Using GPO to mount shares on Linux

17 messages
Using GPO to mount shares on Linux

Samba - General mailing list
Hello,

I'm using a Samba 4 as domain server and I've a lot of Windows computers
that mounts shared drives on another server through GPO applied by user
groups.
Is there any way to do something similar on a Linux box, or I've to use a
local script?

Thanks!

--
_________________________________________

      Daniel Carrasco Marín
      Ingeniería para la Innovación i2TIC, S.L.
      Tlf:  +34 911 12 32 84 Ext: 223
      www.i2tic.com
_________________________________________
--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

Re: Using GPO to mount shares on Linux

Samba - General mailing list
If you mean, Linux <=> Linux , use automounting, of dedicated mounts. Cifs/nfs, depending on your setup and what you need.


> -----Original message-----
> From: samba [mailto:[hidden email]] On behalf of
> Daniel Carrasco via samba
> Sent: Wednesday 11 October 2017 9:33
> To: [hidden email]
> Subject: [Samba] Using GPO to mount shares on Linux
>
> Hello,
>
> I'm using a Samba 4 as domain server and I've a lot of
> Windows computers that mounts shared drives on another server
> through GPO applied by user groups.
> Is there any way to do something similar on a Linux box, or
> I've to use a local script?
>
> Thanks!
>
> --
> _________________________________________
>
>       Daniel Carrasco Marín
>       Ingeniería para la Innovación i2TIC, S.L.
>       Tlf:  +34 911 12 32 84 Ext: 223
>       www.i2tic.com
> _________________________________________
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
>



Re: Using GPO to mount shares on Linux

Samba - General mailing list
Yeah, I mean an Ubuntu 16.04 client mounting a Linux Samba shares on a
Debian 8 server depending of user groups. Both connected as members servers
to a Samba 4 DC.

I'll research about how automounting works.

Thanks!!

2017-10-11 10:13 GMT+02:00 L.P.H. van Belle via samba <[hidden email]>:

> If you mean, Linux <=> Linux , use automounting, of dedicated mounts.
> Cifs/nfs, depending on you setup and what you need.
>
>
> > -----Original message-----
> > From: samba [mailto:[hidden email]] On behalf of
> > Daniel Carrasco via samba
> > Sent: Wednesday 11 October 2017 9:33
> > To: [hidden email]
> > Subject: [Samba] Using GPO to mount shares on Linux
> >
> > Hello,
> >
> > I'm using a Samba 4 as domain server and I've a lot of
> > Windows computers that mounts shared drives on another server
> > through GPO applied by user groups.
> > Is there any way to do something similar on a Linux box, or
> > I've to use a local script?
> >
> > Thanks!
> >
> > --
> > _________________________________________
> >
> >       Daniel Carrasco Marín
> >       Ingeniería para la Innovación i2TIC, S.L.
> >       Tlf:  +34 911 12 32 84 Ext: 223
> >       www.i2tic.com
> > _________________________________________
> > --
> > To unsubscribe from this list go to the following URL and read the
> > instructions:  https://lists.samba.org/mailman/options/samba
> >
>
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba




--
_________________________________________

      Daniel Carrasco Marín
      Ingeniería para la Innovación i2TIC, S.L.
      Tlf:  +34 911 12 32 84 Ext: 223
      www.i2tic.com
_________________________________________

Re: Using GPO to mount shares on Linux

Samba - General mailing list
On Wed, 11 Oct 2017 10:13:35 +0200
"L.P.H. van Belle via samba" <[hidden email]> wrote:

> If you mean, Linux <=> Linux , use automounting, of dedicated mounts.
> Cifs/nfs, depending on you setup and what you need.
>
>

The problem is, they don't seem to work any more. They all seem to rely
on mount.cifs and you need to be root to run this. When the user logs
in, the mounting program runs using the users creds and fails.

Rowland
 


Re: Using GPO to mount shares on Linux

Samba - General mailing list
Hi,

On 10/11/2017 10:37 AM, Rowland Penny via samba wrote:
> The problem is, they don't seem to work any more. They all seem to rely
> on mount.cifs and you need to be root to run this. When the user logs
> in, the mounting program runs using the users creds and fails.

We are using libpam-mount, and it works perfectly.

To be configured in /etc/security/pam_mount.conf.xml, like

> <volume user="*" mountpoint="/home/%(USER)/mount_location" path="share_name" server="smb_server_name" fstype="cifs" options="domain=WRKGRP,sec=ntlmv2i,vers=3.0"/>

Or perhaps you don't mean something like this.

But it's not a GPO, of course.

MJ


Re: Using GPO to mount shares on Linux

Samba - General mailing list
On Wed, 11 Oct 2017 11:00:59 +0200
Michael Wandel <[hidden email]> wrote:

> On 11.10.2017 10:37, Rowland Penny via samba wrote:
> > On Wed, 11 Oct 2017 10:13:35 +0200
> > "L.P.H. van Belle via samba" <[hidden email]> wrote:
> >
> >> If you mean, Linux <=> Linux , use automounting, of dedicated
> >> mounts. Cifs/nfs, depending on you setup and what you need.
> >>
> >>
> >
> > The problem is, they don't seem to work any more. They all seem to
> > rely on mount.cifs and you need to be root to run this. When the
> > user logs in, the mounting program runs using the users creds and
> > fails.
> >
> Hi,
>
> it can be solved by pam_mount or you can use mount.cifs with the
> multiuser option.
>
> https://www.snia.org/sites/default/orig/SDC2012/presentations/Revisions/JeffLayton_Multiuser%20Mounts%20with%20Linux%20CIFS_revision.pdf
>
> best regards
> Michael
>
>
> > Rowland
> >  
> >
>
>

I have tried to get autofs to work with nfs and cifs as user mounts, I
cannot get these to work and believe me, I really tried ;-)

I cannot get pam_mount to work either, it just tells me there are no
volumes to mount. If I run the mount manually it doesn't work, I run it
again with sudo, it works. I cannot find a way to get pam_mount to use
sudo.

In my opinion 'multiuser' is a possibility, but again I cannot get it
to work.

I am now considering pam_script, so watch this space ;-)

Rowland


Re: Using GPO to mount shares on Linux

Samba - General mailing list
On Wed, 11 Oct 2017 11:11:33 +0200
mj via samba <[hidden email]> wrote:

> Hi,
>
> On 10/11/2017 10:37 AM, Rowland Penny via samba wrote:
> > The problem is, they don't seem to work any more. They all seem to
> > rely on mount.cifs and you need to be root to run this. When the
> > user logs in, the mounting program runs using the users creds and
> > fails.
>
> We are using libpam-mount, and it works perfectly.
>
> To be configured in /etc/security/pam_mount.conf.xml, like
>
> > <volume user="*" mountpoint="/home/%(USER)/mount_location"
> > path="share_name" server="smb_server_name" fstype="cifs"
> > options="domain=WRKGRP,sec=ntlmv2i,vers=3.0"/>
>
> Or perhaps you don't mean something like this.
>
> But it's not a GPO, of course.
>
> MJ
>

Perhaps I should have mentioned that I am trying to get this to work
with 'sec=krb5', which does work if mounted by root.

Rowland


Re: Using GPO to mount shares on Linux

Samba - General mailing list
 

> -----Original message-----
> From: samba [mailto:[hidden email]] On behalf of
> Rowland Penny via samba
> Sent: Wednesday 11 October 2017 11:39
> To: [hidden email]
> Subject: Re: [Samba] Using GPO to mount shares on Linux
>
> On Wed, 11 Oct 2017 11:00:59 +0200
> Michael Wandel <[hidden email]> wrote:
>
> > On 11.10.2017 10:37, Rowland Penny via samba wrote:
> > > On Wed, 11 Oct 2017 10:13:35 +0200
> > > "L.P.H. van Belle via samba" <[hidden email]> wrote:
> > >
> > >> If you mean, Linux <=> Linux , use automounting, of dedicated
> > >> mounts. Cifs/nfs, depending on you setup and what you need.
> > >>
> > >>
> > >
> > > The problem is, they don't seem to work any more. They
> all seem to
> > > rely on mount.cifs and you need to be root to run this. When the
> > > user logs in, the mounting program runs using the users creds and
> > > fails.
> > >
> > Hi,
> >
> > it can be solved by pam_mount or you can use mount.cifs with the
> > multiuser option.
> >
> >
> https://www.snia.org/sites/default/orig/SDC2012/presentations/Revision
> > s/JeffLayton_Multiuser%20Mounts%20with%20Linux%20CIFS_revision.pdf
> >
> > best regards
> > Michael
> >
> >
> > > Rowland
> > >  
> > >
> >
> >
>
> I have tried to get autofs to work with nfs and cifs as user
> mounts, I cannot get these to work and believe me, I really tried ;-)
>
> I cannot get pam_mount to work either, it just tells me there
> are no volumes to mount. If I run the mount manually it
> doesn't work, I run it again with sudo, it works. I cannot
> find a way to get pam_mount to use sudo.
>
> In my opinion 'multiuser' is a possibilty, but again I cannot
> get it to work.
>
> I am now considering pam_script, so watch this space ;-)
>
> Rowland
>
I believe you. The trick is.

1) add this to krb5.conf
; for Windows 2008 with AES
    default_tgs_enctypes = aes128-cts-hmac-sha1-96 aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
    default_tkt_enctypes = aes128-cts-hmac-sha1-96 aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
    permitted_enctypes = aes128-cts-hmac-sha1-96 aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5

2) make use of kerberos, add cifs/FQDN to the systemkeytab file.  
2a) optional, make use of idmap.conf, something like this.
/etc/idmapd.conf
[General]

Verbosity = 0
Pipefs-Directory = /run/rpc_pipefs

# set your own domain here, if id differs from FQDN minus hostname
# Domain = localdomain
Domain = internal.dnsdomain.tld
Local-Realm = REALM

[Mapping]

Nobody-User = nobody
Nobody-Group = nogroup

[Translation]
Method = static,nsswitch
GSS-Methods = static,nsswitch


[Static]
NETBIOSNAME$@REALM = root
host/[hidden email] = root
cifs/[hidden email] = root
cifs/FQDN@ = root


3) reboot the server, login and try
mount -t cifs -o sec=krb5i //fileserver.subdomain.doamin.local/share /mnt


See if this helps.

Greetz,

Louis






Re: Using GPO to mount shares on Linux

Samba - General mailing list
On Wed, 11 Oct 2017 11:51:02 +0200
"L.P.H. van Belle via samba" <[hidden email]> wrote:

>  
>
> > -----Original message-----
> > From: samba [mailto:[hidden email]] On behalf of
> > Rowland Penny via samba
> > Sent: Wednesday 11 October 2017 11:39
> > To: [hidden email]
> > Subject: Re: [Samba] Using GPO to mount shares on Linux
> >
> > On Wed, 11 Oct 2017 11:00:59 +0200
> > Michael Wandel <[hidden email]> wrote:
> >
> > > On 11.10.2017 10:37, Rowland Penny via samba wrote:
> > > > On Wed, 11 Oct 2017 10:13:35 +0200
> > > > "L.P.H. van Belle via samba" <[hidden email]> wrote:
> > > >
> > > >> If you mean, Linux <=> Linux , use automounting, of dedicated
> > > >> mounts. Cifs/nfs, depending on you setup and what you need.
> > > >>
> > > >>
> > > >
> > > > The problem is, they don't seem to work any more. They
> > all seem to
> > > > rely on mount.cifs and you need to be root to run this. When
> > > > the user logs in, the mounting program runs using the users
> > > > creds and fails.
> > > >
> > > Hi,
> > >
> > > it can be solved by pam_mount or you can use mount.cifs with the
> > > multiuser option.
> > >
> > >
> > https://www.snia.org/sites/default/orig/SDC2012/presentations/Revision
> > > s/JeffLayton_Multiuser%20Mounts%20with%20Linux%20CIFS_revision.pdf
> > >
> > > best regards
> > > Michael
> > >
> > >
> > > > Rowland
> > > >  
> > > >
> > >
> > >
> >
> > I have tried to get autofs to work with nfs and cifs as user
> > mounts, I cannot get these to work and believe me, I really
> > tried ;-)
> >
> > I cannot get pam_mount to work either, it just tells me there
> > are no volumes to mount. If I run the mount manually it
> > doesn't work, I run it again with sudo, it works. I cannot
> > find a way to get pam_mount to use sudo.
> >
> > In my opinion 'multiuser' is a possibilty, but again I cannot
> > get it to work.
> >
> > I am now considering pam_script, so watch this space ;-)
> >
> > Rowland
> >
> I believe you. The trick is.
>
> 1) add this to krb5.conf
> ; for Windows 2008 with AES
>     default_tgs_enctypes = aes128-cts-hmac-sha1-96
> aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
> default_tkt_enctypes = aes128-cts-hmac-sha1-96
> aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
> permitted_enctypes = aes128-cts-hmac-sha1-96 aes256-cts-hmac-sha1-96
> rc4-hmac des-cbc-crc des-cbc-md5
>
> 2) make use of kerberos, add cifs/FQDN to the systemkeytab file.  
> 2a) optional, make use of idmap.conf, something like this.
> /etc/idmapd.conf
> [General]
>
> Verbosity = 0
> Pipefs-Directory = /run/rpc_pipefs
>
> # set your own domain here, if id differs from FQDN minus hostname
> # Domain = localdomain
> Domain = internal.dnsdomain.tld
> Local-Realm = REALM
>
> [Mapping]
>
> Nobody-User = nobody
> Nobody-Group = nogroup
>
> [Translation]
> Method = static,nsswitch
> GSS-Methods = static,nsswitch
>
>
> [Static]
> NETBIOSNAME$@REALM = root
> host/[hidden email] = root
> cifs/[hidden email] = root
> cifs/FQDN@ = root
>
>
> 3) reboot the server, login and try
> mount -t cifs -o
> sec=krb5i //fileserver.subdomain.doamin.local/share /mnt
>
>
> See if this helps.
>

I did all of this, I have read everything I could find on the internet
and I just couldn't make it work.

I am now a leading expert on what doesn't work ;-)

Rowland



Re: Using GPO to mount shares on Linux

Samba - General mailing list
On Wed, 11 Oct 2017 12:03:38 +0200
Michael Wandel <[hidden email]> wrote:

> On 11.10.2017 11:38, Rowland Penny via samba wrote:
> > On Wed, 11 Oct 2017 11:00:59 +0200
> > Michael Wandel <[hidden email]> wrote:
> >
> >> On 11.10.2017 10:37, Rowland Penny via samba wrote:
> >>> On Wed, 11 Oct 2017 10:13:35 +0200
> >>> "L.P.H. van Belle via samba" <[hidden email]> wrote:
> >>>
> >>>> If you mean, Linux <=> Linux , use automounting, of dedicated
> >>>> mounts. Cifs/nfs, depending on you setup and what you need.
> >>>>
> >>>>
> >>>
> >>> The problem is, they don't seem to work any more. They all seem to
> >>> rely on mount.cifs and you need to be root to run this. When the
> >>> user logs in, the mounting program runs using the users creds and
> >>> fails.
> >>>
> >> Hi,
> >>
> >> it can be solved by pam_mount or you can use mount.cifs with the
> >> multiuser option.
> >>
> >> https://www.snia.org/sites/default/orig/SDC2012/presentations/Revisions/JeffLayton_Multiuser%20Mounts%20with%20Linux%20CIFS_revision.pdf
> >>
> >> best regards
> >> Michael
> >>
> >>
> >>> Rowland
> >>>  
> >>>
> >>
> >>
> >
> > I have tried to get autofs to work with nfs and cifs as user
> > mounts, I cannot get these to work and believe me, I really
> > tried ;-)
> >
> ok, do you use automount from the autofs package or do you use systemd
> automount units ?

I used autofs-ldap on Devuan.
 
>
> which OS you are using ?
>
> which script you are using ?
> /etc/auto.smb ?

Everything in AD.

Rowland


Re: Using GPO to mount shares on Linux

Samba - General mailing list


On 10/11/2017 12:09 PM, Rowland Penny via samba wrote:
> I did all of this, I have read everything I could find on the internet
> and I just couldn't make it work.
>
> I am now a leading expert on what doesn't work ;-)
>
> Rowland

ok, that is an unusual situation... you having a problem, and things
working here :-)

So perhaps we're doing different things:

we mount PER USER under the users home directory. We don't have ONE
global mount that is shared between all logged-on users, but each has
his/her own shares under /home/username/share1 -> /home/username/share4

Pam_mount mounts it on logon, both via ssh and xrdp.

The mounted shares also automatically appear as shortcuts on the
desktop, just like a mounted usb stick does. Very convenient for the users.

So perhaps you are trying to mount 'global shares', that everybody
should be able to access, logged on as themselves?

MJ


Re: Using GPO to mount shares on Linux

Samba - General mailing list
On Wed, 11 Oct 2017 12:21:55 +0200
mj via samba <[hidden email]> wrote:

>
>
> On 10/11/2017 12:09 PM, Rowland Penny via samba wrote:
> > I did all of this, I have read everything I could find on the
> > internet and I just couldn't make it work.
> >
> > I am now a leading expert on what doesn't work ;-)
> >
> > Rowland
>
> ok, that is an unusual situation... you having a problem, and things
> working here :-)
>
> So perhaps we're doing different things:
>
> we mount PER USER under the users home directory. We don't have ONE
> global mount that is shared between all logged-on users, but each has
> his/her own shares under /home/username/share1
> -> /home/username/share4
>
> Pam_mount mounts it on logon, both via ssh and xrdp.
>
> The mounted shares also automatically appear as shortcuts on the
> desktop, just like a mounted usb stick does. Very convenient for the
> users.
>
> So perhaps you are trying to mount 'global shares', that everybody
> should be able to access, logged on as themselves?
>
> MJ
>

I want to mount a users folder on one machine into the users folder on
another machine.
i.e. mount \\dc1\users\rowland on client /home/rowland/mnt

Sods law has kicked in, I have now got a mount to work with pam_mount,
but there is a major problem, anything created in the share doesn't
belong to rowland, it is 3000000:domain users. This is not acceptable,
the mounted share belongs to rowland, but nothing inside it does. I
think I will continue to try and get pam_script to do what I want.

Rowland


Re: Using GPO to mount shares on Linux

Samba - General mailing list


On 10/11/2017 12:43 PM, Rowland Penny via samba wrote:
> I want to mount a users folder on one machine into the users folder on
> another machine.
> i.e. mount \\dc1\users\rowland on client /home/rowland/mnt
That sounds similar to our use case.

> Sods law has kicked in, I have now got a mount to work with pam_mount,
> but there is a major problem, anything created in the share doesn't
> belong to rowland, it is 3000000:domain users. This is not acceptable,
> the mounted share belongs to rowland, but nothing inside it does. I
> think I will continue to try and get pam_script to do what I want.
Strange.

So what does a mount look like?

Here:

> root@dmmember:~# mount | grep username
> //fileserver.company.com/username on /home/username/username type cifs (rw,relatime,sec=ntlmi,unc=\\filehost.company.com\username,username=username,domain=WRKGRP,uid=49611,forceuid,gid=513,forcegid,addr=192.168.89.2,unix,posixpaths,serverino,acl,rsize=61440,wsize=65536,actimeo=1)
> root@dmmember:~#

MJ


Re: Using GPO to mount shares on Linux

Samba - General mailing list
I think MJ is using samba with AD backend and Rowland RID.
Rowland, try AD backend if you're using rid atm.

Gr.

Louis


> -----Original message-----
> From: samba [mailto:[hidden email]] On behalf of mj via samba
> Sent: Wednesday 11 October 2017 13:25
> To: [hidden email]
> Subject: Re: [Samba] Using GPO to mount shares on Linux
>
>
>
> On 10/11/2017 12:43 PM, Rowland Penny via samba wrote:
> > I want to mount a users folder on one machine into the
> users folder on
> > another machine.
> > i.e. mount \\dc1\users\rowland on client /home/rowland/mnt
> That sounds similar to our use case.
>
> > Sods law has kicked in, I have now got a mount to work with
> pam_mount,
> > but there is a major problem, anything created in the share doesn't
> > belong to rowland, it is 3000000:domain users. This is not
> acceptable,
> > the mounted share belongs to rowland, but nothing inside it does. I
> > think I will continue to try and get pam_script to do what I want.
> Strange.
>
> So what does a mount look like?
>
> Here:
>
> > root@dmmember:~# mount | grep username
> > //fileserver.company.com/username on
> /home/username/username type cifs
> >
> (rw,relatime,sec=ntlmi,unc=\\filehost.company.com\username,username=us
> >
> ername,domain=WRKGRP,uid=49611,forceuid,gid=513,forcegid,addr=192.168.
> >
> 89.2,unix,posixpaths,serverino,acl,rsize=61440,wsize=65536,actimeo=1)
> > root@dmmember:~#
>
> MJ
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
>



Re: Using GPO to mount shares on Linux

Samba - General mailing list


On 10/11/2017 01:24 PM, mj via samba wrote:
>> root@dmmember:~# mount | grep username
>> //fileserver.company.com/username on /home/username/username type cifs
>> (rw,relatime,sec=ntlmi,unc=\\filehost.company.com\username,username=username,domain=WRKGRP,uid=49611,forceuid,gid=513,forcegid,addr=192.168.89.2,unix,posixpaths,serverino,acl,rsize=61440,wsize=65536,actimeo=1)
>>

Or on a different server, with slightly different mount options:

>
> //fileserver.company.com/Temp$ on /home/username/temp type cifs (rw,relatime,vers=3.0,sec=ntlmsspi,cache=strict,username=username,domain=WRKGRP,uid=49609,forceuid,gid=513,forcegid,addr=192.168.8.12,file_mode=0755,dir_mode=0755,nounix,serverino,rsize=65536,wsize=65536,actimeo=1)


The uid=49609,forceuid,gid=513,forcegid were not added by me, they were
added automatically by pam-mount I guess, but perhaps that would help in
your situation, with your wrong permissions?

MJ
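
Added example (not part of the thread, and not Samba or pam_mount code): a small Python audit of `mount` output lines such as the two quoted in the messages above, reporting the authentication mode, whether a dialect is shown, and whether ownership is forced on the client. The finding names are invented here, the third sample line is constructed, and treating the `unix` flag as SMB1 Unix extensions is a heuristic for kernels of that era.

```python
import re

MOUNT_RE = re.compile(r"^(?P<src>\S+) on (?P<target>\S+) type cifs \((?P<opts>.*)\)$")

# The first two lines are the mount output quoted in the thread (raw strings,
# because the unc= value contains backslashes). The third is constructed.
THREAD_MOUNT_1 = (
    r"//fileserver.company.com/username on /home/username/username type cifs "
    r"(rw,relatime,sec=ntlmi,unc=\\filehost.company.com\username,username=username,"
    r"domain=WRKGRP,uid=49611,forceuid,gid=513,forcegid,addr=192.168.89.2,unix,"
    r"posixpaths,serverino,acl,rsize=61440,wsize=65536,actimeo=1)"
)
THREAD_MOUNT_2 = (
    r"//fileserver.company.com/Temp$ on /home/username/temp type cifs "
    r"(rw,relatime,vers=3.0,sec=ntlmsspi,cache=strict,username=username,domain=WRKGRP,"
    r"uid=49609,forceuid,gid=513,forcegid,addr=192.168.8.12,file_mode=0755,"
    r"dir_mode=0755,nounix,serverino,rsize=65536,wsize=65536,actimeo=1)"
)
CONSTRUCTED_KRB5_MOUNT = (
    r"//fs.example.test/home on /home/alice/mnt type cifs "
    r"(rw,relatime,vers=3.0,sec=krb5i,cruid=10001,uid=10001,gid=10000,addr=192.0.2.10)"
)


def parse_options(opts):
    """Turn 'a=1,b,c=2' into {'a': '1', 'b': True, 'c': '2'}."""
    parsed = {}
    for item in opts.split(","):
        key, sep, value = item.partition("=")
        parsed[key] = value if sep else True
    return parsed


def audit_cifs_mount(line):
    """Return a list of findings for one cifs line of `mount` output, or None if not cifs."""
    match = MOUNT_RE.match(line.strip())
    if match is None:
        return None
    opts = parse_options(match.group("opts"))
    findings = []

    sec = opts.get("sec", "")
    if sec is True:
        sec = ""
    if sec in ("ntlm", "ntlmi"):
        findings.append("ntlmv1-auth")          # mount.cifs: "NTLM password hashing"
    elif sec.startswith("ntlm"):
        findings.append("ntlm-password-auth")   # NTLMv2/NTLMSSP: password, not Kerberos
    elif not sec.startswith("krb5"):
        findings.append("sec-unknown")
    if not sec.endswith("i"):
        findings.append("signing-not-forced")   # the trailing 'i' forces packet signing

    if "vers" not in opts:
        findings.append("dialect-not-shown")    # cannot confirm SMB2+ from this line
    if opts.get("unix") is True:
        findings.append("smb1-unix-extensions") # heuristic, see lead-in
    if "forceuid" in opts or "forcegid" in opts:
        findings.append("client-forced-ownership")
    return findings


if __name__ == "__main__":
    for sample in (THREAD_MOUNT_1, THREAD_MOUNT_2, CONSTRUCTED_KRB5_MOUNT):
        print(sample.split(" on ")[0], "->", audit_cifs_mount(sample) or "no findings")
```
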


Re: Using GPO to mount shares on Linux

Samba - General mailing list
On Wed, 11 Oct 2017 13:34:23 +0200
"L.P.H. van Belle via samba" <[hidden email]> wrote:

> I think MJ is using samba with AD backend and Rowland RID.
> Rowland, try AD backend if your using rid atm.
>

That fixed it, sort of proves the point, you need to use the same ID
everywhere.

Rowland



Re: Using GPO to mount shares on Linux

Samba - General mailing list
Wohoo, finally I could help Rowland :-p  ;-)

I follow this as guidance:

1 server ( all in one ) use RID, easy to setup etc, but .. If you go to ... Or have plans to..
 
2 servers ( DC + a member )
        use backend RID if you don't need access with a windows account to a shared home folder. ( cifs or nfs )
          you use a dedicated local "linuxAdmin" for maintenance. ( often the first created user in linux )
        use backend AD if you do need access with ssh for example or shared homefolders.

3 server or more, all server where ssh or access to a server with a shared folder is needed, use backend AD.
        advised is all servers with file shares.
        Optional, mix this with RID, for example for a dedicated print server, or proxy server (auth).

I use setup 3.
Multiple servers with AD and RID mixed on the members, based on function.

A NFS pointer is.
Make sure you set your home folder 755, kerberos ( MIT ), looks for .klogin in the home dir.
If the setup is too tight this fails.  ( workaround: disable .klogin checking in krb5.conf )
And nfs/hostname.FQDN needs to be added to HOSTNAME$ where its needed.

For Cifs. You may need to add these lines in krb5.conf cifs uses them nfs not.
; for Windows 2008 with AES
    default_tgs_enctypes = aes128-cts-hmac-sha1-96 aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
    default_tkt_enctypes = aes128-cts-hmac-sha1-96 aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
    permitted_enctypes = aes128-cts-hmac-sha1-96 aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5

Now here, if you see, Required keys not available, no matter what you do
then you probably are missing these lines in krb5.conf.

The source I use for above info :
http://www.cs.rug.nl/~jurjen/ApprenticesNotes/mount_ms_cifs_using_ad_krb.html 
http://www.cs.rug.nl/~jurjen/ApprenticesNotes/ad_nfs4.html

It's a .nl domain but it's in English  ;-) and contains still good info.
Just beware it's based on debian squeeze.
And a handy to know.
https://support.microsoft.com/en-us/help/977321/kdc-event-id-16-or-27-is-logged-if-des-for-kerberos-is-disabled 

Greetz,

Louis
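
Added example (not part of the thread, and not Samba or MIT Kerberos code): the krb5.conf lines posted twice in this thread list rc4-hmac, des-cbc-crc and des-cbc-md5 next to the AES types, and RFC 6649 and RFC 8429 deprecate single-DES, 3DES and RC4 for Kerberos. This Python check flags such entries in [libdefaults] and returns the AES-only value; the function names and the sample file (realm and KDC names are placeholders) are constructed here, and it assumes the KDC already holds AES keys for the accounts involved.

```python
import re

ENCTYPE_KEYS = ("default_tgs_enctypes", "default_tkt_enctypes", "permitted_enctypes")
# Enctype families deprecated for Kerberos by RFC 6649 (DES) and RFC 8429 (3DES, RC4).
WEAK_FAMILIES = {"des", "des3", "rc4", "arcfour"}

THREAD_VALUE = "aes128-cts-hmac-sha1-96 aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5"

# Constructed sample: the three settings from the thread placed in a [libdefaults] section.
SAMPLE_KRB5_CONF = f"""\
[libdefaults]
    default_realm = EXAMPLE.TEST
; for Windows 2008 with AES
    default_tgs_enctypes = {THREAD_VALUE}
    default_tkt_enctypes = {THREAD_VALUE}
    permitted_enctypes = {THREAD_VALUE}

[realms]
    EXAMPLE.TEST = {{
        kdc = dc1.example.test
    }}
"""


def split_enctypes(value):
    """krb5.conf accepts whitespace- or comma-separated enctype lists."""
    return [tok for tok in re.split(r"[,\s]+", value.strip()) if tok]


def is_weak(token):
    """True for DES/3DES/RC4 names; a leading '-' (MIT removal syntax) is not a match."""
    return token.lower().split("-")[0] in WEAK_FAMILIES


def aes_only(value):
    """Return the same list with the weak enctypes dropped, order preserved."""
    return " ".join(tok for tok in split_enctypes(value) if not is_weak(tok))


def audit_krb5_conf(text):
    """Return {setting: [weak enctypes]} for the enctype settings in [libdefaults]."""
    findings = {}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":      # both comment styles are valid
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            section = header.group(1).lower()
            continue
        if section != "libdefaults" or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key not in ENCTYPE_KEYS:
            continue
        weak = [tok for tok in split_enctypes(value) if is_weak(tok)]
        if weak:
            findings[key] = weak
    return findings


if __name__ == "__main__":
    for key, weak in audit_krb5_conf(SAMPLE_KRB5_CONF).items():
        print(f"{key}: weak enctypes {weak}")
    print("AES-only value:", aes_only(THREAD_VALUE))
```
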

