
Mounting an SMB Gateway on Linux

Prerequisites:

These instructions assume you already have an SMB gateway

SMB gateways are a paid add-on service for Oak spaces. If you'd like to learn more, please visit our gateways page.

Before attempting to mount your SMB Gateway, you will need to complete the following steps in the order they are presented.

Mounting The Gateway

On the client, mounting Oak SMB requires a valid Kerberos ticket (credential cache). This could be done as root, but that is not a best practice. It's better to use the cruid option of mount.cifs: cruid=$(USER), where $(USER) is the UID of the owner of the credentials cache.

Using the SUNet ID jdoe as an example and jstanford as the name of the PI:

If you are already logged in as root:

# su - jdoe

Get a Kerberos ticket

$ kinit jdoe@stanford.edu

Create the local mount point

We recommend using the canonical path for Oak so the experience is consistent from your server to other services like Sherlock.

$ sudo mkdir -p /oak/stanford/groups/jstanford

Mount the share

As root or using sudo, mount the share (it may also be possible to do this from a user context if users are allowed to mount on your server):

Your GID and UID can be found from a Sherlock login node

To determine your UID and GID, use the command id from a Sherlock login node. This will return your username and numerical UID value, as well as the names of any groups that you're a member of and their associated numerical GID values. Use the GID that corresponds to the group whose gateway you are connecting to.

$ sudo mount -t cifs -o user=jdoe@stanford.edu,cruid=jdoe,sec=krb5,gid=3159,uid=251950 //smb-jstanford.oak.stanford.edu/groups/jstanford /oak/stanford/groups/jstanford

You can add an entry into your /etc/fstab to mount the share each time your computer is booted.

//smb-jstanford.oak.stanford.edu/groups/jstanford /oak/stanford/groups/jstanford cifs user=jdoe@stanford.edu,cruid=jdoe,sec=krb5,uid=307858,gid=3159,user,rw,noperm 0 0

Command Elements

Here's a quick explainer for each element in the mount command:

user = the user's principal

cruid = the local user owner of the credentials cache (for the ticket) – this could be any local user, even a non-Oak user

sec=krb5 = Use Kerberos as the method of authentication

gid and uid: ALL files of this mount will use these gid/uid, but permissions will also be checked server-side with Kerberos. If configured correctly, it will allow write access to the share under that user. This means that all files written will be written as jdoe. This is one of the costs of using SMB vs NFS on Linux. It is not something that we have a workaround for at this point in time.
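A check for the fstab entry and mount options described above, as an added example that is not part of the original page: it flags a CIFS line that stores a password, does not use sec=krb5, omits cruid, or lacks the numeric uid/gid the page's commands use. The function names check_cifs_entry and audit_fstab are hypothetical, the sample line is constructed, and accepting sec=krb5i is an assumption.

```shell
#!/bin/sh
# Added example (not from the original page): audit fstab-format lines against
# the Kerberos CIFS options this page uses. Function names are hypothetical.
# check_cifs_entry status: 0 = clean, 1 = findings printed, 2 = not a cifs entry.
check_cifs_entry() (
    case $1 in '#'*) exit 2 ;; esac
    set -f                 # no glob expansion while word-splitting the line
    set -- $1              # fstab fields: device mountpoint fstype options ...
    [ "$#" -ge 4 ] && [ "$3" = cifs ] || exit 2
    sec='' cruid='' uid='' gid='' rc=0
    IFS=,
    for o in $4; do
        case $o in
            sec=*)   sec=${o#sec=} ;;
            cruid=*) cruid=${o#cruid=} ;;
            uid=*)   uid=${o#uid=} ;;
            gid=*)   gid=${o#gid=} ;;
            password=*|pass=*)
                echo "password stored in fstab; use a Kerberos ticket"; rc=1 ;;
        esac
    done
    case $sec in
        krb5|krb5i) ;;     # accepting krb5i as well is an assumption
        *) echo "sec=${sec:-unset}: expected sec=krb5"; rc=1 ;;
    esac
    # Without cruid, mount.cifs uses the credentials cache of the user running
    # mount, which is root at boot or under sudo.
    [ -n "$cruid" ] || { echo "cruid missing"; rc=1; }
    for kv in "uid=$uid" "gid=$gid"; do
        case ${kv#*=} in
            ''|*[!0-9]*) echo "${kv%%=*} missing or not numeric"; rc=1 ;;
        esac
    done
    exit "$rc"
)

# Audit every line of an fstab-format file (default: /etc/fstab).
audit_fstab() {
    status=0
    while IFS= read -r l; do
        check_cifs_entry "$l" || [ "$?" -ne 1 ] || status=1
    done < "${1:-/etc/fstab}"
    return "$status"
}

# Constructed sample line that lacks sec= and cruid=.
check_cifs_entry '//smb.example.invalid/share /mnt cifs user=jdoe,uid=1000,gid=1000 0 0' || true
```

Run audit_fstab with no argument to check the live /etc/fstab; a non-zero status means at least one CIFS entry produced findings.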

Special Considerations

If you'd like to share the mount with other users, this will require more work, and we're not sure it's possible at this time. It's also a bit out of scope of our support (but could be fun to investigate). Fundamentally, SMB is not designed to be multi-user like NFS. You can play with local uid/gid if you want, to try to trick the local system and make it work with multiple users. But in the end, permissions are always checked server (Oak) side with Kerberos, so everything you might do while mounted to Oak will be under your SUNet ID as a result of the -o user option.