I have an existing Ubuntu server. Users already sign into it with AD credentials. The problem is that there is a mounted file share - in a Windows environment, the users only have access to folders they have permission for. On the Ubuntu server, the folder is accessed with a shared generic account, the credentials for that being stored in a hidden file in /etc/smbmounts. I'm tasked with making it so that the folders are accessed with the same AD credentials that the user used to login to the computer in the first place. That's a summary of the problem, the specifics below:
Here's the setup:
/etc/krb5.conf looks like this:
[libdefaults]
default_realm = DOMAIN.NAME
ticket_lifetime = 24h #
renew_lifetime = 7d
/etc/samba/smb.conf looks like this:
[global]
workgroup = DOMAIN
client signing = yes
client use spnego = yes
kerberos method = secrets and keytab
realm = DOMAIN.NAME
security = ads
server signing = mandatory
/etc/sssd/sssd.conf:
[sssd]
domains = DOMAIN.name
config_file_version = 2
services = nss, pam
debug_level = 5
[domain/DOMAIN.name]
ad_domain = DOMAIN.name
krb5_realm = DOMAIN.NAME
realmd_tags = manages-system joined-with-adcli
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = True
use_fully_qualified_names = False
fallback_homedir = /home/domain/%u
#access_provider = ad
#ad_access_filter = (memberOf=cn=Linux Login Allowed,ou=Domain Groups,dc=Domain,dc=local
access_provider = simple
simple_allow_users = administrator
simple_allow_groups = Domain Admins, Linux Login Allowed
enumerate = true
For sssd permissions:
sudo chown root:root /etc/sssd/sssd.conf
sudo chmod 600 /etc/sssd/sssd.conf
Join to the domain:
sudo kinit [insert domain admin username here]
sudo klist
sudo net ads join –k
We've been using PAM for the Windows folder mounting:
<debug enable="0" />
<!-- Volume definitions -->
<volume sgrp="Linux Login Allowed" fstype="cifs" server="fileshare" path="files/userdata/%(USER)/Documents/linux_home" mountpoint="/home/DOMAIN/%(USER)" options="dir_mode=0700,sec=ntlm"/>
<!-- pam_mount parameters: General tunables -->
<logout wait="5000" hup="1" term="2" kill="3" />
/etc/fstab:
//fileshare/folder /folder cifs credentials=/etc/smbmounts/.folder,gid=1003,iocharset=utf8,file_mode=0770,dir_mode=0770,sec=ntlm 0 0
I included everything I could think of pertaining to this setup for full disclosure, but to be clear the problem is not with PAM home folder mounting. It's with the fstab - that //fileshare/folder is the shared folder with NTFS permissions that is vexing me.
I think it would be preferable if I did not upend the existing setup much for folder permissions.
Ideally, I'd like to change the fstab to look for credentials from the initial Samba/SSSD/Kerberos setup for AD authentication and login, rather than the smbmounts file that contains a shared username/password. If possible, a single sign on. Can it be this simple, and if so, what change needs to be made?
I appreciate any help, still fairly new to Linux in general.
Let me know if anymore information needs to be added/removed to make this topic more concise.
Thanks for all the help, everyone! I found the answer at this link, the best answer post: https://community.spiceworks.com/topic/484483-mounting-windows-shares-on-lubuntu
PBIS was not required to join to the domain or get authentication, it worked without it.