[Samba] Using GPO to mount shares on Linux

Rowland Penny rpenny at samba.org
Wed Oct 11 10:09:18 UTC 2017


On Wed, 11 Oct 2017 11:51:02 +0200
"L.P.H. van Belle via samba" <samba at lists.samba.org> wrote:

>  
> 
> > -----Original message-----
> > From: samba [mailto:samba-bounces at lists.samba.org] On behalf of 
> > Rowland Penny via samba
> > Sent: Wednesday 11 October 2017 11:39
> > To: samba at lists.samba.org
> > Subject: Re: [Samba] Using GPO to mount shares on Linux
> > 
> > On Wed, 11 Oct 2017 11:00:59 +0200
> > Michael Wandel <m.wandel at t-online.de> wrote:
> > 
> > > On 11.10.2017 10:37, Rowland Penny via samba wrote:
> > > > On Wed, 11 Oct 2017 10:13:35 +0200
> > > > "L.P.H. van Belle via samba" <samba at lists.samba.org> wrote:
> > > > 
> > > >> If you mean Linux <=> Linux, use automounting, or dedicated 
> > > >> mounts. Cifs/nfs, depending on your setup and what you need.
> > > >>
> > > >>
> > > > 
> > > > The problem is, they don't seem to work any more. They all seem to
> > > > rely on mount.cifs and you need to be root to run this. When
> > > > the user logs in, the mounting program runs using the user's
> > > > creds and fails.
> > > > 
> > > Hi,
> > > 
> > > it can be solved by pam_mount or you can use mount.cifs with the 
> > > multiuser option.
> > > 
> > > 
> > > https://www.snia.org/sites/default/orig/SDC2012/presentations/Revisions/JeffLayton_Multiuser%20Mounts%20with%20Linux%20CIFS_revision.pdf
> > > 
> > > best regards
> > > Michael
> > > 
> > > 
> > > > Rowland
> > > >   
> > > > 
> > > 
> > > 
> > 
> > I have tried to get autofs to work with nfs and cifs as user 
> > mounts, I cannot get these to work and believe me, I really
> > tried ;-)
> > 
> > I cannot get pam_mount to work either, it just tells me there 
> > are no volumes to mount. If I run the mount manually it 
> > doesn't work, I run it again with sudo, it works. I cannot 
> > find a way to get pam_mount to use sudo.
> > 
> > In my opinion 'multiuser' is a possibility, but again I cannot 
> > get it to work.
> > 
> > I am now considering pam_script, so watch this space ;-)
> > 
> > Rowland
> > 
> I believe you. The trick is. 
> 
> 1) add this to krb5.conf
> ; for Windows 2008 with AES
> default_tgs_enctypes = aes128-cts-hmac-sha1-96 aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
> default_tkt_enctypes = aes128-cts-hmac-sha1-96 aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
> permitted_enctypes = aes128-cts-hmac-sha1-96 aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
> 
> 2) make use of kerberos, add cifs/FQDN to the system keytab file.  
> 2a) optional, make use of idmap.conf, something like this. 
> /etc/idmapd.conf
> [General]
> 
> Verbosity = 0
> Pipefs-Directory = /run/rpc_pipefs
> 
> # set your own domain here, if id differs from FQDN minus hostname
> # Domain = localdomain
> Domain = internal.dnsdomain.tld 
> Local-Realm = REALM
> 
> [Mapping]
> 
> Nobody-User = nobody
> Nobody-Group = nogroup
> 
> [Translation]
> Method = static,nsswitch
> GSS-Methods = static,nsswitch
> 
> 
> [Static]
> NETBIOSNAME$@REALM = root
> host/FQDN@ROTTERDAM.BAZUIN.NL = root
> cifs/FQDN@ROTTERDAM.BAZUIN.NL = root
> cifs/FQDN@ = root
> 
> 
> 3) reboot the server, login and try 
> mount -t cifs -o sec=krb5i //fileserver.subdomain.domain.local/share /mnt 
> 
> 
> See if this helps. 
> 

I did all of this, I have read everything I could find on the internet
and I just couldn't make it work.

I am now a leading expert on what doesn't work ;-)

Rowland
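
Added example, not part of the original thread: the krb5.conf enctype lists quoted above still offer rc4-hmac and single-DES types, which RFC 6649 (DES) and RFC 8429 (RC4, 3DES) deprecate, so this sketch parses those three settings, reports the deprecated entries and prints AES-only replacements. The function names and the [libdefaults] placement in the sample are assumptions made for the example.

```python
import re

# Deprecated enctype names: single DES (RFC 6649), RC4 and 3DES (RFC 8429).
WEAK = re.compile(r"^(des$|des-|des3|rc4|arcfour)", re.IGNORECASE)
ENCTYPE_KEYS = ("default_tgs_enctypes", "default_tkt_enctypes", "permitted_enctypes")

def parse_enctype_lists(text):
    """Return {key: [enctypes]} for the enctype settings found in krb5.conf text."""
    lists = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;" or "=" not in line:
            continue  # blank line, comment or section header
        key, _, value = line.partition("=")
        if key.strip() in ENCTYPE_KEYS:
            lists[key.strip()] = [e for e in re.split(r"[,\s]+", value.strip()) if e]
    return lists

def audit(text):
    """Return {key: [weak enctypes]} for every list that offers a deprecated type."""
    weak = {k: [e for e in v if WEAK.match(e)] for k, v in parse_enctype_lists(text).items()}
    return {k: v for k, v in weak.items() if v}

def hardened(text):
    """Return replacement lines with the deprecated types dropped, order preserved."""
    return [f"{k} = {' '.join(e for e in v if not WEAK.match(e))}"
            for k, v in parse_enctype_lists(text).items()]

# Constructed sample: the three lists from the quoted message, each on one line.
# Placing them under [libdefaults] is an assumption; the post names no section.
SAMPLE = """\
[libdefaults]
; for Windows 2008 with AES
default_tgs_enctypes = aes128-cts-hmac-sha1-96 aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
default_tkt_enctypes = aes128-cts-hmac-sha1-96 aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
permitted_enctypes = aes128-cts-hmac-sha1-96 aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
"""

if __name__ == "__main__":
    for key, weak in audit(SAMPLE).items():
        print(f"{key}: deprecated {', '.join(weak)}")
    print("\n".join(hardened(SAMPLE)))
```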



