Difference between revisions of "File shares"
(6 intermediate revisions by one other user not shown) | |||
Line 19: | Line 19: | ||
=== Mounting dfs-root === | === Mounting dfs-root === | ||
− | |||
− | + | ==== With ntlmssp authentication ==== | |
+ | Please add this line to your /etc/fstab | ||
+ | |||
+ | <code>//WURNET.NL/dfs-root/ /mnt/dfs-root cifs rw,credentials=/<path_to>/.creds,sec=ntlmssp,vers=3.0,noauto,nofail,uid=<local_user>,gid=<local_group> 0 0</code> | ||
+ | |||
+ | Make sure your credentials file .creds contains your wur-user password. | ||
+ | |||
+ | username=<wur_user> | ||
+ | password=<wur_password> | ||
+ | domain=WUR | ||
− | + | If you do not specify the paasword you will receive the error: | |
− | + | <code>mount error(13): Permission denied</code> | |
− | + | ==== With kerberos authentication ==== | |
+ | The dfs-root share uses Kerberos authentication. We will explain how to setup the kerberos client, obtain a token and finally mount this share. | ||
− | + | 1. Installing the kerberos client | |
+ | #RedHat/Centos | ||
+ | yum install krb5.libs krb5.workstation | ||
+ | #Ubuntu | ||
+ | sudo apt-get install krb5-user | ||
2. Configuration for WURNET | 2. Configuration for WURNET | ||
− | + | sudo vim /etc/krb5.conf | |
− | includedir /etc/krb5.conf.d/ #only for red hat and centos, drop this line for ubuntu | + | includedir /etc/krb5.conf.d/ #only for red hat and centos, drop this line for ubuntu |
− | [logging] | + | [logging] |
− | + | default = FILE:/var/log/krb5libs.log | |
− | + | kdc = FILE:/var/log/krb5kdc.log | |
− | + | admin_server = FILE:/var/log/kadmind.log | |
− | [libdefaults] | + | [libdefaults] |
− | + | dns_lookup_realm = false | |
− | + | ticket_lifetime = 24h | |
− | + | renew_lifetime = 7d | |
− | + | forwardable = true | |
− | + | rdns = false | |
− | + | pkinit_anchors = /etc/pki/tls/certs/ca-bundle.crt | |
− | + | default_realm = WURNET.NL | |
− | + | kdc_timesync = 1 | |
− | + | ccache_type = 4 | |
− | + | forwardable = true | |
− | + | proxiable = true | |
− | + | default_ccache_name = KEYRING:persistent:%{uid} | |
− | [realms] | + | [realms] |
− | WURNET.NL = { | + | WURNET.NL = { |
− | + | kdc = wurdc1.wurnet.nl | |
− | + | admin_server = wurdc1.wurnet.nl | |
− | + | kdc = wurdc2.wurnet.nl | |
− | + | kdc = wurdc1.wurnet.nl | |
− | + | kdc = wurdc3.wurnet.nl | |
− | + | } | |
− | [domain_realm] | + | [domain_realm] |
wurnet.nl = WURNET.NL | wurnet.nl = WURNET.NL | ||
.wurnet.nl = WURNET.NL | .wurnet.nl = WURNET.NL | ||
− | |||
− | |||
3. Configure the Kerberos session keys | 3. Configure the Kerberos session keys | ||
− | + | sudo vim /etc/request-key.d/cifs.spnego.conf | |
− | create cifs.spnego * * /usr/sbin/cifs.upcall -t %k | + | |
− | + | create cifs.spnego * * /usr/sbin/cifs.upcall -t %k | |
+ | |||
This file will most probably already exist. Make sure you are using the '-t' flag! | This file will most probably already exist. Make sure you are using the '-t' flag! | ||
4. Edit /etc/fstab | 4. Edit /etc/fstab | ||
− | + | //WURNET.NL/dfs-root/ /mnt/dfs-root cifs rw,credentials=/<local_path>/.creds,sec=krb5,vers=3.0,noauto,nofail,uid=<local_user>,gid=<local_user> 0 0 | |
+ | |||
<local_path> is the path on your local machine to the credential file which we will create in the next step. | <local_path> is the path on your local machine to the credential file which we will create in the next step. | ||
+ | |||
5. Create the Kerberos credential file | 5. Create the Kerberos credential file | ||
− | + | vim /<local_path>/.creds | |
− | username=<WUR_user> | + | username=<WUR_user> |
− | password= | + | password= |
− | domain=WUR | + | domain=WUR |
− | |||
Please leave the field for password really empty! | Please leave the field for password really empty! | ||
− | 6. | + | 6. Acquire a Kerberos key with your credentials |
− | < | + | sudo kinit <WUR_user>@WURNET.NL |
− | + | ||
− | |||
Now you will be asked to provide your password. | Now you will be asked to provide your password. | ||
7. Check key properties | 7. Check key properties | ||
− | + | sudo klist | |
− | sudo klist | ||
− | Valid starting Expires Service principal | + | Valid starting Expires Service principal |
− | 11-02-20 12:07:35 11-02-20 22:06:59 cifs/scomp6133.wurnet.nl@WURNET.NL | + | 11-02-20 12:07:35 11-02-20 22:06:59 cifs/scomp6133.wurnet.nl@WURNET.NL |
− | + | renew until 18-02-20 12:06:55 | |
− | 11-02-20 12:07:35 11-02-20 22:06:59 cifs/scomp6000.wurnet.nl@WURNET.NL | + | 11-02-20 12:07:35 11-02-20 22:06:59 cifs/scomp6000.wurnet.nl@WURNET.NL |
renew until 18-02-20 12:06:55 | renew until 18-02-20 12:06:55 | ||
− | 11-02-20 12:07:16 11-02-20 22:06:59 cifs/scomp6004.wurnet.nl@WURNET.NL | + | 11-02-20 12:07:16 11-02-20 22:06:59 cifs/scomp6004.wurnet.nl@WURNET.NL |
renew until 18-02-20 12:06:55 | renew until 18-02-20 12:06:55 | ||
− | 11-02-20 12:06:59 11-02-20 22:06:59 krbtgt/WURNET.NL@WURNET.NL | + | 11-02-20 12:06:59 11-02-20 22:06:59 krbtgt/WURNET.NL@WURNET.NL |
renew until 18-02-20 12:06:55 | renew until 18-02-20 12:06:55 | ||
− | |||
− | |||
8. Now you can mount the drive | 8. Now you can mount the drive | ||
− | + | sudo mkdir /mnt/dfs-root/ | |
− | + | sudo chmod 755 /mnt/dfs-root | |
− | sudo mkdir /mnt/dfs-root/ | + | sudo mount /mnt/dfs-root/ |
− | sudo chmod 755 /mnt/dfs-root | ||
− | sudo mount /mnt/dfs-root/ | ||
− | |||
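Review bot: the new ntlmssp section has readers put `password=<wur_password>` into `.creds` but never says to restrict the file's permissions; the fstab section further down does this with `chmod 600 ~/.smbpassword`, and the same instruction should be given here. In the same hunk, `yum install krb5.libs krb5.workstation` should read `krb5-libs krb5-workstation`, "paasword" is a typo, and `kdc = wurdc1.wurnet.nl` is listed twice under `[realms]`.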
Line 140: | Line 146: | ||
The above example will only mount when called. You want it to mount on boot. However, a simple issue is present - you must authenticate to mount. Thus, you need to have some credential stash. Modify the options to this: | The above example will only mount when called. You want it to mount on boot. However, a simple issue is present - you must authenticate to mount. Thus, you need to have some credential stash. Modify the options to this: | ||
− | <pre style="white-space: pre;">//fs01mixedsmb.wurnet.nl/ | + | <pre style="white-space: pre;">//fs01mixedsmb.wurnet.nl/DBL-STANDARD_HOMEDIR$/username /mnt/mdrive cifs credentials=/home/localuser/.smbpassword,user,username=username,domain=wur,uid=localuser,gid=localuser 0 0</pre> |
Then you can make the credential file. Set it 600 so that only you or root may read or write. | Then you can make the credential file. Set it 600 so that only you or root may read or write. | ||
Line 149: | Line 155: | ||
<code>chmod 600 ~/.smbpassword</code> | <code>chmod 600 ~/.smbpassword</code> | ||
− | |||
=== Automatically mounting when users login (pam_mount) === | === Automatically mounting when users login (pam_mount) === |
Latest revision as of 14:31, 25 February 2020
Mounting Home Directories - CIFS
As WUR has moved to a new home directory storage method, the path to finding it is much simpler:
Write yourself an /etc/fstab entry that looks like this:
//fs01mixedsmb.wurnet.nl/DBL-STANDARD_HOMEDIR$/myuser /mnt/mdrive cifs noauto,user,username=myuser,domain=wur,uid=mylocaluser,gid=mylocalgroup 0 0
(Replace myuser with your own WUR account name, and mylocaluser/mylocalgroup with the account/group you have locally)
Now you can simply:
mount /mnt/mdrive
And after entering your password, you have access to your M drive share.
Caveats
This may occasionally not work on the first try, as the hostname WURNET.NL points to multiple machines. You may need to do this repeatedly to get a stable connection.
Mounting dfs-root
With ntlmssp authentication
Please add this line to your /etc/fstab
//WURNET.NL/dfs-root/ /mnt/dfs-root cifs rw,credentials=/<path_to>/.creds,sec=ntlmssp,vers=3.0,noauto,nofail,uid=<local_user>,gid=<local_group> 0 0
Make sure your credentials file .creds contains your wur-user password.
username=<wur_user>
password=<wur_password>
domain=WUR
If you do not specify the password you will receive the error:
mount error(13): Permission denied
With kerberos authentication
The dfs-root share uses Kerberos authentication. We will explain how to set up the Kerberos client, obtain a token and finally mount this share.
1. Installing the kerberos client
#RedHat/Centos
yum install krb5-libs krb5-workstation
#Ubuntu
sudo apt-get install krb5-user
2. Configuration for WURNET
sudo vim /etc/krb5.conf
#includedir is only for Red Hat and CentOS, drop this line for Ubuntu
includedir /etc/krb5.conf.d/
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log
[libdefaults]
 dns_lookup_realm = false
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true
 rdns = false
 pkinit_anchors = /etc/pki/tls/certs/ca-bundle.crt
 default_realm = WURNET.NL
 kdc_timesync = 1
 ccache_type = 4
 forwardable = true
 proxiable = true
 default_ccache_name = KEYRING:persistent:%{uid}
[realms]
 WURNET.NL = {
  kdc = wurdc1.wurnet.nl
  admin_server = wurdc1.wurnet.nl
  kdc = wurdc2.wurnet.nl
  kdc = wurdc1.wurnet.nl
  kdc = wurdc3.wurnet.nl
 }
[domain_realm]
 wurnet.nl = WURNET.NL
 .wurnet.nl = WURNET.NL
3. Configure the Kerberos session keys
sudo vim /etc/request-key.d/cifs.spnego.conf
create cifs.spnego * * /usr/sbin/cifs.upcall -t %k
This file will most probably already exist. Make sure you are using the '-t' flag!
4. Edit /etc/fstab
//WURNET.NL/dfs-root/ /mnt/dfs-root cifs rw,credentials=/<local_path>/.creds,sec=krb5,vers=3.0,noauto,nofail,uid=<local_user>,gid=<local_user> 0 0
<local_path> is the path on your local machine to the credential file which we will create in the next step.
5. Create the Kerberos credential file
vim /<local_path>/.creds
username=<WUR_user>
password=
domain=WUR
Please leave the password field completely empty!
6. Acquire a Kerberos key with your credentials
sudo kinit <WUR_user>@WURNET.NL
Now you will be asked to provide your password.
7. Check key properties
sudo klist
Valid starting     Expires            Service principal
11-02-20 12:07:35  11-02-20 22:06:59  cifs/scomp6133.wurnet.nl@WURNET.NL
        renew until 18-02-20 12:06:55
11-02-20 12:07:35  11-02-20 22:06:59  cifs/scomp6000.wurnet.nl@WURNET.NL
        renew until 18-02-20 12:06:55
11-02-20 12:07:16  11-02-20 22:06:59  cifs/scomp6004.wurnet.nl@WURNET.NL
        renew until 18-02-20 12:06:55
11-02-20 12:06:59  11-02-20 22:06:59  krbtgt/WURNET.NL@WURNET.NL
        renew until 18-02-20 12:06:55
8. Now you can mount the drive
sudo mkdir /mnt/dfs-root/
sudo chmod 755 /mnt/dfs-root
sudo mount /mnt/dfs-root/
The easiest way to gather information about available CIFS shares is using smbclient. On Ubuntu, you need the package 'smbclient' to provide this.
Usage:
smbclient -L <server> -U username
This will show you all the mounts available to you on that machine.
To test the mount:
sudo mount //server/share -ousername=username,domain=wur /tmp/smb
This will hold until you unmount it.
Automatically mounting at boot (/etc/fstab)
The above example only mounts when called. To mount at boot instead, the mount must authenticate without prompting you, so the credentials have to be stored in a file. Modify the options to this:
//fs01mixedsmb.wurnet.nl/DBL-STANDARD_HOMEDIR$/username /mnt/mdrive cifs credentials=/home/localuser/.smbpassword,user,username=username,domain=wur,uid=localuser,gid=localuser 0 0
Then you can make the credential file. Set it to mode 600, before the password is written, so that only you or root may read or write it.
echo username=username > ~/.smbpassword
chmod 600 ~/.smbpassword
echo password=mypassword >> ~/.smbpassword
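A check for the fstab and credential-file rules on this page, as an added example that is not part of the original page: it verifies that each credentials= file is mode 600, that sec=krb5 entries have an empty password and that sec=ntlmssp entries have one. The function names audit_cifs_fstab and demo_audit, the user "alice" and the sample files are assumptions made for the example; it uses GNU stat.

```sh
#!/bin/sh
# audit_cifs_fstab FSTAB
# Prints one finding per problem found in the cifs entries of FSTAB.
audit_cifs_fstab() {
    while read -r dev mnt fstype opts rest; do
        case "$dev" in ''|'#'*) continue ;; esac      # skip blanks and comments
        [ "$fstype" = cifs ] || continue
        # Pull sec= and credentials= out of the comma-separated options field.
        sec=$(printf '%s\n' "$opts" | tr ',' '\n' | sed -n 's/^sec=//p')
        cred=$(printf '%s\n' "$opts" | tr ',' '\n' | sed -n 's/^credentials=//p')
        [ -n "$cred" ] || continue
        if [ ! -f "$cred" ]; then
            echo "$mnt: credentials file $cred not found"
            continue
        fi
        # The page asks for mode 600 on the credential file (GNU stat syntax).
        mode=$(stat -c %a "$cred")
        [ "$mode" = 600 ] || echo "$mnt: $cred is mode $mode, expected 600"
        pw=$(sed -n 's/^password=//p' "$cred")
        case "$sec" in
            krb5*)    [ -z "$pw" ] || echo "$mnt: sec=$sec but a password is stored" ;;
            ntlmssp*) [ -n "$pw" ] || echo "$mnt: sec=$sec but password is empty (mount error 13)" ;;
        esac
    done < "$1"
    return 0
}

# Constructed sample: two entries modelled on the page's fstab lines, with
# throwaway credential files in a temp directory (user "alice" is made up).
demo_audit() {
    d=$(mktemp -d)
    printf 'username=alice\npassword=\ndomain=WUR\n' > "$d/krb.creds"
    printf 'username=alice\npassword=\ndomain=WUR\n' > "$d/ntlm.creds"
    chmod 600 "$d/krb.creds"
    chmod 644 "$d/ntlm.creds"
    cat > "$d/fstab" <<EOF
# constructed sample fstab
//WURNET.NL/dfs-root/ /mnt/krb cifs rw,credentials=$d/krb.creds,sec=krb5,vers=3.0,noauto,nofail 0 0
//WURNET.NL/dfs-root/ /mnt/ntlm cifs rw,credentials=$d/ntlm.creds,sec=ntlmssp,vers=3.0,noauto,nofail 0 0
EOF
    audit_cifs_fstab "$d/fstab"
    rm -rf "$d"
}

demo_audit
```

To check a real system, call audit_cifs_fstab /etc/fstab as a user who can read the credential files.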
Automatically mounting when users login (pam_mount)
apt-get install libpam-mount cifs-utils
Create or edit pam_mount.conf.xml in /etc/security
<?xml version="1.0" encoding="utf-8" ?>
<!DOCTYPE pam_mount SYSTEM "pam_mount.conf.xml.dtd">
<!--
  See pam_mount.conf(5) for a description.
-->
<pam_mount>
  <!-- debug should come before everything else,
       since this file is still processed in a single pass
       from top-to-bottom -->
  <debug enable="0" />
  <!-- Volume definitions -->
  <!-- pam_mount parameters: General tunables -->
  <luserconf name=".pam_mount.conf.xml" />
  <!-- Note that commenting out mntoptions will give you the defaults.
       You will need to explicitly initialize it with the empty string
       to reset the defaults to nothing. -->
  <mntoptions allow="*" />
  <!--
  <mntoptions allow="nosuid,nodev,loop,encryption,fsck,nonempty,allow_root,allow_other" />
  <mntoptions deny="suid,dev" />
  <mntoptions allow="*" />
  <mntoptions deny="*" />
  -->
  <mntoptions require="nosuid,nodev" />
  <logout wait="0" hup="0" term="0" kill="0" />
  <!-- pam_mount parameters: Volume-related -->
  <mkmountpoint enable="1" remove="true" />
</pam_mount>
Create a .pam_mount.conf.xml file in each user's home directory.
<pam_mount>
  <volume options="domain=WUR,nodev,nosuid" user="*" mountpoint="~/M" path="Homes/%(USER)" server="WURNET.NL" fstype="cifs" />
  <volume options="domain=WUR,nodev,nosuid" user="*" mountpoint="~/W" path="DFS-Root" server="WURNET.NL" fstype="cifs" />
</pam_mount>
And then create the directories in the user's home directory.
mkdir ~/M
mkdir ~/W
You can use skel to put these in a user's home directory automatically when creating a new user. If you want this, place the .pam_mount.conf.xml file in /etc/skel/ and create the M and W directories in /etc/skel.
What is the DFS-Root
DFS is Microsoft's Distributed File System. The purpose of a distributed file system is that the user can access files without knowing on which server the files are located. The root of a distributed file system is called the DFS-Root. The DFS-Root contains virtual directories, which are actually 'links' to shares on some servers.
Most modern CIFS implementations are able to handle DFS properly, thus a config like:
//WURNET.NL/DFS-Root /mnt/wdrive cifs noauto,user,username=username,domain=wur 0 0
Should work.
With newer versions of smbclient, the default protocol version may not work, and a version then has to be specified in the mount options. In that case, try it with version 1.0:
//WURNET.NL/DFS-Root /mnt/wdrive cifs noauto,user,username=username,domain=wur,vers=1.0 0 0