SUSE init script for DFS mount with Kerberos and AD login

#! /bin/bash
#
# This script mounts a Windows DFS (NAS) share during boot and unmounts it at shutdown.
#
# usage: nasmount [start|stop]
#
# start
# stop
# modified by Yingding Wang 06.11.2012

### BEGIN INIT INFO
# Provides:          nasmount
# Required-Start:    $network
# Required-Stop:
# Default-Start:     3 5
# Default-Stop:      0 1 2 6
# Short-Description: init script for nas mount
# Description: this script mounts the DFS (NAS) with a Kerberos user from AD during start-up
### END INIT INFO

mountDIR=/nas                   # your mount point in your Linux system
mountingDIR=//nas/subdirectory  # the share path in your Windows DFS or NAS

# AD user and AD password.
# The password is stored in clear text here, so this file must be readable by
# root only (chmod 600); a keytab used with "kinit -k -t" avoids storing it at all.
ad_user=<your ad_user>
ad_password=<your ad_user_pw>
# Access user for the mounted directory in DFS
user=$ad_user
password=$ad_password

# DFS domain
dom=Your_Realm

# Access rights setting for the mount point
ac_user_name=<access username>
ac_group_name=<access groupname>
uid=$(id -u "$ac_user_name")
gid=$(getent group "$ac_group_name" | cut -d: -f3)

# Logging prefix
prompt=Logging:

#
# Main
#
case $1 in
  start)
   # create the mount point directory if it does not exist
   if [ ! -d "$mountDIR" ]; then
     echo "$prompt mount point $mountDIR doesn't exist"
     mkdir "$mountDIR" || { echo "$prompt cannot create $mountDIR"; exit 1; }
     echo "$prompt mount point $mountDIR is created"
   # otherwise check whether mountDIR is already a mount point and unmount it first
   elif /bin/mountpoint -q "$mountDIR"; then
     echo "$prompt Directory is mounted, it will be unmounted"
     /bin/umount "$mountDIR" || echo "$prompt umount failed (status $?)"
   else
     echo "$prompt Directory not mounted"
   fi

   # get a Kerberos ticket-granting ticket from AD; the AD user must be a member of the realm.
   # kinit has no password argument: it reads the password from stdin when stdin is not a terminal.
   echo "$prompt getting kerberos ticket with kinit"
   if ! echo "$ad_password" | kinit "$ad_user"; then
     echo "$prompt kinit failed"
     exit 1
   fi

   # after the ticket is granted, mount the NAS directory on the mount point.
   # uid and gid set the user id and group id that own the mounted files.
   # Note: with "password=" the share is authenticated with the password (NTLM), not
   # with the ticket; replace password=... with sec=krb5 to authenticate with the TGT.
   if ! /sbin/mount.cifs "$mountingDIR" "$mountDIR" -o "user=$user,dom=$dom,password=$password,uid=$uid,gid=$gid"; then
     echo "$prompt mount of $mountingDIR on $mountDIR failed"
     exit 1
   fi

   # Log output line
   #echo `date` >> /var/log/nasmount.log
   #echo "mount successful" >> /var/log/nasmount.log
   echo "$prompt done."
  ;;

  stop)
   # check whether mountDIR is a mount point
   if /bin/mountpoint -q "$mountDIR"; then
     echo "$prompt Directory is mounted, it will be unmounted"
     if ! /bin/umount "$mountDIR"; then
       echo "$prompt umount of $mountDIR failed"
       exit 1
     fi
   else
     echo "$prompt Directory not mounted"
   fi
   echo "$prompt done."
  ;;

  *)
  ## If no parameters are given, print which are available.
   echo "Usage: $0 {start|stop}"
   exit 1
  ;;
esac

exit 0

A bash script for Windows DFS mount in Linux

[Purpose]
Since the Kerberos tickets only work for 24 hours in our system,
I wrote a bash script for crontab to automatically remount a Windows DFS
directory in our Linux system.

[Prerequisite]
Please see my post: Mount Windows DFS in Linux with Kerberos

[Advice]
You should run this script as "root". If you want to use it for other users,
check the access rights of those users on the mount point (the uid and gid options below).

[Results]
This script only needs to be called once: even after the Kerberos ticket expires
(24 hours) the mount point still works, and you still have read and write access
to the mounted Windows DFS directory.
Just make sure that the script is called again after a server reboot.
Note that the script passes password= to mount.cifs, so the CIFS session is
authenticated with that password (NTLM) and does not depend on the ticket at all;
the kinit call only matters if you switch to sec=krb5. With sec=krb5 an established
session also survives ticket expiry, but a reconnect after a network interruption
needs a valid ticket in the credential cache.

[Codes]

#!/bin/sh
# Edited 10.05.2012
mountDIR=<your mount point in linux system>
mountingDIR=<your directory in windows DFS //windows/directory >
# AD user and AD password
ad_user=<your Active Directory user, who can be authenticated in AD>
ad_password=<AD user password>
# Access user for the mounted directory in DFS
user=< user who has read and write rights in the Windows DFS directory, e.g. $ad_user >
password=< password of that user, e.g. $ad_password >
# DFS domain
dom=<your DFS domain, XXX >
# Access rights setting for the mount point
uid=< the Linux user who should be able to access the mount point (your DFS after mounting) >
gid=< the Linux group who should be able to access the mount point >

# create the mount point directory, or unmount it if it is already in use
if [ ! -d "$mountDIR" ]
then
        echo "Directory doesn't exist"
        mkdir "$mountDIR"
else
        echo "Directory exists, it will be unmounted"
        # umount.cifs is obsolete; plain umount handles CIFS mounts
        /bin/umount "$mountDIR"
fi

# get a Kerberos ticket-granting ticket from AD; the user must be a member of the AD realm.
# kinit has no password argument: it reads the password from stdin when stdin is not a terminal.
echo "$ad_password" | kinit "$ad_user" || exit 1

# after the ticket is granted, mount the NAS directory on the mount point.
# uid and gid set the user id and group id that own the mounted files.
/sbin/mount.cifs "$mountingDIR" "$mountDIR" -o "user=$user,dom=$dom,password=$password,uid=$uid,gid=$gid"

Mount Windows DFS in Linux with Kerberos

1. Use case:
Sometimes you need to transfer large data files (e.g. VMware image files) between a Windows system and a Linux system. What I did before was to use the WinSCP client to transfer the data from Windows to Linux, or to get the data from Linux to Windows. Since it is a big file (2 GB), it takes about 30-60 minutes depending on your LAN speed.
The new solution is to use a Windows DFS shared drive in the Windows environment and mount the Windows DFS with Kerberos in the Linux systems, so you can write and read the file from all of your systems. The file transfer is also very fast (10 MB/s).

2. Packages needed:
smbclient, pam_krb5 and krb5-client are needed to mount DFS with Kerberos.
In SLES 11 just select kerberos client and smbclient in yast2; the packages will be installed automatically.
For a sec=krb5 mount the kernel CIFS client also needs the cifs.upcall helper (from the cifs-mount/cifs-utils package, which also provides /sbin/mount.cifs) registered in /etc/request-key.conf; without it the mount fails even though klist shows a valid ticket.

3. Configure Kerberos in Linux:
/etc/krb5.conf (the realm name must be your AD domain name in upper case):

[libdefaults]
default_realm = <your domain name in upper case>
# 0 means: try TCP before UDP for every request. AD tickets carry a PAC and are
# often larger than a UDP datagram, so this avoids truncated KDC replies.
udp_preference_limit = 0
[realms]
<your domain name in upper case> = {
kdc = <your Active Directory server name>.<your domain name>
}
[logging]
# the kdc and admin_server entries only matter on a KDC; they are harmless on a client
kdc = FILE:/var/log/krb5/krb5kdc.log
admin_server = FILE:/var/log/krb5/kadmind.log
default = SYSLOG:NOTICE:DAEMON

4. Getting a TGT in the shell:
$root> kinit <Username>
Mostly the first letter of your Active Directory username should be in upper case.
klist checks whether you have a TGT (ticket-granting ticket); you should see something like the following:
klist
Ticket cache: FILE:/tmp/krb5cc_500
Default principal: <your username>@<your domain name>
Valid starting     Expires            Service principal
08/30/10 12:21:22  08/30/10 22:21:25  krbtgt/<your domain name>@<your domain name>
        renew until 08/31/10 12:21:22

Be careful when using the TGT for authentication: the client must use the same NTP time server as the KDC (your AD domain controller), because Kerberos rejects requests whose timestamp is off by more than the allowed clock skew (5 minutes by default).
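The crontab post above remounts blindly every day; the klist output in this section contains everything needed to decide whether the TGT is actually missing or about to expire. The following is an added example (not code from the original posts): it parses klist output and returns "refresh needed" only when no krbtgt entry exists or it expires within a margin. It assumes GNU date (for -d) and the klist text layout shown above; the sample output is constructed, not captured from a real system, and the dates are treated as UTC so the result does not depend on the machine's time zone (on a real host klist prints local time, so drop -u there).

```shell
#!/bin/sh
# Added example: decide from klist output whether kinit (and a remount) is needed.

# Constructed klist output, modelled on the format shown in section 4.
KLIST_SAMPLE='Ticket cache: FILE:/tmp/krb5cc_500
Default principal: Dummy@DOMAIN1.EXAMPLE

Valid starting       Expires              Service principal
08/30/10 12:21:22    08/30/10 22:21:25    krbtgt/DOMAIN1.EXAMPLE@DOMAIN1.EXAMPLE
    renew until 08/31/10 12:21:22
08/30/10 12:25:10    08/30/10 22:21:25    cifs/dfs.domain1.example@DOMAIN1.EXAMPLE'

# krb_date_to_epoch MM/DD/YY|MM/DD/YYYY HH:MM:SS -> seconds since the epoch
krb_date_to_epoch() {
    _m=${1%%/*}; _rest=${1#*/}; _d=${_rest%%/*}; _y=${_rest#*/}
    [ ${#_y} -eq 2 ] && _y="20$_y"          # older klist versions print two-digit years
    date -u -d "$_y-$_m-$_d $2" +%s         # -u: treat as UTC (example only)
}

# tgt_expiry_epoch KLIST_OUTPUT -> expiry of the krbtgt entry; fails if there is none
tgt_expiry_epoch() {
    _line=$(printf '%s\n' "$1" | grep -E '[[:space:]]krbtgt/' | head -n 1)
    [ -n "$_line" ] || return 1
    set -- $_line                           # $3 and $4 are the "Expires" date and time
    krb_date_to_epoch "$3" "$4"
}

# tgt_needs_refresh NOW_EPOCH MARGIN_SECONDS KLIST_OUTPUT
# returns 0 (true) when there is no TGT at all or it expires within MARGIN_SECONDS
tgt_needs_refresh() {
    _exp=$(tgt_expiry_epoch "$3") || return 0
    [ $((_exp - $1)) -le "$2" ]
}

# Typical cron use (assumed names, not executed here): refresh one hour before
# expiry, preferably from a keytab instead of a clear-text password, then remount.
#   if tgt_needs_refresh "$(date +%s)" 3600 "$(klist 2>/dev/null)"; then
#       kinit -k -t /etc/nasmount.keytab nasmount@DOMAIN1.EXAMPLE && /etc/init.d/nasmount start
#   fi
```

klist -s already answers "is there a valid ticket?" with its exit status, but it cannot tell you that the ticket expires in ten minutes; the margin check above lets a cron job renew early instead of racing the expiry.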

5.a Mount the Windows DFS shared drive as "root" with mount.cifs:
Mount command:

/sbin/mount.cifs <share path> <mount path> -o user=<Username>,dom=<domain name in Uppercase>,{sec=krb5|password=xxxxxx}

e.g. /sbin/mount.cifs //dfs/Home/Dummy /windowsShare -o user=Dummy,dom=DOMAIN1,sec=krb5
In this case the Windows share is reachable under "//dfs/Home/Dummy", the mount path is /windowsShare in your Linux system, which must be created with "mkdir" before you mount the DFS share, and the user is named "Dummy". With sec=krb5 the mount uses the TGT from section 4 and no password is passed; with password=xxxxxx the ticket is not used at all and the password ends up in the shell history, so prefer sec=krb5 or a credentials= file readable only by root. Keep the /windowsShare directory empty: files in it are hidden while the share is mounted.

5.b Access the Windows DFS shared drive as a non-root user:
If you don't want to use root, you can run "chmod u+s /sbin/mount.cifs" so that mount.cifs runs setuid root and ordinary users can call it; then a user can mount the Windows DFS shared drive following the steps in sections 4 and 5.a. Be aware that a setuid-root mount.cifs is not free of security issues: it has had privilege-escalation bugs in the past, and the cifs-utils maintainers discourage installing it setuid. The safer alternatives are an /etc/fstab entry for the share with the "user" option (the regular setuid "mount" then runs mount.cifs as root for that entry only) or a sudo rule limited to the exact mount command.
If it is still not working on your Linux system, mount the DFS shared drive as "root" with the following command:

/sbin/mount.cifs <share path> <mount path> -o user=<Username>,dom=<domain name in Uppercase>,{sec=krb5|password=xxxxxx},uid=<read/write userid>
e.g.: /sbin/mount.cifs //dfs/Home/Dummy /windowsShare -o user=Dummy,dom=DOMAIN1,sec=krb5,uid=Dummy
In this example the option "uid=Dummy" makes the user Dummy the owner of the mounted files, so Dummy can access the DFS shared drive after root has mounted it. Note that when root mounts with sec=krb5, the ticket is taken from root's credential cache; newer mount.cifs versions also accept cruid=<user> to use the ticket that user obtained with kinit instead.
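The password=xxxxxx form of the mount command in 5.a and 5.b leaves the password in the shell history and in any script that contains it. As an added example (not from the original post), the helpers below write a mount.cifs credentials file with mode 0600 and build the -o string for either a ticket-based (sec=krb5 plus cruid=) or a password-based (credentials=) mount, so the password never appears on a command line. File paths, uid/gid values and the share name in the usage comment are assumptions; mount.cifs reads "username=", "password=" and "domain=" lines from a credentials file.

```shell
#!/bin/sh
# Added example: credentials file with safe permissions and mount.cifs option building.

# write_cifs_credentials FILE USER PASSWORD DOMAIN
# Creates FILE with mode 0600 and fails if the resulting permissions are not 0600.
write_cifs_credentials() {
    _file=$1
    rm -f "$_file" || return 1             # a stale file would keep its old permissions
    # umask 077 in a subshell: the file is created 0600 from the start (no chmod race)
    ( umask 077; printf 'username=%s\npassword=%s\ndomain=%s\n' "$2" "$3" "$4" > "$_file" ) || return 1
    [ "$(stat -c %a "$_file")" = 600 ]
}

# cifs_mount_opts MODE UID GID [CREDFILE] -> prints the -o string for mount.cifs
#   krb5:     authenticate with the Kerberos ticket cache of UID (cruid=), no password
#   password: authenticate with the credentials file written above
# UID/GID own the mounted files in both modes.
cifs_mount_opts() {
    case $1 in
        krb5)     printf 'sec=krb5,cruid=%s,uid=%s,gid=%s' "$2" "$2" "$3" ;;
        password) [ -n "$4" ] || return 1
                  printf 'credentials=%s,uid=%s,gid=%s' "$4" "$2" "$3" ;;
        *)        return 1 ;;
    esac
}

# mount_dfs SHARE MOUNTPOINT OPTS: mount only if not already mounted, report failures
mount_dfs() {
    mountpoint -q "$2" && { echo "$2 is already mounted"; return 0; }
    /sbin/mount.cifs "$1" "$2" -o "$3" || { echo "mount of $1 on $2 failed" >&2; return 1; }
}

# Usage as root (assumed values, not executed here):
#   write_cifs_credentials /root/.dfs.cred Dummy 'secret' DOMAIN1 &&
#   mount_dfs //dfs/Home/Dummy /windowsShare "$(cifs_mount_opts password 1000 100 /root/.dfs.cred)"
# or, after "kinit Dummy" was run as uid 1000:
#   mount_dfs //dfs/Home/Dummy /windowsShare "$(cifs_mount_opts krb5 1000 100)"
```

The permission check after writing is deliberate: a credentials file that is group- or world-readable is the same as putting the password on the command line, and refusing to continue is better than mounting with a leaked secret.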

6. Make aliases for the mount commands
in Dummy's home directory, in ~/.alias:
$Dummy> vi .alias
insert the following lines into the .alias file:
alias mws="/sbin/mount.cifs //dfs1/Home/Dummy /windowsShare -o user=Dummy,dom=DOMAIN1,sec=krb5"
alias ad="kinit Dummy"
with these aliases you only need the following two commands to mount a Windows DFS share:
$ Dummy> ad
$ Dummy> mws