[Samba] Accessing multiple Active Directory accounts simultaneously from a single Linux server

Andy Liebman andyliebman at aol.com
Sat Nov 2 23:18:41 MDT 2013


Hello, 


I have been doing a lot of research on this subject and I'm not finding a clear answer.  My company currently makes a video capture and transcoding application that runs on a Linux server.  The video application mounts shares from a second Linux storage server for various users at the same time.  In other words, we have: 


A Linux Storage Server with many accounts (for example, user1, user2, user3, etc.) and many Samba shares (for example, space1, space2, space3, etc.)
A Linux Video Server that performs work for various client applications at the same time, mounting different shares from the Storage server, and authenticating each mount as a different user so that it can capture video into the shares the user is allowed to use.  (e.g., user1->share1,  user2->share2). Imagine we mount each user's home directory and capture video into it.  That's roughly what I'm talking about, although typically a single share can be accessed by more than one user.  In our current non-Active Directory configuration, the Video server runs commands such as: 



sudo mount -t cifs  //StorageServer/ShareName  /path/to/mountpoint -o rw,noperm,user=user1,password={user's password}
sudo mount -t cifs  //StorageServer/DifferentShareName   /path/to/different/mountpoint -o  rw,noperm,user=user2,password={user's password}



Note -- we mount one share as "user1" and another as "user2". 


We are now trying to integrate all of this into an Active Directory environment. We have the Storage Server working properly within a Windows Server 2008 R2 domain.  After logging into Windows workstations, domain users are able to mount shares from the storage server without supplying any additional credentials (the storage server knows who they are and lets them mount the shares they are authorized to see). 


The question is, what can we do on the Video Server side?  In the context of Active Directory, how can a single Linux Video Server mount different shares from the Storage Server authenticating as different domain users?  We can join the Video Server to the Active Directory domain, but we are not logging into the Video Server ITSELF as one particular domain user and we really don't want to start different sessions for each user. We just want to be able to connect to the storage server the way we always have and say, "here are the credentials for user1 and we want to mount this Samba share on user1's behalf so that we can capture video into it".  All the mount.cifs options I have tried so far result in errors reported on the Storage server.  


Is this possible in the context of Active Directory?  Do we need to specify some special security options in the mount command? Is there a very specific way we need to refer to the "Storage Server" (for example, \\FQDN\ShareName) and to users (for example, \\DOMAIN\username)?  I actually tried that and it doesn't work.  I get errors on the Storage server to the effect of "Couldn't find user in passdb", not using winbind, etc. Do we have to somehow get a Kerberos ticket on the Video Server for the user that we can then use to mount the shares for that user? 


Thanks in advance for any good advice.  If anybody can refer me to a document that describes how to do this, I would be more than happy to follow the directions! 


Regards, 


Andy Liebman
EditShare

