I have an existing Ubuntu server. Users already sign into it with AD credentials. The problem is that there is a mounted file share - in a Windows environment, the users only have access to folders they have permission for. On the Ubuntu server, the folder is accessed with a shared generic account, the credentials for that being stored in a hidden file in /etc/smbmounts. I'm tasked with making it so that the folders are accessed with the same AD credentials that the user used to login to the computer in the first place. That's a summary of the problem, the specifics below:
Here's the setup:
/etc/krb5.conf looks like this:
[libdefaults] default_realm = DOMAIN.NAME ticket_lifetime = 24h # renew_lifetime = 7d
/etc/samba/smb.conf looks like this:
[global] workgroup = DOMAIN client signing = yes client use spnego = yes kerberos method = secrets and keytab realm = DOMAIN.NAME security = ads server signing = mandatory
[sssd] domains = DOMAIN.name config_file_version = 2 services = nss, pam debug_level = 5 [domain/DOMAIN.name] ad_domain = DOMAIN.name krb5_realm = DOMAIN.NAME realmd_tags = manages-system joined-with-adcli cache_credentials = True id_provider = ad krb5_store_password_if_offline = True default_shell = /bin/bash ldap_id_mapping = True use_fully_qualified_names = False fallback_homedir = /home/domain/%u #access_provider = ad #ad_access_filter = (memberOf=cn=Linux Login Allowed,ou=Domain Groups,dc=Domain,dc=local access_provider = simple simple_allow_users = administrator simple_allow_groups = Domain Admins, Linux Login Allowed enumerate = true
For sssd permissions:
sudo chown root:root /etc/sssd/sssd.conf sudo chmod 600 /etc/sssd/sssd.conf
Join to the domain:
sudo kinit [insert domain admin username here] sudo klist sudo net ads join –k
We've been using PAM for the Windows folder mounting:
<debug enable="0" /> <!-- Volume definitions --> <volume sgrp="Linux Login Allowed" fstype="cifs" server="fileshare" path="files/userdata/%(USER)/Documents/linux_home" mountpoint="/home/DOMAIN/%(USER)" options="dir_mode=0700,sec=ntlm"/> <!-- pam_mount parameters: General tunables --> <logout wait="5000" hup="1" term="2" kill="3" />
//fileshare/folder /folder cifs credentials=/etc/smbmounts/.folder,gid=1003,iocharset=utf8,file_mode=0770,dir_mode=0770,sec=ntlm 0 0
I included everything I could think of pertaining to this setup for full disclosure, but to be clear the problem is not with PAM home folder mounting. It's with the fstab - that //fileshare/folder is the shared folder with NTFS permissions that is vexing me.
I think it would be preferable if I did not upend the existing setup much for folder permissions.
Ideally, I'd like to change the fstab to look for credentials from the initial Samba/SSSD/Kerberos setup for AD authentication and login, rather than the smbmounts file that contains a shared username/password. If possible, a single sign on. Can it be this simple, and if so, what change needs to be made?
I appreciate any help, still fairly new to Linux in general.
Let me know if anymore information needs to be added/removed to make this topic more concise.
Thanks for all the help, everyone! I found the answer at this link, the best answer post: https://community.spiceworks.com/topic/484483-mounting-windows-shares-on-lubuntu
PBIS was not required to join to the domain or get authentication, it worked without it.