SDS@hd/Access/CIFS: Difference between revisions
S Richling (talk | contribs) |
m (→Prerequisites) |
||
(2 intermediate revisions by 2 users not shown) | |||
Line 3: | Line 3: | ||
'''Attention:''' To access data served by SDS@hd via CIFS, You need a '''''Service Password'''''. See details [[SDS@hd/Registration]]. |
'''Attention:''' To access data served by SDS@hd via CIFS, You need a '''''Service Password'''''. See details [[SDS@hd/Registration]]. |
||
Additionally the access to SDS@hd is currently only available inside the [https://www.belwue.de/netz/netz0.html belwue-Network]. |
Additionally the access to SDS@hd is currently only available inside the networks of participating Organizations, e.g. [https://www.belwue.de/netz/netz0.html belwue-Network]. |
||
This means you have to use the VPN Service of your HomeOrganization, if you want to access SDS@hd from outside the bwHPC-Clusters (e.g. via [https://www.eduroam.org/where/ eduroam] or from your personal Laptop) |
This means you have to use the VPN Service of your HomeOrganization, if you want to access SDS@hd from outside the bwHPC-Clusters (e.g. via [https://www.eduroam.org/where/ eduroam] or from your personal Laptop) |
||
Line 278: | Line 278: | ||
</pre> |
</pre> |
||
For further information about handling kerberos ticket take a look at [[ |
For further information about handling kerberos ticket take a look at [[SDS@hd/Access/NFS#access_your_data|SDS@hd kerberos]] |
Latest revision as of 09:01, 28 September 2023
Prerequisites
Attention: To access data served by SDS@hd via CIFS, You need a Service Password. See details SDS@hd/Registration.
Additionally the access to SDS@hd is currently only available inside the networks of participating Organizations, e.g. belwue-Network.
This means you have to use the VPN Service of your HomeOrganization, if you want to access SDS@hd from outside the bwHPC-Clusters (e.g. via eduroam or from your personal Laptop)
The SMB connection has to be established at least with Protocolversion SMB2.02, which is available since Windows Vista or OSX 10.7, and a NTLMv2 Authentication Level of "Send NTLMv2 responses only"
Using SMB/CIFS for Windows client
You can use a CIFS share from a Microsoft operating system.
Adopting Universal Naming Convention (UNC) syntax
Use Windows Explorer entering the path to the share in UNC syntax:
Examples:
\\lsdf02.urz.uni-heidelberg.de or \\lsdf02.urz.uni-heidelberg.de\<sv-acronym>
Following the input of the UNC path, a window will pop up:
Loginname: BWSERVICESAD\hd_xy123
Password: Service Password
Following authentication a new window pops up, showing the content of the share.
You can now manipulate your files as accustomed.
Creation of a network (pseudo) drive with Windows Explorer
To connect to a network share in Windows Explorer select the control field
Select a drive letter to be associated with the network share and enter the network path (e.g. \\lsdf02.urz.uni-heidelberg.de). Select ‘use a different identification‘, as these differ from your credential used locally.
Path: \\lsdf02.urz.uni-heidelberg.de\<sv-acronym>
Username: BWSERVICESAD\hd_xy123
Password: Service Password
Using SMB/CIFS for Mac OS client
Important To use SMB Protocol you need a OSX Version 10.7 or newer!
Creation of a network drive with Finder
To connect to a network share in Finder select the control field
Select a drive letter to be associated with the network share and enter the network path (e.g. \\lsdf02.urz.uni-heidelberg.de). Select ‘use a different identification‘, as these differ from your credential used locally.
Path: smb://lsdf02.urz.uni-heidelberg.de/<sv-acronym>
Username: BWSERVICESAD\hd_xy123
Password: Service Password
Using SMB/CIFS for UNIX client
A UNIX like operating system needs a CIFS client to use a share. CIFS clients are part of Samba implementation for Linux and other UNIX like operating systems (http://www.samba.org)
Attention: The core CIFS protocol does not provide unix ownership information or mode for files and directories. Because of this, files and directories will generally appear to be owned by whatever values the uid= or gid= options are set, and will have permissions set to the default file_mode and dir_mode for the mount. Attempting to change these values via chmod/chown will return success but have no effect.
For security reasons, server side permission checks cannot be overriden. The permission checks done by the server will always correspond to the credentials used to mount the share, and not necessarily to the user who is accessing the share.
