Samba was developed in the early 1990s as a way for Linux users to access windows shares as well as enabling the use of a Linux file server to emulate a Windows file server. In over 20 years a lot of exciting things have happened in the development of SMB/CIFS networking protocol support in Linux. However, one major achievement has been completely neglected. If a user wishes to have seamless mounting and access to a Windows share, under his own linux desktop login name to the windows network share of the same login name, independent of each login, and persistent after reboot, then there is no simple solution.
It is easy to setup a persistent mount of a network share upon boot by adding an entry into /etc/fstab. This is fine for a single user computer where network security concerns are not present, such as in a home network. However, with this approach, no matter who logs into the linux workstation, he will have access to the network shares under the login privileges of the static mount provided in /etc/fstab. So if Nicole logs into Tom's desktop computer under her Linux username nicole, she will have access to the network shares with Tom's network authority since he created entries in /etc/fstab to connect to the shares with his username and password.
So it is possible in operating systems such as Ubuntu 14.04 to use the built in file manager Nautilus (Nautilus is the name of the file manager in Ubuntu identified only as "Files" from the desktop GUI - and it should also be noted that Ubuntu devs plan to replace Nautilus in a future distro release) and browse the Microsoft Network with native CIFS support - no need to install Samba. Furthermore, when using this method, the user is prompted for a username and password to access the Windows CIFS share. This way now Nicole can access her own shares on the network and not as Tom.
So, we have discussed two methods of accessing Windows shares from the linux desktop (in reverse order):
- Browse Network in Ubuntu Nautilus and click to mount
- Persistent static mounts in /etc/fstab
Ubuntu Nautilus Click to Mount
This seems pretty slick. Just click, supply credentials and mount. However, the access is not persistent after reboot, even when the option to make the mount saved. It is buggy. Also, the mount path is ugly!
- Files -> Browse Network -> Windows Network -> WINDOWS DOMAIN
Here is where you will see the desktop systems with windows file shares and/or the network file server, be it a Windows server or a Samba based file server such as a NAS device. However, about half the time absolutely nothing appears. Again, it is buggy. In testing on Ubuntu 14.04 it was necessary, sometimes, to close and open the Browse Network option several times in order to have visibility of the NAS file server and network shares.
Once the share is selected in Nautilus the user is prompted for a username and password. The files are now visible in Nautilus and look all nice and neat. However, when attempting to access the mount using console, or another program directly such as an mp3 player, it is difficult to find the mount. It is not in /mnt and it is not in /media. Rather it is ugly, like the following example:
/run/user/1001/gvfs/smb-share:server=[name],share=music/mp3/my favorite song.mp3
What the hell is that? Who's going to want to find that or type all that in? It cannot be accessed directly in console as root.
bash: cd: gvfs: Permission denied
It can be accessed though, from console, as the same user that is in the windows session.
nicole@Acronix:/run/user/1001/gvfs/smb-share:server=athena,share=media$
Again, this is ugly. To solve the ugliness problem a process called gvfs-fuse-daemon is supposed to create a pretty symlink to a subfolder of the user home folder. It should be under
/home/nicole/gvfs
It should be accessible when typing something like this:
cd ~/.gvfs
However, in our fresh install of Ubuntu 14.04 no such symlink was created and the tidy little path is unavailable. Again, buggy. It is possible this isn't even a bug, perhaps the feature was simply dropped.
We can create symlinks for these ugly paths. The symlinks will be persistent. However, the symlinks will appear broken until the share is manually browsed using Nautilus. Again, this is going to depend on what mood Nautilus is in and CIFS.
Persistent Mount in fstab
The process for making a persistent mount by editing the /etc/fstab involves supplying the Windows network login credentials, including password, in this text file readable by all system users.
There are more than one ways to do this. This example uses cifs to permanently mount the shares so that they will be available after reboot. If the system complains add the 'noauto' parameter.
