Difference between revisions of "File shares"

From LUG
(Missed a spot.)
 
(23 intermediate revisions by 4 users not shown)
Line 1: Line 1:
== Using the department fileserver ==
+
=== Mounting Home Directories - CIFS ===
 +
As WUR has moved to a new home directory storage method, the path to finding it is much simpler:
  
=== Finding the location of a share ===
+
Write yourself an /etc/fstab entry that looks like this:
  
In order to use the guides below, you'll have to know on which servers the windows shares reside.
+
<pre style="white-space: pre;">//fs01mixedsmb.wurnet.nl/DBL-STANDARD_HOMEDIR$/myuser /mnt/mdrive cifs noauto,user,username=myuser,domain=wur,uid=mylocaluser,gid=mylocalgroup 0 0</pre>
The easiest way is to use a Windows PC, start up Explorer, got to the share and look at the Properties.
 
  
Alternatively, you can use smbclient to find all shares on a server:
+
(Replace myuser with your own WUR account name, and mylocaluser/mylocalgroup with the account/group you have locally)
  
* smbclient -I <server>.wurnet.nl -W wurnet.nl -U yourname001 -L <server>
+
Now you can simply:
  
Where <server> is scomp0300 for PSG and scomp0291 for ESG.
+
<code>mount /mnt/mdrive</code>
  
 +
And after entering your password, you have access to your M drive share.
  
=== Using smbmount (normal user) ===
+
==== Caveats ====
  
Suppose the server your personal share is located on is called sdep001 and your username is annie001, your password is annie, and you want to mount this share on ~/mnt If you do not know this information you can get it out of the ActiveDirectoryServer or from the "My Computer" screen of a windows machine.
+
This may occasionally not work on the first try, as the hostname WURNET.NL points to multiple machines. You may need to do this repeatedly to get a stable connection.
  
* smbmount '//sdep001/annie001$' ~/mnt/ -o username=annie001,password=annie,workgroup=WUR
+
=== Mounting dfs-root ===
  
if you leave out the password, the program will ask you for your password during the mounting:
+
==== With ntlmssp authentication ====
 +
Please add this line to your /etc/fstab
  
* smbmount '//sdep001/annie001$' ~/mnt/ -o username=annie001,workgroup=WUR
+
<code>//WURNET.NL/dfs-root/  /mnt/dfs-root          cifs    rw,credentials=/<path_to>/.creds,sec=ntlmssp,vers=3.0,noauto,nofail,uid=<local_user>,gid=<local_group>    0      0</code>
  
=== Using mount (as root) ====
+
Make sure your credentials file .creds contains your wur-user password.
  
you can also do this using regular mount, as Stephan Verrips writes:
+
username=<wur_user>
 +
password=<wur_password>
 +
domain=WUR
  
* mount -t smbfs -o username=verri001,workgroup=wurnet.nl //sdpw0001.wurnet.nl/verri001$ ~/mnt
+
If you do not specify the paasword you will receive the error:
  
Alternatively, the (newer) CIFS protocol can be used instead of SMB. The following example connects to the 'webdocs' share where web related files can be stored.
+
<code>mount error(13): Permission denied</code>
  
* mkdir /mnt/webdocs
+
==== With kerberos authentication ====
* mount -t cifs -o username=annie001,workgroup=wurnet.nl //skgr0004.wurnet.nl/webdocs$ /mnt/webdocs
+
The dfs-root share uses Kerberos authentication. We will explain how to setup the kerberos client, obtain a token and finally mount this share.
  
=== Automatically mounting at boot (/etc/fstab) ===
+
1. Installing the kerberos client
 +
#RedHat/Centos
 +
yum install krb5.libs krb5.workstation
 +
#Ubuntu
 +
sudo apt-get install krb5-user
 +
 
 +
2. Configuration for WURNET
 +
  sudo vim /etc/krb5.conf
 +
 
 +
  includedir /etc/krb5.conf.d/ #only for red hat and centos, drop this line for ubuntu
 +
 +
  [logging]
 +
  default = FILE:/var/log/krb5libs.log
 +
  kdc = FILE:/var/log/krb5kdc.log
 +
  admin_server = FILE:/var/log/kadmind.log
 +
 +
  [libdefaults]
 +
  dns_lookup_realm = false
 +
  ticket_lifetime = 24h
 +
  renew_lifetime = 7d
 +
  forwardable = true
 +
  rdns = false
 +
  pkinit_anchors = /etc/pki/tls/certs/ca-bundle.crt
 +
  default_realm = WURNET.NL
 +
  kdc_timesync = 1
 +
  ccache_type = 4
 +
  forwardable = true
 +
  proxiable = true
 +
  default_ccache_name = KEYRING:persistent:%{uid}
 +
 +
  [realms]
 +
  WURNET.NL = {
 +
  kdc = wurdc1.wurnet.nl
 +
  admin_server = wurdc1.wurnet.nl
 +
  kdc = wurdc2.wurnet.nl
 +
  kdc = wurdc1.wurnet.nl
 +
  kdc = wurdc3.wurnet.nl
 +
  }
 +
 +
  [domain_realm]
 +
    wurnet.nl = WURNET.NL
 +
    .wurnet.nl = WURNET.NL
 +
 
 +
3. Configure the Kerberos session keys
 +
sudo vim /etc/request-key.d/cifs.spnego.conf
 +
 
 +
create  cifs.spnego    * * /usr/sbin/cifs.upcall -t %k
 +
 +
This file will most probably already exist. Make sure you are using the '-t' flag!
 +
 +
4. Edit /etc/fstab
 +
  //WURNET.NL/dfs-root/  /mnt/dfs-root          cifs    rw,credentials=/<local_path>/.creds,sec=krb5,vers=3.0,noauto,nofail,uid=<local_user>,gid=<local_user>    0      0
 +
 
 +
<local_path> is the path on your local machine to the credential file which we will create in the next step.
 +
 
 +
5. Create the Kerberos credential file
 +
vim /<local_path>/.creds
 +
 
 +
username=<WUR_user>
 +
password=
 +
domain=WUR
 +
 
 +
Please leave the field for password really empty!
 +
 
 +
6. Acquire a Kerberos key with your credentials
 +
sudo kinit <WUR_user>@WURNET.NL
 +
 
 +
Now you will be asked to provide your password.
 +
 
 +
7. Check key properties
 +
sudo klist
  
Add the following line to the file <b>/etc/fstab</b>
+
Valid starting    Expires            Service principal
 +
11-02-20 12:07:35  11-02-20 22:06:59  cifs/scomp6133.wurnet.nl@WURNET.NL
 +
renew until 18-02-20 12:06:55
 +
11-02-20 12:07:35  11-02-20 22:06:59  cifs/scomp6000.wurnet.nl@WURNET.NL
 +
renew until 18-02-20 12:06:55
 +
11-02-20 12:07:16  11-02-20 22:06:59  cifs/scomp6004.wurnet.nl@WURNET.NL
 +
renew until 18-02-20 12:06:55
 +
11-02-20 12:06:59  11-02-20 22:06:59  krbtgt/WURNET.NL@WURNET.NL
 +
renew until 18-02-20 12:06:55
  
  //sdep001/annie001$ /mnt/wur smbfs username=annie001,password=annie,workgroup=WUR,uid=502 0 0
+
8. Now you can mount the drive
 +
sudo mkdir /mnt/dfs-root/
 +
sudo chmod 755 /mnt/dfs-root
 +
sudo mount /mnt/dfs-root/
  
or a really working example for a shared network drive (for DPW - note the odd spaces in the name using \040):
 
  
//scomp0300/PSG~DPW\040Laboratory\040of\040Nematology$ /mnt/wur smbfs username=annie001,password=annie,workgroup=WUR,uid=501 0 0
+
=== Other Shares ===
  
or try
+
The easiest way to gather information about available CIFS shares is using smbclient. On Ubuntu, you need the pacakge 'smbclient' to provide this.
  
//scomp0300/PSG~DPW\040Laboratory\040of\040Nematology$ /mnt/wur smbfs //username=annie001,password=annie,workgroup=WUR,uid=501 0 0
+
Usage:
  
The uid represents the user id you use - check your id with the id command:
+
<code>smbclient -L <server> -U username</code>
  
  id
+
This will show you all the mounts available to you on that machine.
 +
 +
To test the mount:
  
it is also possible to use a gid (group id) to share the mounted drive with multiple users on one system.
+
<code>sudo mount //server/share -ousername=username,domain=wur /tmp/smb</code>
  
Note: since it contains your password this option is not so secure!
+
This will hold until you unmount it.
  
  Safer is to use a separate password file:
+
=== Automatically mounting at boot (/etc/fstab) ===
 
+
 
* cd ~
+
The above example will only mount when called. You want it to mount on boot. However, a simple issue is present - you must authenticate to mount. Thus, you need to have some credential stash. Modify the options to this:
* echo username=annie001 > .smbpassword 
 
* echo password=annie >> .smbpassword 
 
* chmod 600 .smbpassword
 
  
  This created a hidden password file that can only be read by you or the root
+
<pre style="white-space: pre;">//fs01mixedsmb.wurnet.nl/DBL-STANDARD_HOMEDIR$/username /mnt/mdrive cifs credentials=/home/localuser/.smbpassword,user,username=username,domain=wur,uid=localuser,gid=localuser 0 0</pre>
  
Change the line in the <b>/etc/fstab</b> into
+
Then you can make the credential file. Set it 600 so that only you or root may read or write.
  
* //sdep001/annie001$ /mnt/wur smbfs credentials=/home/annie/.smbpassword,workgroup=WUR,uid=502 0 0
+
<code>echo username=username > ~/.smbpassword</code>
  
Note: you set the uid to your user id (see 'man id') so you can write/read from your normal account.
+
<code>echo password=mypassword >> ~/.smbpassword</code>
  
Another example, again using the CIFS protocol instead of SMB, to automatically connect to the 'webdocs' share:
+
<code>chmod 600 ~/.smbpassword</code>
  
* //skgr0004.wurnet.nl/webdocs$ /mnt/webdocs cifs credentials=/home/annie/.smbpassword,workgroup=wurnet.nl,uid=502 0 0
+
=== Automatically mounting when users login (pam_mount) ===
  
=== Using Konqueror ===
+
<code>apt-get install libpam-mount cifs-utils</code>
  
Windows shares can also be accessed, without any mounting, with the SMB kio slave (KDE).
+
Create or edit pam_mount.conf.xml in /etc/security
The SMB kio slave can be used in Konqueror but also in other KDE applications.
+
<pre>
 +
<nowiki>
 +
<?xml version="1.0" encoding="utf-8" ?>
 +
<!DOCTYPE pam_mount SYSTEM "pam_mount.conf.xml.dtd">
 +
<!--
 +
See pam_mount.conf(5) for a description.
 +
-->
  
The format of the url is:
+
<pam_mount>
  
  smb://<username>@<hostname>/<sharename>
+
<!-- debug should come before everything else,
 +
since this file is still processed in a single pass
 +
from top-to-bottom -->
  
where e.g.:
+
<debug enable="0" />
  
* username: wur\annie001
+
<!-- Volume definitions -->
* hostname: sdep001.wur.nl
 
* sharename: annie001$
 
  
=== Troubleshooting ===
 
  
If you get the error "Connection to .... failed" and you are sure you typed the server name correctly, you have to manually set the wins server in /etc/samba/smb.conf. Find the line that reads like:
+
<!-- pam_mount parameters: General tunables -->
* ; wins server = <something>
 
Remove the ; and change the <something>:
 
* wins server = 10.110.10.3
 
  
 +
<luserconf name=".pam_mount.conf.xml" />
  
=== Using WebDAVS ===
+
<!-- Note that commenting out mntoptions will give you the defaults.
 +
    You will need to explicitly initialize it with the empty string
 +
    to reset the defaults to nothing. -->
 +
<mntoptions allow="*" />
 +
<!--
 +
<mntoptions allow="nosuid,nodev,loop,encryption,fsck,nonempty,allow_root,allow_other" />
 +
<mntoptions deny="suid,dev" />
 +
<mntoptions allow="*" />
 +
<mntoptions deny="*" />
 +
-->
 +
<mntoptions require="nosuid,nodev" />
  
You can also connect to the fileservers with WebDAV.
+
<logout wait="0" hup="0" term="0" kill="0" />
GNOME and KDE both provide GUI's for doing that.
 
In GNOME you can open the GUI with Connect to server... under Locations.
 
In KDE you have to open konqueror and type "remote:/". Then click on the "Add a Network Folder"-icon.
 
  
Select the encrypted WebDAV(s)-type
+
<!-- pam_mount parameters: Volume-related -->
Then fill in the fields
 
  
* Server = wic2.wur.nl
+
<mkmountpoint enable="1" remove="true" />
* Port = 443 (or use encryption)
 
* Folder = ANNIE001_annie001
 
* User = annie001
 
* Name = anything you like
 
  
=== Accessing files through the web ===
+
</pam_mount>
 +
</nowiki>
 +
</pre>
  
You can use [https://portal.web.wur.nl/ WIC] or [http://wurweb.wur.nl WURWEB]. These also work from outside the WUR network
+
Create a .pam_mount.conf.xml file in each users home directory.  
  
== Accessing files on the DFS-Root ==
+
<pre>
 +
<nowiki>
 +
<pam_mount>
 +
<volume options="domain=WUR,nodev,nosuid" user="*" mountpoint="~/M" path="Homes/%(USER)" server="WURNET.NL" fstype="cifs" />
 +
<volume options="domain=WUR,nodev,nosuid" user="*" mountpoint="~/W" path="DFS-Root" server="WURNET.NL" fstype="cifs" />
 +
</pam_mount>
 +
</nowiki>
 +
</pre>
  
=== What is the DFS-Root ===
+
And then create the directories in the users homedir.
  
DFS is Microsoft's Distributed File System. The purpose of a distributed file system is that the user can access files without knowing on which server the files are locates. The root of a distributed files system is called the DFS-Root. In the DFS-Root are virtual directories which are actual 'links' to shares on some servers.
+
<code>mkdir ~/M</code>
  
In WURNET there is one wur-wide DFS-Root \\wur\dfs-root usually mapped to the W:-drive in windows.
+
<code>mkdir ~/W</code>
  
The samba client is unable to directly access files in the DFS-Root, instead you have to connect to the actual underlying shares.
+
You can use skel to automatically put it in users home dir when creating a new user. If you want this then place the .pam_mount.conf.xml file in /etc/skel/ and create the M and W directory in /etc/skel
  
=== DFS-Root directory mappings ===
+
=== What is the DFS-Root ===
  
If you have access a file or directory in the format:
+
DFS is Microsoft's Distributed File System. The purpose of a distributed file system is that the user can access files without knowing on which server the files are locates. The root of a distributed files system is called the DFS-Root. In the DFS-Root are virtual directories which are actual 'links' to shares on some servers.
  
\\wur\dfs-root\dir\rest\of\path or W:\dir\rest\of\path
+
Most modern CIFS implementations are able to handle DFS properly, thus a config like:
  
then you must substitute \\wur\dfs-root\dir or W:\dir according the following table
+
<nowiki>//WURNET.NL/DFS-Root /mnt/wdrive cifs noauto,user,username=username,domain=wur 0 0</nowiki>
(Dir -> share):
 
  
 +
Should work.
  
* AFSG  =  //ATO0001C/AFSG$
+
With newer versions of smbclient it could happen that it needs a version specified in the mount options because the default version is not working. Then try it with version 1.0
* APPS  =  //SCOMP0025/apps
 
* ASG  =  //LD010s/ASG$
 
* ATV  =  //SATVF0001/shares
 
* BC    =  //SCOMP0064/BC
 
* DPT-DIER  =    //SCOMP0064/DIER
 
* DPT-MAATSCHAPPIJ    =    //SCOMP0063/MAATSCHAPPIJ
 
* FB    =  //SCOMP0064/FB
 
* LEI  =  //LEIDH017S/SHARES
 
* PLANT PROJECTS = //SPRI0010/PLANTPROJECTS$
 
* RIKILT = //SCOMP0063/RIKILT
 
* STUDENT = //SCOMP0064/STUDENT
 
  
The spaces in the names have to be escaped, using \040.
+
<nowiki>//WURNET.NL/DFS-Root /mnt/wdrive cifs noauto,user,username=username,domain=wur,vers=1.0 0 0</nowiki>
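
Review bot: in step 1 of the added Kerberos section, 'yum install krb5.libs krb5.workstation' uses dots where the Red Hat/CentOS package names have hyphens (krb5-libs, krb5-workstation), so the command as written does not name those packages. In the same section, [libdefaults] sets 'forwardable = true' twice and [realms] lists 'kdc = wurdc1.wurnet.nl' twice; drop the repeats. 'paasword' and 'pacakge' are typos. The new closing fstab line falls back to 'vers=1.0', which is SMB1; the text should say it is a last resort for a server that accepts nothing newer, since the other added dfs-root entries already pin vers=3.0. The added credential-file steps write the password with 'echo password=mypassword >> ~/.smbpassword' before the chmod 600, so the password lands in shell history and the file briefly has default permissions; consider setting the mode before writing.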

Latest revision as of 14:31, 25 February 2020

Mounting Home Directories - CIFS

As WUR has moved to a new home directory storage method, the path to finding it is much simpler:

Write yourself an /etc/fstab entry that looks like this:

//fs01mixedsmb.wurnet.nl/DBL-STANDARD_HOMEDIR$/myuser	/mnt/mdrive	cifs	noauto,user,username=myuser,domain=wur,uid=mylocaluser,gid=mylocalgroup	0	0

(Replace myuser with your own WUR account name, and mylocaluser/mylocalgroup with the account/group you have locally)

Now you can simply:

mount /mnt/mdrive

And after entering your password, you have access to your M drive share.

Caveats

This may occasionally not work on the first try, as the hostname WURNET.NL points to multiple machines. You may need to do this repeatedly to get a stable connection.

Mounting dfs-root

With ntlmssp authentication

Please add this line to your /etc/fstab

//WURNET.NL/dfs-root/ /mnt/dfs-root cifs rw,credentials=/<path_to>/.creds,sec=ntlmssp,vers=3.0,noauto,nofail,uid=<local_user>,gid=<local_group> 0 0

Make sure your credentials file .creds contains your wur-user password.

username=<wur_user>
password=<wur_password>
domain=WUR

If you do not specify the password you will receive the error:

mount error(13): Permission denied

With kerberos authentication

The dfs-root share uses Kerberos authentication. We will explain how to set up the Kerberos client, obtain a ticket and finally mount this share.

1. Installing the Kerberos client

#RedHat/CentOS
yum install krb5-libs krb5-workstation
#Ubuntu
sudo apt-get install krb5-user

2. Configuration for WURNET

 sudo vim /etc/krb5.conf
 includedir /etc/krb5.conf.d/ #only for red hat and centos, drop this line for ubuntu

 [logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

 [libdefaults]
 dns_lookup_realm = false
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true
 rdns = false
 pkinit_anchors = /etc/pki/tls/certs/ca-bundle.crt
 default_realm = WURNET.NL
 kdc_timesync = 1
 ccache_type = 4
 forwardable = true
 proxiable = true
 default_ccache_name = KEYRING:persistent:%{uid}

 [realms]
 WURNET.NL = {
  kdc = wurdc1.wurnet.nl
  admin_server = wurdc1.wurnet.nl
  kdc = wurdc2.wurnet.nl
  kdc = wurdc1.wurnet.nl
  kdc = wurdc3.wurnet.nl
 }

 [domain_realm]
   wurnet.nl = WURNET.NL
   .wurnet.nl = WURNET.NL

3. Configure the Kerberos session keys

sudo vim /etc/request-key.d/cifs.spnego.conf
 
create  cifs.spnego    * * /usr/sbin/cifs.upcall -t %k

This file will most probably already exist. Make sure you are using the '-t' flag!

4. Edit /etc/fstab

 //WURNET.NL/dfs-root/   /mnt/dfs-root           cifs    rw,credentials=/<local_path>/.creds,sec=krb5,vers=3.0,noauto,nofail,uid=<local_user>,gid=<local_user>    0       0

<local_path> is the path on your local machine to the credential file which we will create in the next step.

5. Create the Kerberos credential file

vim /<local_path>/.creds
username=<WUR_user>
password=
domain=WUR

Please leave the field for password really empty!

6. Acquire a Kerberos key with your credentials

sudo kinit <WUR_user>@WURNET.NL

Now you will be asked to provide your password.

7. Check key properties

sudo klist
Valid starting     Expires            Service principal
11-02-20 12:07:35  11-02-20 22:06:59  cifs/scomp6133.wurnet.nl@WURNET.NL
	renew until 18-02-20 12:06:55
11-02-20 12:07:35  11-02-20 22:06:59  cifs/scomp6000.wurnet.nl@WURNET.NL
	renew until 18-02-20 12:06:55
11-02-20 12:07:16  11-02-20 22:06:59  cifs/scomp6004.wurnet.nl@WURNET.NL
	renew until 18-02-20 12:06:55
11-02-20 12:06:59  11-02-20 22:06:59  krbtgt/WURNET.NL@WURNET.NL
	renew until 18-02-20 12:06:55

8. Now you can mount the drive

sudo mkdir /mnt/dfs-root/
sudo chmod 755 /mnt/dfs-root
sudo mount /mnt/dfs-root/


Other Shares

The easiest way to gather information about available CIFS shares is using smbclient. On Ubuntu, you need the package 'smbclient' to provide this.

Usage:

smbclient -L <server> -U username

This will show you all the mounts available to you on that machine.

To test the mount:

sudo mount //server/share -ousername=username,domain=wur /tmp/smb

This will hold until you unmount it.

Automatically mounting at boot (/etc/fstab)

The above example only mounts when called. To have it mount at boot there is one issue: you must authenticate to mount, so the credentials have to be stored somewhere. Modify the options to this:

//fs01mixedsmb.wurnet.nl/DBL-STANDARD_HOMEDIR$/username	/mnt/mdrive	cifs	credentials=/home/localuser/.smbpassword,user,username=username,domain=wur,uid=localuser,gid=localuser	0	0

Then you can make the credential file. Set its mode to 600 so that only you or root may read or write it.

echo username=username > ~/.smbpassword

echo password=mypassword >> ~/.smbpassword

chmod 600 ~/.smbpassword
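
The echo commands above put the password on the command line (and in shell history), and the file has default permissions until the chmod runs. An added example, not part of the wiki page, that writes the same three-line file with mode 600 from the start; the helper names write_cifs_creds and creds_private and the sample values are made up here.

```shell
#!/bin/sh
# Added example: create a CIFS credentials file without exposing the password.
# write_cifs_creds FILE USER DOMAIN   (hypothetical helper, not a cifs-utils tool)
# The password is read from stdin: typed at a prompt, or piped in by a script.
write_cifs_creds() {
    file=$1; user=$2; domain=$3
    if [ -t 0 ]; then
        printf 'Password for %s: ' "$user" >&2
        stty -echo; IFS= read -r pw; stty echo      # no echo while typing
        printf '\n' >&2
    else
        IFS= read -r pw
    fi
    # mktemp creates the file with mode 0600, so the secret is never
    # world-readable, even if an older FILE with lax permissions exists.
    tmp=$(mktemp "$file.XXXXXX") || return 1
    printf 'username=%s\npassword=%s\ndomain=%s\n' "$user" "$pw" "$domain" > "$tmp" \
        && mv -f -- "$tmp" "$file"
    rc=$?
    unset pw
    return "$rc"
}

# creds_private FILE: succeeds only if group and others have no access at all.
creds_private() {
    case $(ls -ld -- "$1" 2>/dev/null) in
        -???------*) return 0 ;;
        *)           return 1 ;;
    esac
}

# Demo with a constructed password, written to a temporary directory.
demo_dir=$(mktemp -d)
printf 'constructed-pass\n' | write_cifs_creds "$demo_dir/.smbpassword" myuser wur
creds_private "$demo_dir/.smbpassword" && echo "credentials file is private"
rm -rf -- "$demo_dir"
```

Run interactively as `write_cifs_creds ~/.smbpassword myuser wur` and the password is prompted for instead of being typed into the command.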

Automatically mounting when users login (pam_mount)

apt-get install libpam-mount cifs-utils

Create or edit pam_mount.conf.xml in /etc/security


<?xml version="1.0" encoding="utf-8" ?>
<!DOCTYPE pam_mount SYSTEM "pam_mount.conf.xml.dtd">
<!--
	See pam_mount.conf(5) for a description.
-->

<pam_mount>

		<!-- debug should come before everything else,
		since this file is still processed in a single pass
		from top-to-bottom -->

<debug enable="0" />

		<!-- Volume definitions -->


		<!-- pam_mount parameters: General tunables -->

<luserconf name=".pam_mount.conf.xml" />

<!-- Note that commenting out mntoptions will give you the defaults.
     You will need to explicitly initialize it with the empty string
     to reset the defaults to nothing. -->
<mntoptions allow="*" />
<!--
<mntoptions allow="nosuid,nodev,loop,encryption,fsck,nonempty,allow_root,allow_other" />
<mntoptions deny="suid,dev" />
<mntoptions allow="*" />
<mntoptions deny="*" />
-->
<mntoptions require="nosuid,nodev" />

<logout wait="0" hup="0" term="0" kill="0" />

<!-- pam_mount parameters: Volume-related -->

<mkmountpoint enable="1" remove="true" />

</pam_mount>

Create a .pam_mount.conf.xml file in each user's home directory.

 
<pam_mount>
	<volume options="domain=WUR,nodev,nosuid" user="*" mountpoint="~/M" path="Homes/%(USER)" server="WURNET.NL" fstype="cifs" />
	<volume options="domain=WUR,nodev,nosuid" user="*" mountpoint="~/W" path="DFS-Root" server="WURNET.NL" fstype="cifs" />
</pam_mount>

And then create the directories in the user's home directory.

mkdir ~/M

mkdir ~/W

You can use skel to put these in place automatically when a new user is created: place the .pam_mount.conf.xml file in /etc/skel/ and create the M and W directories in /etc/skel.

What is the DFS-Root

DFS is Microsoft's Distributed File System. The purpose of a distributed file system is that the user can access files without knowing on which server the files are located. The root of a distributed file system is called the DFS-Root. The DFS-Root contains virtual directories which are actually 'links' to shares on some servers.

Most modern CIFS implementations are able to handle DFS properly, thus a config like:

//WURNET.NL/DFS-Root	/mnt/wdrive	cifs	noauto,user,username=username,domain=wur	0	0

Should work.

With newer versions of smbclient it can happen that a version must be specified in the mount options because the default version does not work. In that case, try it with version 1.0:

//WURNET.NL/DFS-Root	/mnt/wdrive	cifs	noauto,user,username=username,domain=wur,vers=1.0	0	0
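
The fstab entries on this page differ in where the secret lives (inline, in a credentials file, or in a Kerberos ticket) and in the SMB version they request. An added example, not part of the wiki page, that audits cifs lines in an fstab-format file for an inline password, vers=1.0, a credentials file open to group or others, and a sec=krb5 entry whose credentials file is not left with an empty password; the function names, mount points and sample files are constructed.

```shell
#!/bin/sh
# Added example: audit cifs entries in an fstab-format file.
# Prints one finding per line as "<mountpoint>: <problem>".
audit_cifs_fstab() {
    while read -r dev mnt fstype opts _rest; do
        case $dev in ''|'#'*) continue ;; esac       # skip blanks and comments
        [ "$fstype" = cifs ] || continue
        cred=''; sec=''
        old_ifs=$IFS; IFS=,; set -f                  # split options on commas
        for o in $opts; do
            case $o in
                password=*)    echo "$mnt: password stored inline in fstab" ;;
                vers=1.0)      echo "$mnt: SMB1 requested (vers=1.0)" ;;
                credentials=*) cred=${o#credentials=} ;;
                sec=*)         sec=${o#sec=} ;;
            esac
        done
        IFS=$old_ifs; set +f
        [ -n "$cred" ] || continue
        if [ ! -f "$cred" ]; then
            echo "$mnt: credentials file $cred is missing"; continue
        fi
        # ls mode string "-rw-------": no access bits for group or others
        case $(ls -ld -- "$cred") in
            -???------*) ;;
            *) echo "$mnt: credentials file $cred is accessible by group or others" ;;
        esac
        # With sec=krb5 the ticket authenticates; the page leaves password= empty
        if [ "$sec" = krb5 ] && grep -q '^password=.' "$cred"; then
            echo "$mnt: sec=krb5 but $cred contains a password"
        fi
    done < "$1"
    return 0
}

# Constructed sample: three entries modelled on the fstab lines of this page.
audit_constructed_sample() {
    d=$(mktemp -d) || return 1
    ( umask 077; printf 'username=myuser\npassword=\ndomain=WUR\n' > "$d/ok.creds" )
    printf 'username=myuser\npassword=constructed\ndomain=WUR\n' > "$d/bad.creds"
    chmod 644 "$d/bad.creds"
    cat > "$d/fstab" <<EOF
# constructed sample
//WURNET.NL/dfs-root/ /mnt/a cifs rw,credentials=$d/ok.creds,sec=krb5,vers=3.0,noauto 0 0
//WURNET.NL/dfs-root/ /mnt/b cifs rw,credentials=$d/bad.creds,sec=krb5,vers=3.0,noauto 0 0
//WURNET.NL/DFS-Root /mnt/c cifs noauto,user,username=myuser,password=constructed,vers=1.0 0 0
EOF
    audit_cifs_fstab "$d/fstab"
    rm -rf -- "$d"
}
audit_constructed_sample
```

On a real machine, run `audit_cifs_fstab /etc/fstab` as a user who can read the credentials files it references.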