[Samba] Access Windows files with individual user credentials
Jeremy Allison
jra at samba.org
Mon Mar 14 23:51:56 UTC 2016
On Mon, Mar 14, 2016 at 04:17:59PM -0700, B Martin wrote:
> Dear fellow Samba fans,
>
> This seems like a blatantly obvious need, but I'm not finding
> anything in the Samba literature addressing it. Maybe my search-fu
> is just failing me.
>
> I have a collection of Linux machines with multiple simultaneous
> users. The Linux machines are all running Samba 4.1.7, compiled
> from the source since my distro (CentOS 6.6) isn't that current. We
> are operating in a Windows A/D domain via Winbind, and everything in
> that area seems to be working great. Linux can see all the user
> accounts, knows their group memberships, etc., and their Windows
> login passwords work fine on the Linux boxes.
>
> The Linux users want to access Windows network shares, which I
> currently implement using the automounter and a bit of code commonly
> floating around the Internet to mount it via smbclient. The problem
> with this approach is that smbclient needs login credentials at the
> time it sets up the mount. Everyone using that mount is then being
> treated as if they were using the same login credentials. They
> don't gain their own individual access rights to files on the
> Windows share. That's been OK so far, but the users are becoming

http://linux.die.net/man/8/mount.cifs

"multiuser
Map user accesses to individual credentials when accessing the server.
By default, CIFS mounts only use a single set of user credentials (the
mount credentials) when accessing a share. With this option, the client
instead creates a new session with the server using the user's credentials
whenever a new user accesses the mount. Further accesses by that user
will also use those credentials. Because the kernel cannot prompt for
passwords, multiuser mounts are limited to mounts using sec= options
that don't require passwords."

Which means use Kerberos tickets, gotten from the KDC on login.
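
As an added example (not part of the original post and not Samba project code), this shell check reads /proc/mounts-format lines and reports, for each CIFS mount, whether it uses per-user sessions (multiuser with sec=krb5 or sec=krb5i) or the single shared mount credential described in the question. The host names, mount points and verdict labels are constructed for illustration.

```shell
#!/bin/sh
# Added example: report how each CIFS mount applies credentials.
# Reads /proc/mounts-format lines on stdin, prints "<mountpoint> <verdict>":
#   per-user    multiuser with sec=krb5 or sec=krb5i (one session per user)
#   needs-krb5  multiuser set, but sec= is not a Kerberos flavour
#   shared      no multiuser: every local user acts as the mount credentials
classify_cifs_mounts() {
    while read -r _dev mnt fstype opts _rest; do
        if [ "$fstype" != "cifs" ]; then
            continue
        fi
        # Wrap the option list in commas so each option matches as a whole token.
        multiuser=no
        case ",$opts," in
            *,multiuser,*) multiuser=yes ;;
        esac
        kerberos=no
        case ",$opts," in
            *,sec=krb5,*|*,sec=krb5i,*) kerberos=yes ;;
        esac
        if [ "$multiuser" = yes ] && [ "$kerberos" = yes ]; then
            verdict=per-user
        elif [ "$multiuser" = yes ]; then
            verdict=needs-krb5
        else
            verdict=shared
        fi
        printf '%s %s\n' "$mnt" "$verdict"
    done
}

# Constructed sample in /proc/mounts format (hosts and paths are made up).
SAMPLE_MOUNTS='//fs01.example.com/projects /mnt/projects cifs rw,relatime,vers=3.0,sec=krb5,cache=strict,multiuser,uid=0,gid=0 0 0
//fs01.example.com/legacy /mnt/legacy cifs rw,relatime,vers=3.0,sec=ntlmssp,cache=strict,username=svc_mount,uid=0,gid=0 0 0
//fs01.example.com/scratch /mnt/scratch cifs rw,relatime,vers=3.0,sec=ntlmssp,cache=strict,multiuser,uid=0,gid=0 0 0
/dev/sda1 / ext4 rw,relatime 0 0'

# On a live system: classify_cifs_mounts < /proc/mounts
printf '%s\n' "$SAMPLE_MOUNTS" | classify_cifs_mounts
```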