[NTLUG:Discuss] Re: Three questions

Leroy Tennison leroy_tennison at prodigy.net
Sat Jun 25 01:25:46 CDT 2005


Kyle Davenport wrote:

>>>>3) Anyone know of a way using Samba client on a Linux PC to get "network
>>>>mappings" to remote SMB servers without having to supply the password
>>>>for each one (no convenience) or store it in clear text in a local file
>>>>(bad security)?
>>>>
>>>I have done this at work because of the dozens of windows hosts and
>>>multiple domains I have to connect to.  cifs and smb mounts can use a
>>>credential file.  I put my different domain logins into separate root-only
>>>read files like /etc/IT.cred looks like this:
>>>
>>>username=me
>>>password=secret
>>>
>>>and in /etc/fstab:
>>>
>>>//winserver/C  /winserver/c cifs   credentials=/etc/IT.cred,gid=10,file_mode=0644,dir_mode=0755 0 0
>>>
>>>or, what I usually do, an autofs file, with an entry like this:
>>>auto.host:D$ -fstype=smbfs,credentials=/etc/NA.cred,workgroup=NA ://host/D\$
>>>
>>>I'm still trying to hack an auto autofs file, which almost works, to
>>>automount any box in a domain.  Let me know if anyone's interested.
>>>
>>I was with you until you started talking about autofs, I don't
>>understand the syntax or how that is going to help.  I should have also
>>stated that I'm looking for functionality equivalent to Windows.  The
>>credentials file has some possibilities but the password is still clear
>>text (a "bad" administrator could have a field day) and you also have to
>>deal with the issue "what happens when the password changes"?
>>Microsoft's password caching has its painful aspects (just be logged
>>in to more than one PC and change your password without at least logging
>>out and back in everywhere - account lockout soon follows).  But it sure
>>is convenient.  Guess what I'd really prefer is a "password pass" from
>>the login process to smbmount or temporary password caching (for a
>>minute or so, just long enough to process a login script).  Wonder if
>>the Samba developers would be receptive?
>>    
>>
>
>yes  - storing your passwords in a credential file works only if you are
>the sole root user on your box (which is a typical desktop scenario).
>Otherwise you go with some single sign-on solution like ldap and/or
>kerberos.  They work fine with samba - plenty of howto's on the web.
>I do autofs because it's convenient - way more convenient than windows -
>from the command line.  In a multi-user production environment, I find M$'s
>handling of credentials is embarrassingly bad.  LinNeighborhood has a nice
>gui, but it stores a password for only one domain IIRC.
>
>Kyle
>
Storing the password for one domain is better than nothing so I'll have 
to look into LinNeighborhood. If I used a single signon solution (I've 
played with LDAP, not real keen on what is required for encryption) 
would I get some kind of password-caching equivalent or do I face the 
same issue (smbmount prompting for a password)? Again, thanks for all 
the replies, I would really like to have a good solution here because my 
goal is to be able to provide a secure non-MS (Linux-based at the client 
and server) network-based authentication scheme. Granted, MS password 
caching is like having a black box filled with vipers but until there's 
something better (or at least as good)...
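
An added example, not part of the original thread: a Python check that finds every `credentials=` file referenced in fstab- or autofs-style entries like the ones quoted above and reports any that is readable beyond its owner or not owned by root. The function names and the sample table are constructed for illustration; as the thread notes, these permissions do not protect the clear-text password from another root user.

```python
import os
import re
import stat

# Constructed sample, modelled on the fstab and autofs entries quoted in the thread.
SAMPLE_TABLE = r"""
//winserver/C  /winserver/c cifs   credentials=/etc/IT.cred,gid=10,file_mode=0644,dir_mode=0755 0 0
# autofs map entry
D$ -fstype=smbfs,credentials=/etc/NA.cred,workgroup=NA ://host/D\$
"""

CRED_OPT = re.compile(r"(?:^|[,-])credentials=([^,\s]+)")


def credential_paths(table_text):
    """Return the credentials= paths named in mount-table text, in order."""
    paths = []
    for line in table_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        for field in line.split():
            for match in CRED_OPT.finditer(field):
                if match.group(1) not in paths:
                    paths.append(match.group(1))
    return paths


def audit(path, expected_uid=0):
    """Return a list of findings for one credentials file (empty list = OK)."""
    try:
        st = os.stat(path)
    except OSError as exc:
        return [f"cannot stat: {exc.strerror}"]
    findings = []
    if not stat.S_ISREG(st.st_mode):
        findings.append("not a regular file")
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append(f"mode {stat.S_IMODE(st.st_mode):04o} grants group/other access")
    if st.st_uid != expected_uid:
        findings.append(f"owner uid {st.st_uid}, expected {expected_uid}")
    return findings


def audit_table(table_text, expected_uid=0):
    """Map each referenced credentials file to its findings."""
    return {p: audit(p, expected_uid) for p in credential_paths(table_text)}


if __name__ == "__main__":
    for path, findings in audit_table(SAMPLE_TABLE).items():
        print(path, "OK" if not findings else "; ".join(findings))
```

To audit a real system, pass the contents of `/etc/fstab` or an autofs map file to `audit_table` instead of the sample.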




