# Mounting an SMB Gateway on Linux

## Prerequisites

These instructions assume you already have an SMB gateway. SMB gateways are a paid add-on service for Oak spaces. If you'd like to learn more, please visit our SMB Gateways page.

Please complete the following steps in the order they are presented.
- Install Kerberos (`krb5-user`): https://uit.stanford.edu/service/kerberos/unix_install
- Copy Stanford's `krb5.conf` to `/etc/krb5.conf` (http://www.stanford.edu/dept/its/support/kerberos/dist/krb5.conf) and ensure its permissions are set to `644`.
- Install the `cifs-utils` package for your system.
## Mounting The Gateway

On the client, mounting Oak SMB requires a valid Kerberos ticket (credential cache). This could be obtained as root, but that is not a best practice. It is better to use the `cruid` option of `mount.cifs`, given as `cruid=$(USER)`, where `$(USER)` is the UID of the owner of the credentials cache.

The examples below use the SUNet ID `jdoe` and `jstanford` as the name of the PI:
### Switch to a non-root user account (recommended)

If you are already logged in as `root`:

```
# su - jdoe
```
### Get a Kerberos ticket

```
$ kinit jdoe@stanford.edu
```

### Create the local mount point

We recommend creating a path on your endpoint that is identical to the canonical path we use for Oak, so your experience is consistent across systems.

```
$ sudo mkdir -p /oak/stanford/groups/jstanford
```
### Mount the share

As `root` or using `sudo`, mount the share (it may also be possible to do this from a user context if users are allowed to mount on your server).

Your GID and UID can be found from a Sherlock login node. To determine your UID and GID, run the command `id` from a Sherlock login node. This will return your username and numerical UID value as well as the names of any groups that you're a member of and their associated numerical GID values. Use the GID that corresponds to the Oak group whose gateway you are connecting to. Substitute these values into the commands below. For `cruid`, use the UID of your account on the system where you're mounting Oak.

```
$ sudo mount -t cifs -o user=jdoe@stanford.edu,cruid=jdoe,sec=krb5,gid=3159,uid=251950 //smb-jstanford.oak.stanford.edu/groups/jstanford /oak/stanford/groups/jstanford
```
You can also add an entry to `/etc/fstab` to mount the share each time your computer is booted:

```
//smb-jstanford.oak.stanford.edu/groups/jstanford /oak/stanford/groups/jstanford cifs user=jdoe@stanford.edu,cruid=jdoe,sec=krb5,uid=307858,gid=3159,user,rw,noperm 0 0
```
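The mount procedure above, collected into one helper as an added example (this is not code from the original page): it checks the prerequisites (`/etc/krb5.conf` present with mode `644`, `cifs-utils` installed, a valid unexpired ticket via `klist -s`), resolves the local UID to use for `cruid`, creates the mount point and mounts the share. The gateway hostname and path follow the page's `jstanford` example; run it as the unprivileged user so the ticket cache belongs to that user, with `sudo` used only for `mkdir` and `mount`.

```shell
#!/bin/sh
# Added example, not part of the original page. Assumes the share naming
# //smb-<group>.oak.stanford.edu/groups/<group> shown in the page's example.

# Return 0 when the file exists with exactly the given octal mode.
check_mode() {  # $1 = path, $2 = expected mode such as 644
    [ -f "$1" ] || return 1
    mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1")
    [ "$mode" = "$2" ]
}

# Build the mount.cifs option string. cruid is the LOCAL uid owning the
# credential cache; uid/gid are the Oak-side values reported by `id` on Sherlock.
oak_mount_opts() {  # $1 = principal, $2 = local cruid, $3 = oak uid, $4 = oak gid
    printf 'user=%s,cruid=%s,sec=krb5,uid=%s,gid=%s' "$1" "$2" "$3" "$4"
}

# Usage: oak_mount jdoe jstanford 251950 3159   (run as the local user, not root)
oak_mount() {  # $1 = SUNet ID, $2 = PI group, $3 = oak uid, $4 = oak gid
    sunet=$1; group=$2
    share="//smb-${group}.oak.stanford.edu/groups/${group}"
    mnt="/oak/stanford/groups/${group}"

    check_mode /etc/krb5.conf 644 || { echo "/etc/krb5.conf missing or not mode 644" >&2; return 1; }
    command -v mount.cifs >/dev/null 2>&1 || { echo "cifs-utils is not installed" >&2; return 1; }
    # klist -s exits non-zero when the caller has no valid (unexpired) ticket.
    klist -s || { echo "no valid Kerberos ticket; run: kinit ${sunet}@stanford.edu" >&2; return 1; }

    # Local uid of the account whose cache holds the ticket (the cruid value).
    cruid=$(id -u "$sunet") || return 1

    sudo mkdir -p "$mnt" || return 1
    sudo mount -t cifs -o "$(oak_mount_opts "${sunet}@stanford.edu" "$cruid" "$3" "$4")" \
        "$share" "$mnt" || return 1
    # Confirm the share is actually mounted before reporting success.
    findmnt -t cifs "$mnt"
}
```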
## Command Elements

Here's a quick explainer for each element in the mount command:

- `user` = the user's principal
- `cruid` = the local user that owns the credentials cache (for the ticket); this could be any local user, even a non-Oak user
- `sec=krb5` = use Kerberos as the method of authentication
- `gid` and `uid`: ALL files of this mount will use this `gid`/`uid`, but permissions will also be checked server-side with Kerberos. If configured correctly, it will allow write access to the share under that user. This means that all files written will be written as `jdoe`. This is one of the costs of using SMB vs NFS on Linux. It is not something that we have a workaround for at this point in time.
## Special Considerations

If you'd like to share the mount with other users, this will require more work, and we're not sure it's possible at this time. It's also a bit out of scope of our support (but could be fun to investigate). Fundamentally, SMB is not designed to be multi-user like NFS. You can play with local uid/gid if you want, to try to trick the local system and make it work with multiple users. But in the end, permissions are always checked server (Oak) side with Kerberos, so everything you might do while mounted to Oak will be under your SUNet ID as a result of the `-o user` option.