[Samba] Samba/smbmount Windows-AD Kerberos und PAM
Bernd Kohler
kohler at umic.rwth-aachen.de
Thu Dec 4 08:51:12 GMT 2008
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Hi.
As the subject line describes nearly all features/possibilities of
interaction between Windows and *nix, I will go into detail now ;)
I want to log in on a Linux machine and get my home from a Windows share.
On the one hand I use a Windows 2003 RC2 server - file server in an AD /
Windows domain.
On the other hand I use a Linux PC (Ubuntu 8.04 amd64), that gets all
login information via Kerberos out of the AD/domain.
I added some lines/modified the following files:
/etc/samba/smb.conf
/etc/nsswitch.conf
/etc/krb5.conf
/etc/pam.d/common-auth
/etc/pam.d/common-account
Currently users can log in on the Linux PC using their AD account.
So far so good, but actually I wanted to provide a home directory that
is mounted (Windows share) during the login process. I thought pam_mount
would be a good choice.
First I wanted to test if the share can be mounted manually after login
- and oops, first problem:
A user who could successfully log in using the AD/domain was able to
mount the share via smbmount, but he could only list the content - no
writing, modifying, ...
My first thought: might be a problem with the rights management, so let's
check and play with them:
1. Rights of the Windows share
- share: Everyone - Full Control
- NTFS (Security): the user who logs in has Full Control
- I modified the advanced security settings, the user has full
control on the folder, subfolders and files
- the user is actually the owner of this (shared) folder
2. After (domain) login on the Linux machine I created a directory ~/mnt
with the usual rights and ownership
3. I used the following options for smbmount:
smbmount //W2K3-Server/share mnt/ -o user=AD-user,\
domain=AD-Domain,rw,iocharset=utf8,uid=10000,\
gid=10004,file_mode=0777,dir_mode=0777
The user information I fetched via "id":
uid=10000(AD-user) gid=10004(domänen-benutzer)
Gruppen=10001(BUILTIN\users),10004(domänen-benutzer),10005(AD-Gruppe1),10006(AD-Gruppe2)
Now just a quick look at the local rights:
ls -ld *
drwxrwxrwx 1 AD-user domänen-benutzer 0 2008-11-17 17:01 mnt
ls -l mnt
-rwxrwxrwx 1 AD-user domänen-benutzer 0 2008-11-17 17:00 copy-test.txt.txt
drwxrwxrwx 1 AD-user domänen-benutzer 0 2008-09-26 15:22 test123
As smbmount did not work the way I intended - no writing, modifying, ...
- I actually did not try to get lucky with pam_mount. I will try that once
smbmount works the way I want it to.
I tried to mount (smbmount and mount -t smbfs/cifs) as root - surprise,
surprise, this works. So let's try to write/modify - no chance, neither
writing nor modifying :(
A quick look at /etc/mtab: more than one line with my mounted Windows
share exists. How could this happen?!
I think nearly everyone can use the provided Windows share, but not me ;)
I tried to solve this problem for one day using Google etc. - but could
not find a good hint. Does anybody know what goes wrong and can give me the hint?
Thanks for your help/advice.
Best regards
Bernd Kohler
--
UMIC - RWTH Aachen
http://www.umic.rwth-aachen.de
Otto-Blumenthal-Str. 2
52074 Aachen
Tel.: +49 241 80 20680
Fax: +49 241 80 22640
E-Mail: kohler at umic.rwth-aachen.de
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
iEYEARECAAYFAkk3mgAACgkQOiq/E1Lch49ZggCgg7Y3s+bQCX7MIy52TDMxTqhf
rLEAn3sYFcjuVuOPuzneQxTdlrLjIfEb
=k/SJ
-----END PGP SIGNATURE-----
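An added example, not part of the original post, illustrating two details of the mount described above: the option string for mount -t cifs must be a single comma-separated word (a space after a comma splits it into separate arguments), and the credentials should come from a file readable only by its owner instead of the command line, since a password given as a mount option is visible to every user in the process list. A third helper counts how often the same share appears at the same mount point in mtab-formatted text, which is the duplicate-entry situation the post observes in /etc/mtab. The credentials path, uid/gid values and the sample mtab lines are constructed assumptions; nothing here performs a real mount.

```shell
#!/bin/sh
# Added example (not from the original post): helpers around mount -t cifs.
# Share name, credentials path, uid/gid and SAMPLE_MTAB are constructed.

# Build the -o argument for mount -t cifs as ONE word: options joined by
# commas with no spaces, so the shell passes them to mount unsplit.
# The credentials file holds username=, password= and domain= lines, so
# the user and domain never appear on the command line.
cifs_opts() {
    cred_file="$1"; uid="$2"; gid="$3"
    printf 'credentials=%s,rw,iocharset=utf8,uid=%s,gid=%s,file_mode=0777,dir_mode=0777' \
        "$cred_file" "$uid" "$gid"
}

# Accept a credentials file only if nobody but its owner can read it
# (it contains the domain password in clear text).
cred_file_ok() {
    f="$1"
    [ -f "$f" ] || return 1
    mode=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f" 2>/dev/null) || return 1
    case "$mode" in
        600|400) return 0 ;;
        *) return 1 ;;
    esac
}

# Count entries in mtab-formatted text on stdin (fields: device mountpoint
# fstype options dump pass) where the given share sits on the given mount
# point. More than 1 means the share was mounted there repeatedly.
dup_mount_count() {
    share="$1"; mnt="$2"
    awk -v s="$share" -v m="$mnt" '$1 == s && $2 == m { n++ } END { print n+0 }'
}

# Constructed sample resembling /etc/mtab with the share mounted twice.
SAMPLE_MTAB='//W2K3-Server/share /home/ad-user/mnt cifs rw,uid=10000,gid=10004 0 0
/dev/sda1 / ext3 rw 0 0
//W2K3-Server/share /home/ad-user/mnt cifs rw,uid=10000,gid=10004 0 0'

# Demonstration on the constructed sample; only text is printed, no mount runs.
echo "mount -t cifs //W2K3-Server/share \$HOME/mnt -o $(cifs_opts /root/.cifs-creds 10000 10004)"
printf '%s\n' "$SAMPLE_MTAB" | dup_mount_count //W2K3-Server/share /home/ad-user/mnt
```

The uid and gid passed to cifs_opts should be the values reported by "id" for the AD user, as in the post, so that files on the share appear owned by that user locally. Running dup_mount_count against the real /etc/mtab (or /proc/mounts) before each mount attempt makes a repeated mount of the same share visible instead of silently stacking entries.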