Tutorial: Ubuntu as UCS client with NFSv4 / Kerberos & Samba-AD

Hi@all,

I have spent a lot of time in the last weeks to set up the UCS5 with ADS, NFSv4 and Kerberos so that Ubuntu with kernel > 5.10 works without problems. NFS is only used for the user home. The rest of the shares are mounted as CIFS.

The mounting of all shares (NFSv4 & CIFS) is done dynamically using PAM_MOUNT at login.

If it is desired I would write a manual for this. I would just like to send this to someone who is deeper in the subject to look over it again. I got some things working more by trial and error than knowledge.

Just in case there is interest.

with best
Sven

2 Likes

I for one would like to see this as I am sure at least some of this would benefit me and many others.
I hold no expertise, however, I am pretty certain I will need PAM-Mount to automatically attach user shares (to be held) on my fileserver.

Thanks.

Yes, the PAM_MOUNT is a fine thing. It is always only /home/%DOMAIN_USER mounted on the client and not the complete /home.

I will edit the text a bit on the weekend and just post it here. It would be nice if a professional looks over it again :slight_smile:

Very interested to read.

Without warranty. Perform a backup beforehand. Perhaps an expert can still say something about it.

I use Linuxmint 20.03 (Edge) with kernel 5.13. Add Linux users to the ‘users’ group.

Starting from a new UCS 5.0.1 installation with ADS installed, I proceeded as follows:

Create share for /home

Manual editing of /etc/exports was no longer necessary.

Enable svcgssd

systemctl unmask rpc-svcgssd.service
ln -sf /lib/systemd/system/rpc-svcgssd.service /etc/systemd/system/rpc-svcgssd.service

Configure idmapd

cp /etc/idmapd.conf /etc/idmapd.conf.org
nano /etc/idmapd.conf
[General]
Verbosity = 0
Pipefs-Directory = /run/rpc_pipefs
Domain = lan.example.club

[Translation]
GSS-Methods = static,nsswitch

[Static]
PC001$@LAN.EXAMPLE.CLUB = root

[Mapping]
Nobody-User = nobody
Nobody-Group = nogroup

The static mapping PC001… is necessary for me because I use a real root-account (not sudo) on the client. If I leave out the mapping I have no rights on the share after su.

SPN account for NFS

/usr/share/univention-samba4/scripts/create_spn_account.sh --samaccountname "nfs-$HOSTNAME" --serviceprincipalname "nfs/$(hostname -f)" --privatekeytab nfs.keytab

ktutil copy /var/lib/samba/private/nfs.keytab /etc/krb5.keytab

kinit Administrator
net ads enctypes set "nfs-$(hostname)"

reboot

Linux Mint

Starting from a new installation. I perform the configuration of the client via SSH from another computer.

nano /etc/profile

Add at the end:
xhost si:localuser:root

Is necessary for me (real root). Otherwise GUI programs that request root rights do not start.

nano /etc/systemd/timesyncd.conf

...
[Time]
NTP=srv01.lan.example.club
FallbackNTP=0.de.pool.ntp.org 1.de.pool.ntp.org 2.de.pool.ntp.org

ADS Join

apt install nfs-common libpam-mount ntpdate git realmd libnss-sss libpam-sss sssd sssd-tools adcli oddjob oddjob-mkhomedir packagekit krb5-user krb5-auth-dialog cachefilesd cifs-utils

→ Default realm for Kerberos version 5: LAN.EXAMPLE.CLUB

nano /etc/default/nfs-common

...
NEED_IDMAPD=yes
NEED_GSSD=yes

git clone https://github.com/fbartels/UCS_domain_join.git && cd UCS_domain_join && bash setup.sh

What is the Kerberos realm? (dom.example.com)?lan.example.club
What is the domain controllers short hostname ? ('dc' part of dc.dom.example.com)? srv01
What is the domain admin username? Administrator
Creating computer account on srv01.lan.example.club UCS server. Password for domain admin will be prompted.
Password:[rootPW]

Passwort für Administrator:[rootPW]

Add a domain user to local sudoers? Y/N: N
UCS Domain Join Complete! REBOOT NOW? [y/N] N

I answered the question about “sudoers” with “no” because … real root

cp /etc/sssd/sssd.conf /etc/sssd/sssd.conf.org
nano /etc/sssd/sssd.conf
[sssd]
domains = lan.example.club
config_file_version = 2

[domain/lan.example.club]
default_shell = /bin/bash
krb5_store_password_if_offline = True
cache_credentials = True
krb5_realm = LAN.EXAMPLE.CLUB
realmd_tags = manages-system joined-with-adcli
id_provider = ad
fallback_homedir = /home/%u
ad_server = srv01.lan.example.club
ad_domain = lan.example.club
use_fully_qualified_names = False
ldap_id_mapping = True
ldap_schema = ad
access_provider = ad
ad_gpo_access_control = permissive
auth_provider = ad
chpass_provider = ad
access_provider = ad
dyndns_update = true
dyndns_refresh_interval = 43200
dyndns_update_ptr = true
dyndns_ttl = 3600
ldap_schema = rfc2307bis
ldap_group_member = uniqueMember
ldap_group_nesting_level = 2
enumerate = True

cp /etc/idmapd.conf /etc/idmapd.conf.org
nano /etc/idmapd.conf

Exactly the same as on the server (see above).

nano /etc/default/cachefilesd

Activate this line:
secctx system_u:system_r:cachefiles_kernel_t:s0

kinit Administrator
reboot

Users who work with Linux clients must log in once via SSH on the master so that the home directory is created.

Test and Login

As root, test the mount:

showmount -e srv01.lan.example.club
mount -t nfs4 -o sec=krb5i srv01.lan.example.club:/home /home

PAM Mount

I only mount the /home via NFSv4. All other shares via SMB. Why?

The Linux desktop behaved very strangely when the /home is on an SMB share.

From the SMB share I write from the client with ~130 MB/s … NFSv4 “only” 95 MB/s

We work with the shares on group level. I force on the server that files/directories are written with: Administrator / [Group].

mkdir -p /data01/Bilder /data01/Buchhaltung

nano /etc/security/pam_mount.conf.xml

                <volume user="*" fstype="nfs4" sec="krb5i" server="srv01.lan.example.club" path="/home/%(DOMAIN_USER)" mountpoint="/home/%(DOMAIN_USER)" options="rw,nolock,nocto,soft,fsc,_netdev,exec,nosuid"/>
                <volume fstype="cifs" vers="3.1" sec="krb5i" pgrp="domain users" path="//srv01.lan.example.club/Bilder" mountpoint="/data01/Bilder/" cruid="%(USERUID)" options="fsc,iocharset=utf8" />

reboot and desktop login

s.me ツ pc001:~ uname -r
5.13.0-27-generic
...
s.me ツ pc001:~ mount |grep srv01
srv01.lan.example.club:/home/s.me on /home/s.me type nfs4 (rw,nosuid,relatime,vers=4.2,rsize=1048576,wsize=1048576,namlen=255,soft,nocto,proto=tcp,timeo=600,retrans=2,sec=krb5i,clientaddr=192.168.83.140,fsc,local_lock=none,addr=192.168.83.5,_netdev)
//srv01.lan.example.club/Bilder on /data01/Bilder type cifs (rw,relatime,vers=3.1.1,cache=strict,username=s.me,uid=1381401120,noforceuid,gid=1381400513,noforcegid,addr=192.168.83.5,file_mode=0755,dir_mode=0755,iocharset=utf8,soft,nounix,serverino,mapposix,fsc,rsize=4194304,wsize=4194304,bsize=1048576,echo_interval=60,actimeo=1)

Best regards
Sven

1 Like

I found an easier way to get it. With UCS 5 and Ubuntu 20.04 I just did as mentioned here

Nothing special. After installing NFS

apt install nfs-common

I put this line

<volume user="*" fstype="nfs4" sec="sys" server="srv01.lan.example.club" path="/home/%(DOMAIN_USER)" mountpoint="/home/%(DOMAIN_USER)" options="rw,nolock,nocto,soft,fsc,_netdev,exec,nosuid"/>

into

/etc/security/pam_mount.conf.xml

I couldn’t get it running with sec="krb5i", so I keep sec="sys"

Yes, joining the UCS domain is easier with univention-domain-join. But …

NFSv4 with Kerberos will not work like this.

1 Like
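
The two pam_mount variants in this thread differ in the NFS security flavor: with sec=sys the server accepts whatever UID the client reports, while the krb5 flavors tie access to a Kerberos ticket. As an added example (not from any poster in the thread), this shell function reads /proc/mounts-format lines and reports the effective sec= of every NFS mount; the function names, the user t.user and the sample lines are constructed.

```shell
#!/bin/sh
# Added example: report the effective security flavor of each NFS mount.
# Input (stdin): lines in /proc/mounts format:
#   <device> <mountpoint> <fstype> <options> <dump> <pass>
# Output: "<verdict> <mountpoint> sec=<flavor> nosuid=<yes|no>" per NFS mount.
# Exit status: 1 if any NFS mount does not use krb5, krb5i or krb5p.
audit_nfs_sec() {
    awk '
    $3 == "nfs" || $3 == "nfs4" {
        flavor = "unset"; nosuid = "no"
        n = split($4, opt, ",")
        for (i = 1; i <= n; i++) {
            if (opt[i] ~ /^sec=/)   flavor = substr(opt[i], 5)
            if (opt[i] == "nosuid") nosuid = "yes"
        }
        verdict = (flavor ~ /^krb5[ip]?$/) ? "OK" : "WEAK"
        if (verdict == "WEAK") bad = 1
        print verdict, $2, "sec=" flavor, "nosuid=" nosuid
    }
    END { exit bad + 0 }
    '
}

# Constructed sample input, modelled on the option strings shown in the thread.
# Line 1: Kerberos-protected home, line 2: sec=sys home, line 3: CIFS (ignored).
sample_mounts() {
    cat <<'EOF'
srv01.lan.example.club:/home/s.me /home/s.me nfs4 rw,nosuid,relatime,vers=4.2,soft,nocto,proto=tcp,sec=krb5i,fsc 0 0
srv01.lan.example.club:/home/t.user /home/t.user nfs4 rw,nosuid,relatime,vers=4.2,soft,nocto,proto=tcp,sec=sys,fsc 0 0
//srv01.lan.example.club/Bilder /data01/Bilder cifs rw,relatime,vers=3.1.1,cache=strict,iocharset=utf8,fsc 0 0
EOF
}

# On a client, run it against the live mount table: audit_nfs_sec < /proc/mounts
sample_mounts | audit_nfs_sec || echo "at least one NFS mount is not Kerberos-protected"
```

Checking the mounted result rather than pam_mount.conf.xml shows what the client and server actually negotiated after login.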