Difference between revisions of "File shares"
Line 17: | Line 17: | ||
This may occasionally not work on the first try, as the hostname WURNET.NL points to multiple machines. You may need to do this repeatedly to get a stable connection. | This may occasionally not work on the first try, as the hostname WURNET.NL points to multiple machines. You may need to do this repeatedly to get a stable connection. | ||
+ | |||
+ | === Mounting dfs-root === | ||
+ | The dfs-root share uses Kerberos authentication. We will explain how to setup the kerberos client, obtain a token and finally mount this share. | ||
+ | |||
+ | 1. Installing the kerberos client | ||
+ | |||
+ | (RedHat/Centos) | ||
+ | |||
+ | <code>yum install krb5.libs krb5.workstation</code> | ||
+ | |||
+ | (Ubuntu) | ||
+ | |||
+ | <code>sudo apt-get install krb5-user</code> | ||
+ | |||
+ | 2. Configuration for WURNET | ||
+ | <code>sudo vim /etc/krb5.conf | ||
+ | |||
+ | includedir /etc/krb5.conf.d/ #only for red hat and centos, drop this line for ubuntu | ||
+ | |||
+ | [logging] | ||
+ | default = FILE:/var/log/krb5libs.log | ||
+ | kdc = FILE:/var/log/krb5kdc.log | ||
+ | admin_server = FILE:/var/log/kadmind.log | ||
+ | |||
+ | [libdefaults] | ||
+ | dns_lookup_realm = false | ||
+ | ticket_lifetime = 24h | ||
+ | renew_lifetime = 7d | ||
+ | forwardable = true | ||
+ | rdns = false | ||
+ | pkinit_anchors = /etc/pki/tls/certs/ca-bundle.crt | ||
+ | default_realm = WURNET.NL | ||
+ | kdc_timesync = 1 | ||
+ | ccache_type = 4 | ||
+ | forwardable = true | ||
+ | proxiable = true | ||
+ | default_ccache_name = KEYRING:persistent:%{uid} | ||
+ | |||
+ | [realms] | ||
+ | WURNET.NL = { | ||
+ | kdc = wurdc1.wurnet.nl | ||
+ | admin_server = wurdc1.wurnet.nl | ||
+ | kdc = wurdc2.wurnet.nl | ||
+ | kdc = wurdc1.wurnet.nl | ||
+ | kdc = wurdc3.wurnet.nl | ||
+ | } | ||
+ | |||
+ | [domain_realm] | ||
+ | wurnet.nl = WURNET.NL | ||
+ | .wurnet.nl = WURNET.NL | ||
+ | |||
+ | </code> | ||
+ | |||
+ | 3. Configure the Kerberos session keys | ||
+ | <code>sudo vim /etc/request-key.d/cifs.spnego.conf | ||
+ | create cifs.spnego * * /usr/sbin/cifs.upcall -t %k | ||
+ | </code> | ||
+ | This file will most probably already exist. Make sure you are using the '-t' flag! | ||
+ | |||
+ | 4. Edit /etc/fstab | ||
+ | <code>//WURNET.NL/dfs-root/ /mnt/dfs-root cifs rw,credentials=/<local_path>/.creds,sec=krb5,vers=3.0,noauto,nofail,uid=<local_user>,gid=<local_user> 0 0</code> | ||
+ | <local_path> is the path on your local machine to the credential file which we will create in the next step. | ||
+ | 5. Create the Kerberos credential file | ||
+ | <code>vim /<local_path>/.creds | ||
+ | |||
+ | username=<WUR_user> | ||
+ | password= | ||
+ | domain=WUR | ||
+ | |||
+ | </code> | ||
+ | Please leave the field for password really empty! | ||
+ | |||
+ | 6. Acquirea Kerberos key with your credentials | ||
+ | <code> | ||
+ | sudo kinit sikke025@WURNET.NL | ||
+ | </code> | ||
+ | Now you will be asked to provide your password. | ||
+ | |||
+ | 7. Check key properties | ||
+ | <code> | ||
+ | sudo klist | ||
+ | |||
+ | Valid starting Expires Service principal | ||
+ | 11-02-20 12:07:35 11-02-20 22:06:59 cifs/scomp6133.wurnet.nl@WURNET.NL | ||
+ | renew until 18-02-20 12:06:55 | ||
+ | 11-02-20 12:07:35 11-02-20 22:06:59 cifs/scomp6000.wurnet.nl@WURNET.NL | ||
+ | renew until 18-02-20 12:06:55 | ||
+ | 11-02-20 12:07:16 11-02-20 22:06:59 cifs/scomp6004.wurnet.nl@WURNET.NL | ||
+ | renew until 18-02-20 12:06:55 | ||
+ | 11-02-20 12:06:59 11-02-20 22:06:59 krbtgt/WURNET.NL@WURNET.NL | ||
+ | renew until 18-02-20 12:06:55 | ||
+ | |||
+ | </code> | ||
+ | |||
+ | 8. Now you can mount the drive | ||
+ | |||
+ | <code> | ||
+ | sudo mkdir /mnt/dfs-root/ | ||
+ | sudo chmod 755 /mnt/dfs-root | ||
+ | sudo mount /mnt/dfs-root/ | ||
+ | </code> | ||
+ | |||
=== Other Shares === | === Other Shares === |
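Review bot: In step 1 the RedHat/CentOS line installs "krb5.libs krb5.workstation", but the packages are named krb5-libs and krb5-workstation, so the yum command fails as written; use hyphens. Step 6 hard-codes one account ("sudo kinit sikke025@WURNET.NL") where steps 4 and 5 use placeholders, so write it as <WUR_user>@WURNET.NL. In the krb5.conf block, "forwardable = true" and "kdc = wurdc1.wurnet.nl" each appear twice, and the "#only for red hat and centos" remark trails the includedir directive on the same line; krb5.conf only treats lines beginning with # or ; as comments, so move it to its own line. Step 5 says nothing about permissions on the .creds file, and step 6 has the typo "Acquirea".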
Revision as of 11:15, 11 February 2020
Mounting Home Directories - CIFS
As WUR has moved to a new home directory storage method, the path to finding it is much simpler:
Write yourself an /etc/fstab entry that looks like this:
//fs01mixedsmb.wurnet.nl/DBL-STANDARD_HOMEDIR$/myuser /mnt/mdrive cifs noauto,user,username=myuser,domain=wur,uid=mylocaluser,gid=mylocalgroup 0 0
(Replace myuser with your own WUR account name, and mylocaluser/mylocalgroup with the account/group you have locally)
Now you can simply:
mount /mnt/mdrive
And after entering your password, you have access to your M drive share.
Caveats
This may occasionally not work on the first try, as the hostname WURNET.NL points to multiple machines. You may need to do this repeatedly to get a stable connection.
Mounting dfs-root
The dfs-root share uses Kerberos authentication. We will explain how to set up the Kerberos client, obtain a token and finally mount this share.
1. Installing the Kerberos client
(RedHat/Centos)
yum install krb5-libs krb5-workstation
(Ubuntu)
sudo apt-get install krb5-user
2. Configuration for WURNET
sudo vim /etc/krb5.conf
# The includedir line is only for Red Hat and CentOS; drop it on Ubuntu
includedir /etc/krb5.conf.d/
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
dns_lookup_realm = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
rdns = false
pkinit_anchors = /etc/pki/tls/certs/ca-bundle.crt
default_realm = WURNET.NL
kdc_timesync = 1
ccache_type = 4
forwardable = true
proxiable = true
default_ccache_name = KEYRING:persistent:%{uid}
[realms]
WURNET.NL = {
kdc = wurdc1.wurnet.nl
admin_server = wurdc1.wurnet.nl
kdc = wurdc2.wurnet.nl
kdc = wurdc1.wurnet.nl
kdc = wurdc3.wurnet.nl
}
[domain_realm]
wurnet.nl = WURNET.NL
.wurnet.nl = WURNET.NL
3. Configure the Kerberos session keys
sudo vim /etc/request-key.d/cifs.spnego.conf
create cifs.spnego * * /usr/sbin/cifs.upcall -t %k
This file will most probably already exist. Make sure you are using the '-t' flag!
4. Edit /etc/fstab
//WURNET.NL/dfs-root/ /mnt/dfs-root cifs rw,credentials=/<local_path>/.creds,sec=krb5,vers=3.0,noauto,nofail,uid=<local_user>,gid=<local_user> 0 0
<local_path> is the path on your local machine to the credential file which we will create in the next step.
5. Create the Kerberos credential file
vim /<local_path>/.creds
username=<WUR_user>
password=
domain=WUR
Leave the password field empty!
6. Acquire a Kerberos key with your credentials
sudo kinit sikke025@WURNET.NL
Replace sikke025 with your own WUR account name. You will then be asked to provide your password.
7. Check key properties
sudo klist
Valid starting Expires Service principal
11-02-20 12:07:35 11-02-20 22:06:59 cifs/scomp6133.wurnet.nl@WURNET.NL
renew until 18-02-20 12:06:55
11-02-20 12:07:35 11-02-20 22:06:59 cifs/scomp6000.wurnet.nl@WURNET.NL
renew until 18-02-20 12:06:55
11-02-20 12:07:16 11-02-20 22:06:59 cifs/scomp6004.wurnet.nl@WURNET.NL
renew until 18-02-20 12:06:55
11-02-20 12:06:59 11-02-20 22:06:59 krbtgt/WURNET.NL@WURNET.NL
renew until 18-02-20 12:06:55
8. Now you can mount the drive
sudo mkdir /mnt/dfs-root/
sudo chmod 755 /mnt/dfs-root
sudo mount /mnt/dfs-root/
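The settings that steps 3 to 5 depend on can be checked with a script before running step 8. This is an added example, not part of the original wiki page; the function names are this example's own, and the three files to inspect are passed as arguments.

```sh
#!/bin/sh
# Added example: pre-flight checks for steps 3-5 of the dfs-root procedure.
# Function names are this example's own; files are passed in as arguments.

# Step 3: the cifs.spnego request-key line must call cifs.upcall with -t.
check_spnego() {
    awk '$1 == "create" && $2 == "cifs.spnego" {
             for (i = 6; i <= NF; i++)
                 if ($i == "-t" || $i == "--trust-dns") found = 1
         }
         END { exit (found ? 0 : 1) }' "$1"
}

# Step 4: print the credentials= path of the cifs entry mounted on $2;
# fail unless that same entry also sets sec=krb5.
fstab_creds_path() {
    awk -v mp="$2" '$1 !~ /^#/ && $2 == mp && $3 == "cifs" {
             n = split($4, opt, ","); krb = 0; path = ""
             for (i = 1; i <= n; i++) {
                 if (opt[i] == "sec=krb5") krb = 1
                 if (opt[i] ~ /^credentials=/) path = substr(opt[i], 13)
             }
             if (krb && path != "") { print path; ok = 1 }
         }
         END { exit (ok ? 0 : 1) }' "$1"
}

# Step 5: password= must be present and empty, so no secret sits on disk.
check_empty_password() {
    grep -Eq '^password=[[:space:]]*$' "$1"
}

# Run all three checks; usage: preflight <spnego.conf> <fstab> <mountpoint>
preflight() {
    check_spnego "$1" || { echo "FAIL: cifs.upcall lacks -t in $1"; return 1; }
    creds=$(fstab_creds_path "$2" "$3") ||
        { echo "FAIL: no cifs entry with sec=krb5 and credentials= for $3"; return 1; }
    check_empty_password "$creds" ||
        { echo "FAIL: $creds must contain an empty password= line"; return 1; }
    echo "OK: $3 is configured for Kerberos, credentials file $creds"
}

if [ "$#" -eq 3 ]; then preflight "$@"; fi
```

Run it with /etc/request-key.d/cifs.spnego.conf, /etc/fstab and /mnt/dfs-root as arguments. Afterwards, "sudo klist -s" exits with status 0 only if the ticket cache filled in step 6 can be read and has not expired.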
Other Shares
The easiest way to gather information about available CIFS shares is using smbclient. On Ubuntu, you need the package 'smbclient' to provide this.
Usage:
smbclient -L <server> -U username
This will show you all the mounts available to you on that machine.
To test the mount:
sudo mount //server/share -ousername=username,domain=wur /tmp/smb
This will hold until you unmount it.
Automatically mounting at boot (/etc/fstab)
The above example only mounts when called. To mount at boot, the system has to authenticate without prompting you, so the credentials must be stored somewhere. Modify the options to this:
//fs01mixedsmb.wurnet.nl/Homes/username /mnt/mdrive cifs credentials=/home/localuser/.smbpassword,user,username=username,domain=wur,uid=localuser,gid=localuser 0 0
Then you can make the credential file. Set its mode to 600 so that only you or root may read or write it.
echo username=username > ~/.smbpassword
echo password=mypassword >> ~/.smbpassword
chmod 600 ~/.smbpassword
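With the echo commands above, the password ends up in the shell history and the file exists with default permissions until chmod runs. The script below is an added example, not part of the original wiki page, that writes the same file while avoiding both; write_smb_creds is this example's own helper name.

```sh
#!/bin/sh
# Added example: write the CIFS credentials file so the password never appears
# in shell history and the file is never readable by other users.
# write_smb_creds is this example's own helper name.

# usage: write_smb_creds <file> <username>   (password is read from stdin)
write_smb_creds() {
    file=$1; user=$2
    IFS= read -r pass || return 1      # EOF before a full line: refuse
    [ -n "$pass" ] || return 1         # refuse an empty password
    (
        umask 077                      # anything created here is owner-only
        tmp=$(mktemp "$file.XXXXXX") || exit 1
        if printf 'username=%s\npassword=%s\n' "$user" "$pass" > "$tmp"; then
            mv -f "$tmp" "$file"       # replace atomically; mode 600 kept
        else
            rm -f "$tmp"; exit 1
        fi
    )
}

# Interactive use: sh thisfile ~/.smbpassword username
if [ "$#" -eq 2 ] && [ -t 0 ]; then
    trap 'stty echo; echo >&2' EXIT    # always restore terminal echo
    trap 'exit 130' INT TERM
    printf 'Password: ' >&2
    stty -echo
    write_smb_creds "$1" "$2"
fi
```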
Automatically mounting when users login (pam_mount)
apt-get install libpam-mount cifs-utils
Create or edit pam_mount.conf.xml in /etc/security
<?xml version="1.0" encoding="utf-8" ?>
<!DOCTYPE pam_mount SYSTEM "pam_mount.conf.xml.dtd">
<!-- See pam_mount.conf(5) for a description. -->
<pam_mount>
  <!-- debug should come before everything else, since this file is still
       processed in a single pass from top-to-bottom -->
  <debug enable="0" />
  <!-- Volume definitions -->
  <!-- pam_mount parameters: General tunables -->
  <luserconf name=".pam_mount.conf.xml" />
  <!-- Note that commenting out mntoptions will give you the defaults.
       You will need to explicitly initialize it with the empty string
       to reset the defaults to nothing. -->
  <mntoptions allow="*" />
  <!--
  <mntoptions allow="nosuid,nodev,loop,encryption,fsck,nonempty,allow_root,allow_other" />
  <mntoptions deny="suid,dev" />
  <mntoptions allow="*" />
  <mntoptions deny="*" />
  -->
  <mntoptions require="nosuid,nodev" />
  <logout wait="0" hup="0" term="0" kill="0" />
  <!-- pam_mount parameters: Volume-related -->
  <mkmountpoint enable="1" remove="true" />
</pam_mount>
Create a .pam_mount.conf.xml file in each user's home directory.
<pam_mount>
  <volume options="domain=WUR,nodev,nosuid" user="*" mountpoint="~/M" path="Homes/%(USER)" server="WURNET.NL" fstype="cifs" />
  <volume options="domain=WUR,nodev,nosuid" user="*" mountpoint="~/W" path="DFS-Root" server="WURNET.NL" fstype="cifs" />
</pam_mount>
And then create the directories in the user's home directory.
mkdir ~/M
mkdir ~/W
You can use skel to put these in place automatically when a new user is created. To do so, place the .pam_mount.conf.xml file in /etc/skel/ and create the M and W directories in /etc/skel.
What is the DFS-Root
DFS is Microsoft's Distributed File System. The purpose of a distributed file system is that the user can access files without knowing on which server the files are located. The root of a distributed file system is called the DFS-Root. The DFS-Root contains virtual directories, which are actually 'links' to shares on some servers.
Most modern CIFS implementations are able to handle DFS properly, thus a config like:
//WURNET.NL/DFS-Root /mnt/wdrive cifs noauto,user,username=username,domain=wur 0 0
Should work.
With newer versions of smbclient, the default protocol version may not work, and a version has to be specified in the mount options. In that case, try it with version 1.0:
//WURNET.NL/DFS-Root /mnt/wdrive cifs noauto,user,username=username,domain=wur,vers=1.0 0 0