Exporting dCache with SAMBA
Obsolete documentation
This wiki contains various bits of information that have meanwhile been integrated into our main body of documentation, The dCache Book. These texts will be removed from here during early 2019 in order to avoid fragmentation of the documentation.
The following document describes how to export dCache's NFS mount with a SAMBA server. The samba server is configured as a member of a windows domain. The configuration assumes that local unix users come from LDAP and that windows users authenticate against Active Directory.
All testing was done with SAMBA 4.4 running on a CentOS7 server.
To keep file access consistent across unix and windows platforms, you have to ensure a consistent UID/GID mapping. One possibility is to use the idmap_tdb2 mapping backend for samba, which can call an external script to provide the mapping between the two worlds. The script accepts one of:
```
SIDTOID S-1-xxxx
IDTOSID UID xxxx
IDTOSID GID xxxx
```
as input and returns the corresponding mapping in the form:
```
UID:yyyy
GID:yyyy
SID:yyyy
ERR:yyyy
```
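A mapping script that speaks the request/answer protocol above, added here as an example (it is not part of the dCache documentation or of Samba). It assumes Samba passes the request as command-line arguments, uses a constructed lookup table with a placeholder domain SID in place of a real directory query, and answers ERR for every malformed request, foreign SID or ID outside the configured range so that no unexpected identity is ever mapped:

```python
"""Minimal Samba idmap script for "idmap config * : script" (added example).
Assumed calling convention: Samba passes the request as argv and reads one line
from stdout:  SIDTOID <sid> -> UID:n | GID:n | ERR:..., IDTOSID UID|GID n -> SID:... | ERR:...
"""
import re
import sys

# Must match "idmap config * : range" in smb.conf or Samba rejects the answer.
RANGE_LOW, RANGE_HIGH = 1, 100000
# Constructed sample table standing in for a real directory lookup;
# the domain SID is a placeholder, not a real domain.
DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"
SID_TO_ID = {
    DOMAIN_SID + "-1105": ("UID", 3001),    # a user account
    DOMAIN_SID + "-1106": ("GID", 3002),    # a security group
    DOMAIN_SID + "-1200": ("UID", 250000),  # deliberately outside the range
}
ID_TO_SID = {v: k for k, v in SID_TO_ID.items()}
SID_RE = re.compile(r"^S-1-\d+(?:-\d+)+$")

def in_range(num: int) -> bool:
    return RANGE_LOW <= num <= RANGE_HIGH

def sid_to_id(sid: str) -> str:
    """SIDTOID: only well-formed SIDs from our own domain may map to an ID."""
    if not SID_RE.match(sid) or not sid.startswith(DOMAIN_SID + "-"):
        return "ERR:foreign or malformed SID"
    hit = SID_TO_ID.get(sid)
    if hit is None:
        return "ERR:unknown SID"
    kind, num = hit
    return f"{kind}:{num}" if in_range(num) else "ERR:id outside configured range"

def id_to_sid(kind: str, value: str) -> str:
    """IDTOSID: refuse anything that is not a UID/GID inside the range."""
    if kind not in ("UID", "GID") or not value.isdigit() or not in_range(int(value)):
        return "ERR:bad id"
    sid = ID_TO_SID.get((kind, int(value)))
    return f"SID:{sid}" if sid else "ERR:unknown id"

def handle(args: list) -> str:
    """Dispatch one request; anything unexpected yields ERR, never a mapping."""
    if len(args) == 2 and args[0] == "SIDTOID":
        return sid_to_id(args[1])
    if len(args) == 3 and args[0] == "IDTOSID":
        return id_to_sid(args[1], args[2])
    return "ERR:unsupported request"

if __name__ == "__main__":
    print(handle(sys.argv[1:]))
```

Point `idmap config * : script` at this file and make it executable; every answer it prints is one of the four forms the protocol allows.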
- Install the required packages:
```
$ yum install samba sssd sssd-client krb5-workstation
```
- Configure sssd to get the correct user mapping on the server. Override the users' shell to avoid logins on the server node.
```
# /etc/sssd/sssd.conf
[sssd]
domains = LDAP
services = nss
config_file_version = 2
[nss]
filter_users = ['root']
filter_groups = ['root']
override_homedir = /tmp
override_shell = /bin/false
[domain/LDAP]
debug_level = 4
chpass_provider = none
ldap_schema = rfc2307bis
id_provider = ldap
ldap_uri = ldaps://ldap.server.example
ldap_search_base = ou=RGY,o=DESY,c=DE
ldap_group_member = uniqueMember
cache_credentials = false
enumerate = false
```
Overriding the shell with /bin/false disallows interactive logins for the LDAP users on this node.
- Ensure the correct owner and permissions for the /etc/sssd/sssd.conf file:
```
$ chown root:root /etc/sssd/sssd.conf
$ chmod 0600 /etc/sssd/sssd.conf
```
- Enable and start the sssd service:
```
$ systemctl enable sssd.service
$ systemctl start sssd.service
```
- Configure the samba server:
```
# /etc/samba/smb.conf
[global]
workgroup = <WIN GROUP>
server string = "SMB gateway to dCache"
server role = member
netbios name = <host name>
server services = smb
security = ADS
realm = <WIN DOMAIN NAME>
unix password sync = no
password server = <your AD server>
tls verify peer = ca_only
client ldap sasl wrapping = sign
wins support = no
wins server = <your AD server>
domain master = no
local master = no
map to guest = bad user
log file = /var/log/samba/log.%m
log level = 2
max log size = 4096
idmap config * : backend = tdb2
idmap config * : range = 1-100000
idmap config * : script = <path to mapping script>
#smb encrypt = mandatory
client min protocol = smb2
client max protocol = smb3
load printers = No
printcap name = /dev/null
disable spoolss = Yes
socket options = TCP_NODELAY IPTOS_LOWDELAY
include = registry
unix extensions = Yes
vfs objects = acl_xattr
map acl inherit = yes
store dos attributes = yes
read raw = Yes
write raw = Yes
[dcache]
comment = dCache exports
# path where dcache is mounted
path = /dcache
#valid users = all
browseable = Yes
read only = No
writeable = Yes
inherit acls = Yes
public = No
```
- Join the server to the windows domain. You need domain administrator rights to do so.
```
$ net join -S <your AD server> -U <admin user account>
```
- Start the winbind service (on CentOS7 the systemd unit is named winbind.service):
```
$ systemctl enable winbind.service
$ systemctl start winbind.service
```
- Start the samba service (on CentOS7 the member-server unit is smb.service; samba.service belongs to the AD DC package):
```
$ systemctl enable smb.service
$ systemctl start smb.service
```
At this point your samba server should be up and running. Two limitations apply to this setup:
- NFSv4 ACLs are not visible to the clients
- UNIX permissions are not visible to the clients