Difference between revisions of "File shares"

From LUG
Latest revision as of 14:31, 25 February 2020

Mounting Home Directories - CIFS

As WUR has moved to a new home directory storage method, the path to your home directory is much simpler:

Write yourself an /etc/fstab entry that looks like this:

//fs01mixedsmb.wurnet.nl/DBL-STANDARD_HOMEDIR$/myuser	/mnt/mdrive	cifs	noauto,user,username=myuser,domain=wur,uid=mylocaluser,gid=mylocalgroup	0	0

(Replace myuser with your own WUR account name, and mylocaluser/mylocalgroup with the account/group you have locally)

Now you can simply:

mount /mnt/mdrive

And after entering your password, you have access to your M drive share.

Caveats

This may occasionally not work on the first try, as the hostname WURNET.NL points to multiple machines. You may need to do this repeatedly to get a stable connection.

Mounting dfs-root

With ntlmssp authentication

Please add this line to your /etc/fstab

//WURNET.NL/dfs-root/ /mnt/dfs-root cifs rw,credentials=/<path_to>/.creds,sec=ntlmssp,vers=3.0,noauto,nofail,uid=<local_user>,gid=<local_group> 0 0

Make sure your credentials file .creds contains your wur-user password.

username=<wur_user>
password=<wur_password>
domain=WUR

If you do not specify the password you will receive the error:

mount error(13): Permission denied

With kerberos authentication

The dfs-root share uses Kerberos authentication. We will explain how to set up the Kerberos client, obtain a ticket and finally mount this share.

1. Installing the Kerberos client

#RedHat/Centos 
yum install krb5-libs krb5-workstation
#Ubuntu 
sudo apt-get install krb5-user

2. Configuration for WURNET

Edit the Kerberos client configuration:

 sudo vim /etc/krb5.conf

It should contain the following. Comments in krb5.conf must sit on their own line, so the includedir note is not appended to the directive itself:

 # only for Red Hat and CentOS, drop this line for Ubuntu
 includedir /etc/krb5.conf.d/

 [logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

 [libdefaults]
 dns_lookup_realm = false
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true
 proxiable = true
 rdns = false
 pkinit_anchors = FILE:/etc/pki/tls/certs/ca-bundle.crt
 default_realm = WURNET.NL
 kdc_timesync = 1
 ccache_type = 4
 default_ccache_name = KEYRING:persistent:%{uid}

 [realms]
 WURNET.NL = {
  kdc = wurdc1.wurnet.nl
  kdc = wurdc2.wurnet.nl
  kdc = wurdc3.wurnet.nl
  admin_server = wurdc1.wurnet.nl
 }

 [domain_realm]
   wurnet.nl = WURNET.NL
   .wurnet.nl = WURNET.NL

3. Configure the Kerberos session keys

sudo vim /etc/request-key.d/cifs.spnego.conf
 
create  cifs.spnego    * * /usr/sbin/cifs.upcall -t %k

This file will most probably already exist. Make sure you are using the '-t' flag!

4. Edit /etc/fstab

 //WURNET.NL/dfs-root/   /mnt/dfs-root           cifs    rw,credentials=/<local_path>/.creds,sec=krb5,vers=3.0,noauto,nofail,uid=<local_user>,gid=<local_user>    0       0

<local_path> is the path on your local machine to the credential file which we will create in the next step.

5. Create the Kerberos credential file

vim /<local_path>/.creds
username=<WUR_user>
password=
domain=WUR

Please leave the field for password really empty!

6. Acquire a Kerberos key with your credentials

sudo kinit <WUR_user>@WURNET.NL

Now you will be asked to provide your password.

7. Check key properties

sudo klist

Valid starting     Expires            Service principal
11-02-20 12:07:35  11-02-20 22:06:59  cifs/scomp6133.wurnet.nl@WURNET.NL
	renew until 18-02-20 12:06:55
11-02-20 12:07:35  11-02-20 22:06:59  cifs/scomp6000.wurnet.nl@WURNET.NL
	renew until 18-02-20 12:06:55
11-02-20 12:07:16  11-02-20 22:06:59  cifs/scomp6004.wurnet.nl@WURNET.NL
	renew until 18-02-20 12:06:55
11-02-20 12:06:59  11-02-20 22:06:59  krbtgt/WURNET.NL@WURNET.NL
	renew until 18-02-20 12:06:55

8. Now you can mount the drive

sudo mkdir /mnt/dfs-root/
sudo chmod 755 /mnt/dfs-root
sudo mount /mnt/dfs-root/
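As an added example (not from the LUG page), a POSIX shell pre-mount check covering steps 3, 4 and 7 above: it verifies that the request-key rule passes -t to cifs.upcall, that the fstab entry for the mount point is a cifs entry with sec=krb5 and no unfilled <placeholder>, and that klist shows a ticket-granting ticket for the realm. The function names are my own, and the file contents they are fed in the comments are constructed samples.

```shell
#!/bin/sh
# Pre-mount checks for the Kerberos dfs-root procedure (added example;
# the function names are mine, not part of cifs-utils or the LUG page).

# Step 3: the request-key rule must call cifs.upcall with -t.
check_upcall_conf() {
    # $1: a request-key.d conf file, e.g. /etc/request-key.d/cifs.spnego.conf
    # Accepts:  create  cifs.spnego    * * /usr/sbin/cifs.upcall -t %k
    grep -Eq '^[[:space:]]*create[[:space:]]+cifs\.spnego[[:space:]]+\*[[:space:]]+\*[[:space:]]+/usr/sbin/cifs\.upcall[[:space:]].*-t' "$1"
}

# Step 7: klist output on stdin must list a ticket-granting ticket for the realm.
check_tgt() {
    # $1: realm, e.g. WURNET.NL; matches a line such as
    #   11-02-20 12:06:59  11-02-20 22:06:59  krbtgt/WURNET.NL@WURNET.NL
    grep -Fq "krbtgt/$1@$1"
}

# Step 4: the fstab entry for the mount point must be a cifs entry that
# uses sec=krb5 and has no <placeholder> left unfilled.
check_fstab_entry() {
    # $1: fstab file, $2: mount point (second fstab field)
    line=$(awk -v mp="$2" '$2 == mp && $3 == "cifs" { print; exit }' "$1")
    [ -n "$line" ] || return 1
    case "$line" in *'<'*'>'*) return 1 ;; esac   # e.g. credentials=/<local_path>/.creds
    opts=$(printf '%s\n' "$line" | awk '{ print $4 }')
    case ",$opts," in *,sec=krb5,*) return 0 ;; esac
    return 1
}

# Run all three against the live system (as root, since the page uses sudo kinit).
dfs_root_ready() {
    check_upcall_conf /etc/request-key.d/cifs.spnego.conf || { echo "cifs.upcall rule lacks -t"; return 1; }
    check_fstab_entry /etc/fstab /mnt/dfs-root || { echo "no valid sec=krb5 fstab entry for /mnt/dfs-root"; return 1; }
    klist 2>/dev/null | check_tgt WURNET.NL || { echo "no TGT for WURNET.NL; run kinit first"; return 1; }
    echo "ready: sudo mount /mnt/dfs-root/"
}
```

Call dfs_root_ready from a root shell right before the mount in step 8; each failing check names the step to go back to.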


Other Shares

The easiest way to gather information about available CIFS shares is using smbclient. On Ubuntu, you need the package 'smbclient' to provide this.

Usage:

smbclient -L <server> -U username

This will show you all the shares available to you on that machine.

To test the mount:

sudo mount //server/share -ousername=username,domain=wur /tmp/smb

This will hold until you unmount it.

Automatically mounting at boot (/etc/fstab)

The above example will only mount when called. You want it to mount on boot. However, a simple issue is present - you must authenticate to mount. Thus, you need to have some credential stash. Modify the options to this:

//fs01mixedsmb.wurnet.nl/DBL-STANDARD_HOMEDIR$/username	/mnt/mdrive	cifs	credentials=/home/localuser/.smbpassword,user,username=username,domain=wur,uid=localuser,gid=localuser	0	0

Then you can make the credential file. Set its mode to 600 so that only you or root may read or write it.

echo username=username > ~/.smbpassword

echo password=mypassword >> ~/.smbpassword

chmod 600 ~/.smbpassword

Automatically mounting when users login (pam_mount)

apt-get install libpam-mount cifs-utils

Create or edit pam_mount.conf.xml in /etc/security


<?xml version="1.0" encoding="utf-8" ?>
<!DOCTYPE pam_mount SYSTEM "pam_mount.conf.xml.dtd">
<!--
	See pam_mount.conf(5) for a description.
-->

<pam_mount>

		<!-- debug should come before everything else,
		since this file is still processed in a single pass
		from top-to-bottom -->

<debug enable="0" />

		<!-- Volume definitions -->


		<!-- pam_mount parameters: General tunables -->

<luserconf name=".pam_mount.conf.xml" />

<!-- Note that commenting out mntoptions will give you the defaults.
     You will need to explicitly initialize it with the empty string
     to reset the defaults to nothing. -->
<mntoptions allow="*" />
<!--
<mntoptions allow="nosuid,nodev,loop,encryption,fsck,nonempty,allow_root,allow_other" />
<mntoptions deny="suid,dev" />
<mntoptions allow="*" />
<mntoptions deny="*" />
-->
<mntoptions require="nosuid,nodev" />

<logout wait="0" hup="0" term="0" kill="0" />

<!-- pam_mount parameters: Volume-related -->

<mkmountpoint enable="1" remove="true" />

</pam_mount>

Create a .pam_mount.conf.xml file in each user's home directory.

 
<pam_mount>
	<volume options="domain=WUR,nodev,nosuid" user="*" mountpoint="~/M" path="Homes/%(USER)" server="WURNET.NL" fstype="cifs" />
	<volume options="domain=WUR,nodev,nosuid" user="*" mountpoint="~/W" path="DFS-Root" server="WURNET.NL" fstype="cifs" />
</pam_mount>

Then create the mount point directories in the user's home directory.

mkdir ~/M

mkdir ~/W

You can use /etc/skel to put these in place automatically when a new user is created: place the .pam_mount.conf.xml file in /etc/skel/ and create the M and W directories in /etc/skel.

What is the DFS-Root

DFS is Microsoft's Distributed File System. The purpose of a distributed file system is that the user can access files without knowing on which server the files are located. The root of a distributed file system is called the DFS-Root. In the DFS-Root are virtual directories which are actually 'links' to shares on some servers.

Most modern CIFS implementations are able to handle DFS properly, thus a config like:

//WURNET.NL/DFS-Root	/mnt/wdrive	cifs	noauto,user,username=username,domain=wur	0	0

Should work.

With newer versions of smbclient it can happen that a protocol version must be specified in the mount options because the default version does not work. Then try it with version 1.0. Note that SMB 1.0 is the legacy dialect and lacks the signing and encryption protections of SMB 2 and 3, so try vers=3.0 or vers=2.1 first and fall back to 1.0 only if those fail:

//WURNET.NL/DFS-Root	/mnt/wdrive	cifs	noauto,user,username=username,domain=wur,vers=1.0	0	0