I want to write to a DFS share with Active Directory groups on the Linux server. I mounted the CIFS share with an AD user who is in the same Active Directory group. When I write to the directory as a user other than the mount user, I get a permission error. I have changed the permissions on both the Windows and Linux servers. I added the AD groups to the DFS share directory on the Windows side and ran chmod 777 on the Linux side. How can AD users other than the mount user write to the DFS share directory on the Linux server?

1 Answer

By default, Linux cifs mounts only use a single SMB user account for all local UIDs. You can mount the share with -o file_mode=0666,dir_mode=0777 to grant full access to all local UIDs, but they will all share the same AD account that you used when mounting.

To have each local UID automatically use its own AD account, you'll need the -o multiuser option instead. Note that Linux won't be able to prompt for credentials on access, so this works best if you use Kerberos authentication (-o sec=krb5, and have each user use SSSD or kinit to obtain the Kerberos credentials from AD).

Multiuser mode can work with password-based NTLM; each user still needs to pre-set their credentials using cifscreds add, but as this relies on kernel keyrings (the cifs driver code unfortunately insists on per-session keyrings and doesn't accept the per-uid keyring), it is actually more difficult to deal with than the Kerberos mode.
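The following audit script is an added example, not part of the answer above: it reads mount lines and reports, per cifs mount, whether all local UIDs share the mount account or each UID authenticates as itself. The function names and sample lines are constructed, and it assumes the option spellings `multiuser`, `sec=`, `file_mode=` and `dir_mode=` appear in /proc/mounts as they do on the mount command line.

```shell
#!/bin/sh
# Added example: report which server identity each cifs mount uses.

# $1 = option string (4th field of a /proc/mounts line).
classify_cifs_opts() {
    o=",$1,"
    case "$o" in
    *,multiuser,*)
        # Each local UID gets its own SMB session.
        case "$o" in
        *,sec=krb5,*|*,sec=krb5i,*) echo "per-user-kerberos" ;;
        *) echo "per-user-cifscreds" ;;   # users must run cifscreds add
        esac ;;
    *)
        # Every local UID acts as the mount account; flag modes with
        # the "other" write bit set (last octal digit 2, 3, 6 or 7).
        case "$o" in
        *,file_mode=0[0-7][0-7][2367],*|*,dir_mode=0[0-7][0-7][2367],*)
            echo "shared-account-world-writable" ;;
        *) echo "shared-account" ;;
        esac ;;
    esac
}

# Reads /proc/mounts-format lines on stdin, prints "<mountpoint> <class>".
audit_cifs_mounts() {
    while read -r _src mnt fstype opts _rest; do
        case "$fstype" in cifs|smb3) ;; *) continue ;; esac
        printf '%s %s\n' "$mnt" "$(classify_cifs_opts "$opts")"
    done
}

# Constructed sample input (hosts, shares and account are made up).
sample_mounts() {
    cat <<'EOF'
//fs.example.com/dfs/team /mnt/team cifs rw,relatime,vers=3.1.1,sec=krb5,cache=strict,multiuser,uid=0,gid=0,addr=192.0.2.10,file_mode=0755,dir_mode=0755 0 0
//fs.example.com/dfs/drop /mnt/drop cifs rw,relatime,vers=3.1.1,sec=ntlmssp,cache=strict,username=svc_mount,uid=0,gid=0,addr=192.0.2.10,file_mode=0666,dir_mode=0777 0 0
tmpfs /run tmpfs rw,nosuid,nodev,mode=755 0 0
EOF
}

sample_mounts | audit_cifs_mounts
# On a live host: audit_cifs_mounts < /proc/mounts
```

A mount reported as shared-account-world-writable means every local user's writes reach the server under the single mount account, so server-side ACLs and audit logs cannot tell those users apart.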
