Re: [Samba] Using GPO to mount shares on Linux
- Date: Wed, 11 Oct 2017 11:51:02 +0200
- From: "L.P.H. van Belle via samba" <samba@xxxxxxxxxxxxxxx>
- Subject: Re: [Samba] Using GPO to mount shares on Linux
> -----Original message-----
> From: samba [mailto:samba-bounces@xxxxxxxxxxxxxxx] On behalf of
> Rowland Penny via samba
> Sent: Wednesday 11 October 2017 11:39
> To: samba@xxxxxxxxxxxxxxx
> Subject: Re: [Samba] Using GPO to mount shares on Linux
> On Wed, 11 Oct 2017 11:00:59 +0200
> Michael Wandel <m.wandel@xxxxxxxxxxx> wrote:
> > On 11.10.2017 10:37, Rowland Penny via samba wrote:
> > > On Wed, 11 Oct 2017 10:13:35 +0200
> > > "L.P.H. van Belle via samba" <samba@xxxxxxxxxxxxxxx> wrote:
> > >
> > >> If you mean, Linux <=> Linux, use automounting, or dedicated
> > >> mounts. Cifs/nfs, depending on your setup and what you need.
> > >>
> > >>
> > >
> > > The problem is, they don't seem to work any more. They all seem to
> > > rely on mount.cifs and you need to be root to run this. When the
> > > user logs in, the mounting program runs using the user's creds and
> > > fails.
> > >
> > Hi,
> > it can be solved by pam_mount or you can use mount.cifs with the
> > multiuser option.
> > s/JeffLayton_Multiuser%20Mounts%20with%20Linux%20CIFS_revision.pdf
> > best regards
> > Michael
> > > Rowland
> > >
> > >
> I have tried to get autofs to work with nfs and cifs as user
> mounts, I cannot get these to work and believe me, I really tried ;-)
> I cannot get pam_mount to work either, it just tells me there
> are no volumes to mount. If I run the mount manually it
> doesn't work, I run it again with sudo, it works. I cannot
> find a way to get pam_mount to use sudo.
> In my opinion 'multiuser' is a possibility, but again I cannot
> get it to work.
> I am now considering pam_script, so watch this space ;-)
I believe you. The trick is:
1) add this to krb5.conf
; for Windows 2008 with AES
default_tgs_enctypes = aes128-cts-hmac-sha1-96 aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
default_tkt_enctypes = aes128-cts-hmac-sha1-96 aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
permitted_enctypes = aes128-cts-hmac-sha1-96 aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
2) make use of kerberos, add cifs/FQDN to the system keytab file.
2a) optional, make use of idmap.conf, something like this.
[General]
Verbosity = 0
Pipefs-Directory = /run/rpc_pipefs
# set your own domain here, if id differs from FQDN minus hostname
# Domain = localdomain
Domain = internal.dnsdomain.tld
Local-Realms = REALM
[Mapping]
Nobody-User = nobody
Nobody-Group = nogroup
[Translation]
Method = static,nsswitch
GSS-Methods = static,nsswitch
[Static]
NETBIOSNAME$@REALM = root
host/FQDN@xxxxxxxxxxxxxxxxxxx = root
cifs/FQDN@xxxxxxxxxxxxxxxxxxx = root
cifs/FQDN@ = root
3) reboot the server, login and try
mount -t cifs -o sec=krb5i //fileserver.subdomain.domain.local/share /mnt
See if this helps.
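
Added example, not part of the original message: a shell check that lists the DES and RC4 enctypes a krb5.conf enables in the three settings from step 1, since these are deprecated for Kerberos (RFC 6649, RFC 8429) and worth reviewing once every KDC and file server in the realm supports AES. The function name weak_enctypes and the sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit the *_enctypes settings of a krb5.conf for legacy ciphers.

# Print "<setting> <enctype>" for every DES, 3DES or RC4 enctype listed in
# default_tgs_enctypes, default_tkt_enctypes or permitted_enctypes.
# $1 = path to a krb5.conf
weak_enctypes() {
    awk '
        /^[ \t]*[;#]/ { next }                  # krb5.conf comments start with ; or #
        {
            eq = index($0, "=")
            if (eq == 0) next                   # section headers, blank lines
            key = substr($0, 1, eq - 1)
            gsub(/[ \t]/, "", key)
            if (key !~ /^(default_tgs_enctypes|default_tkt_enctypes|permitted_enctypes)$/)
                next
            # enctype lists are separated by whitespace and/or commas
            n = split(substr($0, eq + 1), types, /[ \t,]+/)
            for (i = 1; i <= n; i++)
                if (types[i] ~ /^(des|rc4|arcfour)/)
                    print key, types[i]
        }
    ' "$1"
}

# Constructed sample: two of the settings from step 1, placed under
# [libdefaults], with one of them already reduced to AES only.
sample=$(mktemp)
cat > "$sample" <<'EOF'
[libdefaults]
; for Windows 2008 with AES
default_tgs_enctypes = aes128-cts-hmac-sha1-96 aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
permitted_enctypes = aes128-cts-hmac-sha1-96 aes256-cts-hmac-sha1-96
EOF

weak_enctypes "$sample"
rm -f "$sample"
```

An empty result means only the listed settings are free of DES and RC4; run it against /etc/krb5.conf on each client that mounts with sec=krb5i.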