[Samba] Access Windows files with individual user credentials

Sketch smblist at rednsx.org
Tue Mar 15 12:34:05 UTC 2016


On Mon, 14 Mar 2016, Jeremy Allison wrote:

> On Mon, Mar 14, 2016 at 04:17:59PM -0700, B Martin wrote:
>> users.  The Linux machines are all running Samba 4.1.7, compiled
>> from the source since my distro (CentOS 6.6) isn't that current.  We
>> are operating in a Windows A/D domain via Winbind, and everything in
>> that area seems to be working great.  Linux can see all the user
>> accounts, knows their group memberships, etc., and their Windows
>> login passwords work fine on the Linux boxes.
>>
>> The Linux users want to access Windows network shares, which I
>> currently implement using the automounter and a bit of code commonly

> http://linux.die.net/man/8/mount.cifs
>
> "multiuser
>
> Which means use kerberos tickets, gotten from the kdc on login.

This is the way to go.  Note that for EL6, Red Hat recommends you use 
/etc/fstab due to a bug in the way Kerberos credentials are handled by the 
kernel.  Using automount (especially with a short timeout) will cause the 
kernel keyring to fill up and run out of space, and eventually your users 
will be unable to remount the filesystem.  Red Hat doesn't want to fix it 
(at least as of EL6.5), because it requires an API change, so the fix is 
to upgrade to EL7.  I think I looked at EL6.6 and they had not fixed it, 
though I haven't looked at EL6.7.  I can't find a link for this now, but 
I'm pretty sure I read it in a Red Hat RHEL support-contract-required bug.

There is a workaround where adding the following to sysctl.conf will help 
avoid the problem somewhat, but won't solve it entirely:

kernel.keys.root_maxkeys = 1000000
kernel.keys.root_maxbytes = 25000000

Unless your users reboot often, you probably don't want to go this route. 
The alternative to rebooting is to restart autofs (requires root), and 
then have the user run kinit (requires the user to type their password), so 
it's not something easy to automate.

Red Hat has a good tutorial on how to use /etc/fstab to set up a permanent 
multiuser mount, but it requires a support contract:

https://access.redhat.com/solutions/279183

If you don't have one, the short version is: create a dummy "cifs" user, 
export its keytab, copy it to all the machines; set up the fstab entry 
with noauto; use a script at boot time to kinit using the exported keytab 
then run mount.
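
A check for the keyring exhaustion described above, as an added example that is not part of the original post: it reads /proc/key-users and reports any UID whose key count or key byte quota is at or above a threshold. The function names and the sample data are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag UIDs whose kernel key quota is close to exhaustion.
# /proc/key-users line format (kernel keys documentation):
#   <uid>: <usage> <nkeys>/<nikeys> <qnkeys>/<maxkeys> <qnbytes>/<maxbytes>

# keyring_pressure FILE [THRESHOLD_PERCENT]
# Prints "uid keys_pct bytes_pct" for each UID at or above the threshold.
keyring_pressure() {
    file=${1:-/proc/key-users}
    threshold=${2:-80}
    awk -v t="$threshold" '
        NF >= 5 {
            uid = $1; sub(/:$/, "", uid)
            split($4, k, "/")                  # quota keys in use / max keys
            split($5, b, "/")                  # quota bytes in use / max bytes
            if (k[2] <= 0 || b[2] <= 0) next   # skip malformed lines
            kp = int(k[1] * 100 / k[2])
            bp = int(b[1] * 100 / b[2])
            if (kp >= t || bp >= t) printf "%s %d %d\n", uid, kp, bp
        }' "$file"
}

# Constructed sample in the /proc/key-users layout (not captured from a
# real host): UID 1001 is close to both of its limits.
sample_key_users() {
    cat <<'EOF'
    0:    52 51/51 40/1000000 812/25000000
 1001:   203 200/200 196/200 17840/20000
 1002:     9 8/8 6/200 310/20000
EOF
}

# On a live Linux host, report anything at or above 80% of either quota.
if [ -r /proc/key-users ]; then
    keyring_pressure /proc/key-users 80
fi
```

Run periodically (for example from cron), a non-empty result gives warning before remounts start failing.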


