Firstly I created a new file in /etc/:
touch /etc/COMPUTERHOSTNAME-cifs.credentials
Populate the file with the username and password as required:
username=DOMAIN\USERNAME
password=PASSWORD
chmod the file to 700 so only root can read, write, and execute the file.
chmod 700 /etc/COMPUTERHOSTNAME-cifs.credentials
Finally, update your /etc/fstab to read the credentials file:
//SERVERNAME/SHARE /mnt/MOUNTPOINT/ cifs credentials=/etc/COMPUTERHOSTNAME-cifs.credentials 0 0
Once again, check that the fstab entry works as expected by unmounting the cifs mount and re-running:
mount -a
We can also test viewing the file as a normal user, to ensure the credentials are hidden:
[user@HOSTNAME NormalUser]$ cat /etc/COMPUTERHOSTNAME-cifs.credentials
cat: /etc/COMPUTERHOSTNAME-cifs.credentials: Permission denied
Bingo!
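As an added check that is not part of the original post, the following shell function audits an fstab-format file for the setup described above: it flags cifs entries that carry a password inline, and credentials files that are missing or accessible to group or other. The function name and finding labels are hypothetical, and it assumes GNU stat.

```shell
#!/bin/sh
# Added example (not from the original post): audit cifs entries in an
# fstab-format file. Prints one finding per line; returns 1 if any were found.
# Assumes GNU stat (Linux). File ownership is not checked here.
audit_cifs_fstab() {
    fstab=$1
    findings=0
    # fstab fields: device, mount point, fs type, options, dump, pass
    while read -r dev mnt type opts rest || [ -n "$dev" ]; do
        case $dev in ''|'#'*) continue ;; esac
        [ "$type" = cifs ] || continue
        cred=
        old_ifs=$IFS; IFS=,; set -f      # split the option list on commas only
        for opt in $opts; do
            case $opt in
                password=*|pass=*)       # secret stored in fstab itself
                    echo "INLINE_PASSWORD $mnt"; findings=1 ;;
                credentials=*|cred=*)
                    cred=${opt#*=} ;;
            esac
        done
        IFS=$old_ifs; set +f
        [ -n "$cred" ] || continue
        if [ ! -f "$cred" ]; then
            echo "MISSING $cred"; findings=1; continue
        fi
        mode=$(stat -c '%a' "$cred")
        # Any group/other bit lets accounts other than the owner access the file.
        if [ $(( 0$mode & 077 )) -ne 0 ]; then
            echo "LOOSE_MODE $cred $mode"; findings=1
        fi
    done < "$fstab"
    return "$findings"
}

# Run against a file given on the command line, e.g. /etc/fstab.
if [ "$#" -gt 0 ]; then audit_cifs_fstab "$1"; fi
```

A credentials file with mode 700, as set above, passes the check; one left at 644 is reported as LOOSE_MODE.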
Update: 6-11-2012
Last week I wrote this article on mounting a cifs share securely; however, today I was required to mount a cifs share (which happened to be their Active Directory home drive) to the user's home folder on Linux. Using the instructions above I was able to mount the home drive; however, I was then unable to access the mount as a normal user. I resolved this by using the following line in the /etc/fstab file:
//SERVER/SHARE /home/USER/Home-Drive/ cifs credentials=/home/user/domain.credentials,file_mode=0770,dir_mode=0770,uid=X,gid=X 0 0
I was able to ascertain the user's uid and gid by grabbing the output of "id" as the user. I also created the mount point folder in preparation:
sudo su - AnotherUser
id
mkdir ~/Home-Drive
As root I could then run 'mount -a'. This solution does have its flaws, as the user's password will eventually expire, which in turn will require the credentials file to be updated. The user will also have to either reboot the machine or ask the root user to perform any remount when required.
Update: 25-02-2014
Another scenario would be to use a service account rather than a specific user account to mount the share. These service accounts are usually locked down to ensure they cannot be used outside their desired role.
fstab entry:
//serverName/Share$ /mnt/ShareName cifs ro,credentials=/root/.cifs.credentials 0 0
credentials file (chmod 700):
username=domain\lb-slp-en-grp02-cifs
password=password
On the Windows Server I then need to give this user RO access. This can be performed by locating the share under the shares management tool (Computer Management -> Shared Folders -> Shares). Locate the 'Security' tab found under the properties for the share and add the cifs user found above.