Re: [Samba] Using GPO to mount shares on Linux




 

> -----Original Message-----
> From: samba [mailto:samba-bounces@xxxxxxxxxxxxxxx] On Behalf Of 
> Rowland Penny via samba
> Sent: Wednesday, 11 October 2017 11:39
> To: samba@xxxxxxxxxxxxxxx
> Subject: Re: [Samba] Using GPO to mount shares on Linux
> 
> On Wed, 11 Oct 2017 11:00:59 +0200
> Michael Wandel <m.wandel@xxxxxxxxxxx> wrote:
> 
> > On 11.10.2017 10:37, Rowland Penny via samba wrote:
> > > On Wed, 11 Oct 2017 10:13:35 +0200
> > > "L.P.H. van Belle via samba" <samba@xxxxxxxxxxxxxxx> wrote:
> > > 
> > >> If you mean, Linux <=> Linux , use automounting, of dedicated 
> > >> mounts. Cifs/nfs, depending on your setup and what you need.
> > >>
> > >>
> > > 
> > > The problem is, they don't seem to work any more. They all seem to
> > > rely on mount.cifs and you need to be root to run this. When the
> > > user logs in, the mounting program runs using the user's creds and
> > > fails.
> > > 
> > Hi,
> > 
> > it can be solved by pam_mount or you can use mount.cifs with the 
> > multiuser option.
> > 
> > 
> > https://www.snia.org/sites/default/orig/SDC2012/presentations/Revisions/JeffLayton_Multiuser%20Mounts%20with%20Linux%20CIFS_revision.pdf
> > 
> > best regards
> > Michael
> > 
> > 
> > > Rowland
> > >   
> > > 
> > 
> > 
> 
> I have tried to get autofs to work with nfs and cifs as user 
> mounts, I cannot get these to work and believe me, I really tried ;-)
> 
> I cannot get pam_mount to work either, it just tells me there 
> are no volumes to mount. If I run the mount manually it 
> doesn't work, I run it again with sudo, it works. I cannot 
> find a way to get pam_mount to use sudo.
> 
> In my opinion 'multiuser' is a possibility, but again I cannot 
> get it to work.
> 
> I am now considering pam_script, so watch this space ;-)
> 
> Rowland
> 
I believe you. The trick is:

1) add this to krb5.conf
; for Windows 2008 with AES
    default_tgs_enctypes = aes128-cts-hmac-sha1-96 aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
    default_tkt_enctypes = aes128-cts-hmac-sha1-96 aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
    permitted_enctypes = aes128-cts-hmac-sha1-96 aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5

2) make use of Kerberos, add cifs/FQDN to the system keytab file.
2a) optional, make use of idmapd.conf, something like this.
/etc/idmapd.conf
[General]

Verbosity = 0
Pipefs-Directory = /run/rpc_pipefs

# set your own domain here, if id differs from FQDN minus hostname
# Domain = localdomain
Domain = internal.dnsdomain.tld 
Local-Realm = REALM

[Mapping]

Nobody-User = nobody
Nobody-Group = nogroup

[Translation]
Method = static,nsswitch
GSS-Methods = static,nsswitch


[Static]
NETBIOSNAME$@REALM = root
host/FQDN@xxxxxxxxxxxxxxxxxxx = root
cifs/FQDN@xxxxxxxxxxxxxxxxxxx = root
cifs/FQDN@ = root


3) reboot the server, log in and try
mount -t cifs -o sec=krb5i //fileserver.subdomain.domain.local/share /mnt


See if this helps. 

Greetz, 

Louis
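
Added example (not part of the message above and not Samba or Kerberos project code): the enctype lists in step 1 include rc4-hmac and the single-DES types, which RFC 8429 and RFC 6649 deprecate. This Python check flags them in krb5.conf text and prints AES-only replacement lines. It assumes the KDC and file server support AES and that the lists are plain names (no DEFAULT or +/- syntax); the function names are illustrative.

```python
import re

SETTINGS = ("default_tgs_enctypes", "default_tkt_enctypes", "permitted_enctypes")

# Constructed sample: the three krb5.conf lines from step 1 of the message.
SAMPLE = """\
; for Windows 2008 with AES
    default_tgs_enctypes = aes128-cts-hmac-sha1-96 aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
    default_tkt_enctypes = aes128-cts-hmac-sha1-96 aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
    permitted_enctypes = aes128-cts-hmac-sha1-96 aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
"""


def is_weak(enctype):
    """Single-DES (deprecated by RFC 6649) or RC4 (deprecated by RFC 8429)."""
    e = enctype.lower()
    return e == "des" or e.startswith(("des-", "rc4", "arcfour"))


def audit_enctypes(conf_text):
    """Return {setting: {"weak": [...], "kept": [...]}} for each enctype line."""
    report = {}
    for raw in conf_text.splitlines():
        line = raw.strip()
        # krb5.conf comment lines start with ';' or '#'.
        if not line or line[0] in ";#" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        key = key.strip()
        if key not in SETTINGS:
            continue
        # Enctype lists are separated by whitespace or commas.
        names = [n for n in re.split(r"[,\s]+", value.strip()) if n]
        report[key] = {
            "weak": [n for n in names if is_weak(n)],
            "kept": [n for n in names if not is_weak(n)],
        }
    return report


def hardened_lines(report):
    """Rebuild each setting with only the enctypes that were not flagged."""
    return ["    %s = %s" % (k, " ".join(v["kept"])) for k, v in report.items() if v["kept"]]


if __name__ == "__main__":
    result = audit_enctypes(SAMPLE)
    for setting, found in result.items():
        print("%s: weak = %s" % (setting, ", ".join(found["weak"]) or "none"))
    print("\n".join(hardened_lines(result)))
```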