You might face the same issue I had. vfs_ceph wants to have a key for the root of the cephfs, it is cutrently not possible to restrict access to a sub-directory mount. For this reason, I decided to go for a re-export of a kernel client mount.
I consider this a serious security issue in vfs_ceph and will not use it until it is possible to do sub-directory mounts.
I don't think its difficult to patch the vfs_ceph source code, if you need to use vfs_ceph and cannot afford to give access to "/" of the cephfs.
Best regards,
=================
Frank Schilder
AIT Risø Campus
Bygning 109, rum S14
________________________________________
From: Matt Larson <larsonmattr@xxxxxxxxx>
Sent: 12 November 2020 00:40:21
To: ceph-users
Subject: Unable to clarify error using vfs_ceph (Samba gateway for CephFS)
I am getting an error in the log.smbd from the Samba gateway that I
don’t understand and looking for help from anyone who has gotten the
vfs_ceph working.
Background:
I am trying to get a Samba gateway with CephFS working with the
vfs_ceph module. I observed that the default Samba package on CentOS
7.7 did not come with the ceph.so vfs_ceph module, so I tried to
compile a working Samba version with vfs_ceph.
Newer Samba versions have a requirement for GnuTLS >= 3.4.7, which is
not an available package on CentOS 7.7 without a custom repository. I
opted to build an earlier version of Samba.
On CentOS 7.7, I built Samba 4.11.16 with
[global]
security = user
map to guest = Bad User
username map = /etc/samba/smbusers
log level = 4
load printers = no
printing = bsd
printcap name = /dev/null
disable spoolss = yes
[cryofs_upload]
public = yes
read only = yes
guest ok = yes
vfs objects = ceph
path = /upload
kernel share modes = no
ceph:user_id = samba.upload
ceph:config_file = /etc/ceph/ceph.conf
I have a file at /etc/ceph/ceph.conf including:
fsid = redacted
mon_host = redacted
auth_cluster_required = cephx
auth_service_required = cephx
auth_client_required = cephx
I have an /etc/ceph/client.samba.upload.keyring /w key for the user
`samba.upload`
However, connecting fails:
smbclient \\\\localhost\\cryofs_upload -U guest
Enter guest's password:
tree connect failed: NT_STATUS_UNSUCCESSFUL
The log.smbd gives these errors:
Initialising custom vfs hooks from [ceph]
[2020/11/11 17:24:37.388460, 3]
../../lib/util/modules.c:167(load_module_absolute_path)
load_module_absolute_path: Module '/usr/local/samba/lib/vfs/ceph.so' loaded
[2020/11/11 17:24:37.402026, 1]
../../source3/smbd/service.c:668(make_connection_snum)
make_connection_snum: SMB_VFS_CONNECT for service 'cryofs_upload' at
'/upload' failed: No such file or directory
There is an /upload directory for which the samba.upload user has read
access to in the CephFS.
What does this error mean: ‘no such file or directory’ ? Is it that
vfs_ceph isn’t finding `/upload` or is some other file depended by
vfs_ceph not been found? I have also tried to specify a local path
rather than a CephFS path and will get the same error.
Is there any good guide that describes not just the Samba smb.conf,
but also what should be in /etc/ceph/ceph.conf, and how to provide the
key for the ceph:user_id ? I am really struggling to find good
first-hand documentation for this.
Thanks,
Matt
--
Matt Larson, PhD
Madison, WI 53705 U.S.A.
_______________________________________________
ceph-users mailing list -- ceph-users@xxxxxxx
To unsubscribe send an email to ceph-users-leave@xxxxxxx
_______________________________________________
ceph-users mailing list -- ceph-users@xxxxxxx
To unsubscribe send an email to ceph-users-leave@xxxxxxx
