Hi,
I need to run a Samba CIFS proxy (not DFS) in an AD environment. What we
tried so far is mounting the remote share with mount.cifs and "-o
sec=krb5i,multiuser" and sharing it through samba. But mount.cifs's
multiuser option requires local access to the domain user's kerberos
tickets, i.e., if I log in as a domain user and run kinit to get a ticket,
everything works. If the multiuser option is not used, the permission
checks done by the server will always correspond to the credentials used
to mount the share, and not necessarily to the user who is accessing the
share (quoted from man mount.cifs). The question is how to make this
work automatically so as not to require each domain user to log in to the
samba server and kinit manually.
Winbind is configured and running correctly (wbinfo -u/-g lists domain
users/groups). I can su - into a domain user and login as a domain user
(locally and ssh).
I've checked samba4's ntvfs cifs module but it won't even compile and I
guess it's not ready for production.
Here's smb.conf:
[global]
workgroup = MYDOMAIN
realm = MYDOMAIN.COM
server string = %h server (Samba, Ubuntu)
dns proxy = no
log file = /var/log/samba/log.%m
log level = 2
max log size = 1000
syslog = 0
security = ADS
password server = server01.mydomain.com
encrypt passwords = yes
passdb backend = tdbsam
load printers = no
idmap uid = 10000-20000
idmap gid = 10000-20000
winbind enum groups = yes
winbind enum users = yes
winbind separator = .
winbind use default domain = yes
winbind refresh tickets = true
template shell = /bin/bash
[cifs]
comment = cifs mountpoint
path = /mnt/cifs
public = yes
writable = yes
browseable = yes
Thanks,
Max
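As an added example that is not part of the original post (nor of Samba's own tooling), a small POSIX-sh checker for an smb.conf like the one above; the sample configuration it writes is constructed from the post's [cifs] share plus a hypothetical [cifs_authenticated] variant:

```shell
# Added example, not from the original post: a POSIX-sh checker for an smb.conf like the
# one above. smb_get reads one parameter from one section (Samba matches names case- and
# whitespace-insensitively); is_guest_writable flags a share that is guest-accessible AND
# writable. On the proxy share that matters: "public = yes" means "guest ok = yes", and a
# guest has no Kerberos ticket, so under a multiuser mount the remote server's check falls
# back to whatever credential performed the mount.
# smb_get FILE SECTION KEY -> prints the value, or nothing if unset.
smb_get() {
    awk -v sect="$2" -v key="$3" '
        BEGIN { gsub(/[ \t]/, "", key); key = tolower(key); sect = tolower(sect) }
        /^[ \t]*[#;]/ { next }
        /^[ \t]*\[/ { s = $0; sub(/^[ \t]*\[/, "", s); sub(/\].*$/, "", s)
                      insect = (tolower(s) == sect); next }
        insect && /=/ {
            k = $0; sub(/=.*/, "", k); gsub(/[ \t]/, "", k)
            if (tolower(k) == key) {
                v = $0; sub(/^[^=]*=/, "", v); gsub(/^[ \t]+|[ \t]+$/, "", v)
                print v; exit
            }
        }' "$1"
}
# smb_bool VALUE -> 0 if Samba reads it as true (yes/true/1), 1 otherwise.
smb_bool() { case "$(printf '%s' "$1" | tr 'A-Z' 'a-z')" in yes|true|1) return 0;; *) return 1;; esac; }
# is_guest_writable FILE SECTION -> 0 when guest access and writing are both enabled.
is_guest_writable() {
    g=$(smb_get "$1" "$2" "guest ok"); [ -n "$g" ] || g=$(smb_get "$1" "$2" public)
    w=$(smb_get "$1" "$2" writable);   [ -n "$w" ] || w=$(smb_get "$1" "$2" writeable)
    smb_bool "$g" && smb_bool "$w"
}
# make_sample_conf -> writes a constructed smb.conf (the poster's [cifs] share next to
# a hypothetical variant that requires an authenticated user) and prints its path.
make_sample_conf() {
    f=$(mktemp) || return 1
    cat >"$f" <<'EOF'
[global]
   security = ADS
   winbind refresh tickets = true
[cifs]
   public = yes
   writable = yes
[cifs_authenticated]
   guest ok = no
   writable = yes
EOF
    printf '%s\n' "$f"
}
conf=$(make_sample_conf)
for share in cifs cifs_authenticated; do if is_guest_writable "$conf" "$share"; then echo "[$share] is guest-writable"; else echo "[$share] ok"; fi; done
rm -f "$conf"
```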