Lazarevich, Alexander
2014-Mar-24 17:24 UTC
[Samba] mount.cifs permissions for non-root user via sudo
I'm not sure this is the proper forum to post to, but I hope someone can point me in the right direction if not have the answers. We have a RedHat Enterprise 5 AS machine, fully patched, with the most recent samba RPMs installed. The machine is joined to Active Directory via a 3rd party program called Centrify. An AD user, when logged into this system, is given permission to run /bin/mount via sudo, in order to mount that user's Windows share from a Windows fileserver. (2008R2) The exact mount command is:

sudo mount -t cifs //servername/share/user1 /home/user1/network-mount -o domain=domname,username=user1

After the user provides their AD password, the share is mounted:

[user1 at linux1PC]$ df -h
Filesystem                Size  Used Avail Use% Mounted on
/dev/sda2                  20G  7.3G   12G  40% /
/dev/sda1                  99M   25M   70M  26% /boot
tmpfs                    1006M     0 1006M   0% /dev/shm
//servername/share/user1  6.0T  5.0T  1.1T  83% /home/user1/network-mount

As you can see, the mount worked fine. However, the permissions are very odd. All files/folders are owned by root:

[user1 at linux1PC]$ ls -l
total 547949
-rwxrwSrwx 1 root root  70207240 Jul 30 2012 5.5.4.0-TIV-TSMBAC-WinX32.exe
-rwxrwSrwx 1 root root 157970712 Jun 5 2013 6.2.3.0-TIV-TSMBAC-WinX32.exe
-rwxrwSrwx 1 root root 158327144 Jun 5 2013 6.2.5.0-TIV-TSMBAC-WinX32.exe
-rwxrwSrwx 1 root root 174554976 Jun 5 2013 6.3.1.0-TIV-TSMBAC-WinX32.exe
...
...

After some testing, it seems as though the mount command is purposefully mounting the share as root, with 777 perms, so the user can have proper access. The user1 is able to read/write all files as needed. And other users on the system have no access to the share. (which is odd because the perms are 777)

I'm hoping someone else in the world has solved this problem: Is this the proper way to mount non-root user Windows shares via command line? Is there another/better way to mount Windows shares command line for non-root users? Or are we doing it the correct way and somehow the system is monitoring the mounted share and translating permissions from unix to CIFS on the fly? The ACLs on the Windows server are correct for all created files/folders from that user. We have to know these permissions are correct and stable before we put this mount procedure into production in our labs.

Any ideas?

Thanks!

Alex

On Mon, 2014-03-24 at 17:24 +0000, Lazarevich, Alexander wrote:
> I'm not sure this is the proper forum to post to, but I hope someone can point me in the right direction if not have the answers. We have a RedHat Enterprise 5 AS machine, fully patched, with the most recent samba RPMs installed. The machine is joined to Active Directory via a 3rd party program called Centrify. An AD user, when logged into this system, is given permission to run /bin/mount via sudo, in order to mount that user's Windows share from a Windows fileserver. (2008R2) The exact mount command is:
>
> sudo mount -t cifs //servername/share/user1 /home/user1/network-mount -o domain=domname,username=user1
>
> After the user provides their AD password, the share is mounted:
>
> [user1 at linux1PC]$ df -h
> Filesystem                Size  Used Avail Use% Mounted on
> /dev/sda2                  20G  7.3G   12G  40% /
> /dev/sda1                  99M   25M   70M  26% /boot
> tmpfs                    1006M     0 1006M   0% /dev/shm
> //servername/share/user1  6.0T  5.0T  1.1T  83% /home/user1/network-mount
>
> As you can see, the mount worked fine. However, the permissions are very odd. All files/folders are owned by root:
>
> [user1 at linux1PC]$ ls -l
> total 547949
> -rwxrwSrwx 1 root root  70207240 Jul 30 2012 5.5.4.0-TIV-TSMBAC-WinX32.exe
> -rwxrwSrwx 1 root root 157970712 Jun 5 2013 6.2.3.0-TIV-TSMBAC-WinX32.exe
> -rwxrwSrwx 1 root root 158327144 Jun 5 2013 6.2.5.0-TIV-TSMBAC-WinX32.exe
> -rwxrwSrwx 1 root root 174554976 Jun 5 2013 6.3.1.0-TIV-TSMBAC-WinX32.exe
> ...
> ...
>
> After some testing, it seems as though the mount command is purposefully mounting the share as root, with 777 perms, so the user can have proper access. The user1 is able to read/write all files as needed. And other users on the system have no access to the share. (which is odd because the perms are 777)
>
> I'm hoping someone else in the world has solved this problem: Is this the proper way to mount non-root user Windows shares via command line? Is there another/better way to mount Windows shares command line for non-root users? Or are we doing it the correct way and somehow the system is monitoring the mounted share and translating permissions from unix to CIFS on the fly? The ACLs on the Windows server are correct for all created files/folders from that user. We have to know these permissions are correct and stable before we put this mount procedure into production in our labs.
>
> Any ideas?
>
> Thanks!
>
> Alex

Hi

Over cifs, the -rwxrwSrwx part of the listing doesn't bear any resemblance to the actual ac lists.

HTH
Steve
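
Added example, not part of the original thread: Python that decodes the -rwxrwSrwx string from the listing and compares what the mode bits alone predict with what an open() on the file actually allows, which is the mismatch discussed above. The function names and the uid 1001 are constructed for illustration; compare() assumes a regular file.

```python
import os
import stat

# position within the 9 permission characters -> (letters, special bit)
SPECIAL = {2: ("sS", stat.S_ISUID), 5: ("sS", stat.S_ISGID), 8: ("tT", stat.S_ISVTX)}

def parse_ls_mode(text):
    """Turn an `ls -l` mode string such as '-rwxrwSrwx' into a numeric mode."""
    if len(text) != 10:
        raise ValueError("expected 10 characters: %r" % text)
    mode = 0
    for i, ch in enumerate(text[1:]):
        bit = 1 << (8 - i)
        if i in SPECIAL and ch in SPECIAL[i][0]:
            mode |= SPECIAL[i][1]
            if ch.islower():              # lowercase also implies the execute bit
                mode |= bit
        elif ch == "rwx"[i % 3]:
            mode |= bit
        elif ch != "-":
            raise ValueError("bad character %r in %r" % (ch, text))
    return mode

def mode_predicts(mode, owner_uid, owner_gid, uid, gids, want):
    """What classic Unix mode bits alone say about `want` ('r', 'w' or 'x')."""
    if uid == 0:                          # root bypasses the bits, except for execute
        return want != "x" or bool(mode & 0o111)
    shift = 6 if uid == owner_uid else 3 if owner_gid in gids else 0
    return bool((mode >> shift) & {"r": 4, "w": 2, "x": 1}[want])

def compare(path):
    """Return {'r'|'w': (predicted_by_mode_bits, actually_allowed)} for the caller."""
    st = os.stat(path)
    gids = set(os.getgroups()) | {os.getegid()}
    result = {}
    for want, flag in (("r", os.O_RDONLY), ("w", os.O_WRONLY)):
        try:
            os.close(os.open(path, flag))  # no O_TRUNC, so the file is not modified
            actual = True
        except OSError:
            actual = False
        result[want] = (mode_predicts(st.st_mode, st.st_uid, st.st_gid,
                                      os.geteuid(), gids, want), actual)
    return result

if __name__ == "__main__":
    listed = parse_ls_mode("-rwxrwSrwx")   # mode string from the listing above
    # root-owned file, constructed non-owner uid 1001: the bits alone say "writable"
    print(oct(listed), mode_predicts(listed, 0, 0, 1001, {1001}, "w"))
```

Running compare() as a second local user on a file under the mount point shows whether the predicted and actual columns disagree, which is the behaviour the original post reports for other users.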