Sharing a Samba mount from Linux across multiple Windows users.

Dev00 · 07-06-2013, 02:02 PM

Moving thread here from Linux-Networking.

I'm not sure if this topic falls under a Windows forum or Linux.

Here's what I'm trying to achieve:

- Expose a file path in Linux through Samba service.
- Mount the same path as a Windows Drive, say X:, on a Windows 2003 Server, as the NT System account, so that services running on windows can see it.
- Allow users who have accounts on the Windows 2k3 server also see the X: drive for read/write access

I have been able to achieve exactly the above when
a) the remote file system was another windows machine and SMB/NetBIOS was used to share/mount/access the drive
b) the remote file system was an NFS mount from a AIX/Unix share

When Linux is used as the file system host, the mount process itself works, and the resulting X: drive can be accessed by the user who mounted it. Of course, in this case the NT System is mounting it and can be accessed as well. However, when another user logs in, he/she can see the X: drive, but a password not correct error pops up when the drive is double-clicked.

The drive is mounted using the command:

net use X: \\server-name\shared-path <password> /user:<application-system-user> /persistent:YES

The smb.conf entry for security looks like this:

security = share
passdb backend = tdbsam
valid users = <application-system-user>
path = /shared-path/
writeable = yes
:
:

I know security = share is deprecated. When security = user is used instead, the error message complains of a user name and password.

Long term, I may use a domain controller and configure accordingly with the security = domain option. For now I will have to make it work with the share or user option.

The "workaround" is to add the username/password (of the user that logs in to the windows server to access X: drive) to smbpasswd. In addition the username should be added to the "valid users" entry in smb.conf, and to smbusers.

It looks like Windows 2003 authenticates the logged on user's credentials instead of what is already mapped within the pre-authenticated mount ! How do I force the share to utilize the <application-system-user> credential instead ? Especially since this works fine for the Windows/SMB and Unix/NFS share from the exact same Windows 2003 server (smb client).

The <application-system-user> is a valid Linux account as well as a samba account, with all the right read/write privileges. I've even changed group security policy within Windows 2k3 to use LM, NTLM or even NTLMv2 where possible to eliminate credential type negotiation errors. Made no difference. What am I missing here ?

Any assistance is appreciated.

Regards,
Dev

Dev00 · 07-06-2013, 02:04 PM

Quote:

Originally Posted by Ser Olmy

Do you want Samba to authenticate against Active Directory?

I will want to use AD authentication later, but not just yet. The purpose right now is to limit access to the Linux share to only users who have access to the Win2k3 server (SMB client). So, as long as they log in to the Windows server through their domain account or a local host account, they can transparently access the share (say, through drive X: ) without having to run scripts, perform mounts, request additional permissions etc.,

I'm willing to drop security = share in a heartbeat, if I can get the prerequisites for security = user to work. What setting can I enter in the smb.conf file and/or change in Windows, to ensure the credential used to mount the share is the one used to negotiate the logged in user's access to the share instead of their own ?

camh · 07-15-2013, 04:59 PM

AD authentication would be the best way to do this, but here's a *sloppy* fix if you still need one:

Use iptables to restrict SMB/CIFS traffic to the Win2k3 box only. Just use security = share and configure permissions to allow guest read/write access. Then any valid user on the 2k3 box would be able to mount the share, while preventing any other device from accessing it.