In this how-to, I will show you how to take your Linux box, export a share, and modify its contents using Windows.
Background
I was asked to export some data from a host which has connectivity to an iSCSI LUN. Since the Windows hosts don't have connectivity to the iSCSI LUN, the Linux box will export this share via NFS and use Samba/Kerberos to allow Windows users to see it.
Caveats
When you are on Linux and you look at the files created via windows, you see the user name like this:
DOMAIN+bob
If you currently aren't using Samba/Kerberos authentication on your Linux box for user accounts, then this is a real problem: your Windows users need to be able to authenticate to and access the Linux box. This is configured through pam.d, nsswitch.conf and a few more tweaks.
I am going to skip this and assume that you only really care about exporting the share and allowing Windows users to use their accounts to read/write files. I will have a subsequent post that explains how to set up winbind/samba to do your authentication.
Steps
server# yum -y install samba samba-client krb5-workstation
modify /etc/hosts and add the following:
xxx.xxx.xxx.xxx adserver.domain adserver
modify /etc/krb5.conf
[logging]
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmin.log
default = FILE:/var/log/krb5lib.log
[libdefaults]
ticket_lifetime = 24000
default_realm = DOMAIN.NET
dns_lookup_realm = false
dns_lookup_kdc = false
[realms]
DOMAIN.NET = {
kdc = adserver.domain.net:88
kdc = adserver2.domain.net:88
kdc = adserver3.domain.net:88
admin_server = adserver.domain.net:749
default_domain = domain.net
}
[domain_realm]
.domain.net = DOMAIN.NET
domain.net = DOMAIN.NET
[kdc]
profile = /var/kerberos/krb5kdc/kdc.conf
[appdefaults]
pam = {
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
}
Next run:
server# kinit administrator@DOMAIN.NET
Make sure you can authenticate (it should prompt for the password and return you to the command line without errors).
Edit /etc/samba/smb.conf
[global]
netbios name = mylinuxbox
socket options = TCP_NODELAY SO_RCVBUF=16384 SO_SNDBUF=16384
idmap uid = 10000-20000
winbind enum users = yes
idmap gid = 10000-20000
workgroup = DOMAIN
os level = 20
winbind enum groups = yes
# socket address = 10.10.1.88
password server = *
preferred master = no
winbind separator = +
max log size = 50
log file = /var/log/samba/log.%m
encrypt passwords = yes
dns proxy = no
realm = DOMAIN.NET
security = ADS
wins server = 10.10.1.88
wins proxy = no
[nas]
comment = a comment
path = /nas
browseable = yes
writeable = yes
read only = no
inherit acls = yes
inherit permissions = yes
create mask = 700
directory mask = 700
valid users = @"DOMAIN+Domain Users"
admin users = @"DOMAIN+Domain Admins"
Run the following:
server# service smb start
server# net ads join -U Administrator
modify /etc/nsswitch.conf
passwd: files ldap winbind
shadow: files ldap winbind
group: files ldap winbind
server# winbindd
server# echo "/usr/sbin/winbindd" >> /etc/rc.local
server# chkconfig smb on
server# wbinfo -u
Commands to run to check things:
getent passwd
should list the AD users alongside the local passwd entries.
kinit administrator@DOMAIN.NET
should prompt you for a password and return you to the command line.
net ads join -U Administrator
you need to run this to join the domain; enter your password when prompted.
Edit /etc/exports
/nas *(rw,sync)
You can put whatever you like in your exports just like you normally would.
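Before starting the services, it helps to check that the three files edited above agree with each other. The script below is an added example (not from the original post): it reads the smb.conf realm and krb5.conf default_realm and requires them to match, checks that both idmap ranges are present, and flags an NFS export opened to every client with `*`. The sample configuration files it writes are constructed for the demo and mirror the settings in this post; `/etc/samba/smb.conf`, `/etc/krb5.conf` and `/etc/exports` are the real paths.

```shell
#!/bin/sh
# Pre-flight check for the smb.conf / krb5.conf / exports trio configured above.
# Only awk and grep are used, so it runs before smbd or winbindd are started.

# Print one [global] parameter from smb.conf (key match is case-insensitive).
smb_global() {  # $1=smb.conf  $2=parameter name
    awk -v key="$2" '
        /^[[:space:]]*\[/ { insec = ($0 ~ /^[[:space:]]*\[global\]/); next }
        insec && /=/ && $0 !~ /^[[:space:]]*[#;]/ {
            k = substr($0, 1, index($0, "=") - 1); v = substr($0, index($0, "=") + 1)
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", k); gsub(/^[[:space:]]+|[[:space:]]+$/, "", v)
            if (tolower(k) == tolower(key)) print v
        }' "$1"
}

# Print default_realm from the [libdefaults] section of krb5.conf.
krb5_default_realm() {  # $1=krb5.conf
    awk '/^[[:space:]]*\[/ { insec = ($0 ~ /\[libdefaults\]/); next }
         insec && $1 == "default_realm" { print $3 }' "$1"
}

# kinit and "net ads join" use krb5.conf's default_realm, smbd uses "realm" in
# smb.conf; a mismatch (e.g. MATCAP.NET vs DOMAIN.NET) breaks the domain join.
check_realms() {  # $1=smb.conf  $2=krb5.conf
    r=$(smb_global "$1" realm); [ -n "$r" ] && [ "$r" = "$(krb5_default_realm "$2")" ]
}

# Without "idmap gid" winbind cannot give Unix gids to groups such as
# "Domain Users", so "valid users = @..." matches nobody.
check_idmap() {  # $1=smb.conf
    [ -n "$(smb_global "$1" 'idmap uid')" ] && [ -n "$(smb_global "$1" 'idmap gid')" ]
}

# Flag NFS exports granted to every client ("*"); list the NFS clients instead.
check_exports() {  # $1=exports file
    ! grep -Eq '^[^#]*[[:space:]]\*\(' "$1"
}

# Constructed samples mirroring the post's configuration, including the
# "winbind gid" slip (the real files live under /etc, see lead-in).
write_samples() {  # $1=directory
    printf '[libdefaults]\n default_realm = DOMAIN.NET\n[realms]\n DOMAIN.NET = {\n kdc = adserver.domain.net:88\n }\n' > "$1/krb5.conf"
    printf '[global]\n realm = DOMAIN.NET\n idmap uid = 10000-20000\n winbind gid = 10000-20000\n[nas]\n path = /nas\n' > "$1/smb.conf"
    printf '/nas *(rw,sync)\n' > "$1/exports"
}

demo=$(mktemp -d); write_samples "$demo"
for c in "check_realms $demo/smb.conf $demo/krb5.conf" "check_idmap $demo/smb.conf" "check_exports $demo/exports"; do
    if $c; then echo "PASS: $c"; else echo "FAIL: $c"; fi
done
```

On the sample files the realm check passes while the idmap and exports checks fail; point the three functions at the real files once the configuration is in place.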