Andy Liebman
2013-Nov-03 05:18 UTC
[Samba] Accessing multiple Active Directory accounts simultaneously from a single Linux server
Hello,
I have been doing a lot of research on this subject and I'm not finding a
clear answer. My company currently makes a video capture and transcoding
application that runs on a Linux server. The video application mounts shares
from a second Linux storage server for various users at the same time. In other
words, we have:
A Linux Storage Server with many accounts (for example, user1, user2, user3,
etc) and many Samba shares (for example, space1, space2, space3, etc)
A Linux Video Server that performs work for various client applications at the
same time, mounting different shares from the Storage server, and authenticating
each mount as a different user so that it can capture video into the shares the
user is allowed to use. (e.g., user1->share1, user2->share2). Imagine we
mount each user's home directory and capture video into it. That's
roughly what I'm talking about, although typically a single share can be
accessed by more than one user. In our current non-Active Directory
configuration, the Video server runs commands such as:
sudo mount -t cifs //StorageServer/ShareName /path/to/mountpoint -o rw,noperm,user=user1,password={user's password}
sudo mount -t cifs //StorageServer/DifferentShareName /path/to/different/mountpoint -o rw,noperm,user=user2,password={user's password}
Note -- we mount one share as "user1" and another as "user2".
We are now trying to integrate all of this into an Active Directory environment.
We have the Storage Server working properly within a Windows Server 2008 R2
domain. After logging into Windows workstations, domain users are able to mount
shares from the storage server without supplying any additional credentials (the
storage server knows who they are and lets them mount the shares they are
authorized to see).
The question is, what can we do on the Video Server side? In the context of
Active Directory, how can a single Linux Video Server mount different shares
from the Storage Server authenticating as different domain users? We can join
the Video Server to the Active Directory domain, but we are not logging into the
Video Server ITSELF as one particular domain user and we really don't want
to start different sessions for each user. We just want to be able to connect to
the storage server the way we always have and say, "here are the
credentials for user1 and we want to mount this Samba share on user1's
behalf so that we can capture video into it". All the mount.cifs options I
have tried so far result in errors reported on the Storage server.
Is this possible in the context of Active Directory? Do we need to specify some
special security options in the mount command? Is there a very specific way we
need to refer to the "Storage Server" (for example, \\FQDN\ShareName)
and to users (for example, \\DOMAIN\username)? I actually tried that and it
doesn't work. I get errors on the Storage server to the effect of
"Couldn't find user in passdb", not using winbind, etc. Do we have
to somehow get a Kerberos ticket on the Video Server for the user that we can
then use to mount the shares for that user?
Thanks in advance for any good advice. If anybody can refer me to a document
that describes how to do this, I would be more than happy to follow the
directions!
Regards,
Andy Liebman
EditShare
Andy Liebman
2013-Nov-04 02:42 UTC
[Samba] Accessing multiple Active Directory accounts simultaneously from a single Linux server
I have made some progress. Please see below.
Doing the following allows me to mount Storage Server shares from any Linux server:
-- sudo kinit user1
-- enter user1's password
-- sudo mount -t cifs //FQDN_of_StorageServer/ShareName /path/to/mountpoint -o rw,noperm,sec=krb5,domain=mydomain
However, I can see that trying to do this for multiple different users on the
same Linux server could be complicated. Can you "switch users" by
going through another "kinit" command to a different user? I have
tried it and it seems to work sometimes, but other times when I switch users
with a new "kinit" I get a message "Cannot allocate memory".
I am also worried that there will be confusion about what user has mounted the share because that is important.
It seems it would be better to NOT use Kerberos from the Linux server but
instead use NTLMv2. NTLMv2 is enabled in my smb.conf file but if I try to mount
a share as follows:
-- sudo mount -t cifs //FQDN_of_StorageServer/ShareName /path/to/mountpoint -o rw,noperm,sec=ntlmv2,username=user1,password={his password}
I get back "mount error(13): Permission denied". Is it possible to use NTLM here instead of Kerberos?
-- Andy
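The kinit-then-mount procedure in the message above works for one user but gets fragile when a second kinit replaces the first user's ticket. The script below is an added example (not from the original post or from Samba) of the per-user variant: each domain user gets its own credential cache, and mount.cifs is told which cache to use via its cruid= option, so root can hold several shares mounted as different users at once and no password ever appears on the mount command line. It assumes the host is joined to the domain with winbind or sssd mapping domain users to local uids, and uses placeholder values for REALM, STORAGE and the user/share list.

```shell
#!/bin/sh
# Added example, not from the original post or Samba: mount one share per
# domain user on a single Linux host, giving each user a separate Kerberos
# credential cache so a later kinit does not overwrite an earlier user's ticket.
# Assumptions: the host is joined to the domain and winbind/sssd maps domain
# users to local uids; REALM and STORAGE are placeholders for your environment.
REALM="${REALM:-EXAMPLE.LOCAL}"
STORAGE="${STORAGE:-storage.example.local}"
DRY_RUN="${DRY_RUN:-1}"        # 1: only print the commands; 0: really run them

run() { if [ "$DRY_RUN" = 1 ]; then echo "+ $*"; else "$@"; fi; }

# Map a user to a local uid; $2 is a fallback so the script works in dry runs
# on hosts that do not know the user.
uid_of() { id -u "$1" 2>/dev/null || echo "$2"; }

# Build the mount command. sec=krb5 selects Kerberos, and cruid=<uid> tells
# cifs.upcall which user's ticket cache to use for the session setup, so the
# share is authenticated as that user even though root runs mount.
mount_cmd() {
    echo "mount -t cifs //$STORAGE/$2 $3 -o rw,noperm,sec=krb5,cruid=$1"
}

# mount_as_user <domain user> <share> <mountpoint> [fallback uid]
mount_as_user() {
    user=$1 share=$2 mnt=$3
    uid=$(uid_of "$user" "${4:-65534}")
    cache="/tmp/krb5cc_$uid"           # default cache location keyed by uid
    # The ticket goes into this user's own cache, not root's default one,
    # so kinit for the next user leaves it untouched.
    run kinit -c "$cache" "$user@$REALM"
    run chown "$uid" "$cache"          # cache must belong to the cruid user
    run mkdir -p "$mnt"
    run $(mount_cmd "$uid" "$share" "$mnt")
}

# Constructed sample mapping (user:share:mountpoint:fallback uid).
SAMPLE="user1:space1:/mnt/space1:10001
user2:space2:/mnt/space2:10002"

main() {
    echo "$SAMPLE" | while IFS=: read -r u s m id; do
        mount_as_user "$u" "$s" "$m" "$id"
    done
}

main
```

Run with DRY_RUN=0 as root to perform the mounts; kinit prompts for each user's password in turn, and `klist -c /tmp/krb5cc_<uid>` shows which ticket a given mount is using.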