Ubuntu Security :: Using AutoFS To Mount CIFS Share Without Leaving Unencrypted Passwords
Jul 30, 2011
I followed this howto in order to mount CIFS shares on demand. This works great, however, this guide suggests leaving my network passwords unencrypted on the disk. This is a very bad security practice, as the passwords can be easily retrieved by booting the computer using a different OS.
I was looking for a way to secure things up, so I came up with this solution: Instead of storing the passwords plain text on the disk, I store them in a tar file encrypted using GPG. When I boot my system, I open this file to a directory in /dev/shm, and order AutoFS to retrieve the passwords from there.
This does the trick, but I presume this solution is not that secure, since /dev/shm content can be written to the swap partition. Is there any other solution which is a better security practice? Maybe using some sort of keyring service?
We have a homegrown process that runs on a windows box and produces a csv file. We mount the directory these are output to using autofs/cifs and then process them using a program on our linux database servers.
Is there a way from linux, looking at the cifs share, to tell if the target file is currently in use by a process on the windows box? We are having issues where an incomplete file is being processed occasionally.
I am trying to image about 30 laptops with WinXP, and I am using Clonezilla and DRBL for the task. We will start migration to Win7 starting Q4, so for now we are still using XP. I used a Clonezilla live USB to capture a standardized image to a CIFS/SAMBA share on the enterprise file server. The file server does not support NFS. To deploy the image, I used Virtualbox to build a VM with Centos 5.5 and then later Ubuntu 10.10. I mounted the CIFS share to /home/partimag but I found that I cannot share this CIFS mount out as NFS so I was unable to deploy the image with the image still residing on the CIFS; I had to copy the image to the VM's local drive.
Now using the DRBL live distribution, which is Debian based, I was able to obtain the image from a CIFS share and then share it out to the clients to be imaged as NFS (I think). I was able to use the DRBL live for some older computers, but since that hasn't been updated in nearly 2 years, I think it's missing some device drivers for my newer machines so it doesn't work on them -- this is why I looked at using CentOS and Ubuntu. To mount the CIFS shares, I'm using the following command:
mount -t cifs -o user@domain //share_ip_addr/share_name/folder /home/mount_point
Do I need to do something different to enable the mounted CIFS share to be shared out as a NFS share so that the clients to be imaged can see the contents from the CIFS share as a NFS share? The below image depicts my setup. The workstation has two NICs. The 10 network is the enterprise network and the 192 network is for DRBL imaging only. DRBL/Clonezilla does PXE boot and leases DHCP for the laptops. The laptops are shielded from the enterprise LAN; I am not doing any kind of NAT on the server. The Linux VM is built with dual NICs and are set to bridged mode so they appear to be a separate NIC from the VM host on the network even though they are going into the same port on the wall. [URL]
We recently moved to a new home and I am trying to get my home file/print server set up again. Thanks to swerdna's excellent website, I got my server box (just upgraded from 11.0 to 11.2) running Samba and serving my shares over the network, and my "client" machines can access them without a problem. However, I'm not having much luck setting up CIFS mounts on my Linux desktop. I have my all-purpose user added to the Samba auth list (via smbpasswd), and configured my client as swerdna's howto's specify, and I can access the files just fine. However, when I try to mount the shares with this command:
Code: mount -t cifs -o username=klein,password=klein //192.168.1.70/sharedmedia /home/zak/SharedMedia/
I get the following error:
I've been trying for a while mounting an EMC NAS share on linux. As far as I know the NAS share behaves just like a regular windows share, so the mount process should be very similar. On the NAS server, the disc "Disc1" is shared, and I need to mount a sub-subfolder of that share. This is my line in /etc/fstab:
I am attempting to set up autofs on Ubuntu 10.04 so that it can automatically mount cifs shares when wifi is connected. For some reason, it isn't working. First of all, I know the share is accessible because doing this works fine:
Code: sudo mount.cifs //192.168.0.12/share /cifs -o credentials=/etc/samba/credentials
This is in my /etc/auto.master
Code: /cifs /etc/auto.home --timeout=60 --ghost
And this is /etc/auto.home
Using Dolphin in Super-User mode, I can copy files and directories from the share to itself with no errors. Using Dolphin in Normal-user mode, I get the failure "Could not change permissions for...". The file is copied, but its owner, timestamp and permissions are wrong. If a subdirectory is involved, the copy aborts.
Using Windows XP I can copy files and directories from the share to itself with no errors.
Testing: If I mount with uid and gid, then my normal user can not access the share.
mount.cifs //10.x.x.x/Data /home/stevej/Synology/Data/ --verbose -o user=stevej uid=stevej gid=users
Synology DS211 - There are 2 users on it. One of which is stevej and the other is julie. Rights RWX are applied to the users and the group called users. All files have stevej as the owner and users as the group with RWX
Opensuse 11.4 - There are 2 PCs. One is run as stevej. The other PC runs as julie
Windows 2000 - Runs as stevej and maps to the share as stevej. Works as expected
Windows XP - Runs as julie and maps to the share as julie. Works as expected
Ultimately, I want the shares to automount at boot, or login and give the user full access. I have been to Swerdna's page and done as much as I can, but still no luck.
I'm using cifs to mount a windows share. I have created one credentials file and given the path in fstab to mount at boot time. Now I want to encrypt the credentials file and place that in the fstab file. But it is not accepting it. How do I use an encrypted file in fstab, so that normal users can not see the credentials inside the file?
There are a couple of ways to mount Samba shares, but I prefer using "autofs" which can mount them on the fly. Use the autofs daemon to have shares automatically mounted on demand. The netfs service (installed by default in Fedora) is not a daemon and can only mount shares on boot (it can't mount them on demand).
* Install the autofs package:
Code: yum install autofs
* Edit /etc/auto.master (the master map file), and comment out all lines (with #). This avoids conflicts with the CDROM (which is handled by Gnome), etc. Save the file.
* Create a new file /etc/auto.cifs, with the contents of:
Code:
#!/bin/bash
# $Id$
I wonder if it is possible to have two passwords for one user account in 9.10. I have a long login password (5 words about 45 characters with spaces caps). I would like to set a shorter password for Authentication, sudo, etc. While retaining the original for logging in. In short: Have long password to login to computer. Have short password for everything after login.
During a recent install I made the leap to encryption, but /boot must remain unencrypted. Is there really any legitimate security risk to having an unencrypted /boot partition? I mean basically someone can just see what kernel you're running which they could see during boot anyways right? Oh and I keep all my financial documents in /boot/finances/ (haha ok not really, but I am serious about the first part).
However, autofs does not work: the /msrv directory appears and disappears when I start and stop autofs; but when I enter "cd /msrv" followed by "cd Share05" in the terminal, I get the "bash: cd: /msrv/Share05: No such file or directory" message after the second command.
[root@serv03 /]# ls -l /media/exPort/mMusic
total 16
drwxrwxr-x 11 databank lhome 4096 Jun 23 21:25 iTunes
drwxrwxr-x 3 databank lhome 4096 Aug 19 2010 Network Trash Folder
drwxrwxr-x 3 databank lhome 4096 Aug 13 2010 Streaming Radio
But it doesn't work - neither it throws any errors in, nor does it mount the share. All I need is to mount "/mMusic" (i.e. /media/exPort/mMusic) as "serv03:/media/nMedia/mMusic" so that tree looks like this:
I manage a linux-based network, where some projects are currently under development. Our IT policy states that any email attachment shall be encrypted using GPG. Can I block other attachments using a firewall?
Note: Currently our mail server is not in campus. So I can only use a firewall for this security issue.
Running 8.3. On 7.6 I had an automount and I was able to mount/unmount without issue. With 8.3, I can mount, but when I am in Thunar and I unmount, it gives me a permission denied. In /etc/groups I am in plugdev.
I was having a discussion with someone who said that telnet, FTP, HTTP plain-text authentication in the local subnet is ok because it's a switched network. Also, that these protocols are not good over the net but in a local subnet they are just fine.
I know that someone can plug a hub in the network port and connect 2 (or more) PCs and see the packets. Also, heard about ettercap but haven't really delved into it. I know dsniff was written to prove the point that unencrypted protocols are bad. Would like to get opinions about unencrypted protocols over switched networks.
Linux box info:
root@mytestbox:~# uname -a
Linux mytestbox 2.6.32-30-generic-pae #59-Ubuntu SMP Tue Mar 1 23:01:33 UTC 2011 i686 GNU/Linux
Windows box info: Windows Server 2008 SP2 Enterprise
I've verified via --verbose output that mount.cifs is indeed processing the passed on options.
root@mytestbox:~# mount -t cifs //10.1.1.10/Test /root/testwin --verbose -o credentials=/root/testcreds,rw,nocase,noperm,noacl,nounix,noserverino,iocharset=utf8,file_mode=0777,dir_mode=0777
Yet, when I type mount all it reports is (rw,mand). The share works just fine, and I can see the masking (all files are showing as rwxrwxrwx as expected etc) but mount is not listing the options?!
Is this normal expected behavior? Is there a bug report on this? I've google'd to the best of my capabilities and could not locate any such information which is why I decided to hit the forums prior to filing a bug.
I just created an NFS server and shared a /123 directory. I can successfully mount this share using the mount command, but it can't be mounted using auto.master (autofs). How can I mount this share using autofs?
I have /var/ftp/pub on Computer A being exported via nfs. I'm running defaults, master map file is defined as auto.master in /etc/sysconfig/autofs. On Computer B, I can manually mount the nfs share with no problem. However, it doesn't seem to mount with autofs. I'm running Centos 5.5 on Computer B. I have the following configs
Setup clients on a LAN to automatically mount NFS shares whenever the fileserver is up, without using autofs. Instead a simple bash script which checks if the server is up, and if the shares need to be mounted or unmounted is called by a custom upstart job. For a small office or home network populated with Unix-like computers (e.g., a few Ubuntu desktops or laptops and a fileserver), NFS (Network File System) is a good way to share storage space and centralise the backup of important documents. However, having a fileserver running 24/7 is often overkill for such a setup.
One way to have clients mount NFS shares automatically when the fileserver is turned on, is to use a package called autofs. Unfortunately, there are a few unresolved issues with using autofs in combination with NFS. In my case, when autofs tries to mount NFS shares when the fileserver is turned off, the Gnome desktop, and Nautilus in particular, becomes extremely unresponsive, regardless of the options used. Attempting to mount the share manually from the command line when the server is down however, does return a message of failure quite promptly, without hanging the desktop.
To solve this issue, I wrote a simple bash script that is run through the upstart system. The script simply checks if the fileserver is up, if the shares need mounting or unmounting, and then sleeps for a while before checking again. This works out quite well, so I decided to share this information in case someone else runs into these issues.
Prerequisites
This howto assumes that you have an NFS server set up with shares exported, and one or more clients capable of mounting those shares. For more information on setting up NFS shares and mounting them on a client from the command line, see: SettingUpNFSHowTo.
Clients should be able to ping the server to determine if it is running. Naturally, you need administrator access on the clients to install the script and upstart job outlined below. This script assumes that the directory paths of the shares match the location where they are mounted. In my case, the fileserver has two shares: /media/Storage and /media/Backup. On the clients these shares are mounted on the same paths. If your setup deviates from this, the script needs some modification.
The script
From the desktop of one of the clients, paste the following bash script as a new file in your favourite text editor:
#!/bin/bash
# The hostname or IP-address of the fileserver:
FILESERVER="myfileserver.local"
# Check every X seconds (60 is a good default):
Now adjust the FILESERVER variable. In this example, my fileserver is called myfileserver. By default, Ubuntu sets up your networking environment in such a way, that computername.local can be used to reach that computer over the local network, so the network name for myfileserver is myfileserver.local. Of course, you can also use the IP-address of the server. Next, change the MOUNTS variable to match the NFS shares exported by your NFS server. MOUNTS is an array; multiple entries are separated by spaces. So if you have one share exported as /media/MyShare, that line would look like this:
MOUNTS=( "/media/MyShare" )
An advantage of mounting shares in /media, is that they automatically show up as mounted drives on the user's desktop. Note that this howto assumes that you use the same paths for the share on the server and client side! Save the script to your desktop with an obvious name. In this example we call it mount_my_nfs_shares. Open a terminal and cd to the desktop. Make the script executable by calling:
chmod +x mount_my_nfs_shares
Next, move it to a place where it can be called by our upstart job, but also from the console to test. A good place to put such custom executables is /usr/local/bin.
sudo mv mount_my_nfs_shares /usr/local/bin
This script uses the logger command to tell the system's log what it is doing. To test this script, open up two terminals; in one, execute the following so we can monitor the log messages:
tail -f /var/log/syslog
In the other, simply execute mount_my_nfs_shares. If the script works, your shares should show up on the desktop and the computer:// location in Nautilus. If the fileserver goes down or becomes unreachable, the shares should disappear, and reappear when the fileserver comes back on-line. If this works, move on to the next step.
Installing a custom upstart job
The next step is to have the clients automatically run the above script when they are booted. We can use upstart for this. Create a new text file, and enter the following:
# mount_my_nfs_shares - mount NFS shares on fileserver, if present
description "Mount NFS-shares"
start on (filesystem)
respawn
How the script works
The script enters an eternal loop and keeps checking if it can reach the fileserver once every minute (unless you adjust the INTERVAL variable). If it can reach (ping) the fileserver, it checks if the mounts are already mounted by searching for them (grepping) in the output of mount. If they are not mounted, it tries to mount them. Else, if the server is down, it looks in the output of mount to see if these mounts exist. If they do, it tries to unmount them with the -f flag (useful for unmounting unreachable NFS shares).
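The decision logic described above, as an added example that is not the howto author's script: it compares the mount-point field of /proc/mounts-format text exactly instead of grepping, so /media/Storage2 is never mistaken for /media/Storage. FILESERVER and INTERVAL follow the howto's names; is_mounted, decide_action, check_once and the --loop argument are hypothetical, and SAMPLE_MOUNTS is constructed.

```bash
#!/bin/sh
# Added example, not the howto author's script. Function names are hypothetical.

FILESERVER="myfileserver.local"   # name used in the howto
INTERVAL=60                       # seconds between checks

# Constructed sample in /proc/mounts format: device mountpoint fstype options 0 0
SAMPLE_MOUNTS='myfileserver.local:/media/Storage /media/Storage nfs rw,relatime 0 0
/dev/sdb1 /media/Storage2 ext4 rw,relatime 0 0
/dev/sda1 / ext4 rw,relatime 0 0'

# is_mounted MOUNTPOINT MOUNTS_TEXT
# Succeeds only if MOUNTPOINT is exactly the mount-point field of an NFS entry.
# Grepping for the path would also match /media/Storage2 or the device column.
is_mounted() {
    printf '%s\n' "$2" | awk -v t="$1" \
        '$2 == t && ($3 == "nfs" || $3 == "nfs4") { found = 1 } END { exit !found }'
}

# decide_action SERVER_UP(0|1) MOUNTPOINT MOUNTS_TEXT
# Prints the action for one share: mount, umount or none.
decide_action() {
    if [ "$1" -eq 1 ]; then
        if is_mounted "$2" "$3"; then echo none; else echo mount; fi
    else
        if is_mounted "$2" "$3"; then echo umount; else echo none; fi
    fi
}

# check_once MOUNTPOINT...
# One pass of the loop against the live system (needs root for mount/umount).
check_once() {
    up=0
    ping -c 1 -W 2 "$FILESERVER" >/dev/null 2>&1 && up=1
    mounts=$(cat /proc/mounts)
    for m in "$@"; do
        case "$(decide_action "$up" "$m" "$mounts")" in
            mount)  mount -t nfs "$FILESERVER:$m" "$m" && logger "mounted $m" ;;
            umount) umount -f "$m" && logger "unmounted $m" ;;
        esac
    done
}

# Run as: script --loop /media/Storage /media/Backup
if [ "${1:-}" = "--loop" ]; then
    shift
    while true; do
        check_once "$@"
        sleep "$INTERVAL"
    done
fi
```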
Hi Linux Forum People! This is my first post. Somehow I'm not able to mount directories from other machine using autofs. Autofs maps successfully loaded into NIS client, but autofs does not recognize them. Please see below. I'm running RHEL4
I have installed ubuntu 10.10 and the Samba addon to configure my shares to my Windows terminals. This is what I got
Firewall off (utf disabled)
Internal Sata /dev/sda1 (EXT4 FS)
External USB HDD /dev/sdb1 mounted at /media/SG1500GB (EXT4 FS)
I have two shares
1. //home/test - Which I can see and access with no problems (can't write to it though even though I set the share as writable?, but, I can read from it). This is available to everyone. My windows terminal can see this folder and access it. This is on my main 80GB internal drive /dev/sda1.
2. //media/SG1500GB/Music. I set this up for everyone full access and I can see it at all my Windows machines but, I can't get into the folder. Windows keeps giving me an error stating network path not found. I also try to access it via the Nautilus (Places/Network/system/music) and get an error message "unable to mount location, Failed to mount windows share". This drive is mounted per the disk utility.
I just made the upgrade to 10.04 over the weekend, and everything seems to be working fine, minus one nagging detail. I have a Mythbuntu setup - a frontend and a backend. In addition to recording television, I have a folder setup on my backend where I can dump movie files to watch on the frontend. The folder is shared in the /etc/fstab via a CIFS share. Within that folder is a symlink to where my torrent folder is located. The issue seems to be how my frontend handles symlinks within the shared folders. If I run "ls -la" in my base CIFS share folder, it lists the symlink folder and says it's owned by root, but if I try and change to that directory - either using "ls" or "cd" - it says Permission Denied. On the backend, I changed ownership of the symlink to the username the CIFS is using to login, but that had no effect. I'm not familiar with how to do any sort of configuration on CIFS, if that's where I'd even need to start.
I have a FreeNAS server running CIFS shares. I just tried out Deja Dup on my home directory and backed it up to my CIFS share. This is about 200gb worth or so, I believe. After it was done, I went to browse into the directory. I've restarted the CIFS service on the server, rebooted the server, and rebooted Ubuntu, I STILL cannot browse my directory. It says: Sorry, could not display all the contents of "jason": Invalid argument. Yet I can SSH into it and do an ls listing and see all of the .tar.gz packages that Deja Dup created. Likewise, I can browse to it just fine in Windows. What is Ubuntu doing that it doesn't like to see these files? It's a huge, huge pain in the rear... How can I fix it?
I have Ubuntu Karmic. I chose to install with an encrypted home directory. Recently I got a warning that I only had 2GB of drive space left. This is mostly because of my videos. So I went and bought a new hard drive and partitioned it and made 1 ext4 partition and copied my videos all to the new hard drive. I added a line in my fstab to mount the new hard drive to ~/videos, but when I reboot the computer, there is a screen saying something like "error mounting /home/me/videos, press S to skip or something else to reboot". If I press S to skip, then when my system comes up there is a video directory but it's empty because my other hard drive didn't get mounted. I can run sudo mount /dev/sdb video/ and it will mount fine and I can see all my videos, so why can't fstab mount it? Does this have something to do with my encrypted home directory?
I am not very security minded... I'm aware of it, and always made sure I had up-to-date overall protection in Windows but firewalls, and the blasted passwords are largely a thorn in my side! When I got my iPhone last year I suddenly discovered password managers & "wallets" to keep all that kind of information in and syncable across different devices. My life got so much easier. Of course now I need to figure out encryption keys, and how they work (I'm clueless). I also need to find a program or system that I can move my existing low-tech info (mainly user name & passwords) that will also accommodate the increased needs of Ubuntu security and still be sync-able. I started a little research weeks ago, but my current "wallet" only exports .csv so I quit since I'm going to have to do a lot of data entry whatever I go with. So here goes:
1) what is the difference (bare bones) between using an encryption key (e.k.) vs. a standard user created password? what situations are better suited for e.k.?
2) I have seahorse (default install with Ubuntu I guess) but the only thing in it is Login under passwords which leads to a login keyring (?) and a drop-down list of about 6-10 of the gazillion passwords I use daily. The other tabs are for keys which I don't have any concept of.
3) I know FF also "remembers" user id & passwords as you choose to have it do so. Is that information transferable into seahorse or another program?
4) I'm also (today) getting ready to really set up my system for user names & security across my little home network. How can I integrate that into whichever program/app I go with to store my pwds and keys?
5)give me links to fairly current documentation on this stuff?
6) Any program/app recommendations. Pros/cons uses, what they can & can't do or be used for, etc.
I have a Buffalo Drivestation (model HD-CELU2, 1tb) attached to my network. From my ubuntu desktop I can go to the menu, select "connect to server", put in the ip and share info, and it mounts perfectly. I can open the share and browse/read/write, but when I try to mount it from a terminal or within fstab, it will still mount, but I cannot see any files that are on the drive. I have about 12gb of data on it, but like I said when I mount it using "mount -t cifs 192.x.x.x/share blah blah blah" I do not see any of the files. If I do a df I can see that the drive has files on it based on the free space available, but if I do an ls nothing shows.
I have a network share mounted with cifs which does not work as expected. It should automount at boot and dismount at shutdown. It does not automount at boot, but "# mount -a" will mount it in the gui after booting finishes. This I can live with, but at shutdown or reboot, the cifs share hangs for about 30 seconds before dying. My /etc/fstab entry code...
I saw a bug report about the cifs umount issue, but can't find it at the moment. I did notice that it was a very old bug. If I remember to do "# umount /media/data-srv" before rebooting, all is fine, but I seem to constantly forget and then stew as the system hangs for an extra 30-45 seconds. I've tried several things to automate it including shutdown scripts added to /etc/init.d/ and elsewhere, but nothing seems to work. Anyone have this issue and find a work-around?