- First edit your /etc/hosts file and add the hostname and IP address of the windows share or file server
- Next create mount points in /mnt for each windows share
- Make sure you have cifs installed
- Edit /etc/fstab and add a line for each windows share, see examples:
//apollo/public/ /mnt/public cifs username=nicolep,password=mythtv,iocharset=utf8,sec=ntlm 0 0 //apollo/media/ /mnt/media cifs username=nicolep,password=mythtv,iocharset=utf8,sec=ntlm 0 0 //apollo/video/ /mnt/video cifs username=nicolep,password=mythtv,iocharset=utf8,sec=ntlm 0 0
- mount the shares
mount -a
- This provides read-only access to the network shares.
KERNEL CHANGE BREAKS CIFS.
Somewhere between kernel 4.10.0-38 4.15.0-20 a change was made that COULD PREVENT your cifs shares from mounting. Kernels at and before 4.10 used SMB (Server Message Block) version 1.0 as the default if not specified. Most folks did not specify it so it defaulted to 1.0 and worked. Microsoft ditched 1.0 in Windows 10 and dropped support. Linux kernel developers decided to change the kernel code to no longer default to SMB 1.0 and now default to a newer version. For people that are using legacy networks or NAS devices, it breaks the mounting example from above.
Solution: Specify the SMB version.
The solution is to tell mount.cifs to use the SMB2, SMB2.1 or SMB3.0 protocol using the "vers" parameter. in Linux CIFS Utils and Samba Specify 1.0, 2.0, 2.1, or 3.0.
For the following full line example a linux desktop is connecting to an older NAS device. It is necessary to specify SMB version 1.0. Example:
//apollo/video/ /mnt/video cifs defaults,vers=1.0,domain=workgroup,username=nicolep,password=mythtv,iocharset=utf8,sec=ntlm 0 0
The above example comes from our Mythbuntu configuration page. As you can see, besides the problem with all system users having access to the share as the one specific network user, that network username and password are exposed in this public readable file. Any user of the desktop now knows the username and password of the windows share owner. /etc/fstab is readable by everyone and so is your Windows password in it.
Another problem with the Mythbuntu example above is that you will not have write permissions to the mounted shares. To have write permissions it is necessary to specify the UID. We also should specify the workgroup name to speed up the process.
//athena/public/ /mnt/public cifs domain=workgroup,username=nicole,password=mythtv,uid=1001,iocharset=utf8,sec=ntlm 0 0 //athena/media/ /mnt/media cifs domain=workgroup,username=nicole,password=mythtv,uid=1001,iocharset=utf8,sec=ntlm 0 0
Lets assume our workgroup/domain name is "workgroup". Nicole now has the ability to both read and write to the shares.
We still have the exposing of your windows network security credentials issue. By using a credentials file we can hide the password.
vi ~/.smbcredentials
Enter the username and password
username=nicole password=mythtv
Change the permissions of the file to prevent unwanted access to your credentials:
chmod 600 ~/.smbcredentials
Now edit fstab
vi /etc/fstab
Use:
//athena/public/ /mnt/public cifs domain=workgroup,credentials=/home/ubuntuusername/.smbcredentials,uid=1001,iocharset=utf8,sec=ntlm 0 0 //athena/media/ /mnt/media cifs domain=workgroup,credentials=/home/ubuntuusername/.smbcredentials,uid=1001,iocharset=utf8,sec=ntlm 0 0
Another security implementation to explore is using libpam_mount which may not work in Ubuntu 14.04 and is not covered here.
We still have the problem of all of our linux desktop users having access to the windows share as the one windows network user. One workaround is to mount during the login process rather than at boot. However, the mount then remains even after the user logs off. The system would need to be rebooted or the mount manually removed before logging out.
Hybrid Solution
Some users implement a hybrid of both systems to achieve a working solution. Consider that there may be public shares that you are indifferent as to whether all users have read write permission and there are personal or restricted shares that you want to limit access to. Lets define an example.
You may have a music share that you wish to have publicly accessible to all network users, read-only so that they do not delete any of your favorite songs.
You also have a private share that you wish only to be accessible by you.
This is a simple example. Considering this and the examples above, you should be able to construct any combination you desire for your own network needs.
Lets create a user on the file server or NAS device called music. Music can have read-only or read-write access defined on the file server as we will further restrict by the way we mount on our workstation. On the workstation we modify fstab.
vi /etc/fstab
And we add the following lines;
-- stand-by for the rest of this composition --