CIFS/NFS Homes

About

OIT has moved the majority of home directories from AFS to CIFS.  There have been a large number of requests to also support NFS, so that is currently in beta.  Below is how to set up your RHEL-based system for use with the OIT-supported CIFS or NFS environment.

NFS (WORK IN PROGRESS)

Requirements

  • /etc/krb5.keytab
  • autofs package
  • nfs-utils package
  • Working Kerberos authentication against ACPUB.DUKE.EDU (setup instructions available here)

How Does the Whole Thing Work?

When you log in to a server with your password, you get a Kerberos ticket.  That ticket is what grants you access to your home directory on the NAS.  When you cd into your NFSv4 home, or when PAM drops you into it at login, autofs mounts the NAS export for your first initial under /nfshomes/$n, and your home directory is /nfshomes/$n/$netid inside that mount.

Installation

Make sure you are authenticating against ACPUB.DUKE.EDU with kerberos (running klist after you log in should show a valid acpub.duke.edu ticket)

Install the tools

# yum -y install autofs nfs-utils

Copy the keytab provided by IDMS to /etc/krb5.keytab and make it readable by root only (chmod 600).  The principal in this keytab doesn't need any special rights; it just has to exist, because rpc.gssd uses it for the machine's own GSS context when doing the mount and does not use your ticket for that.  Once the mount is up, only your own Kerberos ticket gives you any sort of access to what is on it.

Configure the NFS client for Kerberos (this makes the rpcgssd service start) by setting the following value in /etc/sysconfig/nfs

SECURE_NFS="yes"

For additional debugging output and a shorter lifetime for kernel GSS contexts (600 seconds here, so renewed tickets and identity changes are picked up sooner), also set:

RPCGSSDARGS="-vvv -t 600"

Add the following line to the [General] section in /etc/idmapd.conf

Domain = acpub.duke.edu

Create a new autofs program map that does the mapping to the NAS, in /etc/auto.nfshomes, with the contents:

#!/bin/bash
# /etc/auto.nfshomes
# This file must be executable to work! chmod 755
# autofs runs this program map with the first path component under
# /nfshomes (the user's first initial) as $1 and expects one map entry back.
# sec=krb5 authenticates every RPC with Kerberos but sends file data in the
# clear; sec=krb5i adds an integrity check on the data; sec=krb5p encrypts
# it as well.  If you wish to use full encryption instead of just
# authenticated access, replace 'sec=krb5' with 'sec=krb5p'.
opts="-fstype=nfs4,nodev,async,_netdev,sec=krb5,vers=4"

echo "${opts} oit-nas-fe03.oit.duke.edu:/nfshomedir/${1}"

Be sure to make it executable with:

chmod 755 /etc/auto.nfshomes

Enable it in the main /etc/auto.master by adding this line:

/nfshomes /etc/auto.nfshomes

Restart all affected services:

# service autofs restart
# service rpcgssd restart
# service rpcidmapd restart

You should now be able to cd into /nfshomes/$n/$netid, where $n is the first initial of your NetID and $netid is your NetID.
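Added example, not an OIT script: a preflight checker that tests each of the steps above (ticket, keytab permissions, SECURE_NFS, the idmapd domain, the program map, the auto.master entry) and prints the mount point autofs will use for a NetID.  The paths and the realm are the ones in these instructions; the environment-variable overrides, the function names and the assumption of GNU stat and MIT klist (the RHEL defaults) are this script's own.

```bash
#!/bin/bash
# nfshomes-check.sh: verify the NFS home-directory setup described above.
# Added example, not an OIT script. The /etc paths below match the
# instructions; override them in the environment to test against copies.
# Assumes GNU stat and MIT klist (the RHEL defaults).

KEYTAB=${KEYTAB:-/etc/krb5.keytab}
NFS_SYSCONFIG=${NFS_SYSCONFIG:-/etc/sysconfig/nfs}
IDMAPD_CONF=${IDMAPD_CONF:-/etc/idmapd.conf}
AUTO_MAP=${AUTO_MAP:-/etc/auto.nfshomes}
AUTO_MASTER=${AUTO_MASTER:-/etc/auto.master}
KRB_REALM=acpub.duke.edu

# Where autofs puts the home of <netid>: /nfshomes/<first initial>/<netid>
nfshome_path() {
    printf '/nfshomes/%s/%s\n' "$(printf '%s' "$1" | cut -c1)" "$1"
}

# A valid ticket for the ACPUB realm in the caller's credential cache
# (klist -s exits non-zero when there is no unexpired ticket).
ticket_ok() {
    command -v klist >/dev/null 2>&1 || return 1
    klist -s 2>/dev/null || return 1
    klist 2>/dev/null | grep -qi "$KRB_REALM"
}

# Keytab present and readable by its owner only. rpc.gssd reads it as root;
# the principal inside needs no special rights, but nobody else should see it.
keytab_ok() {
    [ -f "$1" ] || return 1
    case $(stat -c %a "$1") in
        ?00) return 0 ;;
        *)   return 2 ;;
    esac
}

# SECURE_NFS="yes" (or SECURE_NFS=yes) present and not commented out.
secure_nfs_ok() {
    grep -Eq '^SECURE_NFS="?yes"?[[:space:]]*$' "$1"
}

# Domain = <realm> inside the [General] section of idmapd.conf, not merely
# somewhere in the file. Whitespace around "=" is ignored.
idmapd_domain_ok() {
    awk -v want="Domain=$2" '
        { line = $0; gsub(/[ \t]/, "", line) }
        line ~ /^\[/ { sect = line; next }
        sect == "[General]" && line == want { found = 1 }
        END { exit !found }' "$1"
}

# The program map must be executable and, given an initial, print a
# Kerberos-secured nfs4 entry pointing at that initial's export on the NAS.
auto_map_ok() {
    map=$1 key=$2
    [ -x "$map" ] || return 1
    out=$("$map" "$key") || return 1
    case $out in
        *fstype=nfs4*sec=krb5*" "*:/nfshomedir/"$key") return 0 ;;
        *) return 2 ;;
    esac
}

# auto.master hands /nfshomes to the program map.
auto_master_ok() {
    grep -Eq '^/nfshomes[[:space:]]+/etc/auto\.nfshomes([[:space:]]|$)' "$1"
}

# report <label> <check-function> [args...]
report() {
    label=$1; shift
    if "$@"; then printf 'ok    %s\n' "$label"; else printf 'FAIL  %s\n' "$label"; rc=1; fi
}

run_checks() {
    rc=0
    initial=$(printf '%s' "$1" | cut -c1)
    report "Kerberos ticket for $KRB_REALM"                  ticket_ok
    report "$KEYTAB present and owner-only"                   keytab_ok "$KEYTAB"
    report "SECURE_NFS=yes in $NFS_SYSCONFIG"                 secure_nfs_ok "$NFS_SYSCONFIG"
    report "Domain = $KRB_REALM in [General] of $IDMAPD_CONF" idmapd_domain_ok "$IDMAPD_CONF" "$KRB_REALM"
    report "$AUTO_MAP executable and maps initial '$initial'" auto_map_ok "$AUTO_MAP" "$initial"
    report "/nfshomes entry in $AUTO_MASTER"                  auto_master_ok "$AUTO_MASTER"
    printf 'expected home: %s\n' "$(nfshome_path "$1")"
    return $rc
}

# Usage: ./nfshomes-check.sh <netid>   (only defines the functions when run without arguments)
if [ $# -gt 0 ]; then run_checks "$1"; fi
```

Run it as the user whose home you are testing (the ticket check looks at that user's credential cache) but with enough privilege to read the keytab, for example via sudo -E after kinit.  A FAIL on the program-map line usually means the chmod 755 step was skipped.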

CIFS

Requirements

  • pam_cifs (available from Linux@Duke repos)
  • cifs-utils

How does the whole thing work?

  1. The user enters their password through the normal PAM methods.
  2. pam_cifs takes the username and does an LDAP lookup to find where that user's CIFS home directory actually lives (for example //homedirs.oit.duke.edu/users/u/username).
  3. pam_cifs passes the username and password to the mount.cifs program from cifs-utils and mounts the share named in ntUserHomeDir on /winhomes/<username>.

Installation

Install necessary tools

# yum -y install pam_cifs cifs-utils

Edit the appropriate file in /etc/pam.d to add the pam_cifs session line.  Which file that is depends on how your server is set up (for example system-auth, or a per-service file such as sshd); it must be one that is consulted for the logins whose home directories you want mounted.

Example PAM line:

session    optional       pam_cifs.so  debug prefix=/winhomes source=ldap:ntUserHomeDir ldapobjectclass=posixAccount options=sfu ldaploginattribute=uid ldapbinddn=duLDAPKey=7314a2e8-e22c-11e1-b1b3-f0ed5a3818a9,ou=Accounts,dc=duke,dc=edu ldapbindpw=a=2B@$CERFkZ3uQ ldap=ldaps://ldap.duke.edu ldapbasedn=ou=people,dc=duke,dc=edu debug max_uid=10000000 windomain=WIN.DUKE.EDU make_mount_point

* The ldapbinddn used in the line above is a special service account used for this sort of lookup.  Technically, the ntUserHomeDir attribute can be read anonymously, but the pam_cifs module does not currently work with anonymous lookups.  Note that this puts the service account's bind password in plain text in a PAM configuration file, so keep that file's read permissions as tight as your PAM stack allows; the account only needs read access to ntUserHomeDir.
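Added example, not part of pam_cifs or OIT's tooling: a script that performs steps 2 and 3 above by hand for one user, which is what you want when a /winhomes mount fails and you need to see whether the LDAP lookup or the mount itself is the problem.  The LDAP server, base DN, object class, prefix and Windows domain are taken from the PAM line above; the function names, the LDAP_BINDDN/LDAP_BINDPW_FILE variables, the NetID validation, and the assumption that pam_cifs passes options=sfu and windomain through as mount.cifs options are this script's own.

```bash
#!/bin/bash
# winhome-lookup.sh: do by hand what pam_cifs does in steps 2 and 3 above.
# Added example, not part of pam_cifs or OIT's tooling. Values come from the
# PAM line above; LDAP_BINDDN / LDAP_BINDPW_FILE are this script's own
# convention. Assumes openldap-clients (ldapsearch) and cifs-utils (mount.cifs).

LDAP_URI=${LDAP_URI:-ldaps://ldap.duke.edu}
LDAP_BASE=${LDAP_BASE:-ou=people,dc=duke,dc=edu}
PREFIX=${PREFIX:-/winhomes}
WINDOMAIN=${WINDOMAIN:-WIN.DUKE.EDU}

# The username becomes a path component under $PREFIX, so reject anything that
# could escape it ("../x", "a/b") or that is not a plausible NetID.
valid_netid() {
    case $1 in
        ""|*[!A-Za-z0-9._-]*|.*) return 1 ;;
        *) return 0 ;;
    esac
}

# Escape the RFC 4515 filter metacharacters so the username cannot change the
# search filter (belt and braces on top of valid_netid).
ldap_filter_escape() {
    printf '%s' "$1" | sed -e 's/\\/\\5c/g' -e 's/\*/\\2a/g' -e 's/(/\\28/g' -e 's/)/\\29/g'
    echo
}

# Pull ntUserHomeDir out of LDIF on stdin. Unfolds continuation lines (which
# start with a space) and decodes base64 values ("attr:: ...").
homedir_from_ldif() {
    line=$(awk '
        /^ / { buf = buf substr($0, 2); next }
        { if (buf != "") print buf; buf = $0 }
        END { if (buf != "") print buf }' | grep -i '^ntuserhomedir:' | head -n 1)
    [ -n "$line" ] || return 1
    val=${line#*:}
    case $val in
        :*) printf '%s' "${val#:}" | tr -d ' ' | base64 -d; echo ;;
        *)  printf '%s\n' "${val#"${val%%[! ]*}"}" ;;
    esac
}

# Windows UNC form (\\server\share\path) to the form mount.cifs takes.
unc_to_cifs() {
    printf '%s\n' "$1" | tr '\\' '/'
}

# Mount options standing in for the PAM line: mount as the user (uid/gid given
# by the caller), in the Windows domain, with SFU special-file emulation
# (options=sfu). The password is deliberately not an option: mount.cifs reads
# it from the PASSWD environment variable, which keeps it out of the process list.
cifs_mount_opts() {
    printf 'user=%s,domain=%s,sfu,uid=%s,gid=%s\n' "$1" "$WINDOMAIN" "$2" "$3"
}

# Step 2 by hand: fetch ntUserHomeDir for a NetID. Anonymous by default (the
# attribute is readable anonymously); export LDAP_BINDDN and LDAP_BINDPW_FILE
# to bind as a service account instead (-y keeps the password off the command line).
lookup_homedir() {
    filter="(&(objectClass=posixAccount)(uid=$(ldap_filter_escape "$1")))"
    if [ -n "${LDAP_BINDDN:-}" ]; then
        ldapsearch -LLL -x -H "$LDAP_URI" -b "$LDAP_BASE" -D "$LDAP_BINDDN" -y "$LDAP_BINDPW_FILE" "$filter" ntUserHomeDir
    else
        ldapsearch -LLL -x -H "$LDAP_URI" -b "$LDAP_BASE" "$filter" ntUserHomeDir
    fi | homedir_from_ldif
}

# Step 3 by hand: mount the share on $PREFIX/<netid>, prompting for the password.
mount_winhome() {
    valid_netid "$1" || { echo "refusing username '$1'" >&2; return 1; }
    share=$(lookup_homedir "$1") || { echo "no ntUserHomeDir for $1" >&2; return 1; }
    share=$(unc_to_cifs "$share")
    mp=$PREFIX/$1
    mkdir -p "$mp"                       # the make_mount_point option's job in pam_cifs
    printf 'Windows password for %s: ' "$1"
    stty -echo; read -r PASSWD; stty echo; echo
    PASSWD=$PASSWD mount.cifs "$share" "$mp" -o "$(cifs_mount_opts "$1" "$(id -u "$1")" "$(id -g "$1")")"
}

# Usage: sudo ./winhome-lookup.sh <netid>   (only defines the functions when run without arguments)
if [ $# -gt 0 ]; then mount_winhome "$1"; fi
```

If lookup_homedir prints nothing, the problem is on the LDAP side (wrong base DN, no ntUserHomeDir on the entry, or a bind that is not permitted); if it prints the share and mount.cifs still fails, the problem is the CIFS server or the credentials, and pam_cifs debug output will not tell you more than mount.cifs does here.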
