From: Gary Dale on
Christian PERRIER wrote:
> Quoting Gary Dale (garydale(a)rogers.com):
>
>
>> Now perhaps I'm missing something, but I have no trouble with users
>> mounting nfs shares. The idea that users can't mount cifs shares
>> strikes me as odd and an unnecessary impediment.
>>
>
> How about turning the binary we provide in Debian to setuid on the
> systems where you want it to be this way, by using
> dpkg-statoverride(8)?
>
Actually, I was just responding to Nico's assertion that disabling
setuid is a seatbelt. The idea that mounting shares should be restricted
to root is, imho, a cure that is worse than the disease. :)


--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
From: Nico Kadel-Garcia on
On Thu, Apr 8, 2010 at 2:08 PM, Gary Dale <garydale(a)rogers.com> wrote:
> Christian PERRIER wrote:
>>
>> Quoting Gary Dale (garydale(a)rogers.com):
>>
>>
>>>
>>> Now perhaps I'm missing something, but I have no trouble with users
>>> mounting nfs shares. The idea that users can't mount cifs shares
>>> strikes me as odd and an unnecessary impediment.
>>>
>>
>> How about turning the binary we provide in Debian to setuid on the
>> systems where you want it to be this way, by using
>> dpkg-statoverride(8)?
>>
>
> Actually, I was just responding to Nico's assertion that disabling setuid is
> a seatbelt. The idea that mounting shares should be restricted to root is,
> imho, a cure that is worse than the disease.  :)

It's safer *default* behavior. If you want non-root users to be able
to mount, you can create a table of mounting options in auto.master or
in another auto.cifs file that will translate the mounting options
into something available to users, with wildcards to allow access to
alternative servers or shares.
From: Gary Dale on
Nico Kadel-Garcia wrote:
> On Thu, Apr 8, 2010 at 2:08 PM, Gary Dale <garydale(a)rogers.com> wrote:
>
>> Christian PERRIER wrote:
>>
>>> Quoting Gary Dale (garydale(a)rogers.com):
>>>
>>>
>>>
>>>> Now perhaps I'm missing something, but I have no trouble with users
>>>> mounting nfs shares. The idea that users can't mount cifs shares
>>>> strikes me as odd and an unnecessary impediment.
>>>>
>>>>
>>> How about turning the binary we provide in Debian to setuid on the
>>> systems where you want it to be this way, by using
>>> dpkg-statoverride(8)?
>>>
>>>
>> Actually, I was just responding to Nico's assertion that disabling setuid is
>> a seatbelt. The idea that mounting shares should be restricted to root is,
>> imho, a cure that is worse than the disease. :)
>>
>
> It's safer *default* behavior. If you want non-root users to be able
> to mount, you can create a table of mounting options in auto.master or
> in another auto.cifs file that will translate the mounting options
> into something available to users, with wildcards to allow access to
> alternative servers or shares.
>
I've been trying without success to get even a basic auto.cifs working
following the howto at
http://www.howtoforge.com/accessing_windows_or_samba_shares_using_autofs.

I installed autofs v5.0.4 from the Debian/Squeeze repository and created
the /etc/auto.cifs file. I made it executable and changed the mountopts
line to:
mountopts="-fstype=cifs,file_mode=0644,dir_mode=0755,uid=garydale,gid=users".

I created a /etc/auto.smb.<fileserver> file and gave it my credentials.
Then I added the auto.cifs line to the auto.master file and restarted
the autofs system.

I then fixed a few errors I was getting re. my domain name by adding an
automount: nis files line to /etc/nsswitch.conf and also running
domainname <mydomain>.

At this point I can run ls -als /cifs/<fileserver> and see all the
exported shares, etc. from that server. However the shares are not
mounted. Checking syslog I now find an error "Status code returned
0xc000005e NT_STATUS_NO_LOGON_SERVERS".

Google only finds two hits on this message, neither of which was
helpful. I know my Windows desktops are logging in to the domain as
their profiles are updated when they do.

Anyway, this leaves me with some questions.
1) Do you have any idea on how to fix the error?
2) Even if I do, I think I need more information on how auto.cifs can
help. If I replace the uid=garydale with something like uid=$USER, won't
that just pick up the uid as root, the context in which the mount is
running?
3) The credentials file for autofs seems to only allow a single
username+password combo for each mount. Is there a way around this?
4) Can the credentials be updated automatically when the user changes
their password?

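Added example, not code from this thread, the howto, or autofs itself: a sketch of the core of an executable autofs map for CIFS of the kind discussed above, showing the two checks that matter because the map runs as root on a key any local user can choose. The function names `valid_key`, `creds_ok` and `map_entry` are hypothetical; it assumes GNU `stat` and share listings in `smbclient -g` format (`Disk|share|comment`).

```shell
#!/bin/sh
# autofs runs a program map as root with the looked-up key (the directory
# name a user touched under /cifs) as $1, so the key is untrusted input.
MOUNTOPTS="-fstype=cifs,file_mode=0644,dir_mode=0755,uid=garydale,gid=users"

# Accept only hostname-like keys: alphanumeric first, then [A-Za-z0-9.-].
valid_key() {
    case "$1" in
        ""|[!A-Za-z0-9]*|*[!A-Za-z0-9.-]*) return 1 ;;
    esac
    return 0
}

# A credentials file is used only if it is a regular file (not a symlink),
# owned by the expected uid (default 0), with no group/other permission bits.
creds_ok() {
    file=$1 owner=${2:-0}
    [ -f "$file" ] && [ ! -L "$file" ] || return 1
    perm=$(stat -c '%a %u' "$file") || return 1
    set -- $perm
    [ "$2" = "$owner" ] || return 1
    case "$1" in 0|*00) return 0 ;; esac
    return 1
}

# Read share-list lines on stdin and print one multi-mount map entry for
# server $1. Shares with names outside [A-Za-z0-9_.-] are skipped, which
# also leaves out hidden shares ending in '$'.
map_entry() {
    key=$1 cred=$2 owner=${3:-0}
    valid_key "$key" || return 1
    opts=$MOUNTOPTS
    if [ -e "$cred" ]; then
        creds_ok "$cred" "$owner" || return 1   # refuse a loosely protected file
        opts="$opts,credentials=$cred"
    fi
    awk -F'|' -v key="$key" -v opts="$opts" '
        $1 == "Disk" && $2 ~ /^[A-Za-z0-9_.-]+$/ { out = out " /" $2 " ://" key "/" $2 }
        END { if (out == "") exit 1; print opts out }'
}

# When installed as the map itself, autofs supplies the key as $1.
if [ "$#" -gt 0 ]; then
    smbclient -gNL "$1" 2>/dev/null | map_entry "$1" "/etc/auto.smb.$1"
fi
```

A key such as `fs1,uid=0` or `../etc` is rejected before it reaches the credentials path or the mount location, and a credentials file left at mode 0644 makes the lookup fail instead of mounting with it.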