
Re: [Samba] Using GPO to mount shares on Linux

Woohoo, finally I could help Rowland :-p  ;-)

I follow this as guidance:

1 server (all in one): use RID, easy to set up etc., but... if you go to... or have plans to...
 
2 servers (DC + a member):
	use backend RID if you don't need access with a Windows account to a shared home folder (CIFS or NFS).
	 	You use a dedicated local "linuxAdmin" for maintenance (often the first created user in Linux).
	use backend AD if you do need access with SSH, for example, or shared home folders.

3 servers or more: all servers where SSH or access to a server with a shared folder is needed, use backend AD.
	Advised is: all servers with file shares.
	Optionally, mix this with RID, for example for a dedicated print server or proxy server (auth).

I use setup 3.
Multiple servers, with AD and RID mixed on the members, based on function.

An NFS pointer:
Make sure you set your home folder to 755; Kerberos (MIT) looks for .klogin in the home dir.
If the setup is too tight this fails. (Workaround: disable .klogin checking in krb5.conf.)
And nfs/hostname.FQDN needs to be added to HOSTNAME$ where it's needed.

For CIFS, you may need to add these lines in krb5.conf; CIFS uses them, NFS does not.
; for Windows 2008 with AES (these settings belong in the [libdefaults] section of krb5.conf)
    default_tgs_enctypes = aes128-cts-hmac-sha1-96 aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
    default_tkt_enctypes = aes128-cts-hmac-sha1-96 aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
    permitted_enctypes = aes128-cts-hmac-sha1-96 aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5

Now, if you see "Required keys not available" no matter what you do,
then you are probably missing these lines in krb5.conf.

The sources I use for the above info:
http://www.cs.rug.nl/~jurjen/ApprenticesNotes/mount_ms_cifs_using_ad_krb.html 
http://www.cs.rug.nl/~jurjen/ApprenticesNotes/ad_nfs4.html

It's a .nl domain but it's in English ;-) and still contains good info.
Just beware it's based on Debian squeeze.
And handy to know:
https://support.microsoft.com/en-us/help/977321/kdc-event-id-16-or-27-is-logged-if-des-for-kerberos-is-disabled 

Greetz, 

Louis


-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba
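As an added check, not part of Louis's post: a small POSIX shell script that reads the [libdefaults] section of a krb5.conf, confirms the three enctype keys quoted above are present (the "Required keys not available" case), and lists which of the configured enctypes are the legacy DES/RC4 types that the Microsoft KB link above is about, so you know what you are still allowing for older DCs. The sample krb5.conf contents, the realm EXAMPLE.COM and the file names are constructed for the demo.

```shell
#!/bin/sh
# Added example (not code from the original post). Checks a krb5.conf for the
# [libdefaults] enctype keys the post says CIFS mounts need, and reports legacy
# DES/RC4 enctypes that remain enabled. Sample configs below are constructed.

# Print the value of KEY from the [libdefaults] section of FILE (empty if absent).
# Usage: krb5_libdefault FILE KEY
krb5_libdefault() {
    awk -v key="$2" '
        /^[[:space:]]*[;#]/ { next }                          # comment line
        /^[[:space:]]*\[/ { insec = ($0 ~ /^[[:space:]]*\[libdefaults\]/); next }
        insec {
            sub(/[;#].*$/, "")                                # trailing comment
            n = index($0, "=")
            if (n == 0) next
            k = substr($0, 1, n - 1); v = substr($0, n + 1)
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", k)
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", v)
            if (k == key) { print v; exit }
        }' "$1"
}

# Return 0 if default_tgs_enctypes, default_tkt_enctypes and permitted_enctypes
# are all set in [libdefaults]; otherwise print what is missing and return 1.
check_enctypes() {
    missing=0
    for key in default_tgs_enctypes default_tkt_enctypes permitted_enctypes; do
        val=$(krb5_libdefault "$1" "$key")
        if [ -z "$val" ]; then
            echo "MISSING: $key in [libdefaults] of $1"
            missing=1
        fi
    done
    return $missing
}

# Print (one per line, sorted, unique) every DES or RC4 enctype that appears in
# any of the three keys. Prints nothing when only AES types are configured.
legacy_enctypes() {
    for key in default_tgs_enctypes default_tkt_enctypes permitted_enctypes; do
        krb5_libdefault "$1" "$key" | tr ' ' '\n'
    done | grep -E '^(des-|rc4-|arcfour-)' | sort -u
}

# Constructed sample configs for the demo (hypothetical realm EXAMPLE.COM).
# Usage: write_samples DIR  -> DIR/krb5-good.conf and DIR/krb5-bare.conf
write_samples() {
    cat > "$1/krb5-good.conf" <<'EOF'
[libdefaults]
    default_realm = EXAMPLE.COM
; for Windows 2008 with AES
    default_tgs_enctypes = aes128-cts-hmac-sha1-96 aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
    default_tkt_enctypes = aes128-cts-hmac-sha1-96 aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
    permitted_enctypes = aes128-cts-hmac-sha1-96 aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5

[realms]
    EXAMPLE.COM = { kdc = dc1.example.com }
EOF
    cat > "$1/krb5-bare.conf" <<'EOF'
[libdefaults]
    default_realm = EXAMPLE.COM
    dns_lookup_kdc = true
EOF
}

# Demo run: the bare config fails the check, the full one passes but still
# lists rc4-hmac and the two DES types as enabled.
demo_dir=$(mktemp -d)
write_samples "$demo_dir"
check_enctypes "$demo_dir/krb5-bare.conf" || echo "-> krb5-bare.conf would give 'Required keys not available'"
check_enctypes "$demo_dir/krb5-good.conf" && echo "-> krb5-good.conf has all three enctype keys"
echo "legacy enctypes still enabled in krb5-good.conf:"
legacy_enctypes "$demo_dir/krb5-good.conf"
rm -rf "$demo_dir"
```

Run it against your real file with `check_enctypes /etc/krb5.conf` and `legacy_enctypes /etc/krb5.conf`; once no DC in the forest still needs them, the DES and RC4 entries can be dropped from the three lists.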