[Samba] Samba/smbmount Windows-AD Kerberos und PAM

Bernd Kohler kohler at umic.rwth-aachen.de
Thu Dec 4 08:51:12 GMT 2008


Hi.

As the Subject line describes nearly all features/possibilities of
interaction between Windows and *nix, I will get into detail now ;)

I want to log in on a Linux machine and get my home from a Windows share.

On the one hand I use a Windows 2003 RC2 server - fileserver in an AD /
Windows domain.
On the other hand I use a linux PC (Ubuntu 8.04 amd64), that gets all
login-information via kerberos out of the AD/domain.

I added some lines/modified the following files:
/etc/samba/smb.conf
/etc/nsswitch.conf
/etc/krb5.conf
/etc/pam.d/common-auth
/etc/pam.d/common-account

Currently users can log in on the linux-pc using their AD-account.
So far so good, but actually I wanted to provide a home directory that
is mounted (Windows share) during the login-process. I thought pam_mount
would be a good choice.

First I wanted to test, if the share can be mounted manually after login
- and oops, first problem

A user who could successfully log in using the AD/domain was able to
mount the share via smbmount, but he could only list the content - no
writing, modifying, ...
My first thought: might be a problem with the rights management, so let's
check and play with them:

1. rights of the Windows share
   - share: everyone - full control
   - NTFS (Security) user, who logs in, has full control
   - I modified the advanced security settings, the user has full
     control on the folder, subfolders and files
   - the user is actually owner of this (shared) folder

2. after (domain) login on the Linux machine I created a directory ~/mnt
   with the usual rights and ownership

3. I used the following options for smbmount:
   smbmount //W2K3-Server/share mnt/ -o user=AD-user,\
        domain=AD-Domain,rw,iocharset=utf8,uid=10000,\
        gid=10004,file_mode=0777,dir_mode=0777

The user-information I fetched via "id":
uid=10000(AD-user) gid=10004(domänen-benutzer)
Gruppen=10001(BUILTIN\users),10004(domänen-benutzer),10005(AD-Gruppe1),10006(AD-Gruppe2)

Now just a quick look at the local rights:

ls -ld *
drwxrwxrwx 1 AD-user domänen-benutzer  0 2008-11-17 17:01 mnt

ls -l mnt
-rwxrwxrwx 1 AD-user domänen-benutzer 0 2008-11-17 17:00 copy-test.txt.txt
drwxrwxrwx 1 AD-user domänen-benutzer 0 2008-09-26 15:22 test123

As smbmount did not work the way I intended - no writing, modifying, ...
- I actually did not try to get lucky with pam_mount. I will try if
smbmount works the way I want it to.

I tried to mount (smbmount and mount -t smbfs/cifs) as root - surprise,
surprise, this works. So let's try to write/modify - no chance, neither
writing nor modifying :(

A quick look at /etc/mtab: more than one line with my mounted Windows
share exists. How could this happen?!

I think nearly everyone can use the provided Windows share, but not me ;)

I tried to solve this problem for one day using Google etc. - but could
not find a good hint. Does anybody know what goes wrong and can give me a hint?

Thanks for help/advice

best regards

Bernd Kohler



--
UMIC - RWTH Aachen
http://www.umic.rwth-aachen.de

Otto-Blumenthal-Str. 2
52074 Aachen

Tel.:   +49 241 80 20680
Fax:    +49 241 80 22640
E-Mail: kohler at umic.rwth-aachen.de
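As an added example that is not part of the original post: a small POSIX shell script that audits mtab-style cifs/smbfs entries for the duplicate lines described above and checks whether the uid= option of a mount point matches the id of the user who is supposed to write there. The share name, mount point and uid 10000 are taken from the post; the mtab content itself is constructed.

```shell
#!/bin/sh
# Added example, not from the original post. Audits cifs/smbfs entries in an
# mtab-style listing: flags mount points listed more than once and checks the
# uid= option against the uid reported by "id" for the logging-in user.

# Constructed sample mtab content (the second cifs line imitates the extra
# root mount the post mentions; /home/AD-user/mnt is a hypothetical path).
SAMPLE_MTAB='/dev/sda1 / ext3 rw,relatime,errors=remount-ro 0 0
//W2K3-Server/share /home/AD-user/mnt cifs rw,uid=10000,gid=10004,file_mode=0777,dir_mode=0777 0 0
//W2K3-Server/share /home/AD-user/mnt cifs rw,uid=0,gid=0 0 0
proc /proc proc rw 0 0'

# Print one line per cifs/smbfs mount point: DUPLICATE/ok, the mount point,
# how many times it is listed, and the option string of every listing.
audit_smb_mounts() {
    printf '%s\n' "$1" | awk '
        $3 == "cifs" || $3 == "smbfs" {
            count[$2]++; opts[$2] = opts[$2] " [" $4 "]"
        }
        END {
            for (mp in count) {
                flag = (count[mp] > 1) ? "DUPLICATE" : "ok"
                printf "%s %s %d%s\n", flag, mp, count[mp], opts[mp]
            }
        }'
}

# Number of mount points that appear more than once (0 means mtab is clean).
count_duplicate_mounts() {
    audit_smb_mounts "$1" | awk '/^DUPLICATE/ { n++ } END { print n + 0 }'
}

# Succeed only if every cifs/smbfs listing of mount point $2 carries uid=$3,
# i.e. every layer of the mount maps file ownership to the expected user.
mount_uid_matches() {
    printf '%s\n' "$1" | awk -v mp="$2" -v want="$3" '
        ($3 == "cifs" || $3 == "smbfs") && $2 == mp {
            n = split($4, o, ","); ok = 0
            for (i = 1; i <= n; i++) if (o[i] == "uid=" want) ok = 1
            if (!ok) bad = 1
        }
        END { exit bad ? 1 : 0 }'
}

audit_smb_mounts "$SAMPLE_MTAB"
```

On a live system, replace SAMPLE_MTAB with `$(cat /proc/mounts)` and the uid with the value printed by `id -u`.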


