[NTLUG:Discuss] Re: Three questions
Kyle Davenport
Kyle_Davenport at compusa.com
Fri Jun 24 10:42:16 CDT 2005
>>>3) Anyone know of a way using Samba client on a Linux PC to get "network
>>>mappings" to remote SMB servers without having to supply the password
>>>for each one (no convenience) or store it in clear text in a local file
>>>(bad security)?
>>>
>>>
>>
>>I have done this at work because of the dozens of windows hosts and
>>multiple domains I have to connect to. cifs and smb mounts can use a
>>credential file. I put my different domain logins into separate root-only
>>read files like /etc/IT.cred looks like this:
>>
>>username=me
>>password=secret
>>
>>and in /etc/fstab:
>>
>>//winserver/C /winserver/c cifs credentials=/etc/IT.cred,gid=10,file_mode=0644,dir_mode=0755 0 0
>>
>>or, what I usually do, an autofs file, with an entry like this:
>>auto.host:D$ -fstype=smbfs,credentials=/etc/NA.cred,workgroup=NA ://host/D\$
>>
>>
>>I'm still trying to hack an auto autofs file, which almost works, to
>>automount any box in a domain. Let me know if anyone's interested.
>
>
>I was with you until you started talking about autofs, I don't
>understand the syntax or how that is going to help. I should have also
>stated that I'm looking for functionality equivalent to Windows. The
>credentials file has some possibilities but the password is still clear
>text (a "bad" administrator could have a field day) and you also have to
>deal with the issue "what happens when the password changes"?
> Microsoft's password caching has its painful aspects (just be logged
>in to more than one PC and change your password without at least logging
>out and back in everywhere - account lockout soon follows). But it sure
>is convenient. Guess what I'd really prefer is a "password pass" from
>the login process to smbmount or temporary password caching (for a
>minute or so, just long enough to process a login script). Wonder if
>the Samba developers would be receptive?
Yes - storing your passwords in a credential file works only if you are
the sole root user on your box (which is a typical desktop scenario).
Otherwise you go with some single sign-on solution like ldap and/or
kerberos. They work fine with samba - plenty of howto's on the web.
I do autofs because it's convenient - way more convenient than windows -
from the command line. In a multi-user production environment, I find M$'s
handling of credentials is embarrassingly bad. LinNeighborhood has a nice
gui, but it stores a password for only one domain IIRC.
Kyle
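
Added example, not part of the original thread: a shell audit for the setup discussed above, which finds every `credentials=` file referenced by cifs/smbfs lines in an fstab and flags any that is not owned by root or has group/other permission bits set. The function names are hypothetical and GNU `stat` is assumed; file permissions do nothing about the other-root-user case raised in the thread.

```shell
#!/bin/sh
# Added example: audit credentials= files used by cifs/smbfs mounts.
# Function names are hypothetical; assumes GNU stat (Linux).

# Print each credentials= path found on cifs/smbfs lines of an fstab-style file.
list_cred_files() {
    awk '$1 !~ /^#/ && ($3 == "cifs" || $3 == "smbfs") {
        n = split($4, opts, ",")
        for (i = 1; i <= n; i++)
            if (opts[i] ~ /^credentials=/) {
                sub(/^credentials=/, "", opts[i])
                print opts[i]
            }
    }' "$1" | sort -u
}

# Return 0 only if FILE is a regular file owned by uid WANT (default 0, root)
# with no group/other permission bits set (e.g. 600 or 400).
check_cred_file() {
    file=$1 want=${2:-0}
    if [ -L "$file" ] || [ ! -f "$file" ]; then
        echo "MISSING  $file (absent, symlink or not a regular file)"; return 1
    fi
    set -- $(stat -c '%a %u' "$file")
    mode=$1 uid=$2
    if [ "$uid" != "$want" ]; then
        echo "OWNER    $file (uid $uid, expected $want)"; return 1
    fi
    case $mode in
        0|*00) echo "OK       $file (mode $mode)" ;;
        *)     echo "LOOSE    $file (mode $mode, group/other bits set)"; return 1 ;;
    esac
}

# Check every credentials file referenced by FSTAB; non-zero if any fails.
audit_fstab() {
    fstab=${1:-/etc/fstab} want=${2:-0} rc=0
    for f in $(list_cred_files "$fstab"); do
        check_cred_file "$f" "$want" || rc=1
    done
    return $rc
}
```

Source the file and run `audit_fstab /etc/fstab` as root. autofs maps keep their options in a different field, so they would need their own extraction step.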