Windows network share integration for linux: Difference between revisions
| Line 35: | Line 35: | ||
| {{:Example of cfis fstab}} | {{:Example of cfis fstab}} | ||
| The above example comes from our Mythbuntu configuration page.  As you can see, besides the problem with all system users having access to the share as the one specific network user, that network username and password are exposed in this public readable file.  Any user of the desktop now knows the username and password of the windows share owner. | The above example comes from our Mythbuntu configuration page.  As you can see, besides the problem with all system users having access to the share as the one specific network user, that network username and password are exposed in this public readable file.  Any user of the desktop now knows the username and password of the windows share owner.  /etc/fstab is readable by everyone and so is your Windows password in it. | ||
| Another problem with the Mythbuntu example above is that you will not have write permissions to the mounted shares.  To have write permissions it is necessary to specify the UID.  We also should specify the workgroup name to speed up the process. | |||
|  //athena/public/ /mnt/public cifs domain=workgroup,username=nicole,password=mythtv,uid=1001,iocharset=utf8,sec=ntlm 0 0 | |||
|  //athena/media/ /mnt/media cifs domain=workgroup,username=nicole,password=mythtv,uid=1001,iocharset=utf8,sec=ntlm 0 0 | |||
| Lets assume our workgroup/domain name is "workgroup".  Nicole now has the ability to both read and write to the shares. | |||
Revision as of 14:48, 3 June 2015
Samba was developed in the early 1990s as a way for Linux users to access windows shares as well as enabling the use of a Linux file server to emulate a Windows file server. In over 20 years a lot of exciting things have happened in the development of SMB/CIFS networking protocol support in Linux. However, one major achievement has been completely neglected. If a user wishes to have seamless mounting and access to a Windows share, under his own linux desktop login name to the windows network share of the same login name, independent of each login, and persistent after reboot, then there is no simple solution.
It is easy to setup a persistent mount of a network share upon boot by adding an entry into /etc/fstab. This is fine for a single user computer where network security concerns are not present, such as in a home network. However, with this approach, no matter who logs into the linux workstation, he will have access to the network shares under the login privileges of the static mount provided in /etc/fstab. So if Nicole logs into Tom's desktop computer under her Linux username nicole, she will have access to the network shares with Tom's network authority since he created entries in /etc/fstab to connect to the shares with his username and password.
So it is possible in operating systems such as Ubuntu 14.04 to use the built in file manager Nautilus (Nautilus is the name of the file manager in Ubuntu identified only as "Files" from the desktop GUI - and it should also be noted that Ubuntu devs plan to replace Nautilus in a future distro release) and browse the Microsoft Network with native CIFS support - no need to install Samba. Furthermore, when using this method, the user is prompted for a username and password to access the Windows CIFS share. This way now Nicole can access her own shares on the network and not as Tom.
So, we have discussed two methods of accessing Windows shares from the linux desktop (in reverse order):
- Browse Network in Ubuntu Nautilus and click to mount
- Persistent static mounts in /etc/fstab
Ubuntu Nautilus Click to Mount
This seems pretty slick. Just click, supply credentials and mount. However, the access is not persistent after reboot, even when the option to make the mount saved. It is buggy. Also, the mount path is ugly!
- Files -> Browse Network -> Windows Network -> WINDOWS DOMAIN
Here is where you will see the desktop systems with windows file shares and/or the network file server, be it a Windows server or a Samba based file server such as a NAS device. However, about half the time absolutely nothing appears. Again, it is buggy. In testing on Ubuntu 14.04 it was necessary, sometimes, to close and open the Browse Network option several times in order to have visibility of the NAS file server and network shares.
Once the share is selected in Nautilus the user is prompted for a username and password. The files are now visible in Nautilus and look all nice and neat. However, when attempting to access the mount using console, or another program directly such as an mp3 player, it is difficult to find the mount. It is not in /mnt and it is not in /media. Rather it is ugly, like the following example:
/run/user/1001/gvfs/smb-share:server=[name],share=music/mp3/my favorite song.mp3
What the hell is that? Who's going to want to find that or type all that in? It cannot be accessed directly in console as root.
bash: cd: gvfs: Permission denied
It can be accessed though, from console, as the same user that is in the windows session.
nicole@Acronix:/run/user/1001/gvfs/smb-share:server=athena,share=media$
Again, this is ugly. To solve the ugliness problem a process called gvfs-fuse-daemon is supposed to create a pretty symlink to a subfolder of the user home folder. It should be under
/home/nicole/gvfs
It should be accessible when typing something like this:
cd ~/.gvfs
However, in our fresh install of Ubuntu 14.04 no such symlink was created and the tidy little path is unavailable. Again, buggy. It is possible this isn't even a bug, perhaps the feature was simply dropped.
