Difference between revisions of "File shares"

From LUG
(Splitting up the enormous Linux@WUR page.)
 
 
(24 intermediate revisions by 4 users not shown)
Line 1: Line 1:
== Using the department fileserver ==
+
=== Mounting Home Directories - CIFS ===
 +
As WUR has moved to a new home directory storage method, the path to finding it is much simpler:
  
=== Finding the location of a share ===
+
Write yourself an /etc/fstab entry that looks like this:
  
In order to use the guides below, you'll have to know on which servers the windows shares reside.
+
<pre style="white-space: pre;">//fs01mixedsmb.wurnet.nl/DBL-STANDARD_HOMEDIR$/myuser /mnt/mdrive cifs noauto,user,username=myuser,domain=wur,uid=mylocaluser,gid=mylocalgroup 0 0</pre>
The easiest way is to use a Windows PC, start up Explorer, got to the share and look at the Properties.
 
  
Alternatively, you can use smbclient to find all shares on a server:
+
(Replace myuser with your own WUR account name, and mylocaluser/mylocalgroup with the account/group you have locally)
  
* smbclient -I <server>.wurnet.nl -W wurnet.nl -U yourname001 -L <server>
+
Now you can simply:
  
Where <server> is scomp0300 for PSG and scomp0291 for ESG.
+
<code>mount /mnt/mdrive</code>
  
 +
And after entering your password, you have access to your M drive share.
  
=== Using smbmount (normal user) ===
+
==== Caveats ====
  
Suppose the server your personal share is located on is called sdep001 and your username is annie001, your password is annie, and you want to mount this share on ~/mnt If you do not know this information you can get it out of the ActiveDirectoryServer or from the "My Computer" screen of a windows machine.
+
This may occasionally not work on the first try, as the hostname WURNET.NL points to multiple machines. You may need to do this repeatedly to get a stable connection.
  
* smbmount '//sdep001/annie001$' ~/mnt/ -o username=annie001,password=annie,workgroup=WUR
+
=== Mounting dfs-root ===
  
if you leave out the password, the program will ask you for your password during the mounting:
+
==== With ntlmssp authentication ====
 +
Please add this line to your /etc/fstab
  
* smbmount '//sdep001/annie001$' ~/mnt/ -o username=annie001,workgroup=WUR
+
<code>//WURNET.NL/dfs-root/  /mnt/dfs-root          cifs    rw,credentials=/<path_to>/.creds,sec=ntlmssp,vers=3.0,noauto,nofail,uid=<local_user>,gid=<local_group>    0      0</code>
  
=== Using mount (as root) ====
+
Make sure your credentials file .creds contains your wur-user password.
  
you can also do this using regular mount, as Stephan Verrips writes:
+
username=<wur_user>
 +
password=<wur_password>
 +
domain=WUR
  
* mount -t smbfs -o username=verri001,workgroup=wurnet.nl //sdpw0001.wurnet.nl/verri001$ ~/mnt
+
If you do not specify the paasword you will receive the error:
  
Alternatively, the (newer) CIFS protocol can be used instead of SMB. The following example connects to the 'webdocs' share where web related files can be stored.
+
<code>mount error(13): Permission denied</code>
  
* mkdir /mnt/webdocs
+
==== With kerberos authentication ====
* mount -t cifs -o username=annie001,workgroup=wurnet.nl //skgr0004.wurnet.nl/webdocs$ /mnt/webdocs
+
The dfs-root share uses Kerberos authentication. We will explain how to setup the kerberos client, obtain a token and finally mount this share.
 +
 
 +
1. Installing the kerberos client
 +
#RedHat/Centos
 +
yum install krb5.libs krb5.workstation
 +
#Ubuntu
 +
sudo apt-get install krb5-user
 +
 
 +
2. Configuration for WURNET
 +
  sudo vim /etc/krb5.conf
 +
 
 +
  includedir /etc/krb5.conf.d/ #only for red hat and centos, drop this line for ubuntu
 +
 +
  [logging]
 +
  default = FILE:/var/log/krb5libs.log
 +
  kdc = FILE:/var/log/krb5kdc.log
 +
  admin_server = FILE:/var/log/kadmind.log
 +
 +
  [libdefaults]
 +
  dns_lookup_realm = false
 +
  ticket_lifetime = 24h
 +
  renew_lifetime = 7d
 +
  forwardable = true
 +
  rdns = false
 +
  pkinit_anchors = /etc/pki/tls/certs/ca-bundle.crt
 +
  default_realm = WURNET.NL
 +
  kdc_timesync = 1
 +
  ccache_type = 4
 +
  forwardable = true
 +
  proxiable = true
 +
  default_ccache_name = KEYRING:persistent:%{uid}
 +
 +
  [realms]
 +
  WURNET.NL = {
 +
  kdc = wurdc1.wurnet.nl
 +
  admin_server = wurdc1.wurnet.nl
 +
  kdc = wurdc2.wurnet.nl
 +
  kdc = wurdc1.wurnet.nl
 +
  kdc = wurdc3.wurnet.nl
 +
  }
 +
 +
  [domain_realm]
 +
    wurnet.nl = WURNET.NL
 +
    .wurnet.nl = WURNET.NL
 +
 
 +
3. Configure the Kerberos session keys
 +
sudo vim /etc/request-key.d/cifs.spnego.conf
 +
 
 +
create  cifs.spnego    * * /usr/sbin/cifs.upcall -t %k
 +
 +
This file will most probably already exist. Make sure you are using the '-t' flag!
 +
 +
4. Edit /etc/fstab
 +
  //WURNET.NL/dfs-root/  /mnt/dfs-root          cifs   rw,credentials=/<local_path>/.creds,sec=krb5,vers=3.0,noauto,nofail,uid=<local_user>,gid=<local_user>    0      0
 +
 
 +
<local_path> is the path on your local machine to the credential file which we will create in the next step.
 +
 
 +
5. Create the Kerberos credential file
 +
vim /<local_path>/.creds
 +
 
 +
username=<WUR_user>
 +
password=
 +
domain=WUR
 +
 
 +
Please leave the field for password really empty!
 +
 
 +
6. Acquire a Kerberos key with your credentials
 +
sudo kinit <WUR_user>@WURNET.NL
 +
 
 +
Now you will be asked to provide your password.
 +
 
 +
7. Check key properties
 +
sudo klist
 +
 
 +
Valid starting    Expires            Service principal
 +
11-02-20 12:07:35  11-02-20 22:06:59  cifs/scomp6133.wurnet.nl@WURNET.NL
 +
renew until 18-02-20 12:06:55
 +
11-02-20 12:07:35  11-02-20 22:06:59  cifs/scomp6000.wurnet.nl@WURNET.NL
 +
renew until 18-02-20 12:06:55
 +
11-02-20 12:07:16  11-02-20 22:06:59  cifs/scomp6004.wurnet.nl@WURNET.NL
 +
renew until 18-02-20 12:06:55
 +
11-02-20 12:06:59  11-02-20 22:06:59  krbtgt/WURNET.NL@WURNET.NL
 +
renew until 18-02-20 12:06:55
 +
 
 +
8. Now you can mount the drive
 +
sudo mkdir /mnt/dfs-root/
 +
sudo chmod 755 /mnt/dfs-root
 +
sudo mount /mnt/dfs-root/
 +
 
 +
 
 +
=== Other Shares ===
 +
 
 +
The easiest way to gather information about available CIFS shares is using smbclient. On Ubuntu, you need the pacakge 'smbclient' to provide this.
 +
 
 +
Usage:
 +
 
 +
<code>smbclient -L <server> -U username</code>
 +
 
 +
This will show you all the mounts available to you on that machine.
 +
 +
To test the mount:
 +
 
 +
<code>sudo mount //server/share -ousername=username,domain=wur /tmp/smb</code>
 +
 
 +
This will hold until you unmount it.
  
 
=== Automatically mounting at boot (/etc/fstab) ===
 
=== Automatically mounting at boot (/etc/fstab) ===
  
Add the following line to the file <b>/etc/fstab</b>
+
The above example will only mount when called. You want it to mount on boot. However, a simple issue is present - you must authenticate to mount. Thus, you need to have some credential stash. Modify the options to this:
 +
 
 +
<pre style="white-space: pre;">//fs01mixedsmb.wurnet.nl/DBL-STANDARD_HOMEDIR$/username /mnt/mdrive cifs credentials=/home/localuser/.smbpassword,user,username=username,domain=wur,uid=localuser,gid=localuser 0 0</pre>
 +
 
 +
Then you can make the credential file. Set it 600 so that only you or root may read or write.
 +
 
 +
<code>echo username=username > ~/.smbpassword</code>
 +
 
 +
<code>echo password=mypassword >> ~/.smbpassword</code>
 +
 
 +
<code>chmod 600 ~/.smbpassword</code>
 +
 
 +
=== Automatically mounting when users login (pam_mount) ===
 +
 
 +
<code>apt-get install libpam-mount cifs-utils</code>
 +
 
 +
Create or edit pam_mount.conf.xml in /etc/security
 +
<pre>
 +
<nowiki>
 +
<?xml version="1.0" encoding="utf-8" ?>
 +
<!DOCTYPE pam_mount SYSTEM "pam_mount.conf.xml.dtd">
 +
<!--
 +
See pam_mount.conf(5) for a description.
 +
-->
 +
 
 +
<pam_mount>
  
  //sdep001/annie001$ /mnt/wur smbfs username=annie001,password=annie,workgroup=WUR,uid=502 0 0
+
<!-- debug should come before everything else,
 +
since this file is still processed in a single pass
 +
from top-to-bottom -->
  
or a really working example for a shared network drive (for DPW - note the odd spaces in the name using \040):
+
<debug enable="0" />
  
//scomp0300/PSG~DPW\040Laboratory\040of\040Nematology$ /mnt/wur smbfs username=annie001,password=annie,workgroup=WUR,uid=501 0 0
+
<!-- Volume definitions -->
  
or try
 
  
//scomp0300/PSG~DPW\040Laboratory\040of\040Nematology$ /mnt/wur smbfs //username=annie001,password=annie,workgroup=WUR,uid=501 0 0
+
<!-- pam_mount parameters: General tunables -->
  
The uid represents the user id you use - check your id with the id command:
+
<luserconf name=".pam_mount.conf.xml" />
  
  id
+
<!-- Note that commenting out mntoptions will give you the defaults.
 +
    You will need to explicitly initialize it with the empty string
 +
    to reset the defaults to nothing. -->
 +
<mntoptions allow="*" />
 +
<!--
 +
<mntoptions allow="nosuid,nodev,loop,encryption,fsck,nonempty,allow_root,allow_other" />
 +
<mntoptions deny="suid,dev" />
 +
<mntoptions allow="*" />
 +
<mntoptions deny="*" />
 +
-->
 +
<mntoptions require="nosuid,nodev" />
  
it is also possible to use a gid (group id) to share the mounted drive with multiple users on one system.
+
<logout wait="0" hup="0" term="0" kill="0" />
  
Note: since it contains your password this option is not so secure!
+
<!-- pam_mount parameters: Volume-related -->
  
  Safer is to use a separate password file:
+
<mkmountpoint enable="1" remove="true" />
 
 
* cd ~
 
* echo username=annie001 > .smbpassword 
 
* echo password=annie >> .smbpassword 
 
* chmod 600 .smbpassword
 
  
  This created a hidden password file that can only be read by you or the root
+
</pam_mount>
 +
</nowiki>
 +
</pre>
  
Change the line in the <b>/etc/fstab</b> into
+
Create a .pam_mount.conf.xml file in each users home directory.
  
* //sdep001/annie001$ /mnt/wur smbfs credentials=/home/annie/.smbpassword,workgroup=WUR,uid=502 0 0
+
<pre>
 +
<nowiki>
 +
<pam_mount>
 +
<volume options="domain=WUR,nodev,nosuid" user="*" mountpoint="~/M" path="Homes/%(USER)" server="WURNET.NL" fstype="cifs" />
 +
<volume options="domain=WUR,nodev,nosuid" user="*" mountpoint="~/W" path="DFS-Root" server="WURNET.NL" fstype="cifs" />
 +
</pam_mount>
 +
</nowiki>
 +
</pre>
  
Note: you set the uid to your user id (see 'man id') so you can write/read from your normal account.
+
And then create the directories in the users homedir.
  
Another example, again using the CIFS protocol instead of SMB, to automatically connect to the 'webdocs' share:
+
<code>mkdir ~/M</code>
  
* //skgr0004.wurnet.nl/webdocs$ /mnt/webdocs cifs credentials=/home/annie/.smbpassword,workgroup=wurnet.nl,uid=502 0 0
+
<code>mkdir ~/W</code>
  
=== Using Konqueror ===
+
You can use skel to automatically put it in users home dir when creating a new user. If you want this then place the .pam_mount.conf.xml file in /etc/skel/ and create the M and W directory in /etc/skel
  
Windows shares can also be accessed, without any mounting, with the SMB kio slave (KDE).
+
=== What is the DFS-Root ===
The SMB kio slave can be used in Konqueror but also in other KDE applications.
 
  
The format of the url is:
+
DFS is Microsoft's Distributed File System. The purpose of a distributed file system is that the user can access files without knowing on which server the files are locates. The root of a distributed files system is called the DFS-Root. In the DFS-Root are virtual directories which are actual 'links' to shares on some servers.
  
  smb://<username>@<hostname>/<sharename>
+
Most modern CIFS implementations are able to handle DFS properly, thus a config like:
  
where e.g.:
+
<nowiki>//WURNET.NL/DFS-Root /mnt/wdrive cifs noauto,user,username=username,domain=wur 0 0</nowiki>
  
* username: wur\annie001
+
Should work.
* hostname: sdep001.wur.nl
 
* sharename: annie001$
 
  
=== Troubleshooting ===
+
With newer versions of smbclient it could happen that it needs a version specified in the mount options because the default version is not working. Then try it with version 1.0
  
If you get the error "Connection to .... failed" and you are sure you typed the server name correctly, you have to manually set the wins server in /etc/samba/smb.conf. Find the line that reads like:
+
<nowiki>//WURNET.NL/DFS-Root /mnt/wdrive cifs noauto,user,username=username,domain=wur,vers=1.0 0 0</nowiki>
* ; wins server = <something>
 
Remove the ; and change the <something>:
 
* wins server = 10.110.10.3
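Review bot: the fallback fstab line at the end of the new DFS-Root text pins vers=1.0, the legacy SMB1 dialect, although the dfs-root entries added earlier in this same revision already use vers=3.0. Suggest that the text tell readers to try vers=3.0 first when the default fails, and present the vers=1.0 line only as a last resort for servers that offer nothing newer.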
 

Latest revision as of 14:31, 25 February 2020

Mounting Home Directories - CIFS

As WUR has moved to a new home directory storage method, the path to your home directory is now much simpler:

Write yourself an /etc/fstab entry that looks like this:

//fs01mixedsmb.wurnet.nl/DBL-STANDARD_HOMEDIR$/myuser	/mnt/mdrive	cifs	noauto,user,username=myuser,domain=wur,uid=mylocaluser,gid=mylocalgroup	0	0

(Replace myuser with your own WUR account name, and mylocaluser/mylocalgroup with the account/group you have locally)

Now you can simply:

mount /mnt/mdrive

And after entering your password, you have access to your M drive share.

Caveats

This may occasionally not work on the first try, as the hostname WURNET.NL points to multiple machines. You may need to do this repeatedly to get a stable connection.

Mounting dfs-root

With ntlmssp authentication

Please add this line to your /etc/fstab

//WURNET.NL/dfs-root/ /mnt/dfs-root cifs rw,credentials=/<path_to>/.creds,sec=ntlmssp,vers=3.0,noauto,nofail,uid=<local_user>,gid=<local_group> 0 0

Make sure your credentials file .creds contains your wur-user password.

username=<wur_user>
password=<wur_password>
domain=WUR

If you do not specify the password, you will receive the error:

mount error(13): Permission denied

With kerberos authentication

The dfs-root share uses Kerberos authentication. We will explain how to set up the Kerberos client, obtain a token and finally mount this share.

1. Installing the kerberos client

#RedHat/Centos
yum install krb5-libs krb5-workstation
#Ubuntu
sudo apt-get install krb5-user

2. Configuration for WURNET

 sudo vim /etc/krb5.conf

 includedir /etc/krb5.conf.d/ #only for red hat and centos, drop this line for ubuntu

 [logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

 [libdefaults]
 dns_lookup_realm = false
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true
 rdns = false
 pkinit_anchors = /etc/pki/tls/certs/ca-bundle.crt
 default_realm = WURNET.NL
 kdc_timesync = 1
 ccache_type = 4
 proxiable = true
 default_ccache_name = KEYRING:persistent:%{uid}

 [realms]
 WURNET.NL = {
  kdc = wurdc1.wurnet.nl
  kdc = wurdc2.wurnet.nl
  kdc = wurdc3.wurnet.nl
  admin_server = wurdc1.wurnet.nl
 }

 [domain_realm]
   wurnet.nl = WURNET.NL
   .wurnet.nl = WURNET.NL

3. Configure the Kerberos session keys

sudo vim /etc/request-key.d/cifs.spnego.conf
 
create  cifs.spnego    * * /usr/sbin/cifs.upcall -t %k

This file will most probably already exist. Make sure you are using the '-t' flag!

4. Edit /etc/fstab

 //WURNET.NL/dfs-root/   /mnt/dfs-root           cifs    rw,credentials=/<local_path>/.creds,sec=krb5,vers=3.0,noauto,nofail,uid=<local_user>,gid=<local_user>    0       0

<local_path> is the path on your local machine to the credential file which we will create in the next step.

5. Create the Kerberos credential file

vim /<local_path>/.creds

username=<WUR_user>
password=
domain=WUR

Leave the password field empty!

6. Acquire a Kerberos key with your credentials

sudo kinit <WUR_user>@WURNET.NL

Now you will be asked to provide your password.

7. Check key properties

sudo klist

Valid starting     Expires            Service principal
11-02-20 12:07:35  11-02-20 22:06:59  cifs/scomp6133.wurnet.nl@WURNET.NL
	renew until 18-02-20 12:06:55
11-02-20 12:07:35  11-02-20 22:06:59  cifs/scomp6000.wurnet.nl@WURNET.NL
	renew until 18-02-20 12:06:55
11-02-20 12:07:16  11-02-20 22:06:59  cifs/scomp6004.wurnet.nl@WURNET.NL
	renew until 18-02-20 12:06:55
11-02-20 12:06:59  11-02-20 22:06:59  krbtgt/WURNET.NL@WURNET.NL
	renew until 18-02-20 12:06:55

8. Now you can mount the drive

sudo mkdir /mnt/dfs-root/
sudo chmod 755 /mnt/dfs-root
sudo mount /mnt/dfs-root/


Other Shares

The easiest way to gather information about available CIFS shares is using smbclient. On Ubuntu, you need the package 'smbclient' to provide this.

Usage:

smbclient -L <server> -U username

This will show you all the mounts available to you on that machine.

To test the mount:

sudo mount //server/share -ousername=username,domain=wur /tmp/smb

This will hold until you unmount it.

Automatically mounting at boot (/etc/fstab)

The above example only mounts the share when called. You want it to mount on boot. However, mounting requires authentication, so the credentials have to be stored in a file that mount can read without prompting. Modify the options to this:

//fs01mixedsmb.wurnet.nl/DBL-STANDARD_HOMEDIR$/username	/mnt/mdrive	cifs	credentials=/home/localuser/.smbpassword,user,username=username,domain=wur,uid=localuser,gid=localuser	0	0

Then you can make the credential file. Set its mode to 600 so that only you or root can read or write it.

echo username=username > ~/.smbpassword

echo password=mypassword >> ~/.smbpassword

chmod 600 ~/.smbpassword

Automatically mounting when users login (pam_mount)

apt-get install libpam-mount cifs-utils

Create or edit pam_mount.conf.xml in /etc/security


<?xml version="1.0" encoding="utf-8" ?>
<!DOCTYPE pam_mount SYSTEM "pam_mount.conf.xml.dtd">
<!--
	See pam_mount.conf(5) for a description.
-->

<pam_mount>

		<!-- debug should come before everything else,
		since this file is still processed in a single pass
		from top-to-bottom -->

<debug enable="0" />

		<!-- Volume definitions -->


		<!-- pam_mount parameters: General tunables -->

<luserconf name=".pam_mount.conf.xml" />

<!-- Note that commenting out mntoptions will give you the defaults.
     You will need to explicitly initialize it with the empty string
     to reset the defaults to nothing. -->
<mntoptions allow="*" />
<!--
<mntoptions allow="nosuid,nodev,loop,encryption,fsck,nonempty,allow_root,allow_other" />
<mntoptions deny="suid,dev" />
<mntoptions allow="*" />
<mntoptions deny="*" />
-->
<mntoptions require="nosuid,nodev" />

<logout wait="0" hup="0" term="0" kill="0" />

<!-- pam_mount parameters: Volume-related -->

<mkmountpoint enable="1" remove="true" />

</pam_mount>

Create a .pam_mount.conf.xml file in each user's home directory.

 
<pam_mount>
	<volume options="domain=WUR,nodev,nosuid" user="*" mountpoint="~/M" path="Homes/%(USER)" server="WURNET.NL" fstype="cifs" />
	<volume options="domain=WUR,nodev,nosuid" user="*" mountpoint="~/W" path="DFS-Root" server="WURNET.NL" fstype="cifs" />
</pam_mount>

Then create the directories in the user's home directory.

mkdir ~/M

mkdir ~/W

You can use skel to put the file into a new user's home directory automatically when the user is created. To do this, place the .pam_mount.conf.xml file in /etc/skel/ and create the M and W directories in /etc/skel.

What is the DFS-Root

DFS is Microsoft's Distributed File System. The purpose of a distributed file system is that the user can access files without knowing on which server the files are located. The root of a distributed file system is called the DFS-Root. The DFS-Root contains virtual directories, which are actually 'links' to shares on some servers.

Most modern CIFS implementations are able to handle DFS properly, thus a config like:

//WURNET.NL/DFS-Root	/mnt/wdrive	cifs	noauto,user,username=username,domain=wur	0	0

Should work.

With newer versions of smbclient, the default protocol version may not work, and a version has to be specified in the mount options. In that case, try version 1.0:

//WURNET.NL/DFS-Root	/mnt/wdrive	cifs	noauto,user,username=username,domain=wur,vers=1.0	0	0
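
An added example, not part of the original wiki page: a shell function that audits the cifs lines of an fstab-format file for the points made above (password kept in a credentials file with mode 600, empty password field with sec=krb5, the vers=1.0 fallback). The function names, finding messages and sample data are constructed for illustration, and `stat -c` assumes GNU coreutils.

```shell
#!/bin/sh
# Added example: audit cifs entries in an fstab-format file.
# Prints one finding per line as "<mountpoint>: <problem>".
audit_cifs_fstab() {
    while read -r dev mnt fstype opts _rest; do
        case $dev in ''|'#'*) continue ;; esac
        case $fstype in cifs|smbfs) ;; *) continue ;; esac
        cred='' sec=''
        old_ifs=$IFS; IFS=,; set -f          # split options on commas, no globbing
        for opt in $opts; do
            case $opt in
                password=*|pass=*) echo "$mnt: password stored inline in fstab" ;;
                credentials=*|cred=*) cred=${opt#*=} ;;
                sec=*) sec=${opt#sec=} ;;
                vers=1.0) echo "$mnt: vers=1.0 selects the legacy SMB1 dialect" ;;
            esac
        done
        IFS=$old_ifs; set +f
        [ -n "$cred" ] || continue
        if [ ! -f "$cred" ]; then
            echo "$mnt: credentials file $cred not found"
            continue
        fi
        mode=$(stat -c '%a' "$cred")         # GNU stat, octal permission bits
        case $mode in
            ?00) ;;                          # owner-only access, e.g. 600
            *) echo "$mnt: credentials file $cred has mode $mode, expected 600" ;;
        esac
        # With sec=krb5 the page says the password field must stay empty.
        if [ "$sec" = krb5 ] && grep -Eq '^password=.+' "$cred"; then
            echo "$mnt: sec=krb5 but $cred contains a password"
        fi
    done < "$1"
}

# Constructed sample data (not real accounts); prints the temp directory.
make_sample() {
    d=$(mktemp -d)
    printf 'username=myuser\npassword=\ndomain=WUR\n' > "$d/krb.creds"
    chmod 600 "$d/krb.creds"
    printf 'username=myuser\npassword=constructed\ndomain=WUR\n' > "$d/open.creds"
    chmod 644 "$d/open.creds"
    cat > "$d/fstab" <<EOF
# constructed entries modelled on the fstab lines on this page
//WURNET.NL/dfs-root/ /mnt/dfs-root cifs rw,credentials=$d/krb.creds,sec=krb5,vers=3.0,noauto 0 0
//WURNET.NL/DFS-Root /mnt/wdrive cifs noauto,user,credentials=$d/open.creds,vers=1.0 0 0
//server/share /mnt/old cifs username=myuser,password=constructed,uid=502 0 0
/dev/sda1 / ext4 defaults 0 1
EOF
    echo "$d"
}

d=$(make_sample)
audit_cifs_fstab "$d/fstab"
rm -rf "$d"
```

Run it against the real file with `audit_cifs_fstab /etc/fstab`; an empty result means none of the checks fired.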