Using file server/Samba shares with external NFS storage

NethServer Version: 7.9
Module: file server

Hi guys,

First of all I would like to say hello to the NethServer community and a big thanks to the NethServer developers. This product is absolutely awesome. I’m from the north of Germany and working for an IT company. My experience in Linux is medium, I’m not a beginner but also not a specialist. Most of my experience with Linux is in virtualization like QEMU/KVM.

We are planning to use NethServer 7.9 as an all-in-one cloud solution for small business customers. We are currently in the proof of concept stage and testing all the necessary features like AD, File Server, VPN and Nextcloud. Once the testing is finished, we will of course do a subscription for every NethServer that is in production use, so we can support the developers for all the hard work on this project.

The NethServer solution should run on IONOS dedicated servers (Ryzen 5/7). As a special thing, we would like to have the file server section scalable and not end up with full disks on the host system, so we decided to use shared storage that is provided by IONOS within their data center and mount these as NFS shares to the Linux file system. These shares can grow step by step from 50Gb to 2TB, so we can adjust the storage depending on the needs of our customers.

To use the shared storage on Linux machines, they can be mounted as NFS shares with Kerberos tickets. The Kerberos ticket will be provided by IONOS and can be downloaded once the storage is created on the IONOS cloud panel. After some time I was able to mount this storage to the NethServer. To use it with Samba, I used the mount point /var/lib/nethserver/ibay, so the Samba shares will be generated on the file system of the external storage. Up to this stage everything works fine.

My issue: I can set up new shares and can see them on the Windows Server, but when I try to map them to a drive letter, I get an error message that this share is not accessible (access not permitted). When I’m using the filesystem of the NethServer for the shares everything works fine.

Does anybody have an idea what’s going wrong? Maybe there is also a better solution for making the file server scalable by using external storage. Due to the fact that the server is bare metal and not a cloud VM, it’s not possible to add block storage to the machine.

Thanks, Martin

@MaLeCo

Hi Martin

And Welcome to the NethServer Community!
I’m from north Switzerland - Grüsse an Norddeutschland!

As this is an English community, I’ll stick to English here.
More people may find solutions here, or can help with know-how.

Forwarding a NFS mounted Share (With Kerberos restrictions, no less!) via Samba (CIFS/SMB) can entail several “Tripwires” (Fallstricke!):

  • Kerberos Time limits
  • NFS Permissions from the sharing device
  • No direct access to the IONOS NFS Share / Logs for Troubleshooting
  • CIFS/SMB restrictions / permission mapping
  • Maybe other issues not mentioned yet…

A maybe better option with less headache:
Do you have a possibility with IONOS to use something like iSCSI?

This would still be hosted on IONOS, but the File System and Permissions are controlled by NethServer… I’d suggest also using XFS, as NethServer uses XFS. And put it in an LVM, so enlargement would be possible! (XFS supports on the fly enlargement - but not making it smaller!).

Maybe also specifically enquire if IONOS supports VMs on Proxmox, like e.g. Hetzner (also Germany) does. Would be a lot better in the medium/long run, but also short term, as you do have experience with KVM:

  • Online fast Backups
  • Full external VM Backups with PBS
  • Fast Snapshots of VMs before critical Updates/Upgrades/Testing…
  • a lot more features!

My 2 cents
Andy

PS: If you have deeper questions, you can PM me (Also in German…)

@Andy_Wismer

Hi Andy,

many thanks for the reply and your suggestions. Unfortunately there is no way to connect with iSCSI to the shared storage, only CIFS or NFS are supported. But nevertheless it’s a good idea to use iSCSI. In the IONOS cloud panel it’s possible to build dedicated and cloud servers side by side in the same data center, so why not set up a cloud server with small CPU/RAM and big storage that can be resized at any time. This machine could run a Linux turnkey NAS solution that supports iSCSI (for example OMV) and with restricted access only for the NethServer system. I will give it a try.

Regards,
Martin

@MaLeCo

Hi Martin

You could try eg RockStor…
I’ve used that distro for a few things, but haven’t tested iSCSI there yet…

My 2 cents
Andy

@MaLeCo

Also, as you’re running a hosted, bare metal server, probably with only a single LAN NIC, I’d suggest to read this:

https://wiki.nethserver.org/doku.php?id=virtual_network_interface&s[]=dummy

Make sure to adapt your internal IP accordingly. If I understand you right, you’re planning to use this setup for clients, each client will get their own NethServer…
So give each one their own internal IP, and keep track of these (e.g. using an XL table). This will keep headaches from overlapping IPs when you need to set up OpenVPN…

Additional Tip:
For OpenVPN, I’d suggest using 10.99.XXX.0/24 as the OpenVPN internal network. Here, XXX corresponds to whatever you use as third octet for the internal LAN IP on that NethServer (the virtual NIC IP mentioned), e.g. 192.168.XXX.1

My 2 cents
Andy
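The addressing convention from the post above, as an added example that is not part of any post in this thread: it derives the 10.99.XXX.0/24 OpenVPN network from each server's internal LAN IP and reports overlaps between customers. The customer names, the sample addresses and the /24 LAN prefix length are assumptions made for illustration.

```python
import ipaddress

def vpn_net_for(lan_ip):
    """Map LAN IP a.b.X.d to the OpenVPN network 10.99.X.0/24 (convention from the post)."""
    third_octet = ipaddress.IPv4Address(lan_ip).packed[2]
    return ipaddress.IPv4Network(f"10.99.{third_octet}.0/24")

def build_plan(customers):
    """customers: name -> internal LAN IP. Returns name -> (lan_net, vpn_net).

    Assumption: every internal LAN is a /24.
    """
    plan = {}
    for name, lan_ip in customers.items():
        lan_net = ipaddress.IPv4Interface(f"{lan_ip}/24").network
        plan[name] = (lan_net, vpn_net_for(lan_ip))
    return plan

def find_conflicts(plan):
    """Return (name_a, name_b, net_a, net_b) for every overlapping pair
    of networks that belong to two different customers."""
    entries = [(name, net) for name, nets in plan.items() for net in nets]
    conflicts = []
    for i, (name_a, net_a) in enumerate(entries):
        for name_b, net_b in entries[i + 1:]:
            if name_a != name_b and net_a.overlaps(net_b):
                conflicts.append((name_a, name_b, str(net_a), str(net_b)))
    return conflicts

# Constructed sample table: customer-c reuses customer-a's third octet.
SAMPLE = {
    "customer-a": "192.168.11.1",
    "customer-b": "192.168.12.1",
    "customer-c": "192.168.11.1",
}

if __name__ == "__main__":
    for conflict in find_conflicts(build_plan(SAMPLE)):
        print("overlap: %s / %s  %s <-> %s" % conflict)
```

Because the VPN network is derived from the LAN's third octet, a reused octet shows up twice: once as a LAN overlap and once as a VPN overlap.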

@Andy_Wismer

Hi Andy,

thanks again for your suggestions. The dedicated server has two ethernet interfaces, the first one is connected to the data center network and the second one is not connected. So I decided to use the second one as green interface br0 for the internal NethServer services. The virtual interface for the VMs is also bridged via virbr0 to this network. From this side everything has been working perfectly without any issues for many weeks of testing. Do you think it would be better practice to use a dummy interface for the internal network?

As the second NIC is probably NOT connected to any switch, it will show as down.
From that, it would make sense to use a virtual NIC…

My 2 cents
Andy

Yes, that was one of my concerns, but after building the bridge and connecting NethServer services like AD & Firewall the interface came up. But nevertheless I don’t know if this is a good practice to run the internal network. I will get in touch with you via PM and let you know the complete setup, maybe we can discuss how to optimize some things. In the end the production environment should be safe and reliable.


@Andy_Wismer and @MaLeCo
Greetings from West Germany.
Please share the solution which works for you with the community. I know it’s much easier to write in your native language, but some ideas and the solution could be helpful for the community. If you need some help with translation I think Andy and I can help you.

@m.traeumner

Hi Michael

As to this:

See my first post here:

But if we need to exchange IPs and other confidential (not for everyone) info, a PM is the way to go…

Add to that the fact: My mother tongue IS English!
I first learned German at 12…

Note: I’m not taking any offence here, just stating the reasons, in my opinion they’re valid…

My 2 cents
Andy
