Symlinks on clients + SMB >=2 possible?

I use symlinks from a Linux client (it’s required for various software like Nextflow). I’ve been using NFS with sec=sys on my home network, but it needs to go, because the network isn’t fully trusted. sec=sys is effectively authenticating based on the IP address. I don’t have the infrastructure to set up a dedicated VLAN for NFS.

I recently enabled the Apple extensions in SMB service settings, and it seemed possible to create symlinks on the client, but checking again today I can’t. Maybe I was wrong the first time, or it’s unstable.

To summarize, I’m looking for:

  • Protocol with authentication support
  • Symlink support

Options:

  • The best option is to get SMB symlinks to work – this is why I’m asking for help.
  • SMBv1 may work, but I think the performance and security is sub-optimal.
  • I could set up a Kerberos realm and use NFS. It may be a good learning experience, but I feel it’s a bit complex for my use case.
  • [Added later in an edit] I also have a small problem with “mfsymlinks”, that I also access the files directly on the TrueNAS server in a container. So if I use mfsymlinks mount option, they would not look like symlinks locally on the TrueNAS server.

Would hardlinks not suffice for what you need? They are supported over SMB, as long as the command involves files within the same share (and dataset).

I use some tools that require symlinks, so hardlinks are not a complete solution for me. My workflow also involves linking to a directory, which is a bit more confusing with hardlinks (though "cp -rl" is pretty handy).

Here is some more information about other systems (it may be interesting, but it’s probably not useful, at least not to me). These were tested with a Mac client, but it’s similar to Linux except that it falls back to mfsymlinks automatically.

  • Windows 2019 server: It creates something that looks like a symlink, and works like a symlink even locally on the windows server.
  • Dell PowerScale: It’s possible to create symlinks with an SMB2 or SMB3.11 session (I get different version outputs on the client and the server). These are real symlinks that are also usable over NFS. This uses Likewise Input Output (lwio), not Samba, so I can’t just copy the config.
  • QNAP: When I create symlinks, they seem to be mfsymlinks only, not real symlinks. There is an option in the config UI to enable symbolic links, but it seems to be for following symbolic links.

I also tried to set an extended option in TrueNAS SMB “smb3 unix extensions = yes”, without any luck.

Given that I didn’t find any examples of samba configs that work with this, I will probably look into a simple Kerberos setup and NFS instead.

Apologies for reviving an old thread. Like you, being able to use symbolic links matters to me. Unfortunately, Samba software, and Apple’s client SMB software, do not currently support presenting symbolic links to clients (link is to a thread on the Samba mailing list). Instead, Samba presents the server file system’s symbolic links as copies of the directories linked to. That means my client-side tools which recursively search directories, but pass over symbolic links, get fooled into following infinite trails of apparent directories.

So will I. I would appreciate your posting any helpful guidance about Kerberos + NFS.

I’ve set up NFS with Kerberos, but it required some trial and error. I am using a docker-based Kerberos server - gcavalcante8808/krb5-server (I’m fine to put my auth DB in the hands of some random person on Github, make this judgement for yourself). I don’t run a DNS server, but I have pfSense as the router and DNS cache, so I added DNS pointers in it for the kerberos server, the NAS and the client.

In the Credentials config in TrueNAS I’ve added the kerberos realm and a kerberos keytab. I don’t run LDAP, so the users are created locally on each host, with the same name, UID and GID. Also added “Libdefaults Auxiliary Parameters”: default_realm = LAN.FA2K.NET

There were a lot of issues with getting ID mapping working. The files would look like they have the correct ownership from the client, but I would still get “permission denied” errors when accessing them. I’m not sure what fixed it in the end, this is why I haven’t made a blog post or forum post describing the setup. I don’t have the client’s idmap config available at the moment, but if I remember I’ll post it below next time I’m using it.

Every time I log on to the client (GUI login) I have to type the kinit command in a terminal to authenticate. I’ve tried and failed to automatically get a ticket on login, but I think it’s only a minor nuisance, so I’m fine the way it is.

Let me know if you have some specific questions. (If it goes smoothly for you with less issues, maybe you could even share the procedure, there may be even more people interested)

Some config on the client. Sorry I don’t remember if I had to edit any other files.

/etc/idmapd.conf

Domain = lan.fa2k.net

/etc/krb5.conf

# To opt out of the system crypto-policies configuration of krb5, remove the
# symlink at /etc/krb5.conf.d/crypto-policies which will not be recreated.
includedir /etc/krb5.conf.d/

[logging]
    default = FILE:/var/log/krb5libs.log
    kdc = FILE:/var/log/krb5kdc.log
    admin_server = FILE:/var/log/kadmind.log

[libdefaults]
    dns_lookup_realm = false
    ticket_lifetime = 36h
    renew_lifetime = 7d
    forwardable = true
    rdns = false
    pkinit_anchors = FILE:/etc/pki/tls/certs/ca-bundle.crt
    spake_preauth_groups = edwards25519
    dns_canonicalize_hostname = fallback
    qualify_shortname = ""
    default_realm = LAN.FA2K.NET
    default_ccache_name = FILE:/tmp/krb5cc_%{uid}

[realms]
# EXAMPLE.COM = {
#     kdc = kerberos.example.com
#     admin_server = kerberos.example.com
# }
LAN.FA2K.NET = {
    kdc = 192.168.1.4
    admin_server = 192.168.1.4
}

[domain_realm]
# .example.com = EXAMPLE.COM
# example.com = EXAMPLE.COM
    .lan.fa2k.net = LAN.FA2K.NET
    lan.fa2k.net = LAN.FA2K.NET

I needed to create keytabs for the NAS (e.g. nfs/jonas.lan.fa2k.net) and client (host/nepe.lan.fa2k.net) and put the client one in /etc/krb5.keytab.

Most guides recommend accessing kadmin on the Kerberos server with kadmin.local, but when it’s in a container, I found it easier to connect from other hosts:

kinit admin/admin
kadmin

Add the keytab to the client

sudo ktutil
ktutil: rkt /path/to/client.keytab
ktutil: wkt /etc/krb5.keytab
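As an added example (not from the thread, TrueNAS or any of the posters), a small POSIX shell check for the client-side files posted above: it confirms that the idmapd Domain is the lower-cased default_realm from krb5.conf and that [domain_realm] maps that domain to the realm, one of the mismatches behind the ID-mapping "permission denied" mentioned earlier. The realm and domain values follow the posted config; the sample files are constructed.

```shell
#!/bin/sh
# Added example, not from the thread: check that a client's krb5.conf and
# idmapd.conf agree before mounting with sec=krb5. A mismatch between the
# realm, the idmapd Domain and the [domain_realm] mapping is a common cause
# of "permission denied" on NFSv4 even when ownership looks right from the
# client. File paths are parameters; make_samples() writes constructed files.

# Print default_realm from [libdefaults]; tolerates tabs/spaces around '='.
krb5_default_realm() {
    sed -n 's/^[[:space:]]*default_realm[[:space:]]*=[[:space:]]*//p' "$1" | head -n 1
}

# Print the (uncommented) Domain setting from idmapd.conf.
idmapd_domain() {
    sed -n 's/^[[:space:]]*Domain[[:space:]]*=[[:space:]]*//p' "$1" | head -n 1
}

# Succeed when the idmapd Domain is the default realm in lower case,
# the convention used in the thread (LAN.FA2K.NET <-> lan.fa2k.net).
check_idmap_matches_realm() {
    realm=$(krb5_default_realm "$1"); domain=$(idmapd_domain "$2")
    [ -n "$realm" ] && [ -n "$domain" ] || return 1
    [ "$(printf '%s' "$realm" | tr 'A-Z' 'a-z')" = "$domain" ]
}

# Succeed when [domain_realm] maps both "domain" and ".domain" to the realm.
check_domain_realm_mapping() {
    realm=$(krb5_default_realm "$1"); domain=$(idmapd_domain "$2")
    esc=$(printf '%s' "$domain" | sed 's/\./\\./g')   # literal dots in the regex
    grep -Eq "^[[:space:]]*\\.${esc}[[:space:]]*=[[:space:]]*${realm}[[:space:]]*$" "$1" &&
        grep -Eq "^[[:space:]]*${esc}[[:space:]]*=[[:space:]]*${realm}[[:space:]]*$" "$1"
}

# Constructed sample files mirroring the thread's values, written under $1.
make_samples() {
    printf '[libdefaults]\n    default_realm = LAN.FA2K.NET\n[domain_realm]\n    .lan.fa2k.net = LAN.FA2K.NET\n    lan.fa2k.net = LAN.FA2K.NET\n' > "$1/krb5.conf"
    printf '[General]\n#Domain = local.domain.edu\nDomain = lan.fa2k.net\n' > "$1/idmapd-good.conf"
    printf '[General]\nDomain = localdomain\n' > "$1/idmapd-bad.conf"   # stock default left in place
}

# Usage: sh check-krb5-idmap.sh /etc/krb5.conf /etc/idmapd.conf
if [ $# -eq 2 ]; then
    if check_idmap_matches_realm "$1" "$2" && check_domain_realm_mapping "$1" "$2"; then
        echo "realm, idmapd Domain and [domain_realm] agree"
    else
        echo "mismatch: compare default_realm, Domain and [domain_realm]" >&2
    fi
fi
```

The same Domain value must also be set on the server side of the NFSv4 mount, which this script does not see.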