In this post, we will learn how to mount an SMB share with the multiuser mount option, using password-based authentication and cifscreds to control access.
Multiuser Mounts With SAMBA
When a Samba share is mounted, the mount credentials determine the access permissions on the mount point by default. The new multiuser mount option separates the mount credentials from the credentials used to determine file access for each user. In CentOS/RHEL 7, this can be used with sec=ntlmssp authentication (contrary to the mount.cifs(8) man page).
The root user mounts the share using the multiuser option and an SMB username that has minimal access to the contents of the share. Regular users can then stash their own SMB usernames and passwords in the current session’s kernel keyring with the cifscreds command. Their accesses to the share are authenticated with their own credentials from the keyring, not the mount credentials. The users can clear or change their credentials for that login session at any time, and they are cleared when the session ends. File access permissions are enforced entirely by the SMB server based on the access credentials currently in use.
For example, to create a new mount point /mnt/multiuser and mount the share myshare from the SMB file server serverX, authenticating as SMB user fred, who has the NTLM password redhat, and using the multiuser mount option:
[root@desktopX ~]# mkdir /mnt/multiuser
[root@desktopX ~]# mount -o multiuser,sec=ntlmssp,username=fred \
> //serverX/myshare /mnt/multiuser
Password for fred@//serverX/myshare: redhat
The command cifscreds is required to store authentication credentials in the keyring of the local user. Those authentication credentials are forwarded to the Samba server on a multiuser mount. The cifs-utils package provides the cifscreds command, so it is required on the desktopX system.
[root@desktopX ~]# yum -y install cifs-utils
The cifscreds command has various actions:
- add to add SMB credentials to the session keyring of a user. This option is followed by the host name of the SMB file server.
- update to update existing credentials in the session keyring of the user. This option is followed by the host name of the SMB file server.
- clear to remove a particular entry from the session keyring of the user. This option is followed by the host name of the Samba server.
- clearall to clear all existing credentials from the session keyring of the user.
For example, assume that root has mounted //serverX/myshare on the mount point /mnt/multiuser using the multiuser option. In order to access files on that share, user frank must use cifscreds to temporarily stash his username and password in the kernel-managed session keyring.
$ cifscreds add serverX
Password: redhat
$ echo "Frank was here" >/mnt/multiuser/frank2.txt
$ cat /mnt/multiuser/frank2.txt
Frank was here
$ exit
Assume that the permissions on the files in the SMB share grant frank read-write access to the directory, but jane is only granted read access.
[jane@desktopX ~]$ cifscreds add serverX
Password: redhat
[jane@desktopX ~]$ echo "Jane was not here" >/mnt/multiuser/jane2.txt
-bash: /mnt/multiuser/jane2.txt: Permission denied
[jane@desktopX ~]$ cat /mnt/multiuser/frank2.txt
Frank was here
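The per-user model above only holds if the share really was mounted with multiuser; a plain cifs mount gives every local user the access of the mount credentials. The following POSIX shell check, added here and not part of the original course material, parses /proc/mounts to confirm the option is present on a mount point and then asks the session keyring whether cifscreds entries exist. The function names and the optional mounts-file argument are my own, and the keyring check assumes keyctl from the keyutils package is installed.

```shell
#!/bin/sh
# Added example: verify that a CIFS mount point really carries the multiuser
# option and that the caller's session keyring holds cifscreds entries.

# Print the mount options of the cifs entry for <mountpoint>.
# The second argument (default /proc/mounts) exists so the parser can be
# exercised against a constructed mounts file.
cifs_mount_opts() {
    mp=$1
    mounts=${2:-/proc/mounts}
    # /proc/mounts fields: source target fstype options dump pass
    awk -v mp="$mp" '$2 == mp && $3 == "cifs" { print $4; found = 1 }
                     END { exit !found }' "$mounts"
}

# Return 0 if <mountpoint> is a cifs mount with the multiuser option,
# 1 if it is a plain cifs mount or not mounted at all.
cifs_is_multiuser() {
    opts=$(cifs_mount_opts "$1" "${2:-/proc/mounts}") || return 1
    case ",$opts," in
        *,multiuser,*) return 0 ;;
        *) return 1 ;;
    esac
}

# Return 0 when the session keyring (@s) holds cifscreds entries.
# cifscreds stores them as logon keys whose description starts with "cifs:".
have_cifs_creds() {
    keyctl list @s 2>/dev/null | grep -q 'cifs:'
}

# Human-readable report; only runs when a mount point is given as argument.
main() {
    if cifs_is_multiuser "$1"; then
        echo "$1: multiuser CIFS mount ($(cifs_mount_opts "$1"))"
    else
        echo "$1: NOT a multiuser CIFS mount; all users share the mount credentials" >&2
        exit 2
    fi
    if have_cifs_creds; then
        echo "session keyring holds cifscreds entries"
    else
        echo "no cifscreds entries in this session keyring; run: cifscreds add <server>" >&2
    fi
}
if [ $# -ge 1 ]; then main "$1"; fi
```

Run it as a regular user after root has mounted the share, e.g. `sh check-multiuser.sh /mnt/multiuser`, before and after `cifscreds add serverX`.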