BACKGROUND

I have a Linux system and a Windows system on the same net connected to a TeraStation Pro. The Linux system runs a cron.daily task to perform daily and weekly backups of the Linux and Windows system. I had it all working, until....

PROBLEM 1
I was required to turn off the Guest account on the windows machine, which now broke my mount point to the Windows shared C drive. Apparently to share the C drive, Windows must also enable the Guest account. I tried adding credentials to the Linux mount point in the FSTAB files, while it appears to successfully mount the Windows drive, but when I attempt to perform a LS command it echos "Permission Denied"

QUESTION 1
How can I mount the Windows C drive with valid credentials even if Windows won't play nice and let me backup protected paths?

PROBLEM 2
As mentioned, I have a cron.daily task that performs daily differential, and weekly/monthly full backups. Unfortunately, it also backs up the password files, audit logs, etc. which using the FSTAB mount point allows even non-root accounts to gain access to password files, one of which are the plain text credentials files I have the FSTAB pointing to mount the Windows machine and the TeraStation.

QUESTION 2
How to I make the mount point to the TeraStation root permission only to prevent non-root user from accessing backup files?

Any tips, tricks, or links would be greatly appreciated.

Thanks,

Elvis


UPDATE: Added lines from my FSTAB
//192.168.0.50/share /home/sedwr/terastation smbfs auto,lfs,user,rw,sync,credentials=/etc/samba/ts.cred 0 0
//192.168.0.6/c /home/sedwr/windows smbfs auto,lfs,user,ro,credentials=/etc/samba/win.cred 0 0

Problelm 2 Question 2

First a bit of theory. The mount point is a directory in the filesystem tree. Whether or not a partition is mounted to that mount point, the permissions on that directory control who may have access to it before and after the partition is mounted.

Therefore,

chown root:root /TereStation
sets user and group ownership to root.

chmod ug+rwx /TeraStation
sets read write execute permissions to user and group (root and root). In the case of a directory, execute permission means "allowed to cd into" that directory.

chmod o-rwx /TeraStation
removes read write execute permissions for all other users. They may not cd into that directory; they may not read files in that directory; and they may not write files to that directory.

Try this test. As root, create a directory, and put a simple text file in it. Run the commands as above for that directory. Then as normal user, try to cd into it, list the contents, read the file in it, or write to that directory. You shouldn't be able to do that except as root.

bigrigdriver,

Thanks...

SOLUTION 2
Since I am auto-mounting during boot up, I think root actually perform the mounts. Thus, I think the mounts inherit the owner:group and permissions from root. I added a new BACKUPS share on the Terastation to eliminate commingling of user and backup files. I had to add the UID and GUI, which the permissions are inherited or assigned defaults, so I added FMASK and DMASK to remove permissions to prevent unauthorized users from even reading backup files that may contain passwords or audit logs. I also set NOUSER to eliminate the desktop icons to avoid the temptation of users to access the folders/files. I did this in addition to setting the mount point owner:group and permissions as you suggested. I am sure this is not optimal, but it seems to work for between the Linux systems and the Terastation.

# FSTAB
.
.
.
# terastation share
//192.168.0.50/share /home/sedwr/terastation smbfs auto,lfs,user,uid=sedwr,gid=controls,rw,sync,dmask=700,fmask=600,credentials=/etc/samba/ts.cred 0 0
# windows
//192.168.0.6/c$ /home/sedwr/windows smbfs auto,lfs,nouser,uid=root,gid=root,ro,dmask=700,fmask=600,credentials=/etc/samba/win.cred 0 0
# terastation backups
//192.168.0.50/backups /home/sedwr/backups smbfs auto,lfs,nouser,uid=root,gid=root,rw,sync,dmask=700,fmask=600,credentials=/etc/samba/bu.cred 0 0


BACK TO PROBLEM 1

I am still having trouble mounting the Windows C:/ drive. I have tried using user authentication, administration, re-enabling the Guest account, re-sharing the C drive, etc. Use the built in C$ vs. adding a new share name, etc. All I get is the following error message:

> mount /home/sedwr/windows/
10098: session setup failed: ERRDOS - ERRnoaccess (Access denied.)
SMB connection failed


QUESTION 1

Is there some setting on the Windows side that needs to be configured in addition to the Linux side? The error in the Windows Event Viewer is: EventID: 529 NT User: AUTHORIRY\SYSTEM Reason: Unknown user name or bad password, both of which I have double checked. Any hints/tips/tricks would be greatly appreciated.

bigrigdriver,

I figured it out, but I thought I would post my solution to PROBLEM 1/QUESTION 1

SOLUTION 1

On the Windows XP machine, open Settings -> Control Panels -> Administrative Tools -> Local Security Policy.
Open Security Settings -> Local Policies -> Security Options. Change the Network access: Sharing and security model for local accounts = Classic - local users authenticate as themselves.

Doing so will re-enable the Guest account until you set up access permissions for the drives/folders one wants to share to authenticated users. Right Mouse Click on the drive/folder -> Properties -> Sharing -> Permissions. Then remove Everyone entry and add Users ({yourcomputername}\Users). Once sharing permissions are set up you can go back and disable the Guest account using what ever mechanism you're most familiar with.


Then using the automount command in my FSTAB posted above with an appropriate credentials file will mount the Windows share with restrictive permissions that will prevent the standard user from access password files and security logs from the Linux side and protect my cron.daily backups on the Terastation


Again, many thanks.