[Samba] Access Windows files with individual user credentials

B Martin samba-ml1 at martinconsulting.com
Tue Mar 15 00:24:38 UTC 2016


Awesome.  Thank you.

                -B.

On 03/14/2016 04:51 PM, Jeremy Allison wrote:
> On Mon, Mar 14, 2016 at 04:17:59PM -0700, B Martin wrote:
>> Dear fellow Samba fans,
>>
>> This seems like a blatantly obvious need, but I'm not finding
>> anything in the Samba literature addressing it.  Maybe my search-fu
>> is just failing me.
>>
>> I have a collection of Linux machines with multiple simultaneous
>> users.  The Linux machines are all running Samba 4.1.7, compiled
>> from the source since my distro (CentOS 6.6) isn't that current.  We
>> are operating in a Windows A/D domain via Winbind, and everything in
>> that area seems to be working great.  Linux can see all the user
>> accounts, knows their group memberships, etc., and their Windows
>> login passwords work fine on the Linux boxes.
>>
>> The Linux users want to access Windows network shares, which I
>> currently implement using the automounter and a bit of code commonly
>> floating around the Internet to mount it via smbclient.  The problem
>> with this approach is that smbclient needs login credentials at the
>> time it sets up the mount.  Everyone using that mount is then being
>> treated as if they were using the same login credentials.  They
>> don't gain their own individual access rights to files on the
>> Windows share.  That's been OK so far, but the users are becoming
> http://linux.die.net/man/8/mount.cifs
>
> "multiuser
>
> Map user accesses to individual credentials when accessing the server.
> By default, CIFS mounts only use a single set of user credentials (the
> mount credentials) when accessing a share. With this option, the client
> instead creates a new session with the server using the user's credentials
> whenever a new user accesses the mount. Further accesses by that user
> will also use those credentials. Because the kernel cannot prompt for
> passwords, multiuser mounts are limited to mounts using sec= options
> that don't require passwords."
>
> Which means use kerberos tickets, gotten from the kdc on login.
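
The behaviour quoted from the mount.cifs man page above, as an added example that is not part of the original thread: a shell check that reads /proc/mounts-style lines and reports whether each CIFS mount maps accesses to per-user credentials (multiuser with a Kerberos sec= mode) or to the single mount credential. The sample lines, server name, account name and paths are constructed, and the function name is hypothetical.

```shell
#!/bin/sh
# Added example: classify CIFS mounts by whether accesses map to per-user
# credentials (multiuser + Kerberos) or to the one credential given at mount time.
# A per-user mount is requested with options such as: -o sec=krb5,multiuser

# Constructed sample in /proc/mounts format (server, share and paths are made up).
SAMPLE_MOUNTS='//fs.example.test/projects /mnt/projects cifs rw,relatime,vers=1.0,sec=krb5,multiuser,uid=0,gid=0 0 0
//fs.example.test/scratch /mnt/scratch cifs rw,relatime,vers=1.0,sec=ntlmssp,username=svc_mount,uid=0,gid=0 0 0
/dev/sda1 / ext4 rw,relatime 0 0'

# Reads /proc/mounts-style lines on stdin and prints
# "<mountpoint> <verdict> sec=<mode>" for every cifs mount.
#   per-user  : multiuser with a Kerberos sec= mode
#   shared    : no multiuser; every local user acts as the mount credential
#   check-sec : multiuser present but sec= is not a Kerberos mode
audit_cifs_mounts() {
    awk '$3 == "cifs" {
        multi = 0; sec = "unset"
        n = split($4, opt, ",")
        for (i = 1; i <= n; i++) {
            if (opt[i] == "multiuser") multi = 1
            else if (opt[i] ~ /^sec=/) sec = substr(opt[i], 5)
        }
        if (!multi)                verdict = "shared"
        else if (sec ~ /^krb5i?$/) verdict = "per-user"
        else                       verdict = "check-sec"
        print $2, verdict, "sec=" sec
    }'
}

# Run against the sample; on a live host use: audit_cifs_mounts < /proc/mounts
printf '%s\n' "$SAMPLE_MOUNTS" | audit_cifs_mounts
```

A "shared" verdict is the situation described in the original question: file access on the server is evaluated against the mount account, not the individual Linux user.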
