Is it possible to use the machine account to authenticate when using cifs/smbfs? I mean, in smbclient you can use -P to tell it to use the machine account of the local computer, rather than using a user and password.
Can you explain exactly what you are trying to do? Which machine account? The local one? Authenticate to do what? Connect to a share? A printer? Interactive login?
Sorry, I'm mounting a Windows share from a nix server and using the machine account in AD, i.e. the computer object that is registered for the nix server in AD. The smbclient would be:
sudo smbclient //windowsserver/share -P
Just wondering if it's possible to cifs/smbfs mount using these credentials instead of providing a username and password, and if it would work in fstab.
Assuming the *nix machine is correctly joined to the domain, then yes.
So what would the cifs/smbfs command/options be?
If it was in fstab it would be something like:
//servername/sharename /media/windowsshare cifs username=username,password=password,iocharset=utf8,file_mode=0777,dir_mode=0777 0 0
But what would I put in instead of username and password?
You can't do that within the fstab.
You should use PAM_MOUNT to mount the folder.
Heck, you could even use FUSE.
Ah ok, I'll have a read about FUSE and PAM_MOUNT
Well, after doing some reading I can't figure out how to use either FUSE or PAM_MOUNT in fstab, i.e. mount on boot. Didn't even get to the point where I had an entry in fstab, let alone trying to see if it would use machine account credentials (i.e. the computer object that is registered in AD). Can someone send me in the right direction so I can look it up?

I can help with pam_mount. It works on login, rather than in fstab, so not sure it's what you need really.
Install samba-client and pam_mount etc.
and set this in /etc/pam.d/password-auth
Code:
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        required      pam_mount.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_krb5.so use_first_pass
auth        sufficient    pam_winbind.so cached_login use_first_pass
auth        required      pam_deny.so
account     required      pam_access.so
account     required      pam_unix.so broken_shadow
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_krb5.so
account     [default=bad success=ok user_unknown=ignore] pam_winbind.so cached_login
account     required      pam_permit.so
password    requisite     pam_cracklib.so try_first_pass retry=3 type=
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    sufficient    pam_krb5.so use_authtok
password    sufficient    pam_winbind.so cached_login use_authtok
password    required      pam_deny.so
session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     optional      pam_mkhomedir.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_mount.so
session     optional      pam_krb5.so
and this in /etc/security/pam_mount.conf
Code:
<?xml version="1.0" encoding="utf-8" ?>
<!DOCTYPE pam_mount SYSTEM "pam_mount.conf.xml.dtd">
<pam_mount>
  <mntoptions allow="nosuid,nodev,loop,encryption,fsck,nonempty,allow_root,allow_other,workgroup,nosetuids,noexec,nosuid,noserverino" />
  <mntoptions require="nosuid,nodev" />
  <logout wait="2" hup="0" term="yes" kill="0" />
  <mkmountpoint enable="1" remove="true" />
  <debug enable="0" />
  <volume fstype="cifs" server="student" path="%(USER)" mountpoint="/home/%(USER)" options="workgroup=CURRIC,uid=%(USER),dir_mode=0700,file_mode=0700,nosuid,nodev,noserverino" />
</pam_mount>
Thanks for that, I was really looking at mounting on boot rather than login. Appreciate the info though, as it's useful for the future.
It seems that you can't use the machine account to mount a Windows share on boot, just annoying that it's possible with smbclient.

That would work, you could also have a cron script to check if it is still mounted and remount if the server goes down.
In preference I usually mount using NFS. I appreciate it's more difficult on a Windows server; we don't have any Windows fileservers, as Linux has superseded them all.
If you install Services for Unix on the Windows server you can expose the Windows shares over NFS.
http://technet.microsoft.com/en-us/l...(v=ws.10).aspx
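One way to write the cron check suggested in the reply above, as an added example that was not posted by anyone in the thread. It assumes the share has an fstab entry for /media/windowsshare as in the earlier post; MOUNTS_FILE, MOUNT_CMD and UMOUNT_CMD are hypothetical variables introduced here so the logic can be exercised without root or a real server.

```shell
#!/bin/sh
# Added example (not from the thread): keep a CIFS mount alive from cron.
# MOUNTS_FILE, MOUNT_CMD and UMOUNT_CMD are hypothetical knobs introduced here.
MOUNTPOINT="${MOUNTPOINT:-/media/windowsshare}"   # mount point from the fstab line in the thread
MOUNTS_FILE="${MOUNTS_FILE:-/proc/mounts}"
MOUNT_CMD="${MOUNT_CMD:-mount}"
UMOUNT_CMD="${UMOUNT_CMD:-umount -l}"             # lazy unmount, for a hung share

# True if $1 is listed as a cifs mount.
# /proc/mounts fields: device mountpoint fstype options dump pass
# (paths containing spaces are escaped as \040 there and are not handled).
is_cifs_mounted() {
    awk -v mp="$1" '$2 == mp && $3 == "cifs" { found = 1 } END { exit !found }' "$MOUNTS_FILE"
}

# True if the mount point answers within 10 seconds. A share whose server
# went away can block forever, so the probe runs under timeout(1).
is_responsive() {
    timeout 10 ls "$1" >/dev/null 2>&1
}

# Prints ok, remounted or failed; returns non-zero only for failed.
check_and_remount() {
    if is_cifs_mounted "$1"; then
        if is_responsive "$1"; then
            echo ok
            return 0
        fi
        $UMOUNT_CMD "$1" >/dev/null 2>&1   # drop the stale mount before retrying
    fi
    # With only the mount point given, mount(8) takes device and options from /etc/fstab.
    if $MOUNT_CMD "$1" >/dev/null 2>&1 && is_cifs_mounted "$1"; then
        echo remounted
        return 0
    fi
    echo failed
    return 1
}

# Only act when called with --run, e.g. from a root crontab entry.
if [ "${1:-}" = "--run" ]; then
    check_and_remount "$MOUNTPOINT"
fi
```

The printed status (ok, remounted, failed) can be sent to syslog from the crontab line so that repeated remounts show up in monitoring.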