Linux can mount all or part of DartFS via the SMB protocol. This requires SMB version 2 or higher, and so is only available to Red Hat Enterprise 7 and later, or Ubuntu 16 or later. (Other Linux variants are left as an exercise). You will need an account which has permission to read (at minimum) the location in DartFS that you wish to mount, and for which a keytab file can be created. In general, this will be a service account with limited access. Request a service account
You will also join the system to the Dartmouth domain, which permits the keytab file to be validated. This does not grant other access to domain administrators.
Requirements
Kerberos client tools; Active Directory client tools; kstart. Listed below are packages which may need to be added to a system.
- RHEL
- krb5-workstation
- krb5-libs
- adcli
- kstart
- Ubuntu
- libsas12-modules-gssapi-mit
- krb5-config
- krb5-user
- adcli
- kstart
Configure and Test
Edit /etc/krb5.conf and set the default authentication realm and other parameters as follows:
[libdefaults]
default_realm = KIEWIT.DARTMOUTH.EDU
dns_lookup_realm = false
dns_lookup_kdc = true
ticket_lifetime = 30d
renew_lifetime = 30d
forwardable = true
rdns = false
Next, we need to create a computer record for the system in Active Directory (AD), if it hasn't already been done. This creates a file /etc/krb5.keytab containing a key that can be used to validate operations with our AD. You need the adcli tool, from the adcli RPM.
Make sure that hostname
returns a fully qualified domain name (XXX.dartmouth.edu), or the adcli join
won't get the correct host principals that are needed later.
Get a kerberos ticket as a regular NetD, storing the credential cache in a temporary place (krb5cc_0_join) we can give to adcli
kinit -c /tmp/krb5cc_0_join NetID@KIEWIT.DARTMOUTH.EDU
(enter password for <NetID>)
Now run adcli using this credential. You need to explicitly give it one of the AD domain controllers - in this case kiewit-dc01
adcli join kiewit.dartmouth.edu -S kiewit-dc01.kiewit.dartmouth.edu --login-ccache=/tmp/krb5cc_0_join --verbose
You should now have a small file /etc/krb5.keytab. Discard that temporary credential:
kdestroy -c /tmp/krb5cc_0_join
If you have not already done so, create a keytab file for your service account (service-NetID -- see related article) and store in a local filesystem and readable only by root, e.g. /usr/local/private/mykeytab Make sure service-NetID has been put in the appropriate group or otherwise granted access to the part of DartFS that you will be mounting.
Test ticket generation with:
# kinit -k -t /usr/local/private/mykeytab service-NetID@KIEWIT.DARTMOUTH.EDU
# klist
If klist
shows that you have a credential for service-NetID@KIEWIT.DARTMOUTH.EDU, now test SMB mount using this credential. Substitute your values for service-NetID, and also local-UID (the user who will apparently own the files on this system) and local-GID (the group for the files as seen by this system), and the path/to/DartFS/share -- full path to the location in DartFS that you wish to use. The last argument is the local mount point, which should be an existing empty directory. The local UID and GID numbers must exist. If your share is on DartFS tier-4, substitute dartfs for dartfs-hpc in the server name. Do not append the domain .dartmouth.edu to the server name.
# mount -t cifs --verbose -o username=service-NetID,domain=KIEWIT.DARTMOUTH.EDU -o vers=3.0,file_mode=0664,dir_mode=0774,uid=local-UID,gid=local-GID,sec=krb5 //dartfs-hpc/path/to/DartFS/share /mnt/dartfs
Run at boot time
Directory /mnt/dartfs and everything below it will appear to be owned by local-UID:local-GID. On other clients, the files will be owned by service-NetID. If /mnt/dartfs now goes to the desired location in DartFS and you have the expected access, you need to arrange for the k5start
and mount
commands to be run at boot time. There are various options for this, but one place is in the file /etc/rc.local, run at the end of the boot sequence. You need to use k5start
from the kstart package, which obtains a credential from the keytab file like kinit
but then keeps renewing it. Without k5start
, the credential expires after 10 hours, and the mount will be dropped.
# This is run at the end of the boot sequence, when all system services should be started
# Authenticate to DartFS with a service account keytab
k5start -b -K 60 -L -f /usr/local/private/mykeytab service-NetID@KIEWIT.DARTMOUTH.
# Now mount SMB using these credentials.
mount -t cifs --verbose -o username=service-NetID,domain=KIEWIT.DARTMOUTH.EDU -o vers=3.0,file_mode=0664,dir_mode=0774,uid=local-UID,gid=local-GID,sec=krb5 //dartfs-hpc.dartmouth.edu/path/to/DartFS/share /mnt/dartfs
These commands can also be run at the start of a cron script. To unmount DartFS, use
umount /mnt/dartfs