Andy Liebman
2013-Nov-03 05:18 UTC
[Samba] Accessing multiple Active Directory accounts simultaneously from a single Linux server
Hello,

I have been doing a lot of research on this subject and I'm not finding a clear answer.

My company currently makes a video capture and transcoding application that runs on a Linux server. The video application mounts shares from a second Linux storage server for various users at the same time. In other words, we have:

- A Linux Storage Server with many accounts (for example, user1, user2, user3, etc.) and many Samba shares (for example, space1, space2, space3, etc.)

- A Linux Video Server that performs work for various client applications at the same time, mounting different shares from the Storage server, and authenticating each mount as a different user so that it can capture video into the shares the user is allowed to use (e.g., user1->share1, user2->share2).

Imagine we mount each user's home directory and capture video into it. That's roughly what I'm talking about, although typically a single share can be accessed by more than one user.

In our current non-Active Directory configuration, the Video server runs commands such as:

sudo mount -t cifs //StorageServer/ShareName /path/to/mountpoint -o rw,noperm,user=user1,password={user's password}

sudo mount -t cifs //StorageServer/DifferentShareName /path/to/different/mountpoint -o rw,noperm,user=user2,password={user's password}

Note -- we mount one share as "user1" and another as "user2".

We are now trying to integrate all of this into an Active Directory environment. We have the Storage Server working properly within a Windows Server 2008 R2 domain. After logging into Windows workstations, domain users are able to mount shares from the storage server without supplying any additional credentials (the storage server knows who they are and lets them mount the shares they are authorized to see).

The question is, what can we do on the Video Server side? In the context of Active Directory, how can a single Linux Video Server mount different shares from the Storage Server authenticating as different domain users?

We can join the Video Server to the Active Directory domain, but we are not logging into the Video Server ITSELF as one particular domain user and we really don't want to start different sessions for each user. We just want to be able to connect to the storage server the way we always have and say, "here are the credentials for user1 and we want to mount this Samba share on user1's behalf so that we can capture video into it".

All the mount.cifs options I have tried so far result in errors reported on the Storage server.

Is this possible in the context of Active Directory? Do we need to specify some special security options in the mount command? Is there a very specific way we need to refer to the "Storage Server" (for example, \\FQDN\ShareName) and to users (for example, \\DOMAIN\username)? I actually tried that and it doesn't work. I get errors on the Storage server to the effect of "Couldn't find user in passdb", not using winbind, etc.

Do we have to somehow get a Kerberos ticket on the Video Server for the user that we can then use to mount the shares for that user?

Thanks in advance for any good advice. If anybody can refer me to a document that describes how to do this, I would be more than happy to follow the directions!

Regards,
Andy Liebman
EditShare
Andy Liebman
2013-Nov-04 02:42 UTC
[Samba] Accessing multiple Active Directory accounts simultaneously from a single Linux server
I have made some progress. Please see below.

Doing the following allows me to mount Storage Server shares from any Linux server:

-- sudo kinit user1
-- enter user1's password
-- sudo mount -t cifs //FQDN_of_StorageServer/ShareName /path/to/mountpoint -o rw,noperm,sec=krb5,domain=mydomain

However, I can see that trying to do this for multiple different users on the same Linux server could be complicated. Can you "switch users" by going through another "kinit" command to a different user? I have tried it and it seems to work sometimes, but other times when I switch users with a new "kinit" I get a message "Cannot allocate memory". I'm also worried that there will be confusion about what user has mounted the share, because that is important.
It seems it would be better to NOT use Kerberos from the Linux server but instead use NTLMv2. NTLMv2 is enabled in my smb.conf file, but if I try to mount a share as follows:

-- sudo mount -t cifs //FQDN_of_StorageServer/ShareName /path/to/mountpoint -o rw,noperm,sec=ntlmv2,username=user1,password={his password}

I get back "mount error(13): Permission denied". Is it possible to use NTLM here instead of Kerberos?

-- Andy
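One way to keep each user's tickets and mounts apart, addressing the kinit-switching and which-user-holds-the-mount concerns raised above, as an added example that is not part of the thread (the realm, storage FQDN and file paths are assumed placeholders; the NTLMSSP variant swaps the password-on-the-command-line form for a credentials file):

```shell
#!/bin/sh
# Added example, not code from the list thread. Assumes the Video Server is a winbind
# domain member (so `id user1` resolves an AD user to a Unix uid), that cifs.upcall is
# installed, and these placeholder names:
REALM="AD.EXAMPLE.COM"               # assumed Kerberos realm of the domain
STORAGE="storage.ad.example.com"     # assumed FQDN of the Storage Server

# One ticket cache per user, keyed by uid and placed where cifs.upcall looks for it.
# Separate caches mean a later kinit for user2 never clobbers user1's tickets.
ccache_for_uid() { printf 'FILE:/tmp/krb5cc_%s' "$1"; }

# mount.cifs options for a mount made on one user's behalf: sec=krb5 uses that user's
# ticket and cruid= names whose cache to read, so no password is passed in argv.
cifs_opts_for_uid() { printf 'rw,noperm,sec=krb5,cruid=%s' "$1"; }

# Alternative without Kerberos: NTLMSSP with a credentials file (username=, password=,
# domain= lines; root-owned, mode 0600) instead of password= in argv, which `ps` exposes.
cifs_opts_ntlmssp() { printf 'rw,noperm,sec=ntlmssp,credentials=%s' "$1"; }

# Obtain a TGT for one AD user into that user's own cache. The password is read from a
# root-only file on stdin. The cache is chowned to the uid because cifs.upcall reads it
# on behalf of that uid, not as root.
acquire_tgt() {
  user="$1"; passfile="$2"
  uid=$(id -u "$user") || return 1
  KRB5CCNAME=$(ccache_for_uid "$uid") kinit "${user}@${REALM}" < "$passfile" || return 1
  chown "$uid" "/tmp/krb5cc_${uid}"
}

# Mount a share on behalf of a user under a per-user mountpoint, so the path itself records
# which identity holds the mount; `findmnt -t cifs -o TARGET,OPTIONS` lists the recorded
# options for each mount.
mount_as_user() {
  user="$1"; share="$2"
  uid=$(id -u "$user") || return 1
  mp="/mnt/video/${user}/${share}"
  mkdir -p "$mp" || return 1
  mount -t cifs "//${STORAGE}/${share}" "$mp" -o "$(cifs_opts_for_uid "$uid")"
}

# Usage (as root), e.g.: acquire_tgt user1 /etc/videosvc/user1.pass && mount_as_user user1 space1
```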