Warning on login methods
This guide only applies to machines that have been joined to Active Directory and to people who log in with their UC user code and password. The method below does not work for logins with ssh keys: pam_mount needs the password that passes through PAM at login in order to obtain the Kerberos ticket and perform the mount, and a key-based ssh login never supplies one.
Warning on time limits
The guide below shows how to automount SMB shares on login using the ticket generated by Kerberos when using Active Directory. Kerberos tickets are limited in time and that limit is enforced by the server, not by your machine. Expect to lose your mount if you stay logged in for more than 7 days at a time in a single session. At UC, Kerberos tickets have a lifespan of 10 hours and can be renewed for up to 7 days; the ticket_lifetime value requested in krb5.conf below is only a request, the KDC caps it at its own maximum. You can see the current expiry and the "renew until" deadline of your ticket with klist. If you are using a setup connected to Active Directory by the eResearch support team (François Bissey at the time of writing), your ticket should be automatically renewed up to the end of the 7 days by the login service.
Our team can do the setup for you according to your specifications (within reason). This page is mainly a document for people who want to manage and learn things on their own. It also documents some limitations of the current storage solution at UC, and it can help you make an informed decision about the setup if you request that it be done by the eResearch support team.
Pre-requisites
This setup will use pam_mount to magically mount the UC shared drives upon login. We will need the following packages on the machine:
sudo apt install libpam-mount cifs-utils hxtools keyutils
The above is of course for Ubuntu/Debian Linux distributions. Look for the equivalent packages if you use a different flavor. Note that some pre-requisites should already be present because your system has been hooked up with Active Directory.
You should already have the krb5-user package installed. Upon installation it should have generated a sample configuration, krb5.conf, in the /etc folder of your machine. This configuration, usually based on the original setup at MIT, can be safely removed in its entirety and replaced with the following:
[libdefaults]
    default_realm = CANTERBURY.AC.NZ
    dns_lookup_realm = true
    dns_lookup_kdc = true
    # Requested lifetimes only: the KDC enforces its own maximum
    # (10 hours and 7 days at UC), whatever is asked for here.
    ticket_lifetime = 24h
    renew_lifetime = 7d
    # One credential cache per user; pam_mount's cruid option points at it.
    default_ccache_name = FILE:/tmp/krb5cc_%{uid}

[realms]
    CANTERBURY.AC.NZ = {
        default_domain = canterbury.ac.nz
    }

[domain_realm]
    canterbury.ac.nz = CANTERBURY.AC.NZ
    .canterbury.ac.nz = CANTERBURY.AC.NZ

[logging]
    default = FILE:/var/log/krb5libs.log
    kdc = FILE:/var/log/krb5kdc.log
    admin_server = FILE:/var/log/kadmind.log
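To see when a session will actually lose its mounts, read the ticket's expiry and "renew until" deadline from klist and apply the rule from the time-limit warning at the top of this page: a renewal (kinit -R) extends a ticket that is still valid by one more lifetime, but never past the renew-until deadline that the KDC enforces. The script below is an added example and is not part of this guide or of the UC login service. The klist sample inside it is constructed (principal, cache name and times are made up), and the DD/MM/YYYY HH:MM:SS timestamp layout it parses is an assumption about your machine's locale; klist_output() runs the real command.

```python
"""When will a pam_mount session lose its SMB shares?

Added example, not part of the UC eResearch guide: it reads the TGT entry
from the text klist prints and applies the two limits described on this
page, the ticket lifetime (extendable with kinit -R) and the renew-until
deadline the KDC enforces. The klist sample is constructed; the timestamp
layout is an assumption about the machine's locale.
"""
import re
import subprocess
from datetime import datetime, timedelta

# Assumption: klist on this machine prints DD/MM/YYYY HH:MM:SS.
KLIST_TIME_FMT = "%d/%m/%Y %H:%M:%S"
TIME_RE = r"\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}"
TICKET_LIFETIME = timedelta(hours=10)   # what the UC KDC hands out

# Constructed sample (principal, cache name and times are made up): a TGT
# issued at 09:00, valid for 10 hours, renewable for 7 days.
SAMPLE_KLIST = """\
Ticket cache: FILE:/tmp/krb5cc_10123
Default principal: abc123@CANTERBURY.AC.NZ

Valid starting       Expires              Service principal
01/03/2024 09:00:00  01/03/2024 19:00:00  krbtgt/CANTERBURY.AC.NZ@CANTERBURY.AC.NZ
\trenew until 08/03/2024 09:00:00
"""


def klist_output():
    """Output of the real klist for the calling user (not used by the tests)."""
    return subprocess.run(["klist"], capture_output=True, text=True, check=True).stdout


def parse_tgt(klist_text):
    """Return (valid_from, expires, renew_until) of the krbtgt entry, or None.

    renew_until is None when the ticket is not renewable (no 'renew until'
    continuation line follows the entry)."""
    lines = klist_text.splitlines()
    for i, line in enumerate(lines):
        m = re.match(rf"({TIME_RE})\s+({TIME_RE})\s+krbtgt/", line)
        if not m:
            continue
        valid_from = datetime.strptime(m.group(1), KLIST_TIME_FMT)
        expires = datetime.strptime(m.group(2), KLIST_TIME_FMT)
        renew_until = None
        if i + 1 < len(lines):
            r = re.search(rf"renew until ({TIME_RE})", lines[i + 1])
            if r:
                renew_until = datetime.strptime(r.group(1), KLIST_TIME_FMT)
        return valid_from, expires, renew_until
    return None


def renew(expires, renew_until, now, lifetime=TICKET_LIFETIME):
    """Model kinit -R: the KDC renews only a ticket that is still valid and
    still inside its renew window, and the new expiry never passes
    renew_until. Returns the new expiry, or None when renewal is refused."""
    if renew_until is None or now > expires or now > renew_until:
        return None
    return min(now + lifetime, renew_until)


def session_deadline(klist_text, now):
    """Latest moment the mounts can survive if the ticket is renewed just
    before every expiry from `now` on. None if the ticket is already dead."""
    parsed = parse_tgt(klist_text)
    if parsed is None:
        raise ValueError("no krbtgt entry found in klist output")
    _, expires, renew_until = parsed
    if now > expires:
        return None
    while True:
        extended = renew(expires, renew_until, expires - timedelta(minutes=1))
        if extended is None or extended <= expires:
            return expires
        expires = extended


if __name__ == "__main__":
    deadline = session_deadline(klist_output(), datetime.now())
    print("mounts survive until", deadline)
```

For the constructed sample the answer is the renew-until time, 7 days after issue, whatever the requested ticket_lifetime in krb5.conf says: renewals keep pushing the expiry forward in 10 hour steps until the renew window closes, and once the ticket has expired without a renewal no further renewal is possible.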
Optional
Because pam_mount is now installed, the configuration of the sssd daemon, which is in charge of managing your login with Active Directory, should get a small change. Note that this is optional: without it some complaints will be registered in the logs on the machine, but the functionality won't be affected.
In the file /etc/sssd/sssd.conf, the last line of the [sssd] block, labeled services, needs to have pam removed. From
[sssd]
domains = canterbury.ac.nz
config_file_version = 2
services = nss, pam
to
[sssd]
domains = canterbury.ac.nz
config_file_version = 2
services = nss
Do not touch any other lines before or after the services line.
Managing the mounting process takes place in the file /etc/security/pam_mount.conf.xml. Further configuration can be devolved to the user inside a file in their home directory. This needs to be allowed, and the file location defined, in the general configuration file under /etc/security. The advantage of devolving some configuration to the user is that they can choose a mount point in a folder they own. But more on this in the next few sections.
Mounting file systems in central mount points
In this section we will configure pam_mount to mount all the shares you would usually need under a central point, /file. This mimics the setup of the Red Hat machines centrally managed by ITS. The only difference is that we don't make the P drive the home directory for your user; we just make it available.
You can use the /etc/security/pam_mount.conf.xml file below to mount all the P drives, the K drive and the bulk, research, shared and scratch drives:
<?xml version="1.0" encoding="utf-8" ?>
<!DOCTYPE pam_mount SYSTEM "pam_mount.conf.xml.dtd">
<!-- See pam_mount.conf(5) for a description. -->

<pam_mount>

  <!-- debug should come before everything else, since this file is still
       processed in a single pass from top-to-bottom. Level 3 is verbose;
       set enable="0" once the mounts work. -->
  <debug enable="3" />

  <!-- Volume definitions -->
  <volume fstype="cifs" server="file.canterbury.ac.nz" path="Research" mountpoint="/file/research"
          uid="10000-640000" options="user=%(USER),domain=uocnt,cruid=%(USERUID),multiuser,vers=3.0" />
  <volume fstype="cifs" server="file.canterbury.ac.nz" path="Bulk" mountpoint="/file/bulk"
          uid="10000-640000" options="user=%(USER),domain=uocnt,cruid=%(USERUID),multiuser,vers=3.0" />
  <volume fstype="cifs" server="file.canterbury.ac.nz" path="Departments" mountpoint="/file/departments"
          uid="10000-640000" options="user=%(USER),domain=uocnt,cruid=%(USERUID),multiuser,vers=3.0" />
  <volume fstype="cifs" server="file.canterbury.ac.nz" path="Scratch" mountpoint="/file/scratch"
          uid="10000-640000" options="user=%(USER),domain=uocnt,cruid=%(USERUID),multiuser,vers=3.0" />
  <volume fstype="cifs" server="file.canterbury.ac.nz" path="Shared" mountpoint="/file/shared"
          uid="10000-640000" options="user=%(USER),domain=uocnt,cruid=%(USERUID),multiuser,vers=3.0" />

  <!-- P drives -->
  <volume fstype="cifs" server="file.canterbury.ac.nz" path="Usersa$" mountpoint="/file/usersa"
          uid="10000-640000" options="user=%(USER),domain=uocnt,cruid=%(USERUID),multiuser,vers=3.0" />
  <volume fstype="cifs" server="file.canterbury.ac.nz" path="Usersb$" mountpoint="/file/usersb"
          uid="10000-640000" options="user=%(USER),domain=uocnt,cruid=%(USERUID),multiuser,vers=3.0" />
  <volume fstype="cifs" server="file.canterbury.ac.nz" path="Usersc$" mountpoint="/file/usersc"
          uid="10000-640000" options="user=%(USER),domain=uocnt,cruid=%(USERUID),multiuser,vers=3.0" />
  <volume fstype="cifs" server="file.canterbury.ac.nz" path="Usersd$" mountpoint="/file/usersd"
          uid="10000-640000" options="user=%(USER),domain=uocnt,cruid=%(USERUID),multiuser,vers=3.0" />
  <volume fstype="cifs" server="file.canterbury.ac.nz" path="Userse$" mountpoint="/file/userse"
          uid="10000-640000" options="user=%(USER),domain=uocnt,cruid=%(USERUID),multiuser,vers=3.0" />
  <volume fstype="cifs" server="file.canterbury.ac.nz" path="Usersf$" mountpoint="/file/usersf"
          uid="10000-640000" options="user=%(USER),domain=uocnt,cruid=%(USERUID),multiuser,vers=3.0" />
  <volume fstype="cifs" server="file.canterbury.ac.nz" path="Usersg$" mountpoint="/file/usersg"
          uid="10000-640000" options="user=%(USER),domain=uocnt,cruid=%(USERUID),multiuser,vers=3.0" />
  <volume fstype="cifs" server="file.canterbury.ac.nz" path="Usersh$" mountpoint="/file/usersh"
          uid="10000-640000" options="user=%(USER),domain=uocnt,cruid=%(USERUID),multiuser,vers=3.0" />
  <volume fstype="cifs" server="file.canterbury.ac.nz" path="Usersi$" mountpoint="/file/usersi"
          uid="10000-640000" options="user=%(USER),domain=uocnt,cruid=%(USERUID),multiuser,vers=3.0" />
  <volume fstype="cifs" server="file.canterbury.ac.nz" path="Usersj$" mountpoint="/file/usersj"
          uid="10000-640000" options="user=%(USER),domain=uocnt,cruid=%(USERUID),multiuser,vers=3.0" />
  <volume fstype="cifs" server="file.canterbury.ac.nz" path="Usersk$" mountpoint="/file/usersk"
          uid="10000-640000" options="user=%(USER),domain=uocnt,cruid=%(USERUID),multiuser,vers=3.0" />
  <volume fstype="cifs" server="file.canterbury.ac.nz" path="Usersl$" mountpoint="/file/usersl"
          uid="10000-640000" options="user=%(USER),domain=uocnt,cruid=%(USERUID),multiuser,vers=3.0" />
  <volume fstype="cifs" server="file.canterbury.ac.nz" path="Usersm$" mountpoint="/file/usersm"
          uid="10000-640000" options="user=%(USER),domain=uocnt,cruid=%(USERUID),multiuser,vers=3.0" />
  <volume fstype="cifs" server="file.canterbury.ac.nz" path="Usersn$" mountpoint="/file/usersn"
          uid="10000-640000" options="user=%(USER),domain=uocnt,cruid=%(USERUID),multiuser,vers=3.0" />
  <volume fstype="cifs" server="file.canterbury.ac.nz" path="Userso$" mountpoint="/file/userso"
          uid="10000-640000" options="user=%(USER),domain=uocnt,cruid=%(USERUID),multiuser,vers=3.0" />
  <volume fstype="cifs" server="file.canterbury.ac.nz" path="Usersp$" mountpoint="/file/usersp"
          uid="10000-640000" options="user=%(USER),domain=uocnt,cruid=%(USERUID),multiuser,vers=3.0" />
  <volume fstype="cifs" server="file.canterbury.ac.nz" path="Usersq$" mountpoint="/file/usersq"
          uid="10000-640000" options="user=%(USER),domain=uocnt,cruid=%(USERUID),multiuser,vers=3.0" />
  <volume fstype="cifs" server="file.canterbury.ac.nz" path="Usersr$" mountpoint="/file/usersr"
          uid="10000-640000" options="user=%(USER),domain=uocnt,cruid=%(USERUID),multiuser,vers=3.0" />
  <volume fstype="cifs" server="file.canterbury.ac.nz" path="Userss$" mountpoint="/file/userss"
          uid="10000-640000" options="user=%(USER),domain=uocnt,cruid=%(USERUID),multiuser,vers=3.0" />
  <volume fstype="cifs" server="file.canterbury.ac.nz" path="Userst$" mountpoint="/file/userst"
          uid="10000-640000" options="user=%(USER),domain=uocnt,cruid=%(USERUID),multiuser,vers=3.0" />
  <volume fstype="cifs" server="file.canterbury.ac.nz" path="Usersu$" mountpoint="/file/usersu"
          uid="10000-640000" options="user=%(USER),domain=uocnt,cruid=%(USERUID),multiuser,vers=3.0" />
  <volume fstype="cifs" server="file.canterbury.ac.nz" path="Usersv$" mountpoint="/file/usersv"
          uid="10000-640000" options="user=%(USER),domain=uocnt,cruid=%(USERUID),multiuser,vers=3.0" />
  <volume fstype="cifs" server="file.canterbury.ac.nz" path="Usersw$" mountpoint="/file/usersw"
          uid="10000-640000" options="user=%(USER),domain=uocnt,cruid=%(USERUID),multiuser,vers=3.0" />
  <volume fstype="cifs" server="file.canterbury.ac.nz" path="Usersx$" mountpoint="/file/usersx"
          uid="10000-640000" options="user=%(USER),domain=uocnt,cruid=%(USERUID),multiuser,vers=3.0" />
  <volume fstype="cifs" server="file.canterbury.ac.nz" path="Usersy$" mountpoint="/file/usersy"
          uid="10000-640000" options="user=%(USER),domain=uocnt,cruid=%(USERUID),multiuser,vers=3.0" />
  <volume fstype="cifs" server="file.canterbury.ac.nz" path="Usersz$" mountpoint="/file/usersz"
          uid="10000-640000" options="user=%(USER),domain=uocnt,cruid=%(USERUID),multiuser,vers=3.0" />

  <!-- We need to over-ride the cifs mount command so that uid and gid are not
       set as they would be by default. This would result in a permission
       denied error. -->
  <cifsmount>mount -t cifs //%(SERVER)/%(VOLUME) %(MNTPT) -o %(OPTIONS)</cifsmount>

  <!-- requires ofl from hxtools to be present -->
  <logout wait="0" hup="no" term="no" kill="no" />

  <!-- pam_mount parameters: Volume-related -->
  <mkmountpoint enable="1" remove="true" />

</pam_mount>
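The 26 P-drive stanzas above differ in a single letter, and the rest of the file has a handful of properties the setup depends on. The script below is an added example, not part of this guide or of pam_mount: p_drive_volumes() writes the Users?$ entries from the page's template so they need not be copied by hand, and lint() checks a pam_mount.conf.xml for those properties, namely cruid=%(USERUID) and multiuser on every cifs volume, a uid range on every volume, a cifsmount override that no longer appends uid=/gid= (the permission denied case noted in the comment above), and debug switched off. The two sample configurations inside it are constructed; pass the path of your real file on the command line to lint it.

```python
"""Generate and lint pam_mount volume stanzas for the /file layout.

Added example, not part of the UC guide or of pam_mount. p_drive_volumes()
writes the 26 Users?$ entries from the page's template; lint() checks a
pam_mount.conf.xml for the properties the page relies on. The sample
configurations below are constructed.
"""
import re
import string
import sys
import xml.etree.ElementTree as ET

# Values taken from the page's configuration.
SERVER = "file.canterbury.ac.nz"
UID_RANGE = "10000-640000"
OPTIONS = "user=%(USER),domain=uocnt,cruid=%(USERUID),multiuser,vers=3.0"
# Every cifs volume must carry these so the mount uses the login user's
# credential cache and later users get their own sessions.
REQUIRED_OPTS = ("cruid=%(USERUID)", "multiuser")


def volume_xml(path, mountpoint):
    """One <volume> element laid out like the entries on this page."""
    return (f'<volume fstype="cifs" server="{SERVER}" path="{path}" '
            f'mountpoint="{mountpoint}" uid="{UID_RANGE}" options="{OPTIONS}" />')


def p_drive_volumes(letters=string.ascii_lowercase):
    """The Usersa$ .. Usersz$ (P drive) stanzas, one per line."""
    return "\n".join(volume_xml(f"Users{c}$", f"/file/users{c}") for c in letters)


def lint(conf_xml):
    """Return human-readable findings for a pam_mount.conf.xml; [] means clean."""
    root = ET.fromstring(conf_xml)
    findings = []
    debug = root.find("debug")
    if debug is not None and debug.get("enable", "0") != "0":
        findings.append(f'debug enable="{debug.get("enable")}": set to 0 once the setup works')
    for vol in root.findall("volume"):
        where = f'{vol.get("server")}/{vol.get("path")} -> {vol.get("mountpoint")}'
        if vol.get("fstype") != "cifs":
            findings.append(f"{where}: fstype is not cifs")
            continue
        opts = vol.get("options", "").split(",")
        for req in REQUIRED_OPTS:
            if req not in opts:
                findings.append(f"{where}: missing option {req}")
        if not vol.get("uid"):
            findings.append(f"{where}: no uid range, so it applies to every login")
    cmd = root.find("cifsmount")
    if cmd is None:
        findings.append("no <cifsmount> override: pam_mount's default command adds uid=/gid=")
    elif re.search(r"(?<![a-z])(uid|gid)=", cmd.text or ""):   # cruid= is fine
        findings.append("<cifsmount> still sets uid=/gid=; drop them or the mount is refused")
    return findings


# Constructed sample, not the page's config: Research is fine, Bulk lost its
# cruid option, the mount override still sets uid=/gid= and debugging is on.
SAMPLE_BAD = f"""<!DOCTYPE pam_mount SYSTEM "pam_mount.conf.xml.dtd">
<pam_mount>
<debug enable="3" />
{volume_xml('Research', '/file/research')}
<volume fstype="cifs" server="{SERVER}" path="Bulk" mountpoint="/file/bulk"
        uid="{UID_RANGE}" options="user=%(USER),domain=uocnt,multiuser,vers=3.0" />
<cifsmount>mount -t cifs //%(SERVER)/%(VOLUME) %(MNTPT) -o %(OPTIONS),uid=%(USERUID),gid=%(USERGID)</cifsmount>
<mkmountpoint enable="1" remove="true" />
</pam_mount>
"""

# Constructed sample that follows the page's layout (two P drives only).
SAMPLE_GOOD = f"""<pam_mount>
<debug enable="0" />
{volume_xml('Research', '/file/research')}
{p_drive_volumes('ab')}
<cifsmount>mount -t cifs //%(SERVER)/%(VOLUME) %(MNTPT) -o %(OPTIONS)</cifsmount>
<logout wait="0" hup="no" term="no" kill="no" />
<mkmountpoint enable="1" remove="true" />
</pam_mount>
"""


if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else "/etc/security/pam_mount.conf.xml"
    with open(path, encoding="utf-8") as fh:
        problems = lint(fh.read())
    print("\n".join(problems) or f"{path}: no findings")
```

Run it as python3 pam_mount_lint.py /etc/security/pam_mount.conf.xml after editing the file; an empty result means the volumes carry the options this page needs and the cifsmount override is in place. Paste the output of p_drive_volumes() into the file instead of typing 26 stanzas.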