Re: [PLUG] Mount cifs share from fstab.
Yes, thank you ... that is how it is supposed to work with AD/Kerberos/SMB/CIFS.

Unfortunately, the original poster does not appear to have AD or any kind of SSO. So, I believe that he is concerned that plain text password in a file is not the most secure option.

Despite the password from the file not being transmitted in plain text, there are still issues with this --> The SMB share would be mounted by the mounting user, regardless who is logged in on the Linux box and using the share. So the ownership and access rights would naturally follow the mountee. This is not too much of an issue with Windows, especially if SMB and local passwords are identical. However typical Linux setup does not use SMB for local authentication.

Additionally, in SMB nothing really can be mounted without some sort of user authentication first. So SMB sort of prevents securely mounting shares at boot being ready for user to login.

There have been plenty of similar posts related to SMB/CIFS mounts and resulting access issues. I think that people do not realize that a local user on one machine is not equal to a local user on another machine. SSO/AD provides the trust between the hosts and common authentication method between the machines and servers.

The easiest way to reconcile this would be probably to synchronize the users and their UIDs across the machines and the file server and switch to plain NFS on Linux. Of course this is only as secure as the network because plain NFS trusts the machines about the users.

I hope it helps explaining a little the ownership/permission/authentication issues.

Tomas

On Tue, 2017-12-05 at 01:32 +, Smith, Cathy wrote:
> I work in a multi-user environment where authentication is performed by Kerberos. So all user accounts in the Active Directory domain use their AD password to login to the Linux servers. The Linux server is configured as a samba server. We run Red Hat here. I just have a basic samba server configuration running on the Linux server. I don't have to have the account's password specified as long as the account is in the AD domain. We only use the .sambpass file for non-AD accounts. Those accounts must have a local password entry on the Linux server.
>
> Cathy
> --
> Cathy L. Smith
> IT Engineer
>
> Pacific Northwest National Laboratory
> Operated by Battelle for the
> U.S. Department of Energy
>
> Phone: 509.375.2687
> Fax: 509.375.4399
> Email: cathy.sm...@pnnl.gov
>
> -----Original Message-----
> From: plug-boun...@pdxlinux.org [mailto:plug-boun...@pdxlinux.org] On Behalf Of Tomas Kuchta
> Sent: Monday, December 04, 2017 4:35 PM
> To: Portland Linux/Unix Group
> Subject: Re: [PLUG] Mount cifs share from fstab.
>
> When you put SMB password into root RO file, it is not secure locally, but it is not transmitted over the network in the plain text as far as I know.
>
> In my experience, SMB/CIFS is quite painful to use in multi user, multi machine world without domain compatible single sign on.
>
> To be fair, same goes for NFS with Kerberos, if you cannot live without server side authentication.
>
> Off topic:
> In my opinion - single sign on should be basic stuff done by any ..nix household chiefdom setup for both Linux and Windows. Once working, it makes huge difference in usability and security. And it currently keeps M$ away from local network resource scans.
>
> -T
>
> On Dec 4, 2017 3:47 PM, "David" wrote:
>
> > On 12/04/2017 03:36 PM, michael wrote:
> >
> > > On 2017-12-04 17:00, David wrote:
> > >
> > > > On 12/04/2017 02:33 PM, michael wrote:
> > > >
> > > > > I have it working. I don't want the password for the owner of the share in plain text in a file though. Creating /home/pi/.smbpasswd with the contents:
> > > > > username=Test
> > > > > password=password
> > > > > domain=somedomain
> > > > > and chmod 600 isn't good enough.
> > > > >
> > > > > The password should be salted in this file even if it is password!
> > > > >
> > > > > Is there a simple way to use an smbpasswd file properly salted without implementing a full samba server?
> > > >
> > > > The proper tool that I know of is "smbpasswd" as an executable, which is part of the samba-common-bin package on my sy
Re: [PLUG] Mount cifs share from fstab.
I work in a multi-user environment where authentication is performed by Kerberos. So all user accounts in the Active Directory domain use their AD password to login to the Linux servers. The Linux server is configured as a samba server. We run Red Hat here. I just have a basic samba server configuration running on the Linux server. I don't have to have the account's password specified as long as the account is in the AD domain. We only use the .sambpass file for non-AD accounts. Those accounts must have a local password entry on the Linux server.

Cathy
--
Cathy L. Smith
IT Engineer

Pacific Northwest National Laboratory
Operated by Battelle for the
U.S. Department of Energy

Phone: 509.375.2687
Fax: 509.375.4399
Email: cathy.sm...@pnnl.gov

-----Original Message-----
From: plug-boun...@pdxlinux.org [mailto:plug-boun...@pdxlinux.org] On Behalf Of Tomas Kuchta
Sent: Monday, December 04, 2017 4:35 PM
To: Portland Linux/Unix Group
Subject: Re: [PLUG] Mount cifs share from fstab.

When you put SMB password into root RO file, it is not secure locally, but it is not transmitted over the network in the plain text as far as I know.

In my experience, SMB/CIFS is quite painful to use in multi user, multi machine world without domain compatible single sign on.

To be fair, same goes for NFS with Kerberos, if you cannot live without server side authentication.

Off topic:
In my opinion - single sign on should be basic stuff done by any ..nix household chiefdom setup for both Linux and Windows. Once working, it makes huge difference in usability and security. And it currently keeps M$ away from local network resource scans.

-T

On Dec 4, 2017 3:47 PM, "David" wrote:

> On 12/04/2017 03:36 PM, michael wrote:
>
>> On 2017-12-04 17:00, David wrote:
>>
>>> On 12/04/2017 02:33 PM, michael wrote:
>>>
>>>> I have it working. I don't want the password for the owner of the share in plain text in a file though. Creating /home/pi/.smbpasswd with the contents:
>>>> username=Test
>>>> password=password
>>>> domain=somedomain
>>>> and chmod 600 isn't good enough.
>>>>
>>>> The password should be salted in this file even if it is password!
>>>>
>>>> Is there a simple way to use an smbpasswd file properly salted without implementing a full samba server?
>>>
>>> The proper tool that I know of is "smbpasswd" as an executable, which is part of the samba-common-bin package on my system (Debian).
>>>
>>> It may have dependencies which include a full smb server (which I run), so this may not be helpful information.
>>>
>>> dafr
>>
>> I am most concerned about the password having to be in plaintext when transmitted over the network. Even if there is a way without a full samba server deployment to have the password sent in encrypted form over the network, that would be great. The server is probably the latest incarnation of Windows server. I don't like the idea of having to have a Linux user for every Windows user either.
>
> Sure, I get that, and agree with the concerns. I was looking at the smbpasswd man page initially and this is why I think you want to use this utility:
>
> "On a UNIX machine the encrypted SMB passwords are usually stored in the smbpasswd(5) file."
>
> Now, the problem with the utility is that unless you do something fancy, you may have to be on the localhost where the share is exported to set / reset the password as a user. This may not be feasible in your situation unless there is a web interface that you can front smbpasswd with to allow users to change passwords.
>
> When mounting a share in a Windows VM on my Linux host, I have to auth with a pop-up window of user / pass to access the shared directory. I'm not sure if (and don't believe that) you have to have a Linux account for the Windows user. They are different password files, but my experience is also limited to a full samba server, so your needs may be more an issue than mine.
>
> dafr
> ___
> PLUG mailing list
> PLUG@pdxlinux.org
> http://lists.pdxlinux.org/mailman/listinfo/plug
Re: [PLUG] Mount cifs share from fstab.
When you put SMB password into root RO file, it is not secure locally, but it is not transmitted over the network in the plain text as far as I know.

In my experience, SMB/CIFS is quite painful to use in multi user, multi machine world without domain compatible single sign on.

To be fair, same goes for NFS with Kerberos, if you cannot live without server side authentication.

Off topic:
In my opinion - single sign on should be basic stuff done by any ..nix household chiefdom setup for both Linux and Windows. Once working, it makes huge difference in usability and security. And it currently keeps M$ away from local network resource scans.

-T

On Dec 4, 2017 3:47 PM, "David" wrote:

> On 12/04/2017 03:36 PM, michael wrote:
>
>> On 2017-12-04 17:00, David wrote:
>>
>>> On 12/04/2017 02:33 PM, michael wrote:
>>>
>>>> I have it working. I don't want the password for the owner of the share in plain text in a file though. Creating /home/pi/.smbpasswd with the contents:
>>>> username=Test
>>>> password=password
>>>> domain=somedomain
>>>> and chmod 600 isn't good enough.
>>>>
>>>> The password should be salted in this file even if it is password!
>>>>
>>>> Is there a simple way to use an smbpasswd file properly salted without implementing a full samba server?
>>>
>>> The proper tool that I know of is "smbpasswd" as an executable, which is part of the samba-common-bin package on my system (Debian).
>>>
>>> It may have dependencies which include a full smb server (which I run), so this may not be helpful information.
>>>
>>> dafr
>>
>> I am most concerned about the password having to be in plaintext when transmitted over the network. Even if there is a way without a full samba server deployment to have the password sent in encrypted form over the network, that would be great. The server is probably the latest incarnation of Windows server. I don't like the idea of having to have a Linux user for every Windows user either.
>
> Sure, I get that, and agree with the concerns. I was looking at the smbpasswd man page initially and this is why I think you want to use this utility:
>
> "On a UNIX machine the encrypted SMB passwords are usually stored in the smbpasswd(5) file."
>
> Now, the problem with the utility is that unless you do something fancy, you may have to be on the localhost where the share is exported to set / reset the password as a user. This may not be feasible in your situation unless there is a web interface that you can front smbpasswd with to allow users to change passwords.
>
> When mounting a share in a Windows VM on my Linux host, I have to auth with a pop-up window of user / pass to access the shared directory. I'm not sure if (and don't believe that) you have to have a Linux account for the Windows user. They are different password files, but my experience is also limited to a full samba server, so your needs may be more an issue than mine.
>
> dafr
Re: [PLUG] Mount cifs share from fstab.
On 12/04/2017 03:36 PM, michael wrote:

> On 2017-12-04 17:00, David wrote:
>
>> On 12/04/2017 02:33 PM, michael wrote:
>>
>>> I have it working. I don't want the password for the owner of the share in plain text in a file though. Creating /home/pi/.smbpasswd with the contents:
>>> username=Test
>>> password=password
>>> domain=somedomain
>>> and chmod 600 isn't good enough.
>>>
>>> The password should be salted in this file even if it is password!
>>>
>>> Is there a simple way to use an smbpasswd file properly salted without implementing a full samba server?
>>
>> The proper tool that I know of is "smbpasswd" as an executable, which is part of the samba-common-bin package on my system (Debian).
>>
>> It may have dependencies which include a full smb server (which I run), so this may not be helpful information.
>>
>> dafr
>
> I am most concerned about the password having to be in plaintext when transmitted over the network. Even if there is a way without a full samba server deployment to have the password sent in encrypted form over the network, that would be great. The server is probably the latest incarnation of Windows server. I don't like the idea of having to have a Linux user for every Windows user either.

Sure, I get that, and agree with the concerns. I was looking at the smbpasswd man page initially and this is why I think you want to use this utility:

"On a UNIX machine the encrypted SMB passwords are usually stored in the smbpasswd(5) file."

Now, the problem with the utility is that unless you do something fancy, you may have to be on the localhost where the share is exported to set / reset the password as a user. This may not be feasible in your situation unless there is a web interface that you can front smbpasswd with to allow users to change passwords.

When mounting a share in a Windows VM on my Linux host, I have to auth with a pop-up window of user / pass to access the shared directory. I'm not sure if (and don't believe that) you have to have a Linux account for the Windows user. They are different password files, but my experience is also limited to a full samba server, so your needs may be more an issue than mine.

dafr
Re: [PLUG] Mount cifs share from fstab.
On 2017-12-04 17:00, David wrote:

> On 12/04/2017 02:33 PM, michael wrote:
>
>> I have it working. I don't want the password for the owner of the share in plain text in a file though. Creating /home/pi/.smbpasswd with the contents:
>> username=Test
>> password=password
>> domain=somedomain
>> and chmod 600 isn't good enough.
>>
>> The password should be salted in this file even if it is password!
>>
>> Is there a simple way to use an smbpasswd file properly salted without implementing a full samba server?
>
> The proper tool that I know of is "smbpasswd" as an executable, which is part of the samba-common-bin package on my system (Debian).
>
> It may have dependencies which include a full smb server (which I run), so this may not be helpful information.
>
> dafr

I am most concerned about the password having to be in plaintext when transmitted over the network. Even if there is a way without a full samba server deployment to have the password sent in encrypted form over the network, that would be great. The server is probably the latest incarnation of Windows server. I don't like the idea of having to have a Linux user for every Windows user either.
Re: [PLUG] Mount cifs share from fstab.
On 12/04/2017 02:33 PM, michael wrote:

> I have it working. I don't want the password for the owner of the share in plain text in a file though. Creating /home/pi/.smbpasswd with the contents:
> username=Test
> password=password
> domain=somedomain
> and chmod 600 isn't good enough.
>
> The password should be salted in this file even if it is password!
>
> Is there a simple way to use an smbpasswd file properly salted without implementing a full samba server?

The proper tool that I know of is "smbpasswd" as an executable, which is part of the samba-common-bin package on my system (Debian).

It may have dependencies which include a full smb server (which I run), so this may not be helpful information.

dafr
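
Added example, not part of any message in the thread: a POSIX shell check for the setup discussed above, where a cifs line in fstab either carries the password inline or points at a credentials file that is expected to be chmod 600. `password=`/`pass=` and `credentials=`/`cred=` are mount.cifs options; the host name, mount points and scratch files are constructed for the demo.

```sh
#!/bin/sh
# Added example: audit cifs lines in an fstab-format file.
# Prints one finding per line; returns 0 when clean, 1 otherwise.
audit_cifs_fstab() {
    fstab=$1; findings=0
    while read -r spec mnt fstype opts rest; do
        case $spec in ''|'#'*) continue ;; esac      # blank line or comment
        [ "$fstype" = cifs ] || continue
        cred=''
        old_ifs=$IFS; IFS=,; set -f                  # split options on commas, no globbing
        for opt in $opts; do
            case $opt in
                password=*|pass=*)                   # secret stored in fstab itself
                    echo "$mnt: inline password in fstab"
                    findings=$((findings + 1)) ;;
                credentials=*|cred=*) cred=${opt#*=} ;;
            esac
        done
        set +f; IFS=$old_ifs
        [ -n "$cred" ] || continue
        if [ ! -f "$cred" ]; then
            echo "$mnt: credentials file missing: $cred"
            findings=$((findings + 1)); continue
        fi
        # Characters 5-10 of the ls mode string are the group and other bits.
        perms=$(ls -ld "$cred" | cut -c5-10)
        if [ "$perms" != "------" ]; then
            echo "$mnt: $cred has group/other bits set ($perms)"
            findings=$((findings + 1))
        fi
    done < "$fstab"
    [ "$findings" -eq 0 ]
}

# Constructed sample in a scratch directory (hypothetical host and mount points).
make_sample() {
    dir=$1
    printf 'username=Test\npassword=password\ndomain=somedomain\n' > "$dir/good.cred"
    cp "$dir/good.cred" "$dir/loose.cred"
    chmod 600 "$dir/good.cred"; chmod 644 "$dir/loose.cred"
    cat > "$dir/fstab" <<EOF
# constructed fstab for the example
//fileserver/share /mnt/a cifs credentials=$dir/good.cred,uid=1000 0 0
//fileserver/share /mnt/b cifs cred=$dir/loose.cred,ro 0 0
//fileserver/share /mnt/c cifs username=Test,password=password 0 0
UUID=0000-0000 / ext4 defaults 0 1
EOF
}

scratch=$(mktemp -d)
make_sample "$scratch"
audit_cifs_fstab "$scratch/fstab" || true
rm -rf "$scratch"
```

The check only covers where the secret sits on the local disk; it says nothing about how the password is handled on the wire.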