Configuring NAS services (revision 2)

Introduction

This procedure describes how to set up network-accessible storage services. It presupposes the availability of a system (physical or a VM) with adequate storage space.

NFS services

In my case, this is to be run on a VM with large disks, not on the virtualisation servers!

  1. Run:
    apt-get install nfs-kernel-server
  2. Create the filesystems to share (e.g. use lvcreate to create volumes and mkfs to make a filesystem on them).
  3. Add entries to /etc/exports to export them.
  4. Run:
    exportfs -av
  5. If the NFS server is a VM and there are also NFS clients on the same physical server, then some performance increase can be gained by directing NFS traffic over a host-only network. To do this:
    1. On the physical server define a host-only network.
    2. On the NFS server and on the NFS clients add additional NICs connected to the network.
    3. Use the automounter to specify that the client should first try to communicate over the host-only network and, after a timeout, fall back to the public network (for the case where one of the VMs gets migrated to a different server and has access to a different host-only network of the same name) by adding entries like this (from auto.staging):
      svn -nordirplus,nfsvers=3,proto=tcp \
             filer-on-storage-net.pasta.net,\
             filer-on-public-net.pasta.net:/vol/small/svn
  6. Certain NFS mounts require special options that should be included in the client’s mount options (possibly via autofs maps):
    • access to a subversion repository requires nolock
    • if there is no need to update access times (as opposed to change times or modification times) then consider adding the options noatime,nodiratime
  7. If the NFS server is not also an autofs client then, depending on what other services are being enabled on the storage server (e.g. SMB), it may be necessary for users’ homes to be accessible at the correct directory location (e.g. my home directory is /home/alexis but on the storage server this is actually /vol/small/home/alexis). If this is the case (and it is for me!) then create some symlinks to make things work. E.g.:
    rmdir /home
    ln -s vol/small/home /home
    ln -s vol/pub /pub

SMB services with LDAP authentication

This configuration uses Samba with a (possibly remote) LDAP backend for authentication.

  1. On the Samba server:
    1. Run:
      apt-get install samba
    2. Copy the file /usr/share/doc/samba/examples/LDAP/samba.ldif.gz to the LDAP server and gunzip it to /tmp/samba.ldif.
    3. We will come back to configuring Samba shortly, but for now we just needed that file from the samba package copied to the LDAP server.
  2. On the LDAP server:
    1. Load the Samba schema and verify it was loaded by running:
      ldapadd -Y EXTERNAL -H ldapi:/// -f /tmp/samba.ldif 
      ldapsearch -LLLQY EXTERNAL -H ldapi:/// -b cn=schema,cn=config "(objectClass=olcSchemaConfig)" dn
    2. Allow users to change not only their userPassword attribute but also a couple of Samba-password-related attributes, as follows:
      1. Locate the database entry (‘DN’) and the attribute definition that specify who can do what to what by running:
        ldapsearch -Y EXTERNAL -H ldapi:/// -z 0 -o ldif-wrap=no -b "cn=config" "(objectclass=*)" | grep -B 10 -A 10 'attrs=userPassword'

        (Probably the entry is olcDatabase={1}mdb,cn=config.)

      2. Create /tmp/samba-pw-perms.ldif containing:
        dn: <whatever-the-dn-was>
        changetype: modify
        replace: olcAccess
        <all-olcAccess-lines-as-outputted-by-ldapsearch-above-yes-all-of-them>

        and then replace attrs=userPassword with attrs=userPassword,sambaNTPassword,sambaLMPassword.

      3. Run:
        ldapmodify -H ldapi:/// -Y EXTERNAL -f /tmp/samba-pw-perms.ldif
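The three sub-steps above (locate the olcAccess entry, copy all its values into a modify LDIF, widen the userPassword rule) can be scripted. The following shell function is an added example, not from the original page: it reads the LDIF that ldapsearch prints for the config database on stdin (folded continuation lines are unfolded) and writes the samba-pw-perms.ldif modification on stdout. The function name and the sample input in the comments are mine.

```shell
#!/bin/sh
# make_samba_pw_perms_ldif: turn 'ldapsearch ... -b cn=config' output into an
# ldapmodify LDIF that replaces olcAccess with the same rules, except that the
# rule for attrs=userPassword also covers sambaNTPassword and sambaLMPassword.
# Only the dn: and olcAccess: lines of the input are used; everything else
# (objectClass, other olc* attributes, comments) is ignored.
make_samba_pw_perms_ldif() {
    awk '
        /^#/  { next }                                # skip LDIF comments
        /^ /  { rec[n] = rec[n] substr($0, 2); next } # unfold continuation lines
        /./   { rec[++n] = $0 }                       # new attribute line; blanks dropped
        END {
            for (i = 1; i <= n; i++) {
                line = rec[i]
                if (line ~ /^dn: /) {
                    print line
                    print "changetype: modify"
                    print "replace: olcAccess"
                } else if (line ~ /^olcAccess: /) {
                    # widen only the userPassword rule; every other olcAccess
                    # value is reproduced unchanged so the ordering stays intact
                    sub(/attrs=userPassword/,
                        "attrs=userPassword,sambaNTPassword,sambaLMPassword", line)
                    print line
                }
            }
        }'
}

# Typical use on the LDAP server, producing the file that ldapmodify loads
# (the DN is the one found with the ldapsearch in the first sub-step):
#   ldapsearch -LLL -Q -Y EXTERNAL -H ldapi:/// \
#       -b "olcDatabase={1}mdb,cn=config" olcAccess \
#       | make_samba_pw_perms_ldif > /tmp/samba-pw-perms.ldif
```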
  3. Back on the Samba server:
    1. Install and configure smbldap-tools as follows:
      1. Run:
        apt-get install smbldap-tools
      2. Run:
        zcat /usr/share/doc/smbldap-tools/examples/smbldap.conf.gz \
            > /etc/smbldap-tools/smbldap.conf
        cp /usr/share/doc/smbldap-tools/examples/smbldap_bind.conf \
            /etc/smbldap-tools/smbldap_bind.conf
      3. Edit /etc/smbldap-tools/smbldap.conf and set:
        SID="<output-of-net-getlocalsid>"
        sambaDomain="<single-uppercase-word-description-of-network>"
        slaveLDAP="ldap://ziti.pasta.net/"
        masterLDAP="ldap://ziti.pasta.net/"
        ldapTLS="0"
        suffix="dc=pasta,dc=net"
        usersdn="ou=Users,${suffix}"
        computersdn="ou=Computers,${suffix}"
        idmapdn="ou=Users,${suffix}"
      4. Run:
        chmod 0644 /etc/smbldap-tools/smbldap.conf
        chmod 0600 /etc/smbldap-tools/smbldap_bind.conf
    2. The default /etc/samba/smb.conf is a bit unreadable. Clean it up by running:
      cd /etc/samba
      testparm -s > smb.conf.new
      systemctl stop smbd
      mv smb.conf smb.conf.orig
      mv smb.conf.new smb.conf
      systemctl start smbd
    3. Edit /etc/samba/smb.conf and set/comment-out:
      [global]
          passdb backend = ldapsam:ldap://ziti.pasta.net/
          ldap admin dn = cn=admin,dc=pasta,dc=net
          ldap suffix = dc=pasta,dc=net
          # Next two lines depend on TLS/SSL availability on the LDAP server
          #ldap ssl = start tls
          ldap ssl = no
          obey pam restrictions = no
          ldap user suffix = ou=Users
          ldap group suffix = ou=Groups
          ldap machine suffix = ou=Computers
          ldap idmap suffix = ou=Users
          #  Don't use Samba's internal LDAP password syncer ...
          ldap passwd sync = no
          #  ... use an external program instead
          unix password sync = Yes
          passwd program = /usr/sbin/smbldap-passwd -u %u
          passwd chat = *New*password* %n\n *Retype*new*password* %n\n *all*authentication*tokens*updated*
          #  'hide dot files' just makes dot files show up with the 'H'
          #  attribute; if you really want to hide them (from smbclient too):
          veto files = .*

    4. If you want to do user creation from Windows then see /usr/share/doc/smbldap-tools/README.Debian.gz for details.
    5. Regarding resources, edit /etc/samba/smb.conf and set:
      ...

      [homes]
      ...
      read only = no
      ...

      [pub]
          comment = Public Archive
          browsable = yes
          path = /pub/

      #[printers]
      #...

      #[print$]
      #...

      and restart smbd.

    6. Create the necessary structures in the LDAP database by running this (still on the Samba server):
      smbldap-populate
      
    7. For each existing user in LDAP that needs SMB access run:
      smbpasswd -a <username>

      (Note that this will change the user’s Unix password too!)

  4. To test, go to a machine with smbclient installed and run the following as a normal user:
    lagane$ smbclient '\\stortini\alexis'
    mkdir failed on directory /var/run/samba: Permission denied
    Unable to initialize messaging context
    Enter WORKGROUP\alexis's password: 
    Try "help" to get a list of possible commands.
    smb: \> ls
    ...
    smb: \>
  5. Regarding the error messages:
    • mkdir .... Permission denied seems to be cosmetic (if I tell smbclient to contact my old non-LDAP-ised Samba server then it produces the same error message but nonetheless successfully connects to my home directory).
    • Unable to ... is due to a bug in smbclient but may also only be cosmetic; output in BTS#931688 seems to indicate that the smbclient shell can be started even with this message.

DLNA services

  1. Install the server as follows:
    apt-get install minidlna
    systemctl stop minidlna
  2. Edit /etc/minidlna.conf and set:
    merge_media_dirs=yes
    friendly_name=<whatever-you-prefer>
    serial=1
    wide_links=yes
  3. Create a symlink farm under /var/lib/minidlna to expose only certain parts of your media collection. For example:
    cd /var/lib/minidlna
    mkdir video audio
    ln -s /pub/multimedia/video/{cinema,music,television} video/
    ln -s /pub/multimedia/audio/{music,spoken/{comedy,drama}} audio/
  4. Wipe the cache, restart minidlna and monitor its CPU usage (which should be high for some length of time, depending on how much media there is to index):
    rm /var/cache/minidlna/files.db; systemctl start minidlna; top

See also