
We've been experimenting with integrating Linux systems into what is largely a Windows domain, with a Windows-based Active Directory server. After considerable trial and error, we have successfully configured sssd (on RHEL, CentOS, and Ubuntu) to allow AD user logins bound by AD security groups. We solved the problem of allowing AD logins long ago; it was a bit trickier to restrict access to only particular AD domain users, as was necessary in our use case. The last hurdle involves the experiment of trying to "automount" home directories from a Windows storage server, with something like pam mkhomedir creating these home directories if they don't exist already. I say experiment because we can always fall back to using a Linux storage server. The optimal system would have users with some level of Linux home directory / Windows user profile unification (similar to what Samba gives you with NT domain profiles), but at the moment we can't get this working for Linux clients at all. Using a command like this:

mount.cifs //cnsdisk/Home/pgoetz /home/pgoetz -o username=pgoetz,sec=krb5,vers=3.0,uid=pgoetz,cruid=pgoetz

will work for exactly one user who already has a Kerberos TGT to mount a Windows share, but a second user is then locked out. My thought is that if we can't even get manual mounts to work, there's no hope of constructing an automated solution.

I'm not expecting anyone to be able to answer this (a RHEL knowledge base article professed to solve this; didn't work for us); just frustrated that these kinds of problems haven't already been thoroughly worked out and documented.

Edit: I'm pretty sure the multiuser option provided above is obsolete, but RHEL tech support included it in their solution, so I left it in. Don't think that helps, though.

pgoetz
  • Have you set a uid in the AD Users and Groups Attribute Editor for the users that are logging in? I think in your `mount` command, the uid and cruid are expected to be numbers – sippybear Oct 30 '18 at 21:30
  • You can't automount a `cifs` share via `/etc/fstab` in the way that you're trying to do it because you'll have to provide credentials whether or not your Linux machines are set to authenticate via AD. The only way is to provide a credentials file, which isn't secure because others may have `root` on the machine. The best way to do this would be to use a Unix-based storage server which provides `NFS`, as you can provide Unix attributes to the AD groups, which makes authentication much easier. – Nasir Riley Oct 30 '18 at 21:50
  • @sippybear the uid just defaults to the user's SID. We've gotten this mount command to work successfully for one user. Regarding whether or not this must be numeric, quoted from the mount.cifs man page: `uid=arg sets the uid that will own all files or directories on the mounted filesystem when the server does not provide ownership information. It may be specified as either a username or a numeric uid.` You seem to be right about cruid, though; however, I should be leaving this out and allowing it to default to the uid. – pgoetz Nov 01 '18 at 14:38
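The following script is an added example and is not code from the original post or its comments. It wraps the `mount.cifs` invocation from the question so that the `uid=` and `cruid=` options are always passed as numeric ids (the comments above note that `cruid=` does not accept a name, while `uid=` accepts either), resolves names through the same NSS database sssd populates, and refuses to mount when the calling user has no valid Kerberos ticket, which is the condition the post describes for the second user. The share layout (`//cnsdisk/Home/<user>` mounted on `/home/<user>`) is taken from the post; the `SERVER` variable and the `multiuser` option string are assumptions shown for comparison, and `sec=krb5` mounts of either kind need `cifs.upcall` wired into `/etc/request-key.d` on the client.

```shell
#!/bin/sh
# Added example, not code from the original post.
# Assumption: the share is //$SERVER/Home/<user>, mounted on /home/<user>.
SERVER=${SERVER:-cnsdisk}

# resolve_uid NAME_OR_UID: print the numeric uid, or fail if unknown.
# A name is looked up with id(1), which consults NSS (and so sssd for AD users);
# a value that is already numeric is passed through unchanged.
resolve_uid() {
    case "$1" in
        '')        return 1 ;;
        *[!0-9]*)  id -u "$1" 2>/dev/null ;;
        *)         printf '%s\n' "$1" ;;
    esac
}

# cifs_opts USER UID [single|multiuser]: print the -o option string.
#   single    - the user mounts for himself with his own TGT (the post's command),
#               with uid= and cruid= both pinned to that user's numeric id
#   multiuser - one mount owned by UID; each accessing user's own TGT is
#               fetched by cifs.upcall (assumed layout, shown for comparison)
cifs_opts() {
    user=$1 uid=$2 mode=${3:-single}
    case "$mode" in
        single)    printf 'username=%s,sec=krb5,vers=3.0,uid=%s,cruid=%s\n' "$user" "$uid" "$uid" ;;
        multiuser) printf 'sec=krb5,vers=3.0,multiuser,cruid=%s\n' "$uid" ;;
        *)         return 1 ;;
    esac
}

# has_ticket: succeed only if the caller holds a valid, unexpired credential
# cache (klist -s is silent and exits non-zero otherwise).
has_ticket() { klist -s 2>/dev/null; }

# mount_home USER: mount //SERVER/Home/USER on /home/USER for USER, failing
# early with a clear message instead of a cryptic mount error.
mount_home() {
    user=$1
    uid=$(resolve_uid "$user") || { echo "unknown user: $user" >&2; return 1; }
    has_ticket || { echo "no valid Kerberos ticket; run kinit first" >&2; return 1; }
    mount.cifs "//$SERVER/Home/$user" "/home/$user" -o "$(cifs_opts "$user" "$uid")"
}

# Usage: mount_home pgoetz
```

Run `mount_home <user>` as the user who holds the ticket; the numeric resolution is what keeps `cruid=` well-formed for every AD account, not just the one whose name happens to work, and the `klist -s` check makes the "second user" failure visible as a missing ticket rather than a silent mount error.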

0 Answers