[NTLUG:Discuss] Re: Three questions
Leroy Tennison
leroy_tennison at prodigy.net
Sat Jun 25 01:25:46 CDT 2005
Kyle Davenport wrote:
>>>>3) Anyone know of a way using Samba client on a Linux PC to get "network
>>>>mappings" to remote SMB servers without having to supply the password
>>>>for each one (no convenience) or store it in clear text in a local file
>>>>(bad security)?
>>>>
>>>>
>>>>
>>>>
>>>I have done this at work because of the dozens of windows hosts and
>>>multiple domains I have to connect to. cifs and smb mounts can use a
>>>credential file. I put my different domain logins into separate root-only
>>>read files like /etc/IT.cred looks like this:
>>>
>>>username=me
>>>password=secret
>>>
>>>and in /etc/fstab:
>>>
>>>//winserver/C /winserver/c cifs credentials=/etc/IT.cred,gid=10,file_mode=0644,dir_mode=0755 0 0
>>>
>>>or, what I usually do, an autofs file, with an entry like this:
>>>auto.host:D$ -fstype=smbfs,credentials=/etc/NA.cred,workgroup=NA ://host/D\$
>>>
>>>
>>>I'm still trying to hack an auto autofs file, which almost works, to
>>>automount any box in a domain. Let me know if anyone's interested.
>>>
>>>
>>I was with you until you started talking about autofs, I don't
>>understand the syntax or how that is going to help. I should have also
>>stated that I'm looking for functionality equivalent to Windows. The
>>credentials file has some possibilities but the password is still clear
>>text (a "bad" administrator could have a field day) and you also have to
>>deal with the issue "what happens when the password changes"?
>>Microsoft's password caching has its painful aspects (just be logged
>>in to more than one PC and change your password without at least logging
>>out and back in everywhere - account lockout soon follows). But it sure
>>is convenient. Guess what I'd really prefer is a "password pass" from
>>the login process to smbmount or temporary password caching (for a
>>minute or so, just long enough to process a login script). Wonder if
>>the Samba developers would be receptive?
>>
>>
>
>yes - storing your passwords in a credential file works only if you are
>the sole root user on your box (which is a typical desktop scenario).
>Otherwise you go with some single sign-on solution like ldap and/or
>kerberos. They work fine with samba - plenty of howto's on the web.
>I do autofs because it's convenient - way more convenient than windows -
>from the command line. In a multi-user production environment, I find M$'s
>handling of credentials is embarrassingly bad. LinNeighborhood has a nice
>gui, but it stores a password for only one domain IIRC.
>
>Kyle
>
Storing the password for one domain is better than nothing so I'll have
to look into LinNeighborhood. If I used a single signon solution (I've
played with LDAP, not real keen on what is required for encryption)
would I get some kind of password-caching equivalent or do I face the
same issue (smbmount prompting for a password)? Again, thanks for all
the replies, I would really like to have a good solution here because my
goal is to be able to provide a secure non-MS (Linux-based at the client
and server) network-based authentication scheme. Granted, MS password
caching is like having a black box filled with vipers but until there's
something better (or at least as good)...
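
The thread's credentials-file approach depends on those files being readable by root only. The following audit sketch is an added example, not part of the original posts: it pulls every credentials= path out of cifs/smbfs lines in fstab-style text and reports files that are not root-owned or that grant group/other access. The function names and the demo paths are assumptions made for illustration.

```python
import os
import stat
import tempfile

CIFS_TYPES = {"cifs", "smbfs"}

def credential_files(fstab_text):
    """Yield (mount_point, cred_path) for cifs/smbfs lines using credentials=."""
    for line in fstab_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 4 or fields[2] not in CIFS_TYPES:
            continue
        for opt in fields[3].split(","):
            key, _, value = opt.partition("=")
            if key == "credentials" and value:
                yield fields[1], value

def audit(path, expected_uid=0):
    """Return a list of findings for one credentials file (empty list = OK)."""
    try:
        st = os.lstat(path)  # lstat: do not follow a symlink planted at the path
    except OSError as exc:
        return [f"cannot stat: {exc.strerror}"]
    findings = []
    if not stat.S_ISREG(st.st_mode):
        findings.append("not a regular file (symlink or special file)")
    if st.st_uid != expected_uid:
        findings.append(f"owned by uid {st.st_uid}, expected {expected_uid}")
    if st.st_mode & 0o077:
        mode = stat.S_IMODE(st.st_mode)
        findings.append(f"mode {mode:04o} grants group/other access")
    return findings

if __name__ == "__main__":
    # Constructed sample: a temporary credentials file left world-readable.
    demo_dir = tempfile.mkdtemp()
    cred = os.path.join(demo_dir, "IT.cred")
    with open(cred, "w") as fh:
        fh.write("username=me\npassword=secret\n")
    os.chmod(cred, 0o644)
    fstab = f"//winserver/C /winserver/c cifs credentials={cred},gid=10 0 0\n"
    for mount_point, path in credential_files(fstab):
        for finding in audit(path, expected_uid=os.getuid()):
            print(f"{mount_point}: {path}: {finding}")
```

To check a real host, pass the contents of /etc/fstab to credential_files() and keep the default expected_uid=0; autofs map files are not parsed by this sketch.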