[Samba] Access Windows files with individual user credentials

[Jeremy Allison]

On Mon, Mar 14, 2016 at 04:17:59PM -0700, B Martin wrote:
> Dear fellow Samba fans,
> 
> This seems like a blatantly obvious need, but I'm not finding
> anything in the Samba literature addressing it.  Maybe my search-fu
> is just failing me.
> 
> I have a collection of Linux machines with multiple simultaneous
> users.  The Linux machines are all running Samba 4.1.7, compiled
> from the source since my distro (CentOS 6.6) isn't that current.  We
> are operating in a Windows A/D domain via Winbind, and everything in
> that area seems to be working great.  Linux can see all the user
> accounts, knows their group memberships, etc., and their Windows
> login passwords work fine on the Linux boxes.
> 
> The Linux users want to access Windows network shares, which I
> currently implement using the automounter and a bit of code commonly
> floating around the Internet to mount it via smbclient.  The problem
> with this approach is that smbclient needs login credentials at the
> time it sets up the mount.  Everyone using that mount is then being
> treated as if they were using the same login credentials.  They
> don't gain their own individual access rights to files on the
> Windows share.  That's been OK so far, but the users are becoming

http://linux.die.net/man/8/mount.cifs

"multiuser

Map user accesses to individual credentials when accessing the server.
By default, CIFS mounts only use a single set of user credentials (the
mount credentials) when accessing a share. With this option, the client
instead creates a new session with the server using the user's credentials
whenever a new user accesses the mount. Further accesses by that user
will also use those credentials. Because the kernel cannot prompt for
passwords, multiuser mounts are limited to mounts using sec= options
that don't require passwords."

Which means use kerberos tickets, gotten from the kdc on login.