user file access - BYUHPC/7lbd GitHub Wiki

Using 7lbd, users have access to all of their network files from inside of the Windows VM.

SMBD in a network namespace

7lbd launches smbd inside the job's network namespace as the user who ran the Open OnDemand job. There are two key reasons why smbd is run inside a network namespace created by the spank_iso_netns Spank plugin:

  1. Without root, smbd cannot bind the standard SMB port (445), because ports below 1024 are privileged by default. Inside a namespace created by spank_iso_netns it can: the plugin sets net.ipv4.ip_unprivileged_port_start to 0 in that namespace, so an unprivileged process may bind any port there. The sysctl is per network namespace, so the host's setting is unchanged, and a socket bound inside the namespace is not reachable from outside it.

  2. The smbd process running as the user inside the network namespace exports its shares without authentication to every process in that namespace, most importantly to the Windows VM running alongside it. The generic "user1" account on the Windows VM, whose password is randomly generated for each job, can therefore reach the user's files. No other user can reach that smbd, and neither can the job owner's own processes outside the namespace: being the right user on the same node is not enough, a process must be inside the job's network namespace to connect.

The smbd server running in the OOD job has no access to network resources outside the namespace, but it does have access to every file on the compute node that the job owner can access. In other words, it is tightly locked down for network communication but not for file access: it runs with the job owner's UID and inherits all of that user's file permissions. This is a very similar paradigm to how file access through Globus works.

What is the "gnutls_fips_override"?

When smbd runs on a host in FIPS mode, it is held to FIPS requirements for authentication and encryption. Our hosts do run in FIPS mode, but the network smbd listens on is an isolated network namespace with no external routes, and in that setting we allow connections to smbd without any authentication. smbd refuses to operate that way when it detects FIPS mode, so we use a small library that overrides that detection and lets smbd run without authentication while the host remains in FIPS mode. We urge extreme caution when setting this up. We are not your compliance officer or auditor and make no guarantees.

That said, here is the comment from the header of gnutls_fips_override.c:

This disables FIPS mode compliance in smbd. This is not intended to cheat on compliance requirements. This is only to be used in situations where CUI is not and cannot be involved. Alternatively, if you have sufficient other controls in place that protect the confidentiality of the CUI, this may be appropriate to use. An example would be smbd inside of an isolated network namespace where a Windows VM, also inside the isolated namespace, needs to talk to Samba to gain access to files hosted on Linux. This has not been tested with Windows in FIPS mode and is assumed to not work in that case. The "correct" solution in that case is Kerberos/AD authentication.

According to "SC.L2-3.13.11 – CUI ENCRYPTION", CMMC Assessment Guide – Level 2 Version 2.13:

Encryption used for other purposes, such as within applications or devices within the protected environment of the covered OSA information system, would not need to use FIPS-validated cryptography.

Retrieved from https://dodcio.defense.gov/Portals/0/Documents/CMMC/AssessmentGuideL2v2.pdf on March 5, 2025

YMMV. This may break things, delete files, send your files to agents from $BAD_COUNTRY, make you non-compliant, drain your bank account, send you to jail, burn down your data center, or simply just not work right. Use only as directed. Ask legal counsel and auditors if gnutls_fips_override is right for you.

The samba_start.sh script

The samba_start.sh script is run as part of the Open OnDemand job. It generates a samba config and starts smbd as the job owner inside the network namespace. Edit the shares in the generated config to match whatever shares you want to create for your users.
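The following is an added example, not the project's samba_start.sh, illustrating both points above: a pre-flight check that the unprivileged-port sysctl actually permits this UID to bind 445 in the current namespace, and generation of a guest-access, bind-to-one-interface smb.conf that keeps all smbd state under a job directory. The share name `home`, the run directory layout, the bind address `10.0.0.1`, and the function names are assumptions; the real script, addresses and shares are not on this page.

```shell
#!/usr/bin/env bash
# Added example, not 7lbd's samba_start.sh. Generates a locked-down smb.conf
# for an unprivileged smbd inside an isolated network namespace and checks
# the unprivileged-port sysctl before starting it. Paths, share name and
# bind address are assumptions.

# Returns 0 if an unprivileged process may bind port $1 according to the
# ip_unprivileged_port_start value in file $2 (defaults to the live sysctl,
# which is per network namespace, so read it from inside the job's netns).
port_allowed_by_sysctl() {
    port="$1"
    sysctl_file="${2:-/proc/sys/net/ipv4/ip_unprivileged_port_start}"
    if [ ! -r "$sysctl_file" ]; then
        echo "cannot read $sysctl_file" >&2
        return 2
    fi
    start="$(cat "$sysctl_file")"
    [ "$port" -ge "$start" ]
}

# Writes an smb.conf under run directory $1, bound only to address $2.
# Every connection is mapped to the job owner (no authentication); this is
# only safe because nothing outside the namespace can reach the socket.
gen_smb_conf() {
    rundir="$1"
    bind_addr="$2"
    owner="$(id -un)"
    mkdir -p "$rundir/locks" "$rundir/state" "$rundir/cache" \
             "$rundir/private" "$rundir/log"
    cat > "$rundir/smb.conf" <<EOF
[global]
    server role = standalone server
    workgroup = WORKGROUP
    netbios name = job-files
    # Listen on the namespace-side interface only. Port 445 is bindable
    # without root only because ip_unprivileged_port_start is 0 in here.
    interfaces = $bind_addr
    bind interfaces only = yes
    smb ports = 445
    disable netbios = yes
    # No authentication: unknown users become the guest account, which is
    # the job owner. smbd is not root and cannot switch users anyway.
    security = user
    map to guest = Bad User
    guest account = $owner
    force user = $owner
    # Keep all runtime state inside the job directory, not /var.
    pid directory = $rundir
    lock directory = $rundir/locks
    state directory = $rundir/state
    cache directory = $rundir/cache
    private dir = $rundir/private
    log file = $rundir/log/smbd.log
    log level = 1
    load printers = no
    printing = bsd
    printcap name = /dev/null

[home]
    comment = Job owner's home directory (assumed share)
    path = $HOME
    guest ok = yes
    read only = no
    browseable = yes
EOF
    echo "$rundir/smb.conf"
}

# Validates the config with testparm when samba is installed; skips
# (returns 0) otherwise so the generator can be exercised without samba.
validate_smb_conf() {
    if command -v testparm >/dev/null 2>&1; then
        testparm -s "$1" >/dev/null
    fi
}

# Runs smbd in the foreground with config $1. Refuses to start if this UID
# could not bind 445, i.e. if we are not inside a spank_iso_netns-style
# namespace with the sysctl set to 0.
start_smbd() {
    conf="$1"
    if [ "$(id -u)" -ne 0 ] && ! port_allowed_by_sysctl 445; then
        echo "uid $(id -u) cannot bind 445 here; not inside the job namespace?" >&2
        return 1
    fi
    exec smbd --foreground --no-process-group --configfile="$conf"
}
```

Inside the job, after the namespace is set up, the intended call is `start_smbd "$(gen_smb_conf "$TMPDIR/smb" 10.0.0.1)"`. The `interfaces` plus `bind interfaces only` pair is belt-and-braces: the namespace already makes the socket unreachable from outside, but binding only the namespace-side address means a misconfigured namespace fails loudly rather than quietly exposing a guest share.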
