B Martin
2016-Mar-14 23:17 UTC
[Samba] Access Windows files with individual user credentials
Dear fellow Samba fans,

This seems like a blatantly obvious need, but I'm not finding anything in the Samba literature addressing it. Maybe my search-fu is just failing me.

I have a collection of Linux machines with multiple simultaneous users. The Linux machines are all running Samba 4.1.7, compiled from the source since my distro (CentOS 6.6) isn't that current. We are operating in a Windows A/D domain via Winbind, and everything in that area seems to be working great. Linux can see all the user accounts, knows their group memberships, etc., and their Windows login passwords work fine on the Linux boxes.

The Linux users want to access Windows network shares, which I currently implement using the automounter and a bit of code commonly floating around the Internet to mount it via smbclient. The problem with this approach is that smbclient needs login credentials at the time it sets up the mount. Everyone using that mount is then being treated as if they were using the same login credentials. They don't gain their own individual access rights to files on the Windows share. That's been OK so far, but the users are becoming more sophisticated in this environment and now need more sophisticated access controls.

As I think about this, it seems to me that my current implementation is modeling the Windows drive mapping function, where the credentials are checked at the time the drive is accessed, and remains constant for the entire machine even if another user logs into it. What I really want is something that is similar to Windows UNC access, in which as I understand it, credentials are checked on each file open based on the particular user that is trying to open the file. This is obviously a far more flexible, sophisticated approach that gives Linux users fine-grained access to files just like they would have if connecting from a Windows client.

I can't really believe this has never been discussed before, but I'm not finding it. Can someone please point me in the right direction?

Thanks everyone.

-Brian
Jeremy Allison
2016-Mar-14 23:51 UTC
[Samba] Access Windows files with individual user credentials
On Mon, Mar 14, 2016 at 04:17:59PM -0700, B Martin wrote:
> Dear fellow Samba fans,
>
> This seems like a blatantly obvious need, but I'm not finding anything in the Samba literature addressing it. Maybe my search-fu is just failing me.
>
> I have a collection of Linux machines with multiple simultaneous users. The Linux machines are all running Samba 4.1.7, compiled from the source since my distro (CentOS 6.6) isn't that current. We are operating in a Windows A/D domain via Winbind, and everything in that area seems to be working great. Linux can see all the user accounts, knows their group memberships, etc., and their Windows login passwords work fine on the Linux boxes.
>
> The Linux users want to access Windows network shares, which I currently implement using the automounter and a bit of code commonly floating around the Internet to mount it via smbclient. The problem with this approach is that smbclient needs login credentials at the time it sets up the mount. Everyone using that mount is then being treated as if they were using the same login credentials. They don't gain their own individual access rights to files on the Windows share. That's been OK so far, but the users are becoming

http://linux.die.net/man/8/mount.cifs

"multiuser

Map user accesses to individual credentials when accessing the server. By default, CIFS mounts only use a single set of user credentials (the mount credentials) when accessing a share. With this option, the client instead creates a new session with the server using the user's credentials whenever a new user accesses the mount. Further accesses by that user will also use those credentials. Because the kernel cannot prompt for passwords, multiuser mounts are limited to mounts using sec= options that don't require passwords."

Which means use kerberos tickets, gotten from the kdc on login.
B Martin
2016-Mar-15 00:24 UTC
[Samba] Access Windows files with individual user credentials
Awesome. Thank you.

-B.

On 03/14/2016 04:51 PM, Jeremy Allison wrote:
> On Mon, Mar 14, 2016 at 04:17:59PM -0700, B Martin wrote:
>> Dear fellow Samba fans,
>>
>> This seems like a blatantly obvious need, but I'm not finding anything in the Samba literature addressing it. Maybe my search-fu is just failing me.
>>
>> I have a collection of Linux machines with multiple simultaneous users. The Linux machines are all running Samba 4.1.7, compiled from the source since my distro (CentOS 6.6) isn't that current. We are operating in a Windows A/D domain via Winbind, and everything in that area seems to be working great. Linux can see all the user accounts, knows their group memberships, etc., and their Windows login passwords work fine on the Linux boxes.
>>
>> The Linux users want to access Windows network shares, which I currently implement using the automounter and a bit of code commonly floating around the Internet to mount it via smbclient. The problem with this approach is that smbclient needs login credentials at the time it sets up the mount. Everyone using that mount is then being treated as if they were using the same login credentials. They don't gain their own individual access rights to files on the Windows share. That's been OK so far, but the users are becoming
>
> http://linux.die.net/man/8/mount.cifs
>
> "multiuser
>
> Map user accesses to individual credentials when accessing the server. By default, CIFS mounts only use a single set of user credentials (the mount credentials) when accessing a share. With this option, the client instead creates a new session with the server using the user's credentials whenever a new user accesses the mount. Further accesses by that user will also use those credentials. Because the kernel cannot prompt for passwords, multiuser mounts are limited to mounts using sec= options that don't require passwords."
>
> Which means use kerberos tickets, gotten from the kdc on login.
Stefan Kania
2016-Mar-15 07:49 UTC
[Samba] Access Windows files with individual user credentials
On 15.03.2016 at 00:17, B Martin wrote:
> Dear fellow Samba fans,
>
> This seems like a blatantly obvious need, but I'm not finding anything in the Samba literature addressing it. Maybe my search-fu is just failing me.
>
> I have a collection of Linux machines with multiple simultaneous users. The Linux machines are all running Samba 4.1.7, compiled from the source since my distro (CentOS 6.6) isn't that current. We are operating in a Windows A/D domain via Winbind, and everything in that area seems to be working great. Linux can see all the user accounts, knows their group memberships, etc., and their Windows login passwords work fine on the Linux boxes.
>
> The Linux users want to access Windows network shares, which I currently implement using the automounter and a bit of code commonly floating around the Internet to mount it via smbclient. The problem with this approach is that smbclient needs login credentials at the time it sets up the mount. Everyone using that mount is then being treated as if they were using the same login credentials. They don't gain their own individual access rights to files on the Windows share. That's been OK so far, but the users are becoming more sophisticated in this environment and now need more sophisticated access controls.
>
> As I think about this, it seems to me that my current implementation is modeling the Windows drive mapping function, where the credentials are checked at the time the drive is accessed, and remains constant for the entire machine even if another user logs into it. What I really want is something that is similar to Windows UNC access, in which as I understand it, credentials are checked on each file open based on the particular user that is trying to open the file. This is obviously a far more flexible, sophisticated approach that gives Linux users fine-grained access to files just like they would have if connecting from a Windows client.
>
> I can't really believe this has never been discussed before, but I'm not finding it. Can someone please point me in the right direction?
>
> Thanks everyone.
>
> -Brian

I use pam_mount for mounting samba-shares on a Linux-client.
Michael Wandel
2016-Mar-15 09:16 UTC
[Samba] Access Windows files with individual user credentials
On 15.03.2016 08:49, Stefan Kania wrote:
> On 15.03.2016 at 00:17, B Martin wrote:
>> Dear fellow Samba fans,
>>
>> This seems like a blatantly obvious need, but I'm not finding anything in the Samba literature addressing it. Maybe my search-fu is just failing me.
>>
>> I have a collection of Linux machines with multiple simultaneous users. The Linux machines are all running Samba 4.1.7, compiled from the source since my distro (CentOS 6.6) isn't that current. We are operating in a Windows A/D domain via Winbind, and everything in that area seems to be working great. Linux can see all the user accounts, knows their group memberships, etc., and their Windows login passwords work fine on the Linux boxes.
>>
>> The Linux users want to access Windows network shares, which I currently implement using the automounter and a bit of code commonly floating around the Internet to mount it via smbclient. The problem with this approach is that smbclient needs login credentials at the time it sets up the mount. Everyone using that mount is then being treated as if they were using the same login credentials. They don't gain their own individual access rights to files on the Windows share. That's been OK so far, but the users are becoming more sophisticated in this environment and now need more sophisticated access controls.
>>
>> As I think about this, it seems to me that my current implementation is modeling the Windows drive mapping function, where the credentials are checked at the time the drive is accessed, and remains constant for the entire machine even if another user logs into it. What I really want is something that is similar to Windows UNC access, in which as I understand it, credentials are checked on each file open based on the particular user that is trying to open the file. This is obviously a far more flexible, sophisticated approach that gives Linux users fine-grained access to files just like they would have if connecting from a Windows client.
>>
>> I can't really believe this has never been discussed before, but I'm not finding it. Can someone please point me in the right direction?
>>
>> Thanks everyone.
>>
>> -Brian
>
> I use pam_mount for mounting samba-shares on a Linux-client.

I use cifs mounts with multiuser and kerberos options. It is well described at https://access.redhat.com/solutions/279183 .

best regards
Michael

--
Michael Wandel
Bielefeld
Sketch
2016-Mar-15 12:34 UTC
[Samba] Access Windows files with individual user credentials
On Mon, 14 Mar 2016, Jeremy Allison wrote:
> On Mon, Mar 14, 2016 at 04:17:59PM -0700, B Martin wrote:
>> users. The Linux machines are all running Samba 4.1.7, compiled from the source since my distro (CentOS 6.6) isn't that current. We are operating in a Windows A/D domain via Winbind, and everything in that area seems to be working great. Linux can see all the user accounts, knows their group memberships, etc., and their Windows login passwords work fine on the Linux boxes.
>>
>> The Linux users want to access Windows network shares, which I currently implement using the automounter and a bit of code commonly
>
> http://linux.die.net/man/8/mount.cifs
>
> "multiuser
>
> Which means use kerberos tickets, gotten from the kdc on login.

This is the way to go. Note that for EL6, Redhat recommends you use /etc/fstab due to a bug in the way kerberos credentials are handled by the kernel. Using automount (especially with a short timeout) will cause the kernel keyring to fill up and run out of space, and eventually your users will be unable to remount the filesystem. Redhat doesn't want to fix it (at least as of EL6.5), because it requires an API change, so the fix is to upgrade to EL7. I think I looked at EL6.6 and they had not fixed it, though I haven't looked at EL6.7. I can't find a link for this now, but I'm pretty sure I read it in a Redhat RHEL support-contract-required bug.

There is a workaround where adding the following to sysctl.conf will help avoid the problem somewhat, but won't solve it entirely:

kernel.keys.root_maxkeys = 1000000
kernel.keys.root_maxbytes = 25000000

Unless your users reboot often, you probably don't want to go this route. The alternative to rebooting is to restart autofs (requires root), and then have the user run kinit (requires the user type their password), so it's not something easy to automate.

Redhat has a good tutorial on how to use /etc/fstab to set up a permanent multiuser mount, but it requires a support contract: https://access.redhat.com/solutions/279183

If you don't have one, the short version is: create a dummy "cifs" user, export its keytab, copy it to all the machines; set up the fstab entry with noauto; use a script at boot time to kinit using the exported keytab then run mount.
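The following is an added example, not code from any of the posters or from the Red Hat article; it ties together Jeremy's multiuser/Kerberos answer and Sketch's "keytab + noauto fstab entry + boot-time kinit and mount" recipe. It checks that a mount option string satisfies the mount.cifs(8) constraint quoted above (multiuser needs a sec= option that does not require a password, so sec=krb5 or sec=krb5i), prints the fstab line, wraps the boot-time kinit/mount step, and checks the live keyring sysctl values against the two settings from Sketch's post. The server name, share, mount point, keytab path and principal are placeholder assumptions; `cruid=` is a real mount.cifs option that names the uid whose credential cache holds the mount credential, and `kinit -k -t` is the MIT Kerberos keytab syntax.

```shell
#!/bin/sh
# Added example for the thread above (not the list's or Red Hat's own code).
# All names below are placeholder assumptions; adjust for your site.

# Check that a CIFS option string is usable with "multiuser". Per
# mount.cifs(8) the kernel cannot prompt for passwords, so multiuser is only
# valid with a sec= mode that needs no password: sec=krb5 or sec=krb5i.
# Returns 0 when the options are acceptable, 1 otherwise.
validate_multiuser_opts() {
    opts="$1"
    case ",$opts," in
        *,multiuser,*) ;;
        *) echo "options lack 'multiuser'" >&2; return 1 ;;
    esac
    case ",$opts," in
        *,sec=krb5,*|*,sec=krb5i,*) return 0 ;;
        *) echo "multiuser requires sec=krb5 or sec=krb5i" >&2; return 1 ;;
    esac
}

# Print the /etc/fstab line for a permanent multiuser mount.
#   $1 = server, $2 = share, $3 = mount point
# "noauto" keeps init from mounting before a ticket exists; "cruid=0" tells
# the kernel to look for the mount credential in root's credential cache,
# which is where the boot-time kinit below puts it.
fstab_entry() {
    opts="noauto,multiuser,sec=krb5,cruid=0"
    validate_multiuser_opts "$opts" || return 1
    printf '//%s/%s %s cifs %s 0 0\n' "$1" "$2" "$3" "$opts"
}

# Boot-time step from Sketch's recipe: get a ticket for the dummy "cifs"
# account from its exported keytab, then mount the fstab entry by mount point.
#   $1 = keytab path, $2 = principal, $3 = mount point
# Needs root and a reachable KDC, so it is only run from the dispatcher below.
mount_at_boot() {
    kinit -k -t "$1" "$2" || return 1
    mount "$3"
}

# Keyring check for the automount failure mode Sketch describes: report
# whether root_maxkeys/root_maxbytes are at least the values he suggests.
#   $1 = directory holding the sysctl files (default /proc/sys/kernel/keys;
#        overridable so the check can be exercised against constructed files)
keyring_limits_ok() {
    dir="${1:-/proc/sys/kernel/keys}"
    maxkeys=$(cat "$dir/root_maxkeys" 2>/dev/null || echo 0)
    maxbytes=$(cat "$dir/root_maxbytes" 2>/dev/null || echo 0)
    [ "$maxkeys" -ge 1000000 ] && [ "$maxbytes" -ge 25000000 ]
}

# Minimal dispatcher so the file is usable as a boot script. With no
# arguments it only prints usage and touches nothing.
case "${1:-}" in
    fstab)
        fstab_entry "fileserver.example.com" "data" "/mnt/winshare" ;;
    mount)
        mount_at_boot "/etc/cifs.keytab" "cifsmount@EXAMPLE.COM" "/mnt/winshare" ;;
    keyring)
        if keyring_limits_ok; then echo "keyring limits ok"; else
            echo "raise kernel.keys.root_maxkeys/root_maxbytes" >&2; fi ;;
    "") echo "usage: $0 fstab|mount|keyring" >&2 ;;
esac
```

`./script fstab` prints the line to paste into /etc/fstab; `./script mount` is what a boot-time unit or rc script would call as root once the exported keytab is in place. Individual users still need their own Kerberos ticket (obtained at login, as Jeremy says) for the per-user sessions that multiuser creates; the keytab only covers the mount credential.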