[Samba] CIFS proxy

Maximiliano Bertacchini maxiberta at gmail.com
Wed Jul 6 14:25:11 MDT 2011


I need to run a Samba CIFS proxy (not DFS) in an AD environment. What we 
tried so far is mounting the remote share with mount.cifs and "-o 
sec=krb5i,multiuser" and share it through samba. But mount.cifs's 
multiuser option requires local access to the domain user's kerberos 
tickets, i.e, if I login as a domain user and run kinit to get a ticket, 
everything works. If the multiuser option is not used the permission 
checks done by the server will always correspond to the credentials used 
to mount the share, and not necessarily to the user who is accessing the 
share (quoted from man mount.cifs). The question is how to make this 
work automatically as to not require each domain user to login into the 
samba server and kinit manually.

Winbind is configured and running correctly (wbinfo -u/-g lists domain 
users/groups). I can su - into a domain user and login as a domain user 
(locally and ssh).

I've checked samba4's ntvfs cifs module but it won't even compile and I 
guess it's not ready for production.

Here's smb.conf:

    workgroup = MYDOMAIN
    realm = MYDOMAIN.COM
    server string = %h server (Samba, Ubuntu)
    dns proxy = no
    log file = /var/log/samba/log.%m
    log level = 2
    max log size = 1000
    syslog = 0
    security = ADS
    password server = server01.mydomain.com
    encrypt passwords = yes
    passdb backend = tdbsam
    load printers = no
    idmap uid = 10000-20000
    idmap gid = 10000-20000
    winbind enum groups = yes
    winbind enum users = yes
    winbind separator = .
    winbind use default domain = yes
    winbind refresh tickets = true
    template shell = /bin/bash

    comment = cifs mountpoint
    path = /mnt/cifs
    public = yes
    writable = yes
    browseable = yes



More information about the samba mailing list