Changes
From Free Knowledge Base- The DUCK Project: information for everyone
/* Accessing Windows Shares: Discussion */
The following lines were added (+) and removed (-):
Another example for a modern NAS
 sudo mount -t cifs -o user=nicolep,uid=1001 //apollo/documents /mnt/documents
''She will be prompted for a password when she executes this command: first for sudo, and again for the SMB password of her account nicolep. The uid is set to match her local account in /etc/passwd; otherwise all files and directories on the mounted share would appear to be owned by root and would not be writable by her.''

 error: mount.cifs: bad UNC (/apollo/documents)
If you are getting this error, make sure the path starts with two forward slashes: //apollo

Unmount when done
 sudo umount //apollo/nicolep
To quickly unmount all your cifs mounts (if the network file server goes down or the NAS is offline, your system can hang unless you release the mounts)
 sudo umount -a -t cifs -l
=== Slightly improved security with credentials=filename ===
You can now substitute your Windows username and password in the fstab entry by specifying "credentials". File permissions can then be used to restrict read access to the still plain text passwords in the credentials file.

Using credentials=filename specifies a file that contains a username and/or password. This is preferred over having passwords in plaintext in a shared file, such as /etc/fstab. Be sure to protect any credentials by saving the file (as root) to /root/, and chmod 600.
 cd
 echo username=mywindowsusername > /root/.smbpasswd
 echo password=mywindowspassword >> /root/.smbpasswd
 chmod 600 /root/.smbpasswd
Then in fstab
 credentials=/root/.smbpasswd
An example of the fstab entry:
 //apollo/video/ /mnt/video cifs defaults,vers=1.0,domain=workgroup,credentials=/root/.smbpasswd,iocharset=utf8,sec=ntlm 0 0
This is only the basic level of security that standard file ownership and permissions provide. It is not possible to encrypt the username or password. smbclient needs access to the plaintext password in order to mount the share.
Although the SMB/CIFS session is typically negotiated without sending the unencrypted password across the network, the client still needs access to the plaintext password in order to properly encrypt it during the authentication phase.
=== No dialect specified on mount ===
When attempting to 'mount -a' against your /etc/fstab, you see a system-generated error
 mount error(22): Invalid argument
 Refer to the mount.cifs(8) manual page (e.g. man mount.cifs)
Further analysis by looking at kern.log
 tail -f /var/log/kern.log
reveals the following error message
 kernel: [86079.045389] No dialect specified on mount. Default has changed to a more secure dialect, SMB2.1 or later (e.g. SMB3), from CIFS (SMB1). To use the less secure SMB1 dialect to access old servers which do not support SMB3 (or SMB2.1) specify vers=1.0 on mount.
 kernel: [86079.065167] CIFS VFS: Unable to select appropriate authentication method!
 kernel: [86079.065176] CIFS VFS: Send error in SessSetup = -22
 kernel: [86079.065219] CIFS VFS: cifs_mount failed w/return code = -22
You can always specify a version of SMB
 //apollo/video/ /mnt/video cifs defaults,vers=1.0,domain=workgroup,username=nicolep,password=mythtv,iocharset=utf8,sec=ntlm 0 0
In this example the oldest version, SMB 1.0, is specified because the file server is old and runs 1.0.

Most NAS devices as of 2020 support SMB 1 through SMB 3.
* SMB 1, SMB 2, SMB 2.1, SMB 3
We can use a simplified format that avoids parameters that are incompatible with the kernel's preferred SMB version.
 //apollo/home /mnt/nicolep cifs defaults,domain=workgroup,username=nicolep,password=mythtv,uid=1002
Note that we specified the uid of the user, which is the uid in /etc/passwd. Without the uid, the file system will seem "read only" to the user, because the owner and group on the mount point will be root.

Another note: we put the username and password in fstab in an insecure way.
An evolution offering slightly better security is available using a so-called credentials file.
#Using the mount command in a script (which prompts user for password when executed)
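
The credentials-file steps and the fstab entries above, turned into a small check, as an added example that is not part of the wiki page: `write_cifs_credentials` creates the file under `umask 077` so it is never readable by others before a `chmod` runs, and `audit_cifs_fstab` flags cifs entries that carry an inline password, force `vers=1.0`, or point at a credentials file that group or other can access. The function names, finding texts and sample entries are assumptions constructed for the example.

```shell
# Added example (not from the wiki page); names and finding texts are assumptions.

# Create a credentials file that is owner-only from the moment it exists.
# usage: write_cifs_credentials FILE USERNAME   (password is read from stdin)
write_cifs_credentials() (
    umask 077                          # new files get mode 0600, no chmod window
    rm -f "$1"                         # drop any older copy with looser permissions
    IFS= read -r pw || [ -n "$pw" ] || exit 1
    printf 'username=%s\npassword=%s\n' "$2" "$pw" > "$1"
)

# Report a credentials file that is missing or accessible to group/other.
check_cred_mode() {
    if [ ! -f "$2" ]; then echo "$1: credentials file $2 missing"; return 0; fi
    perms=$(ls -ld "$2" | cut -c5-10)  # group and other permission bits
    [ "$perms" = "------" ] || echo "$1: $2 is accessible beyond its owner ($perms)"
}

# Print one finding per line for every cifs entry in an fstab-style file.
audit_cifs_fstab() {
    while read -r dev mnt fstype opts _rest; do
        case $dev in ''|'#'*) continue ;; esac   # skip blank lines and comments
        [ "$fstype" = cifs ] || continue
        cred=
        old_ifs=$IFS; IFS=,                      # mount options are comma-separated
        for opt in $opts; do
            case $opt in
                password=*|pass=*)    echo "$mnt: password stored inline in $1" ;;
                vers=1.0)             echo "$mnt: SMB1 forced with vers=1.0" ;;
                credentials=*|cred=*) cred=${opt#*=} ;;
            esac
        done
        IFS=$old_ifs
        if [ -n "$cred" ]; then check_cred_mode "$mnt" "$cred"; fi
    done < "$1"
    return 0
}

# Demo on constructed input (temporary files only; nothing under /etc is read).
demo() {
    d=$(mktemp -d)
    printf 'constructed-pass\n' | write_cifs_credentials "$d/cred" nicolep
    printf '%s\n' \
      "//apollo/video /mnt/video cifs defaults,vers=1.0,username=nicolep,password=mythtv 0 0" \
      "//apollo/home /mnt/nicolep cifs defaults,credentials=$d/cred,uid=1002 0 0" > "$d/fstab"
    audit_cifs_fstab "$d/fstab"
    rm -rf "$d"
}
demo
```

Run `audit_cifs_fstab /etc/fstab` as root to check a real system; the credentials check needs read access to the directory that holds the file.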