Although mapping of POSIX UIDs and SIDs is not needed mounting a CIFS share it might become necessary when working with files on the share, e.g. when modifying ACLs.
SMB Client
Example: To list the files in a SMB share, use the program smbclient.
smbclient -U 'BWSERVICESAD\hd_xy123' //lsdf02.urz.uni-heidelberg.de/<sv-acronym> Enter BWSERVICESAD\hd_xy123's password:
The program allows you to access the files with a FTP like tool in an interactive shell.
$ smbclient //lsdf02.urz.uni-heidelberg.de/<sv-acronym> -U 'BWSERVICESAD\hd_xy123' Enter BWSERVICESAD\hd_xy123's password: smb: \> ls . D 0 Thu Apr 23 12:51:48 2020 .. D 0 Wed Apr 22 21:54:04 2020 bench D 0 Fri Jul 26 10:24:05 2019 benchmark_test D 0 Tue Oct 30 16:12:21 2018 checksums D 0 Mon Sep 18 10:24:21 2017 test.multiuser A 6 Thu Apr 23 12:36:07 2020 test A 7 Thu Apr 23 09:38:13 2020 ..... .snapshots DHR 0 Thu Jan 1 01:00:00 1970 115343360000 blocks of size 1024. 108260302848 blocks available smb:\
Mounting a SDS@hd CIFS share can be done by using username/password credentials or by using kerberos tickets. Information about settting up a kerberos environment for SDS@hd can be found *here*.
Single-User Environment
A share can be mounted to a local directory, (e.g. /mnt/sds-hd ). Depending on your system setup, root privileges may be required.
CIFS normally binds all shares on the client as the property of the user who mounted them and transfers any existing write rights only to the user. With additional information from uid, gid, file_mode and dir_mode, other ownership and access rights can be defined when mounting on the client.
Nevertheless the ownership and access rights defined in this way are only simulated on the client and are not really transferred to the server. If access rights are changed on the client or files with other owners are created in shared folders, these changes only apply to the client and only until the next remount.
If you need to work with the correct server side permissions, please follow the setup of a MultiUser Setup
Mount over command line
Example:
$ mkdir /mnt/sds-hd $ sudo mount -t cifs -o username=hd_xy123,domain=BWSERVICESAD,vers=3.0,mfsymlinks //lsdf02.urz.uni-heidelberg.de/<sv-acronym> /mnt/sds-hd Password: $ df -h | grep sds-hd //lsdf02.urz.uni-heidelberg.de/sd16j007 108T 6,6T 101T 7% /mnt/sds-hd $ cd /mnt/sds-hd/ $ ls
Verify the success of the mount invoking the mount command without any arguments:
$ mount | grep lsdf02 //lsdf02.urz.uni-heidelberg.de/sd16j007 on /mnt/sds-hd type cifs (rw,relatime,vers=3.0,cache=strict,username=xxxx,domain=BWSERVICESAD,uid=1000,forceuid,gid=0,noforcegid,addr=xxxxx,file_mode=0755,dir_mode=0755,soft,nounix,serverino,mapposix,rsize=1048576,wsize=1048576,echo_interval=60,actimeo=1)
Mount over /etc/fstab
Example:
$ mkdir /mnt/mountpoint /etc/fstab //lsdf02.urz.uni-heidelberg.de/<sv_acronym> /mnt/mountpoint cifs uid=<YOUR_UID>,gid=<YOUR_GID>,user,vers=3.0,mfsymlinks,credentials=<path_to_user_HOME>/credentialsfile,noauto 0 0 $ cat /path_to_user_HOME/credentialsfile username=hd_ xy123 password=<your_servicepassword> domain=BWSERVICESAD $ mount /mnt/mountpoint
Verify the success of the mount invoking the mount command without any arguments:
$ mount | grep cifs //lsdf02.urz.uni-heidelberg.de/sd16j007 on /mnt/mountpoint type cifs (rw,relatime,vers=3.0,cache=strict,username=xxxx,domain=BWSERVICESAD,uid=1000,forceuid,gid=0,noforcegid,addr=xxxxx,file_mode=0755,dir_mode=0755,soft,nounix,serverino,mapposix,rsize=1048576,wsize=1048576,echo_interval=60,actimeo=1)
Multiuser Environment
By default, CIFS mounts only use a single set of user credentials (the mount credentials) when accessing a share. To support different user session on the same mountpoint and the correct permission/ownership processing, the mount options
multiuser,cifsacl
have to be used. Because the kernel cannot prompt for passwords, multiuser mounts are limited to mounts using passwordless sec= options, like with sec=krb5. Information about settting up a kerberos environment can be found *here*
ID Mapping
In a Multiuser Environment it is important to get the correct ownerships and permissions from the server. Therefor you need to setup a ID Mapping environment.
