I’ve been struggling for a week now between multuple documentation to figure this out, here’s what I’m trying to accomplish :
Mount share at either boot via service account or at domain user login, yes, SSSD is configured and working.
From there it should apply users rights on the smb share from it’s krb5 username and password.
This does not seem to work completely, I am able to map the network drive at boot via the service account but once in the user, rights does not apply since it uses the service account mapping.
Here’s the last doc I’ve landed on and tried : SMB: How to mount a Kerberized share - Red Hat Customer Portal
Thank you for your help in advance,
Forgetting the “boot via service account” for a minute, if you just want to mount as logged on user with perms, isn’t this the same thing as mounting a user’s home directory?
(Many people won’t be able to read the RHEL article as it’s behind a login).
So in theory yes, the user would log and the mapped network share would apply permission to the drive using SSSD logged user info.
I am trying to simplify my life and not manually map all the network share per workstation or use a general user to map for all users.
FYI, I’ve revised all the KRB5,SSSD,PAM and NSS config to make sure nothing was not doing it’s job properly.
This said, here’s where I can’t seem to figure it out :
in /etc/fstab : //test/test /E cifs multiuser,cifsacl,_netdev,sec=krb5,noserverino,user,uid=$USER,cruid=$USER,gid=domain^users,rw,username=XYZ@XYZ.co 0 0
This should mount via the XYZ user but then set permission from logged krb5 user.
Any pointer ?
I don’t know, but I think /etc/fstab is more for when you want something mounted at boot time, but if it’s for home directories, surely they would be mounted at user logon time?
This is to mount Windows SMB Share, network drive for user to put and take documents not home directories.
I am simply trying to replicate something like a GPO for Windows, to map network drives when user login depending on permission.
Any clue ?
In your original post it said:
so the second option sounded like a home directory
I think the question needs to be a bit clearer.