
#1 2015-08-04 17:20:02

lykwydchykyn
Member
Registered: 2013-07-11
Posts: 91

Mounting CIFS shares with AD credentials

My work environment is moving to Active Directory and I'm trying to sort out mounting my home directory share on my workstation running Arch.

I currently log in using a local (/etc/passwd) account, and my system is not joined to the domain in any way.

My first attempt to set this up is using /etc/fstab, with a line like so:

//datasana/datasana/Home/IT/Alan.Moore  /home/alanm/Home cifs   credentials=/etc/smbcreds.cfg,users 0 0

/etc/smbcreds.cfs specifies my domain, username, and password as per the man page.

When I try to mount this, I get:

mount error(13): Permission denied
Refer to the mount.cifs(8) manual page (e.g. man mount.cifs)

After reading a bit, I tried specifying Kerberos 5 as the security by adding sec=krb5 to the fstab entry, and then I get this error (after a long timeout):

mount error(126): Required key not available
Refer to the mount.cifs(8) manual page (e.g. man mount.cifs)

Anyhow...

What I really want is just a simple way to get my share mounted when I log in, preferably without root or hacks or having to enter a password every time.  Do I need to join my system to the domain?  Is there some new-fangled systemd way of doing this?

Offline

#2 2015-08-04 17:40:43

alphaniner
Member
From: Ancapistan
Registered: 2010-07-12
Posts: 2,810

Re: Mounting CIFS shares with AD credentials

This looks like it might be informative.

Edit: OTOH have you contacted your sysadmin? Unless you got special dispensation to run Linux, he should have at least some idea what needs to be done.

Last edited by alphaniner (2015-08-04 17:50:25)


But whether the Constitution really be one thing, or another, this much is certain - that it has either authorized such a government as we have had, or has been powerless to prevent it. In either case, it is unfit to exist.
-Lysander Spooner

Offline

#3 2015-08-04 20:04:33

lykwydchykyn
Member
Registered: 2013-07-11
Posts: 91

Re: Mounting CIFS shares with AD credentials

The sysadmin isn't really linux-savvy.

It's a complicated situation, but basically I have permission to run Linux so long as nobody else has to care.  I've been able to manage it for about 10 years this way.  So I'm on my own here, though I can make limited changes to the AD if it doesn't impact anything else.

The link looks like kinda dated info on how to join an AD.  If I need to join, I think I can muddle through using realmd to do that no problem, I was just hoping not to have to do that since my local account would have to be moved around and probably a bunch of my scripts would break.

Does anyone use Arch on an active directory domain?

Last edited by lykwydchykyn (2015-08-04 20:07:11)

Offline

#4 2015-08-04 20:32:06

ewaller
Administrator
From: Pasadena, CA
Registered: 2009-07-13
Posts: 19,804

Re: Mounting CIFS shares with AD credentials

lykwydchykyn wrote:

Does anyone use Arch on an active directory domain?

Sort of.  The work machine spends its time as an email machine and a VirtualBox host.   Most of its RAM and CPU resources are dedicated to running an Arch guest.  I use AD on the host to access all of our network resources, and use "Shared" folders to access those network resources from the guest.   Also, the guest usually has an ssh connection to my machine at home with a tmux session going.  On occasion, I have even been known to forward ports and X.


Nothing is too wonderful to be true, if it be consistent with the laws of nature -- Michael Faraday
Sometimes it is the people no one can imagine anything of who do the things no one can imagine. -- Alan Turing
---
How to Ask Questions the Smart Way

Offline

#5 2015-08-04 21:20:31

lykwydchykyn
Member
Registered: 2013-07-11
Posts: 91

Re: Mounting CIFS shares with AD credentials

I'm trying a different tactic.

I can connect to the folder using pcmanfm-qt (my usual fm) or nautilus.  I've read that the command gvfs-mount performs the same functionality at the command line.

I can mount this share at the command line using gvfs-mount, but with two problems:

- I have to specify credentials manually every time.
- More problematic, I can't actually access the mounted share.  Even trying to ls the directory /run/user/1000/gvfs gives me this error:

ls: cannot access SMB/smb-share:server=datasana,share=datasana: Permission denied
total 0
?????????? ? ? ? ?            ? smb-share:server=datasana,share=datasana

I ran the command as the same user, I don't know who actually owns this folder or why I can't access it.  Every answer I've found via $SEARCH_ENGINE  seems to think I'm a moron who would try to mount a share as one user and access it as another.

I can't be the only linux user trying to mount drives on an active directory file server.  Surely this is a solved problem?

Offline

#6 2015-08-04 22:01:30

alphaniner
Member
From: Ancapistan
Registered: 2010-07-12
Posts: 2,810

Re: Mounting CIFS shares with AD credentials

Assuming gvfs results in a /proc/mounts entry, compare the output of mount when mounted via fm vs when mounted via cl.


But whether the Constitution really be one thing, or another, this much is certain - that it has either authorized such a government as we have had, or has been powerless to prevent it. In either case, it is unfit to exist.
-Lysander Spooner

Offline

#7 2015-08-04 23:20:55

fukawi2
Ex-Administratorino
From: .vic.au
Registered: 2007-09-28
Posts: 6,224
Website

Re: Mounting CIFS shares with AD credentials

This works for me on my CentOS boxes mounting Server 2008 and 2012 shares in an AD environment:

//server.ad.example.com.au/my_share	/mnt/my_share	cifs	rw,soft,nocase,file_mode=0640,dir_mode=0750,credentials=/etc/smb.creds	0 0

Don't forget to include the 'domain' in your credential file:

username=fukawi2
password=AllThePasswords
domain=ad.example.com.au

Offline

#8 2015-08-05 14:22:15

lykwydchykyn
Member
Registered: 2013-07-11
Posts: 91

Re: Mounting CIFS shares with AD credentials

alphaniner wrote:

Assuming gvfs results in a /proc/mounts entry, compare the output of mount when mounted via fm vs when mounted via cl.

It's identical either way; both give me this:

gvfsd-fuse on /run/user/1000/gvfs type fuse.gvfsd-fuse (rw,nosuid,nodev,relatime,user_id=1000,group_id=1000)

One interesting difference is that the FM uses the stored credentials in the keyring, whereas the CLI (though it does request the keyring) prompts me for credentials.

Offline

#9 2015-08-05 14:27:38

lykwydchykyn
Member
Registered: 2013-07-11
Posts: 91

Re: Mounting CIFS shares with AD credentials

fukawi2 wrote:

This works for me on my CentOS boxes mounting Server 2008 and 2012 shares in an AD environment:

//server.ad.example.com.au/my_share	/mnt/my_share	cifs	rw,soft,nocase,file_mode=0640,dir_mode=0750,credentials=/etc/smb.creds	0 0

Don't forget to include the 'domain' in your credential file:

username=fukawi2
password=AllThePasswords
domain=ad.example.com.au

Many thanks, but using the same options I just get

mount error(13): Permission denied

I've double-checked my credentials file, the creds are correct and the domain is listed.  I don't know why this isn't working for me.  Are your CentOS boxes domain member servers?

Offline

#10 2015-08-05 15:09:19

lykwydchykyn
Member
Registered: 2013-07-11
Posts: 91

Re: Mounting CIFS shares with AD credentials

OK, I think I made a breakthrough on the gvfs thing.

GVFS seems to be mounting the top-level shared folder to the mountpoint.  Problem is, I don't have access to that folder.  I only have access to certain sub-folders.

It worked in the file-manager because I specified the complete path.  If I do this, and don't try to directly access the mount point, it works in the FM.

It doesn't seem to work at the terminal though, maybe because bash wants to traverse through each directory? 

I wonder if I can get GVFS to mount directly to the folder, rather than the top-level share?

EDIT: This bug seems relevant.

Last edited by lykwydchykyn (2015-08-05 16:39:57)

Offline

#11 2015-08-05 23:40:13

fukawi2
Ex-Administratorino
From: .vic.au
Registered: 2007-09-28
Posts: 6,224
Website

Re: Mounting CIFS shares with AD credentials

lykwydchykyn wrote:

Are your CentOS boxes domain member servers?

No, just standalone boxen. Sorry that didn't help. The only other thing I can suggest...... Are you running dual-stack/IPv6? I've found recently that I've had to force it to IPv4 since a recent Windows update for some reason that I haven't fully worked out (by explicitly forcing the remote IPv4 address using the addr=192.0.2.1 fstab flag)

Offline

#12 2015-08-06 03:38:36

lykwydchykyn
Member
Registered: 2013-07-11
Posts: 91

Re: Mounting CIFS shares with AD credentials

I don't think we're doing any kind of ipv6 at our shop.

Do you have any advice for getting more meaningful errors from gvfs or mount.cifs?  Even with lots of -vvv's, all I get is stuff like "Permission denied" or "Invalid argument" with no details whatsoever.

Offline

#13 2015-08-06 04:26:40

alphaniner
Member
From: Ancapistan
Registered: 2010-07-12
Posts: 2,810

Re: Mounting CIFS shares with AD credentials

journal?


But whether the Constitution really be one thing, or another, this much is certain - that it has either authorized such a government as we have had, or has been powerless to prevent it. In either case, it is unfit to exist.
-Lysander Spooner

Offline

#14 2015-08-06 13:50:37

lykwydchykyn
Member
Registered: 2013-07-11
Posts: 91

Re: Mounting CIFS shares with AD credentials

alphaniner wrote:

journal?

Depending on the approach, the journal doesn't yield much.  With mount.cifs it's perfectly useless; doesn't even log the error, never mind the details.

Offline

#15 2015-08-06 18:16:31

lykwydchykyn
Member
Registered: 2013-07-11
Posts: 91

Re: Mounting CIFS shares with AD credentials

Ok friends, we are closer, but not out of the woods yet...


I asked the sysadmin if I could change permissions on the parent directory to allow me to read and list folder contents.  Having done that, I can now use gvfs-mount to mount the shared folder and navigate to (and thus symlink to) my home directory.  Yay!

Now there are two sticking points left:

- gvfs-mount seems to not want to use stored passwords.  I am launching gnome-keyring-daemon at login and exporting the environment variables.  Since I'm using awesome wm, this is done in my rc.lua script, maybe the environment that gvfs-mount runs in is not getting these...

- More importantly -- Initially, or after a period of not accessing the drives, it takes several minutes(!) to access the drives.   During that time, any process trying to access the drives just hangs.  I'm seeing this repeatedly in the logs (every ~40s or so):

org.gtk.vfs.Daemon[945]: Kinit failed: Cannot contact any KDC for requested realm

I gather this has something to do with kerberos and doing the domain authentication, but I haven't the first idea of how to deal with it. 

As for using mount.cifs, I've given up on that; it isn't optimal anyway (since it'd require plaintext passwords on disk as well as sudo/root), and it just keeps telling me unhelpful errors.

EDIT: I got rid of the Kinit error by adding domain controller information to /etc/krb5.conf, but it doesn't change the slow access time.  It's like it times out the login session and has to renegotiate authentication.  Ugh.

Last edited by lykwydchykyn (2015-08-06 19:35:33)

Offline

#16 2015-08-19 18:39:33

lykwydchykyn
Member
Registered: 2013-07-11
Posts: 91

Re: Mounting CIFS shares with AD credentials

Just wanted to update this thread.  I've mitigated but not completely solved this issue.

I still have to manually mount these shares every time I log in; mercifully, that isn't often, and I have a script so it's not too bad.  But it takes about 2 minutes to authenticate, after which it's anywhere from 5-10 minutes before I can access the mounted folders and use any files.  Super annoying.

I got around the timeout issue by creating a cron job to ls the Home directory every few minutes, so the drive is always recently accessed.

I solved the Kinit error, but it made no difference in auth times.

I really wish there was a simpler way to mount a CIFS share, just like I mount sshfs or nfs shares, without involving root, gvfs, or fstab.  Whatever happened to smbmount?

I should also add, my system seems to freeze up a lot now when left on overnight.  I haven't been able to determine the cause, I kind of wonder if it's related to the gvfs mount.  It started after I set all that up.

Last edited by lykwydchykyn (2015-08-19 18:40:47)

Offline

#17 2015-08-19 18:50:56

headkase
Member
Registered: 2011-12-06
Posts: 1,977

Re: Mounting CIFS shares with AD credentials

I'm not on an AD but I do network with Windows machines within the household.  I've always found gvfs to be flaky, hanging or low performance as you say, however cifs mounts have always worked perfectly for me.  I know you said you've given up on cifs but perhaps you could revisit them and tackle them head on to address the performance of gvfs.  And with a judicious chmod you can make your credential file only readable by root.  And if someone else has root on your computer they got everything else anyway from a security perspective.

I assume you've been referring to: https://wiki.archlinux.org/index.php/Ac … ntegration ?

Edit: for the chmod see here: https://wiki.archlinux.org/index.php/Sa … tc.2Ffstab

However, storing passwords in a world readable file is not recommended! A safer method would be to use a credentials file. As an example, create a file and chmod 600 filename so only the owning user can read and write to it.

Last edited by headkase (2015-08-19 19:00:33)

Offline
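The credentials-file advice above (owner-only permissions, no password in fstab itself) can be checked mechanically. The script below is an added example, not code from any poster in this thread; the function names `audit_cifs_creds` and `demo`, and the sample fstab and credential files it builds, are constructed for illustration, and it assumes GNU `stat`.

```shell
#!/bin/sh
# Added example (not from the thread): audit how cifs entries in an fstab
# supply credentials. Assumes GNU stat (stat -c), as on Arch and CentOS.
# One line per finding:
#   OK <mode> <path>      credentials file has no group/other access
#   WEAK <mode> <path>    credentials file is accessible to group or other
#   MISSING <path>        credentials file does not exist
#   INLINE <mountpoint>   password= or pass= is written in fstab itself
# Returns 1 if anything other than OK was reported.
audit_cifs_creds() {
    fstab=${1:-/etc/fstab}
    rc=0
    while read -r spec mnt fstype opts rest; do
        case $spec in ''|'#'*) continue ;; esac
        [ "$fstype" = cifs ] || continue
        # One option per line so each can be matched on its own.
        optlist=$(printf '%s\n' "$opts" | tr ',' '\n')
        if printf '%s\n' "$optlist" | grep -Eq '^pass(word)?='; then
            echo "INLINE $mnt"; rc=1
        fi
        path=$(printf '%s\n' "$optlist" | sed -n 's/^credentials=//p; s/^cred=//p' | head -n 1)
        [ -n "$path" ] || continue
        if [ ! -e "$path" ]; then
            echo "MISSING $path"; rc=1; continue
        fi
        mode=$(stat -c '%a' "$path")
        if [ $(( 0$mode & 077 )) -eq 0 ]; then
            echo "OK $mode $path"
        else
            echo "WEAK $mode $path"; rc=1
        fi
    done < "$fstab"
    return $rc
}

# Constructed sample input: a throwaway fstab and two credentials files.
demo() {
    d=$(mktemp -d)
    printf 'username=u\npassword=p\ndomain=ad.example.com.au\n' > "$d/good"
    cp "$d/good" "$d/bad"; chmod 600 "$d/good"; chmod 644 "$d/bad"
    cat > "$d/fstab" <<EOF
//server.ad.example.com.au/my_share /mnt/a cifs rw,credentials=$d/good 0 0
//server.ad.example.com.au/my_share /mnt/b cifs rw,credentials=$d/bad 0 0
//server.ad.example.com.au/my_share /mnt/c cifs rw,username=u,password=p 0 0
EOF
    status=0; audit_cifs_creds "$d/fstab" || status=$?
    rm -rf "$d"
    return $status
}

demo || true
```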

#18 2015-08-19 21:44:02

lykwydchykyn
Member
Registered: 2013-07-11
Posts: 91

Re: Mounting CIFS shares with AD credentials

I could live with the credentials file if mount.cifs would actually work or give me some meaningful error message or logs indicating why it doesn't work.  But it just doesn't.  I just get a permission denied error, no further details are forthcoming.

Yes, I've double/triple/quadruple checked the formats and permissions on everything.

And if someone else has root on your computer they got everything else anyway from a security perspective.

On my computer, but not on my employer's active directory.  I'd *prefer* not to have my AD credentials sitting around in plaintext, but if it's functional I can live with it.

Last edited by lykwydchykyn (2015-08-19 21:44:24)

Offline

#19 2015-08-19 22:43:41

headkase
Member
Registered: 2011-12-06
Posts: 1,977

Re: Mounting CIFS shares with AD credentials

Windows will sometimes fail to authenticate, again on home networks, shares if the encryption level on the server is too high.  That could have something to do with it.  Windows offers two grades of encryption with the higher one not working and the lower one working.  That may have something to do with it.

There is this: http://serverfault.com/questions/694087 … ver-client

Which states that mount.cifs possibly doesn't support encryption yet which, if valid, could be the issue.

Offline

#20 2015-08-20 11:30:37

yance
Member
Registered: 2015-05-19
Posts: 9

Re: Mounting CIFS shares with AD credentials

lykwydchykyn wrote:

The sysadmin isn't really linux-savvy.

It's a complicated situation, but basically I have permission to run Linux so long as nobody else has to care.  I've been able to manage it for about 10 years this way.  So I'm on my own here, though I can make limited changes to the AD if it doesn't impact anything else.

The link looks like kinda dated info on how to join an AD.  If I need to join, I think I can muddle through using realmd to do that no problem, I was just hoping not to have to do that since my local account would have to be moved around and probably a bunch of my scripts would break.

Does anyone use Arch on an active directory domain?

I use arch and have CIFS shares with AD credentials mounted on my arch system. And it works just fine. Here is my fstab setup:

//SERVER/sharename /mnt/mountpoint cifs noauto,x-systemd.automount,x-systemd.device-timeout=10,cache=none,rsize=8192,wsize=8192,nofail,uid=1000,gid=100,credentials=/path/to/credentials/.credentialsfile,iocharset=utf8,sec=ntlm 0 0

Offline

#21 2015-10-19 16:56:01

lykwydchykyn
Member
Registered: 2013-07-11
Posts: 91

Re: Mounting CIFS shares with AD credentials

So, just an update... the gvfs-mount solution stopped working this week.  gvfs-mount seems to mount just fine, the entries show up if I launch a file-browser.  But I can't ever access the shares, and no directories show up under /run/user/1000/gvfs.

I can't understand what the problem is.  I just can't access my files.

I can mount the share using mount.cifs, but when I do I have no permission to access any of the actual directories under the mountpoint, even though they show as being owned by my user and having rwx access.  The NTFS permissions on the server show that my domain user has full read and traversal privileges to the shared folder.

I'm pulling my hair out with this one.

Offline

#22 2015-10-19 21:17:56

lykwydchykyn
Member
Registered: 2013-07-11
Posts: 91

Re: Mounting CIFS shares with AD credentials

So, I got the permissions issue solved.  It's like this.

The actual server storing the data has this structure:

\\server\share\Homes\Departments\MyDepartment\MyUser

The DFS share points to "MyDepartment".

By default, I have no read permissions for "share", "Homes", "Departments", "MyDepartment".  I have full control of "MyUser".  Windows seems to be able to deal with this and map a drive to "MyUser" via the DFS UNC path despite the missing permissions in the containing directories. 

mount.cifs cannot.

I was, at least for a while, able to mount using GVFS by adding my user with read permissions to the MyDepartment directory.  Don't know why that stopped working.

To get mount.cifs working, I had to explicitly add my user to Homes, Departments, and MyDepartment with read & traverse permissions.  Once I do this, I can mount using mount.cifs either directly to the server or using the DFS share point.

This isn't a great solution, as it involves making an exception to the security policy just for me, but it works for now.  I wish I could use a keyring for mount.cifs, but I'll have to live with storing credentials in plaintext for now.

Hope this helps someone someday.

Offline
