> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
> Rowland Penny via samba
> Sent: Wednesday 11 October 2017 11:39
> To: samba at lists.samba.org
> Subject: Re: [Samba] Using GPO to mount shares on Linux
>
> On Wed, 11 Oct 2017 11:00:59 +0200
> Michael Wandel <m.wandel at t-online.de> wrote:
>
> > On 11.10.2017 10:37, Rowland Penny via samba wrote:
> > > On Wed, 11 Oct 2017 10:13:35 +0200
> > > "L.P.H. van Belle via samba" <samba at lists.samba.org> wrote:
> > >
> > >> If you mean, Linux <=> Linux , use automounting, of dedicated
> > >> mounts. Cifs/nfs, depending on your setup and what you need.
> > >>
> > >>
> > >
> > > The problem is, they don't seem to work any more. They all seem to
> > > rely on mount.cifs and you need to be root to run this. When the
> > > user logs in, the mounting program runs using the user's creds and
> > > fails.
> > >
> > Hi,
> >
> > it can be solved by pam_mount or you can use mount.cifs with the
> > multiuser option.
> >
> > https://www.snia.org/sites/default/orig/SDC2012/presentations/Revisions/JeffLayton_Multiuser%20Mounts%20with%20Linux%20CIFS_revision.pdf
> >
> > best regards
> > Michael
> >
> > >
> > > Rowland
> > >
>
> I have tried to get autofs to work with nfs and cifs as user
> mounts, I cannot get these to work and believe me, I really tried ;-)
>
> I cannot get pam_mount to work either, it just tells me there
> are no volumes to mount. If I run the mount manually it
> doesn't work, I run it again with sudo, it works. I cannot
> find a way to get pam_mount to use sudo.
>
> In my opinion 'multiuser' is a possibility, but again I cannot
> get it to work.
>
> I am now considering pam_script, so watch this space ;-)
>
> Rowland
>

I believe you. The trick is.

1) add this to krb5.conf
; for Windows 2008 with AES
default_tgs_enctypes = aes128-cts-hmac-sha1-96 aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
default_tkt_enctypes = aes128-cts-hmac-sha1-96 aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
permitted_enctypes = aes128-cts-hmac-sha1-96 aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5

2) make use of kerberos, add cifs/FQDN to the systemkeytab file.
2a) optional, make use of idmap.conf, something like this.
/etc/idmapd.conf
[General]

Verbosity = 0
Pipefs-Directory = /run/rpc_pipefs

# set your own domain here, if id differs from FQDN minus hostname
# Domain = localdomain
Domain = internal.dnsdomain.tld
Local-Realm = REALM

[Mapping]

Nobody-User = nobody
Nobody-Group = nogroup

[Translation]
Method = static,nsswitch
GSS-Methods = static,nsswitch

[Static]
NETBIOSNAME$@REALM = root
host/FQDN@ROTTERDAM.BAZUIN.NL = root
cifs/FQDN@ROTTERDAM.BAZUIN.NL = root
cifs/FQDN@ = root

3) reboot the server, login and try
mount -t cifs -o sec=krb5i //fileserver.subdomain.doamin.local/share /mnt

See if this helps.

Greetz,

Louis
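
Added example, not part of the original message: the enctype lists in step 1 include des-cbc-crc, des-cbc-md5 and rc4-hmac, which RFC 6649 (DES) and RFC 8429 (3DES, RC4) deprecate for Kerberos. The sketch below audits the enctype settings of a krb5.conf; the function names and the sample file are constructed for this example.

```python
import re

# The three [libdefaults] settings used in step 1 of the message above.
ENCTYPE_KEYS = {"default_tgs_enctypes", "default_tkt_enctypes", "permitted_enctypes"}

def classify(enctype):
    """Return a reason string for a deprecated enctype, or None if acceptable."""
    name = enctype.lower()
    if name.startswith("des3"):
        return "3DES, deprecated by RFC 8429"
    if name.startswith("des"):
        return "single DES, deprecated by RFC 6649"
    if name.startswith(("rc4", "arcfour")):
        return "RC4, deprecated by RFC 8429"
    return None

def audit_krb5_conf(text):
    """Return (line number, setting, enctype, reason) for each weak enctype."""
    findings, section = [], None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#;":      # krb5.conf comment markers
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            section = header.group(1).lower()
            continue
        key, sep, value = line.partition("=")
        key = key.strip()
        if section != "libdefaults" or not sep or key not in ENCTYPE_KEYS:
            continue
        for enctype in re.split(r"[,\s]+", value.strip()):
            reason = classify(enctype)
            if reason:
                findings.append((lineno, key, enctype, reason))
    return findings

def strip_weak(value):
    """Rewrite one enctype list with the deprecated entries removed."""
    kept = [e for e in re.split(r"[,\s]+", value.strip()) if e and not classify(e)]
    return " ".join(kept)

# Constructed sample mirroring the settings quoted in the thread.
SAMPLE = """\
[libdefaults]
    default_realm = EXAMPLE.TLD
; for Windows 2008 with AES
    default_tgs_enctypes = aes128-cts-hmac-sha1-96 aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
    permitted_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
"""

if __name__ == "__main__":
    for lineno, key, enctype, reason in audit_krb5_conf(SAMPLE):
        print(f"line {lineno}: {key} allows {enctype} ({reason})")
```

Dropping an enctype on the client only works if the KDC holds keys of a remaining type for the principals involved.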

On Wed, 11 Oct 2017 11:51:02 +0200
"L.P.H. van Belle via samba" <samba at lists.samba.org> wrote:

>
> > -----Original message-----
> > From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
> > Rowland Penny via samba
> > Sent: Wednesday 11 October 2017 11:39
> > To: samba at lists.samba.org
> > Subject: Re: [Samba] Using GPO to mount shares on Linux
> >
> > On Wed, 11 Oct 2017 11:00:59 +0200
> > Michael Wandel <m.wandel at t-online.de> wrote:
> >
> > > On 11.10.2017 10:37, Rowland Penny via samba wrote:
> > > > On Wed, 11 Oct 2017 10:13:35 +0200
> > > > "L.P.H. van Belle via samba" <samba at lists.samba.org> wrote:
> > > >
> > > >> If you mean, Linux <=> Linux , use automounting, of dedicated
> > > >> mounts. Cifs/nfs, depending on your setup and what you need.
> > > >>
> > > >>
> > > >
> > > > The problem is, they don't seem to work any more. They all seem to
> > > > rely on mount.cifs and you need to be root to run this. When
> > > > the user logs in, the mounting program runs using the user's
> > > > creds and fails.
> > > >
> > > Hi,
> > >
> > > it can be solved by pam_mount or you can use mount.cifs with the
> > > multiuser option.
> > >
> > > https://www.snia.org/sites/default/orig/SDC2012/presentations/Revisions/JeffLayton_Multiuser%20Mounts%20with%20Linux%20CIFS_revision.pdf
> > >
> > > best regards
> > > Michael
> > >
> > > >
> > > > Rowland
> > > >
> >
> > I have tried to get autofs to work with nfs and cifs as user
> > mounts, I cannot get these to work and believe me, I really
> > tried ;-)
> >
> > I cannot get pam_mount to work either, it just tells me there
> > are no volumes to mount. If I run the mount manually it
> > doesn't work, I run it again with sudo, it works. I cannot
> > find a way to get pam_mount to use sudo.
> >
> > In my opinion 'multiuser' is a possibility, but again I cannot
> > get it to work.
> >
> > I am now considering pam_script, so watch this space ;-)
> >
> > Rowland
> >
> I believe you. The trick is.
>
> 1) add this to krb5.conf
> ; for Windows 2008 with AES
> default_tgs_enctypes = aes128-cts-hmac-sha1-96 aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
> default_tkt_enctypes = aes128-cts-hmac-sha1-96 aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
> permitted_enctypes = aes128-cts-hmac-sha1-96 aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
>
> 2) make use of kerberos, add cifs/FQDN to the systemkeytab file.
> 2a) optional, make use of idmap.conf, something like this.
> /etc/idmapd.conf
> [General]
>
> Verbosity = 0
> Pipefs-Directory = /run/rpc_pipefs
>
> # set your own domain here, if id differs from FQDN minus hostname
> # Domain = localdomain
> Domain = internal.dnsdomain.tld
> Local-Realm = REALM
>
> [Mapping]
>
> Nobody-User = nobody
> Nobody-Group = nogroup
>
> [Translation]
> Method = static,nsswitch
> GSS-Methods = static,nsswitch
>
>
> [Static]
> NETBIOSNAME$@REALM = root
> host/FQDN@ROTTERDAM.BAZUIN.NL = root
> cifs/FQDN@ROTTERDAM.BAZUIN.NL = root
> cifs/FQDN@ = root
>
>
> 3) reboot the server, login and try
> mount -t cifs -o sec=krb5i //fileserver.subdomain.doamin.local/share /mnt
>
>
> See if this helps.
>

I did all of this, I have read everything I could find on the internet
and I just couldn't make it work.

I am now a leading expert on what doesn't work ;-)

Rowland

On 10/11/2017 12:09 PM, Rowland Penny via samba wrote:
> I did all of this, I have read everything I could find on the internet
> and I just couldn't make it work.
>
> I am now a leading expert on what doesn't work ;-)
>
> Rowland

ok, that is an unusual situation... you having a problem, and things working here :-)

So perhaps we're doing different things: we mount PER USER under the users home directory.

We don't have ONE global mount that is shared between all logged-on users, but each has his/her own shares under /home/username/share1 -> /home/username/share4

Pam_mount mounts it on logon, both via ssh and xrdp. The mounted shares also automatically appear as shortcuts on the desktop, just like a mounted usb stick does. Very convenient for the users.

So perhaps you are trying to mount 'global shares', that everybody should be able to access, logged on as themselves?

MJ