[linux-cifs-client] Improving auto.smb for user mounts
Joe Krahn
krahn at niehs.nih.gov
Mon Jan 28 21:47:06 GMT 2008
simo wrote:
> On Mon, 2008-01-28 at 12:48 -0500, Joe Krahn wrote:
>> I am working on my own version of auto.smb to handle auto-mounting of
>> shares with SMB user access control, and I would like to know if the
>> CIFS developers think my plan is useful, or if there are better
>> alternatives being planned. It seems that there are no really good
>> solutions due to various design incompatibilities, but maybe this is OK,
>> at least for the near future.
>>
>> My idea for auto.smb is to support a key with a @ symbol, in the form
>> "user@host". Shares auto-mounted under that key use that user's
>> credentials, and also set the file permission options to match that
>> user. This allows system-level auto-mounting, but keeps user-level
>> access control.
>>
>> I have this working right now, except that SElinux is getting in the
>> way. The disadvantage is having to store credentials in a file, but it
>> should be possible to come up with an alternative method that requires
>> manual password entry.
>>
>> Thanks for any suggestions,
>> Joe Krahn
>
> I would like to see this working with the new kerberos support if
> possible, at some point.
>
> Another strategy we are pursuing is supporting transparent user
> authentication (also relies on kerberos cached credentials) on existing
> mount points. IE you mount something like /home and then authentication
> happens transparently (new session setup and all) when a user walks
> in /home giving him proper access to his own and other users directories
> similar to what you can do with NFSv4 too (at least on Solaris, not sure
> what the status of transparent krb5 auth is on Linux).
>
> Simo.
>
Linux support for krb5 is good. I didn't know about the new sec= feature
in mount.cifs. I'll experiment with using krb5.

The complication of transparent authentication is that file permissions
can't just be mapped to POSIX user+group. If one user accesses a share,
how do you manage another user accessing the same share? Do they also
need a password to access the already-mounted directory? It sort of
needs something like PAM for file access control. Maybe some of the
NFSv4 features will make this possible?

Joe
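
The "user@host" key handling proposed in the quoted message, sketched as an added example that is not part of the original post or Joe Krahn's script. The function name `cifs_opts_for_key`, the `CRED_DIR` location, the `<user>.cred` naming and the `file_mode`/`dir_mode` values are assumptions; `credentials=`, `uid=`, `gid=`, `file_mode=` and `dir_mode=` are existing mount.cifs options.

```shell
#!/bin/sh
# Added example: build per-user CIFS mount options from an autofs key of
# the form user@host. CRED_DIR and the file naming are assumptions.
CRED_DIR=${CRED_DIR:-/etc/auto.smb.d}

# cifs_opts_for_key KEY
# Prints "-fstype=cifs,..." for a valid key; returns non-zero otherwise.
# The share list (stock auto.smb gets it from smbclient) would follow.
cifs_opts_for_key() {
    key=$1
    case $key in
        *@*@*|@*|*@) return 1 ;;   # exactly one '@', both sides non-empty
        *@*) user=${key%@*}; host=${key#*@} ;;
        *) return 1 ;;
    esac
    # The key is the path component a local user looked up, so it is
    # untrusted input. Allow only characters that cannot add a
    # comma-separated mount option, an option flag, or a path component.
    case $user in *[!A-Za-z0-9._-]*|.*|-*) return 1 ;; esac
    case $host in *[!A-Za-z0-9.-]*|.*|-*) return 1 ;; esac

    # The user must exist locally; its uid/gid own the mounted files.
    uid=$(id -u "$user" 2>/dev/null) || return 1
    gid=$(id -g "$user" 2>/dev/null) || return 1

    # Stored credentials must be a regular file (not a symlink) with no
    # execute bit and no group/other permission bits at all.
    cred=$CRED_DIR/$user.cred
    case $(ls -ld "$cred" 2>/dev/null) in
        -??-------*) ;;
        *) return 1 ;;
    esac

    printf '%s\n' "-fstype=cifs,credentials=$cred,uid=$uid,gid=$gid,file_mode=0600,dir_mode=0700"
}

# When run with a key argument, print the options or fail the lookup.
if [ $# -gt 0 ]; then
    cifs_opts_for_key "$1" || exit 1
fi
```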