Currently our Ubuntu-Clients connect to cifs shares during system boot via /etc/fstab. This has the following disadvantages:
- Passwords are written in plain text as a mount option
- The password should expire, but if it does, the /etc/fstab has to be changed on every client. So most passwords used for mounts simply don't expire at the moment
- The CIFS share is mounted under the connecting user and his permissions, so the user actually working with the share on Ubuntu is not displayed. A side effect is a blur of permissions, because the Ubuntu-users are not listed in the Windows file system permissions.
What I already successfully tested on our Ubuntu-Clients:
Using kerberos authentication on user login – so there is a kerberos ticket available for the user.
Using that kerberos ticket to (sudo) mount the cifs share within a systemd user service
- PRO: Works on graphical login as well as ssh
- PRO: Share is accessible like the local file system
- CON: If I mount on a global mountpoint like /servers/mymount, I have to take care that I don't overlay mounts by multiple users. And the connecting user would then be the one whose permissions would be used by any following user.
Using that kerberos ticket to dynamically mount the share from the file browsers nautilus and thunar
- PRO: If the connection to the share is established via file browser, no extra script or service is necessary
- PRO: The share is mounted into the user context, so definitely with the user's permissions. If the user has no permission, there is still the possibility to connect the share with another user.
- PRO: The mounts could be automated by /etc/profile using gvfs-mount
- PRO: No sudo rights are necessary, the user can gvfs-mount and -unmount as he wishes, very intuitive via file browser
- CON: There is no actual mountpoint, standard unix commands like ls, cp and so on don't work. I would have to use gvfs-* alternatives. At this point the above solution with mount.cifs appears to be better.
So what I would like is to access the cifs share like I access an nfs share.
- No passwords used during the mount
- The permissions of the accessing user should be used
- The filesystem should behave like the local file system (standard unix commands should work)
I could mount a CIFS share multiple times, separately for each user into his home directory, but
Is there a way to mount the CIFS share during boot by the user root, not specifying a connecting user and then using the permissions from an accessing user (for example via kerberos ticket)?
Thank you in advance,
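
For the first disadvantage listed above (passwords as mount options in /etc/fstab), a small audit helper can show which CIFS entries on a client still carry stored credentials. This is an added example, not part of the original post; the function names, host name and paths in the sample are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify CIFS entries in an fstab-format file by how they authenticate.
# Prints "<status> <mountpoint> <detail>" per CIFS entry and never echoes the password:
#   PLAINTEXT  password=/pass= given inline in the options field
#   CREDFILE   credentials=/cred= file (password still stored on disk)
#   KRB5       sec=krb5 or sec=krb5i without a stored password
#   OTHER      none of the above
# Exit status is 1 if at least one PLAINTEXT entry exists, otherwise 0.
audit_cifs_fstab() {
    awk '
        $1 ~ /^#/ || NF < 4 { next }      # skip comments and incomplete lines
        $3 != "cifs" { next }             # only CIFS mounts are of interest
        {
            status = "OTHER"; detail = "-"
            n = split($4, opt, ",")
            for (i = 1; i <= n; i++) {
                if (opt[i] ~ /^(password|pass)=/) {
                    status = "PLAINTEXT"; detail = "inline-password"; break
                }
                if (opt[i] ~ /^(credentials|cred)=/) {
                    status = "CREDFILE"
                    detail = substr(opt[i], index(opt[i], "=") + 1)
                }
                if (opt[i] ~ /^sec=krb5i?$/ && status == "OTHER") {
                    status = "KRB5"; detail = opt[i]
                }
            }
            if (status == "PLAINTEXT") bad = 1
            print status, $2, detail
        }
        END { exit bad ? 1 : 0 }
    ' "$1"
}

# Constructed sample input (hypothetical server, shares and account names).
sample_fstab() {
    cat <<'EOF'
# /etc/fstab sample, constructed for this example
UUID=0000-0000 / ext4 defaults 0 1
//fileserver.example/share1 /servers/mymount cifs username=svc_mount,password=CONSTRUCTED,uid=1000 0 0
//fileserver.example/share2 /servers/other cifs credentials=/etc/cifs-cred,ro 0 0
//fileserver.example/share3 /servers/krb cifs sec=krb5,cruid=1000 0 0
EOF
}
```

Run it as `audit_cifs_fstab /etc/fstab` on a client; a non-zero exit status means at least one entry still has a password in the options field.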