[Samba] mount.cifs permissions for non-root user via sudo

Lazarevich, Alexander alazarev at illinois.edu
Mon Mar 24 13:50:39 MDT 2014


> -----Original Message-----
> From: steve [mailto:steve at steve-ss.com]
> Sent: Monday, March 24, 2014 2:18 PM
> To: Lazarevich, Alexander
> Cc: samba at lists.samba.org
> Subject: Re: [Samba] mount.cifs permissions for non-root user via sudo
> 
> On Mon, 2014-03-24 at 19:07 +0000, Lazarevich, Alexander wrote:
> > > -----Original Message-----
> > > On Mon, 2014-03-24 at 17:24 +0000, Lazarevich, Alexander wrote:
> > > > I'm not sure this is the proper forum to post to, but I hope
> > > > someone can point me in the right direction if not have the answers. We have a
> > > > RedHat Enterprise 5 AS machine, fully patched, with the most recent
> > > > samba RPMs installed. The machine is joined to Active Directory via
> > > > a 3rd party program called Centrify. An AD user, when logged into
> > > > this system, is given permission to run /bin/mount via sudo, in
> > > > order to mount that user's Windows share from a Windows fileserver
> > > > (2008R2). The exact mount command is:
> > > >
> > > > sudo mount -t cifs //servername/share/user1 /home/user1/network-mount -o domain=domname,username=user1
> > > >
> > > > After the user provides their AD password, the share is mounted:
> > > >
> > > > [user1 at linux1PC]$ df -h
> > > > Filesystem            Size  Used Avail Use% Mounted on
> > > > /dev/sda2              20G  7.3G   12G  40% /
> > > > /dev/sda1              99M   25M   70M  26% /boot
> > > > tmpfs                1006M     0 1006M   0% /dev/shm
> > > > //servername/share/user1 6.0T  5.0T  1.1T  83% /home/user1/network-mount
> > > >
> > > > As you can see, the mount worked fine. However, the permissions
> > > > are very odd. All files/folders are owned by root:
> > > >
> > > > [user1 at linux1PC]$ ls -l
> > > > total 547949
> > > > -rwxrwSrwx 1 root root  70207240 Jul 30  2012 5.5.4.0-TIV-TSMBAC-WinX32.exe
> > > > -rwxrwSrwx 1 root root 157970712 Jun  5  2013 6.2.3.0-TIV-TSMBAC-WinX32.exe
> > > > -rwxrwSrwx 1 root root 158327144 Jun  5  2013 6.2.5.0-TIV-TSMBAC-WinX32.exe
> > > > -rwxrwSrwx 1 root root 174554976 Jun  5  2013 6.3.1.0-TIV-TSMBAC-WinX32.exe
> > > > ...
> > > >
> > > > After some testing, it seems as though the mount command is
> > > > purposefully mounting the share as root, with 777 perms, so the
> > > > user can have proper access. The user1 is able to read/write all
> > > > files as needed. And other users on the system have no access to the
> > > > share. (which is odd because the perms are 777)
> > > >
> > > > I'm hoping someone else in the world has solved this problem: Is
> > > > this the proper way to mount non-root user Windows shares via command line?
> > > > Is there another/better way to mount Windows shares command line for
> > > > non-root users? Or are we doing it the correct way and somehow the
> > > > system is monitoring the mounted share and translating permissions
> > > > from unix to CIFS on the fly. The ACLs on the Windows server are
> > > > correct for all created files/folders from that user. We have to
> > > > know these permissions are correct and stable before we put this mount
> > > > procedure into production in our labs.
> > > >
> > > > Any ideas?
> > > >
> > > > Thanks!
> > > >
> > > > Alex
> > > Hi
> > > Over cifs, the -rwxrwSrwx part of the listing doesn't bear any
> > > resemblance to the actual ACLs.
> > > HTH
> > > Steve
> > >
> >
> > Thanks Steve, for the reply. So is it safe to say this root owned mount is
> > normal behavior for cifs when mounting domain user shares and the share is
> > safe to use for the user? I'm tending to think that is correct, but I'd really like
> > some confirmation about that.
> >
> > Alex
> Hi
> I can't say for certain because of your non-standard join method and
> non-standard (non-kerberised) mount command, but from your own
> experimentation:
> ' The user1 is able to read/write all files as  needed. And other users on the
> system have no access to the share.
>  (which is odd because the perms are 777)'
> You have proved it for yourself. Remember that it's not odd because the
> perms are _not_ 777. Try:
> getfacl /home/user1/network-mount
> HTH
> Steve

Fantastic info, thanks Steve. I'm a newbie with Kerberos. If we wanted to go with Kerberised mounts, does this link outline a decent option?

http://brainscraps.wikia.com/wiki/Linux_Auth_with_Active_Directory

(Samba for AD auth and setup Automatic CIFS Home mounts via /etc/request-key.conf and /etc/auto.master, etc.)

Does that sound like (one of) the most reliable ways to accomplish cifs mounts for multiple AD users on linux? It would be nice if we could keep Centrify (Enterprise version) in the mix, because we are used to it and it is also a good solution for our Mac clients, but if we have to ditch Centrify for linux and go with Samba for auth then so be it.

There's also pam_mount as well. I wonder if that is better to use than auto.master mounts? We are wanting to mount shares for both SSH logins as well as gnome logins. They need to both work equally well, when a user logs into a system.

We just want to go with what is most reliable and hopefully functionality won't change (break) for a while.

If this is off topic to Samba and I should be on another forum, please advise. There must be other labs (supporting hundreds/thousands of users) who have win/mac/linux clients all authing to AD and using the same windows server for home dirs, right?

Alex
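As an added example (not code from this thread, from Samba or from cifs-utils): a small POSIX shell helper that builds the mount.cifs option string with uid=/gid= and restrictive file_mode=/dir_mode= so the share is mapped to the invoking user instead of to root (which is what a plain `sudo mount` yields, hence the root-owned, 777-looking listing above), plus a checker that reads a /proc/mounts-style line to confirm which uid a cifs mount is actually bound to. The domain name `domname`, the uids and the sample mounts line are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes the uid=, gid=, file_mode= and
# dir_mode= options of mount.cifs (present in cifs-utils). The client-side
# mode bits only affect the local view; the server's ACLs still decide access.

# Print the -o option string for mounting user $1's share in domain $2.
# Without uid=/gid= the mount is owned by the mounting process, i.e. root
# under sudo; resolving them locally makes the files show up as the user's,
# and 0700 modes keep the local listing from advertising world-writable files.
cifs_mount_opts() {
    user=$1; domain=$2
    uid=$(id -u "$user") || return 1
    gid=$(id -g "$user") || return 1
    printf 'domain=%s,username=%s,uid=%s,gid=%s,file_mode=0700,dir_mode=0700\n' \
        "$domain" "$user" "$uid" "$gid"
}

# Given one line in /proc/mounts format, print the value of its uid= option
# (prints nothing when the option is absent, i.e. the mount defaults to root).
mount_line_uid() {
    printf '%s\n' "$1" | awk '{
        n = split($4, o, ",")
        for (i = 1; i <= n; i++)
            if (o[i] ~ /^uid=/) { sub(/^uid=/, "", o[i]); print o[i] }
    }'
}

# Return 0 if mountpoint $1 appears in the /proc/mounts-format text $2 as a
# cifs mount carrying uid=$3, otherwise 1. Pass "$(cat /proc/mounts)" as $2
# on a live system.
cifs_mount_owned_by() {
    line=$(printf '%s\n' "$2" | awk -v mp="$1" '$2 == mp && $3 == "cifs"')
    [ -n "$line" ] || return 1
    [ "$(mount_line_uid "$line")" = "$3" ]
}

# Demo on a constructed sample line (constructed, not captured from a host).
if [ "${1:-}" = "demo" ]; then
    sample='//servername/share/user1 /home/user1/network-mount cifs rw,relatime,uid=1001,gid=1001 0 0'
    echo "mount -t cifs //servername/share/user1 /home/user1/network-mount -o $(cifs_mount_opts "$(id -un)" domname)"
    cifs_mount_owned_by /home/user1/network-mount "$sample" 1001 && echo "mount is bound to uid 1001"
fi
```

Run with `sh script.sh demo` to see the option string for the current account; on a real host the `sample` line would come from /proc/mounts after the mount.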