Additionally we need the following packages to enable CIFS Mapping:
- RedHat/CentOS:
$ yum install cifs-utils keyutils
- debian/ubuntu:
$ apt install cifs-utils keyutils
After installing SSSD you have to ensure that it will be used for CIFS name resolution, e.g.
- RedHat/CentOS:
On RedHat SSSD should have allready a higher priority than winbind:
$ alternatives --display cifs-idmap-plugin cifs-idmap-plugin - Status ist automatisch. Link verweist auf /usr/lib64/cifs-utils/cifs_idmap_sss.so /usr/lib64/cifs-utils/cifs_idmap_sss.so - priority 20 /usr/lib64/cifs-utils/idmapwb.so - priority 10 Zur Zeit ist die `best' Version /usr/lib64/cifs-utils/cifs_idmap_sss.so.
- debian/ubuntu:
On debian systems SSSD has to be registered for ID mapping with an higher priority than winbind:
$ sudo update-alternatives --install /etc/cifs-utils/idmap-plugin idmap-plugin /usr/lib/x86_64-linux-gnu/cifs-utils/cifs_idmap_sss.so 50 $ update-alternatives --display idmap-plugin idmap-plugin - automatischer Modus beste Version des Links ist /usr/lib/x86_64-linux-gnu/cifs-utils/cifs_idmap_sss.so Link verweist zur Zeit auf /usr/lib/x86_64-linux-gnu/cifs-utils/cifs_idmap_sss.so Link idmap-plugin ist /etc/cifs-utils/idmap-plugin Slave idmap-plugin.8.gz ist /usr/share/man/man8/idmap-plugin.8.gz /usr/lib/x86_64-linux-gnu/cifs-utils/cifs_idmap_sss.so - Priorität 50 /usr/lib/x86_64-linux-gnu/cifs-utils/idmapwb.so - Priorität 40 Slave idmap-plugin.8.gz: /usr/share/man/man8/idmapwb.8.gz
AutoFS Setup
Because CIFS shares, in contrast to nfs-Mounts, have to be mounted directly, the root user can not simply mount them into a global folder. Instead the shares have to be initially mounted by a user who has access to the Share. To achieve this, you can use the automounter "autofs".
- RedHat/CentOS:
$ yum install autofs $ systemctl enable autofs $ systemctl start autofs
- debian/ubuntu:
$ apt install autofs $ systemctl enable autofs $ systemctl start autofs
Afterwards you configure the SDS@hd Speichervorhaben in a new map file:
$ cat /etc/auto.sds-hd <sv-acronym1> -fstype=cifs,cifsacl,multiuser,sec=krb5,cruid=${UID},vers=3.0,mfsymlinks ://lsdf02.urz.uni-heidelberg.de/<sv-acronym1> <sv-acronym2> -fstype=cifs,cifsacl,multiuser,sec=krb5,cruid=${UID},vers=3.0,mfsymlinks ://lsdf02.urz.uni-heidelberg.de/<sv-acronym2> ....
You have to include the new map into the auto.master file:
$ cat /etc/auto.master [...] /mnt/sds-hd /etc/auto.sds-hd [...]
To display all available SDS@hd shares on this machine to the users, you should enable "browser_mode":
$ cat /etc/autofs.conf [...] # to display all available SDS-hd shares on this to the users browse_mode=yes [...]
otherwise each share-folder will only be visible after a user has mounted.
After changing the configuration, you should restart the autofs daemon, e.g.:
$ systemctl restart autofs
Of course you can adopt all other autofs options, like timeouts, etc. to the specific needs of your environment or use any other method for dynamically mounting the CIFS shares.
Now each user should be able to mount a SDS@hd share, which is configured for the machine. If a share is allready mounted, other users will access this share with their own credentials without mounting again.
To get access, each user needs a valid kerberos ticket, which can be fetched with
$ kinit hd_xy123
For further information about handling kerberos ticket take a look at SDS@hd kerberos