Mounting Usershares with NFS and Kerberos on Linux

Detailed instructions on how to access your usershares on Linux

Join the Active Directory

To mount usershares provided by OpenStack, the computer must be part of a domain in the University of Münster CIT Active Directory Forest. The IVVs are responsible for adding new computers to their domains. The scripts shown below are an example of joining a computer to the WWU domain. However, the variables JOINUSER and OU must be configured individually. Please consult your IVV for the details!

Additional Remarks

  • Hostnames may consist of at most 15 characters (this is an Active Directory limitation).
  • Distributions with older kernels (e.g. CentOS 7) may cause problems when operating on many small files in short time frames (we could reproduce the issue by running git clone https://github.com/torvalds/linux.git on an NFS share).

CentOS 8.2

# set variables
JOINUSER="joinuseraccount"
OU="OU=OpenStack,OU=ZIV,OU=IVV,DC=wwu,DC=de"

# install net tool, winbind and kerberos client tools
dnf install -y samba-common-tools samba-winbind krb5-workstation

# create samba conf
cat <<EOF > /etc/samba/smb.conf
[global]
netbios name = $(hostname)
security = ADS
realm = wwu.de
workgroup = WWU
kerberos method = system keytab

idmap config * : backend = tdb
idmap config * : range = 500000001-500000100
idmap config * : read only = yes

idmap config WWU : backend = ad
idmap config WWU : schema_mode = rfc2307
idmap config WWU : range = 1000-100000000
idmap config WWU : read only = yes
idmap config WWU : unix_nss_info = yes
idmap config WWU : unix_primary_group = yes

winbind refresh tickets = yes
winbind use default domain = yes
winbind expand groups = 4
EOF

# create kerberos conf
cat <<EOF > /etc/krb5.conf
[libdefaults]
default_realm = WWU.DE
dns_lookup_realm = false
dns_lookup_kdc = true
rdns = false

[domain_realm]
.wwu.de = WWU.DE
wwu.de = WWU.DE

[logging]
default = STDERR
EOF

# join computer
net ads join -U ${JOINUSER} createcomputer=${OU} --no-dns-updates

# create kerberos keytab
net -P ads keytab create

# enable and start winbind
systemctl enable winbind
systemctl start winbind

# add winbind to nsswitch.conf
sed -i -e 's/^passwd:.*/passwd: winbind sss files systemd/' /etc/nsswitch.conf
sed -i -e 's/^group:.*/group: winbind sss files systemd/' /etc/nsswitch.conf

# enable and start nfs-client services
systemctl enable nfs-client.target
systemctl start nfs-client.target

# mount usershares
mount -o vers=4.2,sec=krb5 usershare-nfs.os.wwu.de:/usershare /mnt

Ubuntu 20.04

# set variables
JOINUSER="joinuseraccount"
OU="OU=OpenStack,OU=ZIV,OU=IVV,DC=wwu,DC=de"

# install net tool, winbind, kerberos client tools and nfs client services
export DEBIAN_FRONTEND=noninteractive
apt-get install -y --no-install-recommends samba-common-bin winbind libnss-winbind krb5-user nfs-common

# create samba conf
cat <<EOF > /etc/samba/smb.conf
[global]
netbios name = $(hostname)
security = ADS
realm = wwu.de
workgroup = WWU
kerberos method = system keytab

idmap config * : backend = tdb
idmap config * : range = 500000001-500000100
idmap config * : read only = yes

idmap config WWU : backend = ad
idmap config WWU : schema_mode = rfc2307
idmap config WWU : range = 1000-100000000
idmap config WWU : read only = yes
idmap config WWU : unix_nss_info = yes
idmap config WWU : unix_primary_group = yes

winbind refresh tickets = yes
winbind use default domain = yes
winbind expand groups = 4
EOF

# create kerberos conf
cat <<EOF > /etc/krb5.conf
[libdefaults]
default_realm = WWU.DE
dns_lookup_realm = false
dns_lookup_kdc = true
rdns = false

[domain_realm]
.wwu.de = WWU.DE
wwu.de = WWU.DE

[logging]
default = STDERR
EOF

# join computer
net ads join -U ${JOINUSER} createcomputer=${OU} --no-dns-updates

# create kerberos keytab
net -P ads keytab create

# enable and start winbind
systemctl enable winbind
systemctl start winbind

# add winbind to nsswitch.conf
sed -i -e 's/^passwd:.*/passwd: winbind files systemd/' /etc/nsswitch.conf
sed -i -e 's/^group:.*/group: winbind files systemd/' /etc/nsswitch.conf

# enable and start nfs-client services
systemctl enable nfs-client.target
systemctl start nfs-client.target

# mount usershares
mount -o vers=4.2,sec=krb5 usershare-nfs.os.wwu.de:/usershare /mnt

Configure Active Directory login with automatic mount on boot

The following configuration can be performed after joining the domain as described above. It will configure Linux to authenticate via LDAP and mount the share on boot.

For this to work, a Kerberos ticket must be obtained at login. The ticket can be displayed with klist.

CentOS 8

# Install sssd
dnf install -y sssd

# Minimal sssd configuration
cat > /etc/sssd/sssd.conf << EOF
[sssd]
config_file_version = 2
domains = wwu.de
services = nss,pam

[nss]
filter_groups = root
filter_users = root

[domain/wwu.de]
id_provider = ad
access_provider = ad
auth_provider = ad
chpass_provider = none
sudo_provider = none
ldap_id_mapping = False
EOF
chmod 600 /etc/sssd/sssd.conf
systemctl restart sssd

# Automatically mount usershare on boot
grep -q ^usershare-nfs.os.wwu.de:/usershare /etc/fstab || echo "usershare-nfs.os.wwu.de:/usershare /mnt nfs4 vers=4.2,sec=krb5,auto 0 0" >> /etc/fstab

# Optionally allow ChallengeResponseAuthentication in SSH
sed -i -e 's/^ChallengeResponseAuthentication.*/ChallengeResponseAuthentication yes/' /etc/ssh/sshd_config
systemctl restart sshd

Ubuntu 20.04

# Install sssd and pam modules for sssd and kerberos
apt install -y --no-install-recommends sssd libpam-sss libpam-krb5

# Minimal sssd configuration
cat > /etc/sssd/sssd.conf << EOF
[sssd]
config_file_version = 2
domains = wwu.de
services = nss,pam

[nss]
filter_groups = root
filter_users = root

[domain/wwu.de]
id_provider = ad
access_provider = ad
auth_provider = ad
chpass_provider = none
sudo_provider = none
EOF
chmod 600 /etc/sssd/sssd.conf
systemctl restart sssd

# Add sss to nsswitch.conf
sed -i -e 's/^shadow:.*/shadow: files sss/' /etc/nsswitch.conf

# Automatically mount usershare on boot
grep -q ^usershare-nfs.os.wwu.de:/usershare /etc/fstab || echo "usershare-nfs.os.wwu.de:/usershare /mnt nfs4 vers=4.2,sec=krb5,auto 0 0" >> /etc/fstab

# Optionally allow ChallengeResponseAuthentication in SSH
sed -i -e 's/^ChallengeResponseAuthentication.*/ChallengeResponseAuthentication yes/' /etc/ssh/sshd_config
systemctl restart ssh
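Both the manual mount command and the fstab entry above depend on sec=krb5: a usershare mount with sec=sys would still succeed, but the server would then trust the client's numeric UIDs instead of the Kerberos identity. The following POSIX sh audit is an added example and not part of the original instructions; it reads fstab or /proc/mounts lines, picks out those for the usershare export named on this page, and flags any that lack a Kerberos security flavour or NFSv4.2. The sample lines at the bottom are constructed.

```shell
#!/bin/sh
# Added example: audit fstab / /proc/mounts lines for the usershare export.
# SERVER is the export from the instructions; all sample lines are constructed.
SERVER="usershare-nfs.os.wwu.de:/usershare"

# check_usershare_line LINE
#   0 -> LINE mounts the usershare over NFSv4.2 with sec=krb5/krb5i/krb5p
#   1 -> LINE mounts the usershare without Kerberos or with another version
#   2 -> LINE does not concern the usershare (skipped)
check_usershare_line() {
    set -- $1                          # split on whitespace: src tgt fstype opts ...
    [ "$1" = "$SERVER" ] || return 2
    case "$3" in nfs|nfs4) ;; *) return 1 ;; esac
    opts=",$4,"                        # pad so ",sec=krb5," matches at either end
    case "$opts" in
        *,sec=krb5,*|*,sec=krb5i,*|*,sec=krb5p,*) ;;
        *) return 1 ;;                 # sec=sys or no sec= at all: UID-based trust only
    esac
    case "$opts" in
        *,vers=4.2,*|*,nfsvers=4.2,*) return 0 ;;
        *) return 1 ;;                 # older NFS version than the instructions use
    esac
}

# audit_mounts < FILE
#   Prints one OK:/WEAK: verdict per usershare line; exit status = number of WEAK lines.
audit_mounts() {
    weak=0
    while IFS= read -r line; do
        case "$line" in ''|\#*) continue ;; esac
        check_usershare_line "$line" && rc=0 || rc=$?
        case "$rc" in
            0) echo "OK:   $line" ;;
            1) echo "WEAK: $line"; weak=$((weak + 1)) ;;
        esac
    done
    return $weak
}

# Constructed sample input (not a real fstab): one good, one weak, one unrelated line.
audit_mounts <<'EOF' || echo "$? weak usershare mount(s) found"
usershare-nfs.os.wwu.de:/usershare /mnt nfs4 vers=4.2,sec=krb5,auto 0 0
usershare-nfs.os.wwu.de:/usershare /mnt/legacy nfs4 vers=4.2,sec=sys 0 0
/dev/sda1 / ext4 defaults 0 1
EOF
```

Run it against the live system with `audit_mounts < /proc/mounts` or `audit_mounts < /etc/fstab`.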