?>
<!DOCTYPE pam_mount SYSTEM "pam_mount.conf.xml.dtd">
<!--
	See pam_mount.conf(5) for a description.
-->

<pam_mount>

		<!-- debug should come before everything else,
		since this file is still processed in a single pass
		from top-to-bottom -->

<debug enable="0" />

		<!-- Volume definitions -->


		<!-- pam_mount parameters: General tunables -->

<luserconf name=".pam_mount.conf.xml" />

<!-- Note that commenting out mntoptions will give you the defaults.
     You will need to explicitly initialize it with the empty string
     to reset the defaults to nothing. -->
<mntoptions allow="*" />
<!--
<mntoptions allow="nosuid,nodev,loop,encryption,fsck,nonempty,allow_root,allow_other" />
<mntoptions deny="suid,dev" />
<mntoptions allow="*" />
<mntoptions deny="*" />
-->
<mntoptions require="nosuid,nodev" />

<logout wait="0" hup="0" term="0" kill="0" />

<!-- pam_mount parameters: Volume-related -->

<mkmountpoint enable="1" remove="true" />

</pam_mount>

Create a .pam_mount.conf.xml file in each user's home directory.

 
<pam_mount>
	<volume options="domain=WUR,nodev,nosuid" user="*" mountpoint="~/M" path="Homes/%(USER)" server="WURNET.NL" fstype="cifs" />
	<volume options="domain=WUR,nodev,nosuid" user="*" mountpoint="~/W" path="DFS-Root" server="WURNET.NL" fstype="cifs" />
</pam_mount>

And then create the directories in the user's home directory.

mkdir ~/M

mkdir ~/W

You can use skel to put these in a user's home directory automatically when a new user is created. If you want this, place the .pam_mount.conf.xml file in /etc/skel/ and create the M and W directories in /etc/skel.

What is the DFS-Root

DFS is Microsoft's Distributed File System. The purpose of a distributed file system is that the user can access files without knowing on which server the files are located. The root of a distributed file system is called the DFS-Root. The DFS-Root contains virtual directories which are actually 'links' to shares on some servers.

Most modern CIFS implementations are able to handle DFS properly, thus a config like:

//WURNET.NL/DFS-Root	/mnt/wdrive	cifs	noauto,user,username=username,domain=wur	0	0

should work.

With newer versions of smbclient, the default protocol version may not work, and a version then has to be specified in the mount options. In that case, try version 1.0:

//WURNET.NL/DFS-Root	/mnt/wdrive	cifs	noauto,user,username=username,domain=wur,vers=1.0	0	0