We can create symlinks for these ugly paths. The symlinks will be persistent. However, the symlinks will appear broken until the share is manually browsed using Nautilus. Again, this is going to depend on what mood Nautilus is in and CIFS.
Persistent Mount in fstab
The process for making a persistent mount by editing the /etc/fstab involves supplying the Windows network login credentials, including password, in this text file readable by all system users.
fstab example: persistent mounts using exposed credentials
There are more than one ways to do this. This example uses cifs to permanently mount the shares so that they will be available after reboot. If the system complains add the 'noauto' parameter.
- First edit your /etc/hosts file and add the hostname and IP address of the windows share or file server
- Next create mount points in /mnt for each windows share
- Make sure you have cifs installed
- Edit /etc/fstab and add a line for each windows share, see examples:
//apollo/public/ /mnt/public cifs username=nicolep,password=yourpass,iocharset=utf8,sec=ntlm 0 0 //apollo/media/ /mnt/media cifs username=nicolep,password=yourpass,iocharset=utf8,sec=ntlm 0 0 //apollo/video/ /mnt/video cifs username=nicolep,password=yourpass,iocharset=utf8,sec=ntlm 0 0
- mount the shares
mount -a
- This provides read-only access to the network shares.
Example with file permission specified and full rw access
//apollo/public /mnt/public cifs defaults,dir_mode=0777,file_mode=0777,domain=workgroup,username=nicolep,password=yourpass,uid=1000
troubleshooting: devs keep breaking samba
KERNEL CHANGE BREAKS CIFS.
Somewhere between kernel 4.10.0-38 4.15.0-20 a change was made that COULD PREVENT your cifs shares from mounting. Kernels at and before 4.10 used SMB (Server Message Block) version 1.0 as the default if not specified. Most folks did not specify it so it defaulted to 1.0 and worked. Microsoft ditched 1.0 in Windows 10 and dropped support. Linux kernel developers decided to change the kernel code to no longer default to SMB 1.0 and now default to a newer version. For people that are using legacy networks or NAS devices, it breaks the mounting example from above.
Solution: Specify the SMB version.
The solution is to tell mount.cifs to use the SMB2, SMB2.1 or SMB3.0 protocol using the "vers" parameter. in Linux CIFS Utils and Samba Specify 1.0, 2.0, 2.1, or 3.0.
For the following full line example a linux desktop is connecting to an older NAS device. It is necessary to specify SMB version 1.0. Example:
//apollo/video/ /mnt/video cifs defaults,vers=1.0,domain=workgroup,username=nicolep,password=mythtv,iocharset=utf8,sec=ntlm 0 0
FAILED TO CLOSE BROKEN PIPE
Update 2024 Kernel 5.15 Samba 2:4.15.13+dfsg-0ubuntu1.6 -
cp: failed to close 'filename': Broken pipe
A problem with this latest at the time samba Can't copy large files to Windows share - Error closing file: Input/output error issue workaround, specify prior version of cifs on fstab, see example:
//apollo/video/ /mnt/video cifs vers=2.0,defaults,domain=workgroup,username=nicolep,password=yourpass,uid=1000
The above example comes from our Mythbuntu configuration page. As you can see, besides the problem with all system users having access to the share as the one specific network user, that network username and password are exposed in this public readable file. Any user of the desktop now knows the username and password of the windows share owner. /etc/fstab is readable by everyone and so is your Windows password in it.
Another problem with the Mythbuntu example above is that you will not have write permissions to the mounted shares. To have write permissions it is necessary to specify the UID. We also should specify the workgroup name to speed up the process.
//athena/public/ /mnt/public cifs domain=workgroup,username=nicole,password=mythtv,uid=1001,iocharset=utf8,sec=ntlm 0 0 //athena/media/ /mnt/media cifs domain=workgroup,username=nicole,password=mythtv,uid=1001,iocharset=utf8,sec=ntlm 0 0
Lets assume our workgroup/domain name is "workgroup". Nicole now has the ability to both read and write to the shares.