Seeking help with mounting samba/cifs behind a VPN (currently using autofs)

Dear all,

I have been struggling for quite a while to mount my intranet (connected via VPN) samba share in a robust manner. When mounting it via fstab, it leads to hangs on the filesystem when the VPN connection is lost (e.g. when shutting down/rebooting).

Therefore I tried autofs, which should automatically unmount the share when inactive. Yet, this does not work either. While this CLI command works fine:
sudo mount.cifs //msc-smb.hpc.meduniwien.ac.at/mschae83 /mnt/muwhpc/ --options credentials=/home/moritz/muwhpc_credentials.txt,cache=strict,_netdev

my autofs config fails (I tried a lot already, starting from the example in the NixOS config reference; current state below):

  services.autofs = {
    enable = true;
    timeout = 30;  # very low
    autoMaster = let
      mapConf = pkgs.writeText "mnt" ''
        server    -fstype=cifs,credentials=/home/moritz/muwhpc_credentials.txt,cache=strict,_netdev    ://msc-smb.hpc.meduniwien.ac.at/mschae83'';
    in ''
      /mnt    ${mapConf}    --ghost
    '';
  };
}

Any suggestions on how to get autofs running, or on how to properly set up a CIFS mount behind VPN would be greatly appreciated!

Note: This is a cross post from r/NixOS, where I got 0 attention unfortunately.

I’m going to guess that’s because you’re in pretty uncharted territory.

What errors do you get from journalctl -e autofs?

Hey @TLATER,

thank you for thinking into this!

The only targets that exist are the following

journalctl -e /nix/store/0pph7qwdfqbljikzcvb2032wlkfc3xd6-autofs-5.1.6/bin/automount
Nov 15 19:02:43 mopad automount[36566]: failed to open config /etc/autofs.conf
Nov 15 19:02:43 mopad automount[36566]: failed to open old config /autofs
journalctl -u autofs.service
Nov 15 19:02:43 mopad systemd[1]: Starting Automounts filesystems on demand...
Nov 15 19:02:43 mopad automount[36566]: failed to open config /etc/autofs.conf
Nov 15 19:02:43 mopad automount[36566]: failed to open old config /autofs
Nov 15 19:02:43 mopad systemd[1]: Started Automounts filesystems on demand.

I am not sure whether the lack of /etc/autofs.conf is an issue here, as we explicitly configure it to use the automaster file we provide via mapConf.

Also, in response to your comment that this is uncharted territory: I am really surprised about this as it should be a quite common use case to access samba shares, e.g. from your company’s intranet when being in home office. Could you elaborate on your thoughts on this?

All the best
Moritz

I get that, but I don’t think as many people as you think are accessing samba shares from their companies’ intranets. Usually when you don’t get responses and your question isn’t extremely specific with little context it’s an uncommon use case.

I think file sharing is done much more commonly with cloud services these days. That’s beside the point though, it’s a valid use case, let’s see if we can figure it out.


Your config doesn’t specify the file: prefix before the file, unlike the one in the module example. Maybe try:

services.autofs = {
  enable = true;
  timeout = 30;  # very low
  autoMaster = let
    mapConf = pkgs.writeText "mnt" ''
      server    -fstype=cifs,credentials=/home/moritz/muwhpc_credentials.txt,cache=strict,_netdev    ://msc-smb.hpc.meduniwien.ac.at/mschae83
    '';
  in ''
    /mnt file:${mapConf} --ghost
  '';
};

The man page is somewhat hard to grok, but that might be it? The NixOS module does not attempt to write anything to /etc, so assuming the module actually works that should not be the problem indeed.

That module has apparently been lying around unmaintained since 2017 though, so who knows what bugs and behavior changes are lurking here.

If not, I’d personally do this with a systemd mount and make sure dependencies on the vpn are set correctly.


When you say mounting via fstab, do you mean filesystems.MOUNTPOINT or something else?

I’ve been using something like this for several years with no major issues:

  fileSystems."/mnt/company_name" = {
    device = "//192.168.1.100/Company Share";
    fsType = "cifs";
    options = [ "credentials=/home/user/.cifs-creds" "x-systemd.automount" "noauto" "uid=1000" "vers=1.0" "nounix" "x-systemd.idle-timeout=60,x-systemd.device-timeout=5s,x-systemd.mount-timeout=5s"];
  };

I occasionally get pauses if I’m disconnected or in transit, but it seems to mostly work. I don’t however shut down very often at all.

For reference, the above came roughly from Samba - NixOS Wiki


Thank you @TLATER and @joehealy!

I also tried with the file: directive and it did not join. The warning about 5 years without maintenance certainly helps.

@joehealy, I’ll try your version. Might be that it’s as simple as that.

It’s actually not that rare. I am in a similar situation where I want to be able to connect to my company’s VPN and access the network drives while connected. Did you have any success with your attempt?

EDIT:
The official samba documentation actually has a line in it to prevent ‘hanging on network split’

{
  # For mount.cifs, required unless domain name resolution is not needed.
  environment.systemPackages = [ pkgs.cifs-utils ];
  fileSystems."/mnt/share" = {
      device = "//<IP_OR_HOST>/path/to/share";
      fsType = "cifs";
      options = let
        # this line prevents hanging on network split
        automount_opts = "x-systemd.automount,noauto,x-systemd.idle-timeout=60,x-systemd.device-timeout=5s,x-systemd.mount-timeout=5s";

      in ["${automount_opts},credentials=/etc/nixos/smb-secrets"];
  };
}

I added my VPN configuration to the NixOS configuration.
Since it is an OpenVPN configuration I could follow the OpenVPN documentation for NixOS.

I could then use the options from the NixOS documentation as well as the parameters from the OpenVPN documentation to create the following samba config.

Samba shares

  fileSystems."/mnt/share" = {
      device = "//path/to/share";
      fsType = "cifs";
      options = [ "x-systemd.automount" "noauto" "x-systemd.idle-timeout=60" "x-systemd.device-timeout=5s" "x-systemd.mount-timeout=5s" "user" "uid=1000" "gid=100" "credentials=/etc/samba/.credentials" "iocharset=utf8" "x-systemd.requires=openvpn-myvpn.service" ];
  };

This ensures that the drives only mount when I actually try to use them and only if the VPN is running.

I am no expert and there might be issues I haven’t encountered yet, but so far I am very happy with my setup.


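An added example, not part of any post in this thread: a shell check over the comma-joined option string that NixOS builds from `options`, flagging a missing automount, timeout or VPN-dependency option from the configurations above, plus `vers=1.0` (SMB1) and a credentials file readable by group or others. The function names and finding labels are made up for this example, and the three sample strings are constructed from the configurations posted above.

```shell
#!/bin/sh
# Added example (not from the thread): lint a comma-joined CIFS option string,
# i.e. what NixOS hands to mount after joining the `options` list.

# has_opt OPTS NAME: succeeds if NAME or NAME=value is one of the options.
has_opt() {
    case ",$1," in
        *",$2,"* | *",$2="*) return 0 ;;
    esac
    return 1
}

# opt_val OPTS NAME: prints the value of the first NAME=value option.
opt_val() {
    printf '%s\n' "$1" | tr ',' '\n' | sed -n "s/^$2=//p" | head -n 1
}

# audit_cifs_opts OPTS: prints space-separated findings, or "ok".
audit_cifs_opts() {
    _opts=$1
    _out=""
    for _need in x-systemd.automount noauto x-systemd.idle-timeout \
                 x-systemd.mount-timeout x-systemd.requires credentials; do
        has_opt "$_opts" "$_need" || _out="$_out missing:$_need"
    done
    # vers=1.0 selects SMB1, which is deprecated and predates SMB3 encryption.
    if [ "$(opt_val "$_opts" vers)" = "1.0" ]; then _out="$_out smb1"; fi
    _out=${_out# }
    printf '%s\n' "${_out:-ok}"
}

# creds_private FILE: succeeds only if group and others have no access bits.
creds_private() {
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# Option strings constructed from the three configurations in the thread.
OP_OPTS='credentials=/home/moritz/muwhpc_credentials.txt,cache=strict,_netdev'
SMB1_OPTS='credentials=/home/user/.cifs-creds,x-systemd.automount,noauto,uid=1000,vers=1.0,nounix,x-systemd.idle-timeout=60,x-systemd.device-timeout=5s,x-systemd.mount-timeout=5s'
VPN_OPTS='x-systemd.automount,noauto,x-systemd.idle-timeout=60,x-systemd.device-timeout=5s,x-systemd.mount-timeout=5s,user,uid=1000,gid=100,credentials=/etc/samba/.credentials,iocharset=utf8,x-systemd.requires=openvpn-myvpn.service'

for _s in "$OP_OPTS" "$SMB1_OPTS" "$VPN_OPTS"; do
    audit_cifs_opts "$_s"
done
```

Run `creds_private` against the file named in `credentials=`; it contains the share password in plain text, so anything other than owner-only access exposes it to other local users.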
That’s really cool, did not know about this option. Curious what exactly implements it, should have a look at the mount options again 🙂