diff --git a/hosts/skydick/DATAPOOL.md b/hosts/skydick/DATAPOOL.md index 15936ec..6216d2e 100644 --- a/hosts/skydick/DATAPOOL.md +++ b/hosts/skydick/DATAPOOL.md @@ -14,9 +14,16 @@ NFS paths are relative to the NFSv4 pseudo-root (`/srv` on the server, exported with `fsid=0`). -The share/export paths above are live. The dedicated `dick/users/*`, `dick/system/*`, and -`dick/templates/*` ZFS datasets are the intended final layout and still require explicit dataset -creation/migration on a host where only the legacy `dick/{share,media,backup,torrent,vm}` tree exists. +The final storage layout is live on `skydick`: + +- `dick/public` mounted at `/srv/public` +- `dick/media` mounted at `/srv/media`, with `data/` and `library/` directories in one hardlink domain +- `dick/users//{files,bt-state,vm}` for per-user private data +- `dick/system/{backup,vm}` for centrally managed system storage +- `dick/templates/vm` for shared read-only VM base images + +The old `dick/{share,backup,torrent,vm}` layout is no longer part of the design. Torrent payload now +lives under `/srv/media/data`, and organized media under `/srv/media/library`. ## Identity and authentication @@ -28,6 +35,9 @@ - Shared `public` / `media` access is carried by the LDAP `posixGroup` `cn=storage,ou=posix_groups,dc=skyw,dc=top` with `gidNumber: 997` - NFS still does not authenticate users; it trusts client IPs and export options +- LDAP remains the password source of truth. After a user's SMB access is bootstrapped once, + password changes should happen through the LDAP password-change flow (the password web UI or + `ldappasswd`), which keeps Samba's `sambaSamAccount` password data aligned. Current admin users on skydick intentionally use the same canonical usernames as their LDAP identities, for example `ye-lw21`. In those collisions, local NSS lookup still wins for the final 
@@ -48,8 +58,10 @@ \\10.0.1.1\ ``` -When prompted, enter your SMB credentials. Admins provision or reset them on skydick with -`smbpasswd -a `, which now writes the user's `sambaSamAccount` data into LDAP. +When prompted, enter your SMB credentials. For a user's first SMB login, an admin must bootstrap +the account once on skydick with `smbpasswd -a `, which creates the LDAP +`sambaSamAccount` data for that user. After that, change passwords through the LDAP password UI +or `ldappasswd` so LDAP remains authoritative and SMB stays in sync. ### macOS @@ -157,7 +169,8 @@ Private per-user storage. Only you can access your tree. - SMB: Samba `[homes]` share — connect as `\\SKYDICK\`, authenticates with your Samba password -- SMB provisioning: `smbpasswd -a ` on skydick creates or updates your `sambaSamAccount` +- SMB bootstrap: one-time `smbpasswd -a ` on skydick creates your `sambaSamAccount` +- SMB password changes after bootstrap: use the LDAP password UI or `ldappasswd` - NFS: `/users/` export with `all_squash` mapping all operations to your UID/GID Your NFS export maps every client UID to your server-side UID. This means any process on any @@ -273,7 +286,10 @@ sudo git -C /etc/nixos pull && sudo nixos-rebuild switch --flake /etc/nixos ``` -### 5. Create ZFS datasets on skydick +### 5. Create per-user ZFS datasets on skydick + +The shared namespace datasets (`dick/public`, `dick/media`, `dick/system`, `dick/templates`, and +`dick/users`) already exist on the host. For a new user, create only that user's subtree: ```bash # Get the user's UID/GID 
@@ -294,14 +310,19 @@ done ``` -### 6. Enable SMB login +### 6. Bootstrap SMB login if the user needs SMB ```bash smbpasswd -a ``` -This is required even if the user already exists as a POSIX account in LDAP. `smbpasswd -a` -creates or updates the user's `sambaSamAccount` attributes in LDAP for SMB authentication. +This one-time step is required even if the user already exists as a POSIX account in LDAP. +`smbpasswd -a` creates the user's `sambaSamAccount` attributes in LDAP and sets an initial SMB +password. + +After this bootstrap, future password changes should happen through the LDAP password UI or +`ldappasswd`, not routine `smbpasswd` use. That keeps LDAP as the password source of truth while +the LDAP server updates the Samba password hashes. The user can now connect via SMB and NFS. @@ -372,9 +393,12 @@ ### SMB authentication fails -- Samba uses LDAP-backed `sambaSamAccount` entries for SMB auth, not the Unix login password -- Admin must run `smbpasswd -a ` on skydick to create/reset the Samba SMB password in LDAP +- Samba uses LDAP-backed `sambaSamAccount` entries for SMB auth, not just the Unix `userPassword` - `getent passwd ` succeeding only proves Unix account lookup works; it does not create an SMB login +- If the user has never used SMB before, admin must run `smbpasswd -a ` once on skydick to + bootstrap the `sambaSamAccount` +- After bootstrap, change the password through the LDAP password UI or `ldappasswd` so Unix and + SMB passwords stay aligned - If `public` or `media` access fails but the home share works, check LDAP `storage` membership and verify the `memberUid` list for `cn=storage,ou=posix_groups,dc=skyw,dc=top` diff --git a/hosts/skydick/datapool.nix b/hosts/skydick/datapool.nix index 9613927..78a25ce 100644 --- a/hosts/skydick/datapool.nix +++ b/hosts/skydick/datapool.nix 
@@ -294,7 +294,7 @@ "ldap group suffix" = "ou=posix_groups"; "ldap machine suffix" = "ou=machines"; "ldap delete dn" = "no"; - "ldap passwd sync" = "no"; + "ldap passwd sync" = "only"; "ldap ssl" = "off"; "ldap server require strong auth" = "no"; "ldap connection timeout" = "5";
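Review bot: in the `datapool.nix` hunk, changing `"ldap passwd sync"` from `"no"` to `"only"` makes Samba stop writing `sambaNTPassword`/`sambaLMPassword` itself and instead push every password it sets through the LDAP password-modify extended operation on `userPassword`, so the SMB hashes now exist only if the LDAP server regenerates them (on OpenLDAP that is normally the `smbk5pwd` overlay or an equivalent password module). Nothing in this patch shows that server-side piece, nor the ACL that lets Samba's bind DN run the exop; without it `smbpasswd -a` creates a `sambaSamAccount` with no NT hash and every SMB login fails. Add the overlay and ACL to this change or point to where they are configured, and add a post-deploy check such as `pdbedit -Lv <user>` showing a non-empty "Password last set". The unchanged context lines also keep `"ldap ssl" = "off"` and `"ldap server require strong auth" = "no"`: the exop carries the cleartext password, so confirm the passdb backend URL is a local `ldapi://` socket, otherwise require TLS before this lands.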
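Review bot: in the `DATAPOOL.md` hunk for step 6 (`### 6. Bootstrap SMB login if the user needs SMB`), the text says `smbpasswd -a` "sets an initial SMB password", but combined with `ldap passwd sync = only` in the same patch that command sets the user's LDAP `userPassword` through the password-modify exop, i.e. it replaces whatever Unix/LDAP password the user already had. The current wording ("creates the user's `sambaSamAccount` attributes in LDAP and sets an initial SMB password") implies the LDAP password is untouched. State plainly that the bootstrap resets the user's LDAP password, and tell the admin to hand over a throwaway value the user changes immediately via the LDAP UI; the same caveat belongs in the `[homes]` bullet ("SMB bootstrap: one-time `smbpasswd -a` ...") and in the `### Windows`-side login text ("an admin must bootstrap the account once").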
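Review bot: the `### SMB authentication fails` hunk drops the old "run `smbpasswd -a` to reset" advice but adds no check for the new failure mode this design introduces: a password changed via the LDAP UI or `ldappasswd` where the server-side hash regeneration did not run, leaving `userPassword` current and `sambaNTPassword` stale, so Unix login works while SMB rejects the new password. Add a bullet telling the admin to compare "Password last set" from `pdbedit -Lv <user>` (the `sambaPwdLastSet` attribute) with when the user last changed the password, and to look for `NT_STATUS_WRONG_PASSWORD` in the Samba log; if the timestamps disagree, the LDAP-side sync is broken and re-running `smbpasswd -a` will only paper over it for one user.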