[opensuse] Permissions on cifs mounted volumes
I have no problems mounting cifs file systems and assigning ownership of the files to some user (via mount command parameters). I am now hoping to set up something a bit more complex and am unsure how best to proceed.

I have an openSUSE 11.2 system that authenticates users via an MS Active Directory. This works fine. Users log in and a home is created on the fly. It literally has a life of its own. Which is great.

In this setup, there are a number of shared drives that all users attach to on their Windows PCs. They want the same capability when they log in on Linux. The drives are the same for all users. The permissions for reading and writing are maintained in the AD based on the user. And there is the problem: on a Windows PC, only one person is usually logged in and thus gets the correct permissions on that PC. On the Linux box, perhaps more than one person will log in at a time. How to sort out the cifs file system permissions?

I am guessing that such sharing is not really part of the cifs client mount capabilities.

So, I have been considering doing the following. All the AD logins are in the Linux 'users' group. If I set the default file permissions so that the group has the permissions I am after, the members of the group should be able to play nice together. The limitations I see are:

1. no one gets more permissions than the user cifs used to mount the file system, independent of their AD permissions.
2. some users who might not have permissions in the AD will get them if the user cifs used when mounting the file system had those extra permissions.

Is there perhaps a more obvious way that I have not figured out? Like mounting these cifs file systems multiple times, one for each user, using their AD authentication? I really want these to be mounted automatically when the user logs in. The password for the remote cifs will be the same as the one they logged in with (as they were authenticated in that AD), but I am guessing they will have to enter it again for the mounting, right? I usually see autofs mentioned in these parts. How does that deal with the authentication?

I think this is the last major part of the puzzle for me using AD with Linux.

-- Roger Oberholtzer OPQ Systems / Ramböll RST Ramböll Sverige AB Krukmakargatan 21 P.O. Box 17009 SE-104 62 Stockholm, Sweden Office: Int +46 10-615 60 20 Mobile: Int +46 70-815 1696

-- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org For additional commands, e-mail: opensuse+help@opensuse.org
Hi Roger

There are two sets of permissions, and there are also two users involved.
1. The local permissions of the local user (assigned at mount time).
2. The remote permissions of the remote user you use to log in on the file server.
And additionally the restrictions you have set in the Samba server.

The local permissions are handled locally. Stop. The remote permissions are handled remotely. Stop.

The lesser privs win!

Success, Hans

On 19/03/10 16:31, Roger Oberholtzer wrote:
I have no problems mounting cifs file systems and assigning ownership to the files to some user (via mount command parameters). I am now hoping to set up something a bit more complex and am unsure how best to proceed.
I have an openSUSE 11.2 system that authenticates users via an MS Active Directory. This works fine. Users log in and a home is created on the fly. It literally has a life of its own. Which is great.
In this setup, there are a number of shared drives that all users attach to on their Windows PCs. They want the same capability when they log in on Linux. The drives are the same for all users. The permissions for reading and writing are maintained in the AD based on the user. And there is the problem: on a Windows PC, only one person is usually logged in and thus gets the correct permissions on that PC. On the Linux box, perhaps more than one person will log in at a time. How to sort out the cifs file system permissions?
I am guessing that such sharing is not really part of the cifs client mount capabilities.
So, I have been considering doing the following. All the AD logins are in the Linux 'users' group. If I set the default file permissions so that the group has the permissions I am after, the members of the group should be able to play nice together. The limitations I see are:
1. no one gets more permissions than the user cifs used to mount the file system, independent of their AD permissions.
2. some users who might not have permissions in the AD will get them if the user cifs used when mounting the file system had those extra permissions.
Is there perhaps a more obvious way that I have not figured out? Like mounting these cifs file systems multiple times, one for each user, using their AD authentication? I really want these to be mounted automatically when the user logs in. The password for the remote cifs will be the same as the one they logged in with (as they were authenticated in that AD), but I am guessing they will have to enter it again for the mounting, right? I usually see autofs mentioned in these parts. How does that deal with the authentication?
I think this is the last major part of the puzzle for me using AD with Linux.
On Fri, 2010-03-19 at 16:57 +0100, Hans de Faber wrote:
Hi Roger
There are two sets of permissions, and there are also two users involved. 1. The local permissions of the local user (assigned at mount time). 2. The remote permissions of the remote user you use to log in on the file server. And additionally the restrictions you have set in the Samba server.
The local permissions are handled locally. Stop. The remote permissions are handled remotely. Stop.
The lesser privs win !
That was what I was trying to say. Since that post, I am looking at pam_mount (I saw a reference in the 11.3 milestone 3 release notes, which was a nice coincidence). We will see how that works out.

-- Roger Oberholtzer
On Friday, 19 March 2010, Roger Oberholtzer wrote:
[...] I usually see autofs mentioned in these parts. How does that deal with the authentication? [...]
I do not know whether autofs will help you in this case. However, I use it to mount the private user shares of my NAS. These shares are only provided using cifs. But, I do not use AD!

My /etc/auto.cifs looks like this:

    * -fstype=cifs,user=${USER},credentials=${HOME}/.cifs_credentials ://nas.local/&

'*' is the wildcard key and '&' gets replaced by the provided key. "${USER}" gets replaced by the user's login name and "${HOME}" by their home directory. So, each user has their share password saved in their home directory, e.g., /home/foo/.cifs_credentials looks like this:

    password=12345

Now, if a user accesses any sub-directory of the master directory, autofs tries to mount the share with this name with the credentials consisting of the user's login name and the password provided in their home directory. So, if you remove the '&' and replace it by a constant share name, each user will get their own view of the share when accessing the directory consisting of their user name, including correct permissions, in case the Samba server supports CIFS Unix extensions.

However, using pam_mount could avoid the need for saving each user's password in their home directory. But since I do not use AD ... I found some threads via google, e.g.:
http://forums.opensuse.org/network-internet/393343-authenticate-mount-ad-shares-pam_mount.html

Regards, Jan
-- You can't expect to hit the jackpot if you don't put a few nickels in the machine.
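Jan's map works because every user carries their own share password in ${HOME}/.cifs_credentials, which is also its weak spot: that file holds the password (for Roger's users, the AD password) in cleartext, so its mode and ownership are the only thing keeping it from other local users on a multi-user box. The script below is an added example, not code from Jan's or Roger's mails. It provisions that credentials file the way mount.cifs expects, checks it before autofs ever hands it to mount.cifs, and renders the fixed-share variant of Jan's map line. The host nas.local, the map syntax and the password= line are taken from Jan's mail; the share name, the optional domain= line, the uid/gid mount options (and the UID/GID map variables, see autofs(5)) and the throwaway test directory are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the thread: provision and verify the per-user
# mount.cifs credentials file that Jan's /etc/auto.cifs map reads, and
# render the map line with '&' replaced by a fixed share name.
# Assumed, not from the thread: the share name, the domain= line, the
# uid/gid options and the use of autofs' UID/GID map variables.

# write_cifs_credentials DIR PASSWORD [DOMAIN]
# Creates DIR/.cifs_credentials in the key=value format mount.cifs(8)
# reads (password=, optional domain=), mode 0600. The username still comes
# from user=${USER} on the map line, as in Jan's setup. Prints the path.
write_cifs_credentials() {
    wc_dir=$1; wc_pass=$2; wc_domain=${3:-}
    wc_file="$wc_dir/.cifs_credentials"
    # Never write through a pre-planted symlink: on a shared or NFS home
    # that would put the password wherever the link points.
    if [ -L "$wc_file" ]; then
        echo "refusing to write through symlink $wc_file" >&2
        return 1
    fi
    # Subshell with umask 077: the file is created 0600 from the start, so
    # it is never even briefly group/world readable, and the caller's umask
    # is untouched. Remove any old copy first so a stale 0644 file is not
    # simply truncated and refilled while still readable.
    (
        umask 077
        rm -f "$wc_file"
        {
            printf 'password=%s\n' "$wc_pass"
            if [ -n "$wc_domain" ]; then printf 'domain=%s\n' "$wc_domain"; fi
        } > "$wc_file"
    ) || return 1
    chmod 0600 "$wc_file" || return 1
    printf '%s\n' "$wc_file"
}

# check_cifs_credentials FILE
# 0 if FILE is a regular file, has no group/other permission bits at all,
# and contains a password= line; 1, 2 or 3 says which check failed.
check_cifs_credentials() {
    cc_file=$1
    [ -f "$cc_file" ] || return 1
    # Columns 5-10 of `ls -l` are the group and other rwx bits; using ls
    # sidesteps the GNU/BSD difference in stat(1) option syntax.
    cc_rest=$(ls -ld "$cc_file" | cut -c5-10)
    [ "$cc_rest" = "------" ] || return 2
    grep -q '^password=' "$cc_file" || return 3
    return 0
}

# autofs_map_line SHARE [HOST]
# Jan's indirect map entry with '&' replaced by a fixed share name, so any
# user touching <mountdir>/<anything> gets SHARE mounted with their own
# credentials. uid/gid make the files show as that user locally when the
# server has no CIFS Unix extensions; autofs exporting UID and GID like
# USER and HOME is assumed here (autofs(5)), not stated in the thread.
autofs_map_line() {
    ml_share=$1; ml_host=${2:-nas.local}
    printf '* -fstype=cifs,user=${USER},credentials=${HOME}/.cifs_credentials,uid=${UID},gid=${GID} ://%s/%s\n' \
        "$ml_host" "$ml_share"
}

# demo: exercise everything on a constructed throwaway directory (not a
# real home) and return the check's result.
demo() {
    dm_dir=$(mktemp -d) || return 1
    dm_file=$(write_cifs_credentials "$dm_dir" s3cret EXAMPLE) || return 1
    check_cifs_credentials "$dm_file"; dm_rc=$?
    autofs_map_line shared
    rm -rf "$dm_dir"
    return $dm_rc
}

demo
```

Run it as the user whose home the file belongs in, then install the printed map line in /etc/auto.cifs. For Roger's AD users the value behind password= is the same AD password they just logged in with, which is exactly why Jan points at pam_mount as the cleaner option: it can mount with the password from the login itself instead of keeping a copy on disk.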
participants (3)
- Hans de Faber
- Jan Ritzerfeld
- Roger Oberholtzer