Hello all,

I am looking to implement winbind and samba-client (mount.cifs, actually) on a RHEL6 machine with the following properties:

1. Users will log in to the RHEL6 box using Active Directory (2008 R2) credentials (via winbind).
2. There will be a global (i.e. not mounted on a per-user basis) CIFS mount at /client_data which points to a CIFS share on a Windows Server 2012 R2 file server.
3. Users who log in to the RHEL6 box as their AD users will be granted the appropriate permissions on the files/directories under /client_data via CIFS ACLs applied from the Windows server.

I was easily (relatively speaking) able to perform the first two above with the standard samba-* packages provided by Red Hat, but #3 has proven to be an elusive beast.

I read that Samba4 offered support for full CIFS ACL compliance, so I tried removing my samba-* packages and installing samba4-* packages (specifically 4.0.0-60). I had a lot of problems getting authentication to pass through properly ("NT_STATUS_INVALID_PARAMETER_MIX"), so I tried quickly upgrading to 4.1.6 (from some RPMs I found on Glusterfs's site of all places), and voila! She authenticates!

But, sadly, I realized at that point (because my cifs mounts failed) that the samba4-* packages don't provide cifs.mount... So I grabbed a tarball of cifs-utils 6.3, installed the deps for building the cifsacl stuff, built and installed it. Now my shares mount up.

With some quick-n-dirty testing, though, it doesn't seem like groups added to the Windows security ACL are being respected on the Linux side.

Am I asking too much, or is this something that can actually be done? If it is actually possible, what components are necessary for this to work (i.e. what might I be missing?)?

Any and all log files and conf files will be provided upon request.

Thanks!
Jon Heese
Systems Administrator
INetU Managed Hosting
P: 610.266.7441 x 261
F: 610.266.7434
www.inetu.net