
I am a Windows admin and my boss requested that I build an SFTP and Samba server. The SFTP and Samba server both use Windows AD to authenticate. The external customers need to only SFTP and must be jailed to their directory. The internal users have to be able to open all files and folders to upload/download the docs to the external customers.

  1. I have configured a CentOS SFTP server and have the users jailed (when they connect directly to the SFTP server).
  2. I have the CentOS samba server configured and the internal users are able to read/write/traverse the shares.

The issue that I am having is connecting the SFTP server to the Samba server. Users are able to download the files but are unable to upload.

    # mount -t cifs //10.x.x.x/share /mnt -o username=xxxxxxxxxxi,workgroup=DOMAIN

If I type

    # mount -t cifs //10.x.x.x/sftp /mnt -o username=xxxxxxxx

the permissions are 0755.

I tried to mount via fstab:

    //10.x.x.x/share       /mnt    cifs    nofail,iocharset=utf8,username=xxxxxxxx,file_mode=0775,dir_mode=0775   0    0

I get an error in /var/log/secure when I attempt to upload a file.

    pam_krb5[19725]: error reading ccache's default principal name from "KEYRING:persistent:573216638", not reading externally-provided creds
  • Why are these separate servers? Do they really need to be? If so, why are you using CIFS between them? – Michael Hampton Sep 25 '20 at 22:51
  • We are trying to set up H.A. SFTP servers. We have about 6K users that will be onboarded to this SFTP solution. We figured using a centralized file server would aid in this setup. We chose Samba because of a business requirement where internally, users pull the files off of the SFTP via UNC shares. – Sage Sep 25 '20 at 23:02
  • It may be fine to have internal users access the file share directly with CIFS, but this isn't really going to work for having a server access the files on the other server, as the username must be specified when mounting. This calls for something like NFS between the servers, which can pass the logged in user's own username. – Michael Hampton Sep 25 '20 at 23:04

1 Answer


As Michael Hampton suggested, a feasible solution is to have the SFTP server mount the Samba server's data volume via NFS (or rather use Samba and SFTP as frontends for a shared storage mounted on both boxes via NFS) and sync their User IDs (e.g. using SSSD).

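As an added example (not code from the question or the answer), a small POSIX shell audit of an fstab file for the pattern discussed above: a CIFS mount with a fixed username= means every SFTP user on the box writes to the share as that one SMB account, so per-user ownership from the jails cannot be carried through, whereas NFS passes the client's uid/gid (with uids kept in sync, e.g. via SSSD). The sample fstab content and the host name nas.example are constructed.

```shell
#!/bin/sh
# Added example, not code from the question or the answer. Audits an fstab
# file for a CIFS mount that binds every local user to one SMB identity
# (username=/credentials=). Everything written through such a mount is owned
# by that single account, so per-user jail ownership does not reach the share.
# The cifs "multiuser" option and NFS mounts are reported as OK.
# Returns 1 if anything is flagged, 0 otherwise.
audit_fstab() {
    fstab="$1"
    flagged=0
    # Redirect into the loop (no pipeline) so $flagged survives it.
    while read -r src mnt fstype opts dump pass; do
        # Skip blank lines and comments.
        case "$src" in ''|\#*) continue ;; esac
        case "$fstype" in
            cifs)
                case ",$opts," in
                    *,multiuser,*)
                        echo "OK      $src on $mnt: cifs multiuser, one SMB session per local user" ;;
                    *,username=*|*,credentials=*)
                        echo "FLAGGED $src on $mnt: fixed SMB identity; every local user writes as that account"
                        flagged=1 ;;
                    *)
                        echo "WARN    $src on $mnt: cifs with no explicit identity (guest/prompted); check upload ownership" ;;
                esac ;;
            nfs|nfs4)
                echo "OK      $src on $mnt: nfs passes the client uid/gid; keep uids in sync across hosts" ;;
        esac
    done < "$fstab"
    return "$flagged"
}

# Constructed sample fstab: the question's CIFS line (credentials masked as in
# the post) next to the NFS alternative proposed in the answer.
demo_fstab=$(mktemp)
cat > "$demo_fstab" <<'EOF'
# constructed sample
//10.x.x.x/share   /mnt       cifs  nofail,iocharset=utf8,username=xxxxxxxx,file_mode=0775,dir_mode=0775  0 0
nas.example:/sftp  /srv/sftp  nfs4  defaults                                                            0 0
EOF
if audit_fstab "$demo_fstab"; then
    echo "nothing flagged"
else
    echo "exit status: $? (the cifs line is flagged)"   # prints 1
fi
rm -f "$demo_fstab"
```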