
Fedora Linux & Windows integration

  • 15-12-2020 3:12pm
    #1
    Registered Users, Registered Users 2 Posts: 5,053 ✭✭✭


    Having gotten rid of some ancient Solaris boxes recently, I've been playing with the setup of Fedora to authenticate via Kerberos to the Windows DC rather than via NIS as in the past. It was a bit nit-picky to get working but seems fine, so all new installs for desktops will be using that, meaning that in the fullness of time NIS can be retired.

    However try as I might, I couldn't get the automounter to automatically mount CIFS shares for the home directory. Left it as NFS for now which is working fine but will no doubt try again at some stage.

    Guessing I might be in a minority trying to do this but no harm asking if anyone else has been down this road?


Comments

  • Registered Users, Registered Users 2 Posts: 2,755 ✭✭✭niallb


    I'll be setting something similar up in the new year, so took on a bit of reading.
    NIS and NFS have just worked for so long it's hard to say goodbye!

    Are you using "sec=krb5" in the autofs config file?
    If so, how are you arranging for the tickets to be initialised?

    I see somebody called Ricky Adams recommending a cron job to update the krb5 ticket every 12 hours to allow the mount to complete.

    Have you gone down a different route?


  • Registered Users, Registered Users 2 Posts: 5,053 ✭✭✭opus


    The PC is a member of the Windows domain (as in I joined it with the 'realm join' command), same as a Windows 10 PC, so I haven't had to do anything extra with it wrt tickets. Yes, I had that parameter (krb5) in the file.

    The problem I kept getting was this:
    oddjob-mkhomedir[2037]: error creating /home/xxxx: Permission denied

    Despite a good solid Google trawl wasn't able to find anything to sort it out.

    This might save you some time for the authentication part, I had to add these lines to the krb5.conf file to get it to work.
    default_tkt_enctypes = aes128-cts-hmac-sha1-96 rc4-hmac
    default_tgs_enctypes = aes128-cts-hmac-sha1-96 rc4-hmac
    permitted_enctypes = aes128-cts-hmac-sha1-96 rc4-hmac
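
The three enctype lines in the post above all allow rc4-hmac, which RFC 8429 deprecates for Kerberos. As an added example (not code from the thread), this Python check flags RC4 and DES-family enctypes in a krb5.conf; the [libdefaults] placement, the sample text and the AES-only variant are assumptions constructed for illustration.

```python
import re

# Enctype name prefixes covering RC4 and DES/3DES, which RFC 8429 and
# RFC 6649 deprecate for Kerberos.
WEAK_PREFIXES = ("rc4", "arcfour", "des")
ENCTYPE_KEYS = ("default_tkt_enctypes", "default_tgs_enctypes", "permitted_enctypes")

# Constructed sample: the three lines from the post, assumed to sit in [libdefaults].
THREAD_CONF = """
[libdefaults]
    default_tkt_enctypes = aes128-cts-hmac-sha1-96 rc4-hmac
    default_tgs_enctypes = aes128-cts-hmac-sha1-96 rc4-hmac
    permitted_enctypes = aes128-cts-hmac-sha1-96 rc4-hmac
"""

# Constructed AES-only variant; it only works if the DC holds AES keys
# for the accounts and services involved.
AES_ONLY_CONF = """
[libdefaults]
    # comment lines are skipped
    default_tkt_enctypes = aes256-cts-hmac-sha1-96, aes128-cts-hmac-sha1-96
    default_tgs_enctypes = aes256-cts-hmac-sha1-96, aes128-cts-hmac-sha1-96
    permitted_enctypes = aes256-cts-hmac-sha1-96, aes128-cts-hmac-sha1-96
"""

def audit_enctypes(conf_text):
    """Return {setting: [weak enctypes]} found in the [libdefaults] section."""
    findings, section = {}, None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            section = header.group(1)
            continue
        if section != "libdefaults" or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key not in ENCTYPE_KEYS:
            continue
        # Enctype lists may be separated by whitespace, commas or both.
        weak = [t for t in re.split(r"[,\s]+", value)
                if t.lower().startswith(WEAK_PREFIXES)]
        if weak:
            findings[key] = weak
    return findings

if __name__ == "__main__":
    for name, conf in (("thread", THREAD_CONF), ("aes-only", AES_ONLY_CONF)):
        print(name, audit_enctypes(conf) or "no weak enctypes")
```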


  • Registered Users, Registered Users 2 Posts: 29 anfirrua


    You are going to face issues using CIFS with $HOME, it wouldn't be POSIX compliant.
    You can start autofs in debug to determine what the issue is.
    Have you addressed the uid/gid migration from NIS to AD?


  • Registered Users, Registered Users 2 Posts: 5,053 ✭✭✭opus


    I should have mentioned that the "NIS" server that I'm moving away from is actually Windows Services for UNIX. There hasn't been a Unix NIS server for years here.

    There was some parameter I had to change to make sure it was using the Unix UID rather than the Windows version as that was the first problem I ran into, not having permission on my own home directory.

    Files are coming from a multiprotocol SAN device.


  • Registered Users, Registered Users 2 Posts: 9,294 ✭✭✭limnam


    opus wrote: »
    I should have mentioned that the "NIS" server that I'm moving away from is actually Windows Services for UNIX. There hasn't been a Unix NIS server for years here.

    There was some parameter I had to change to make sure it was using the Unix UID rather than the Windows version as that was the first problem I ran into, not having permission on my own home directory.

    Files are coming from a multiprotocol SAN device.

    multi-protocol SAN?

    You mean NAS? Is it Isilon or something?


  • Registered Users, Registered Users 2 Posts: 5,053 ✭✭✭opus


    You'd think having worked in SAN support for many years I'd know the difference :o

    The box is working as both a NAS (CIFS & NFS) & a SAN (iSCSI). You were close, it's a Unity system rather than Isilon.


  • Registered Users, Registered Users 2 Posts: 9,294 ✭✭✭limnam


    opus wrote: »
    You'd think having worked in SAN support for many years I'd know the difference :o

    The box is working as both a NAS (CIFS & NFS) & a SAN (iSCSI). You were close, it's a Unity system rather than Isilon.


    Yeah, the whole UUID mapping can be a bit of a mess on some of the multi-protocol products.

