How can I mount a Windows folder and enforce its NTFS permissions?

by sacocats   Last Updated November 13, 2017 20:02 PM

I have an existing Ubuntu server. Users already sign into it with AD credentials. The problem is that there is a mounted file share - in a Windows environment, the users only have access to folders they have permission for. On the Ubuntu server, the folder is accessed with a shared generic account, the credentials for that being stored in a hidden file in /etc/smbmounts. I'm tasked with making it so that the folders are accessed with the same AD credentials that the user used to login to the computer in the first place. That's a summary of the problem, the specifics below:

Here's the setup:

/etc/krb5.conf looks like this:

[libdefaults]

default_realm = DOMAIN.NAME

ticket_lifetime = 24h #

renew_lifetime = 7d

/etc/samba/smb.conf looks like this:

[global]

workgroup = DOMAIN

client signing = yes

client use spnego = yes

kerberos method = secrets and keytab

realm = DOMAIN.NAME

security = ads

server signing = mandatory

/etc/sssd/sssd.conf:

[sssd]

domains = DOMAIN.name

config_file_version = 2

services = nss, pam

debug_level = 5

[domain/DOMAIN.name]

ad_domain = DOMAIN.name

krb5_realm = DOMAIN.NAME

realmd_tags = manages-system joined-with-adcli

cache_credentials = True

id_provider = ad

krb5_store_password_if_offline = True

default_shell = /bin/bash

ldap_id_mapping = True

use_fully_qualified_names = False

fallback_homedir = /home/domain/%u

#access_provider = ad

#ad_access_filter = (memberOf=cn=Linux Login Allowed,ou=Domain Groups,dc=Domain,dc=local

access_provider = simple

simple_allow_users = administrator

simple_allow_groups = Domain Admins, Linux Login Allowed

enumerate = true

For sssd permissions:

sudo chown root:root /etc/sssd/sssd.conf

sudo chmod 600 /etc/sssd/sssd.conf

Join to the domain:

sudo kinit [insert domain admin username here]

sudo klist

sudo net ads join –k

We've been using PAM for the Windows folder mounting:

<debug enable="0" />

<!-- Volume definitions -->

<volume sgrp="Linux Login Allowed" fstype="cifs" server="fileshare" path="files/userdata/%(USER)/Documents/linux_home" mountpoint="/home/DOMAIN/%(USER)" options="dir_mode=0700,sec=ntlm"/>

<!-- pam_mount parameters: General tunables -->

<logout wait="5000" hup="1" term="2" kill="3" />

/etc/fstab:

//fileshare/folder /folder cifs credentials=/etc/smbmounts/.folder,gid=1003,iocharset=utf8,file_mode=0770,dir_mode=0770,sec=ntlm 0 0

I included everything I could think of pertaining to this setup for full disclosure, but to be clear the problem is not with PAM home folder mounting. It's with the fstab - that //fileshare/folder is the shared folder with NTFS permissions that is vexing me.

I think it would be preferable if I did not upend the existing setup much for folder permissions.

Ideally, I'd like to change the fstab to look for credentials from the initial Samba/SSSD/Kerberos setup for AD authentication and login, rather than the smbmounts file that contains a shared username/password. If possible, a single sign on. Can it be this simple, and if so, what change needs to be made?

I appreciate any help, still fairly new to Linux in general.

Let me know if anymore information needs to be added/removed to make this topic more concise.



Related Questions


Samba: Trying to mount Windows Shares as Read/Write

Updated February 26, 2017 21:02 PM


Mount samba share in startup

Updated April 23, 2017 20:02 PM


How to change permissions on mounted windows share?

Updated November 26, 2017 18:02 PM