Mounting CIFS shares

Common Internet File Systems (CIFS) provides an open and cross-platform protocol for requesting remote network server files and services. When a CIFS share is mounted on a Centrify Linux system, file ownership is listed incorrectly.

To correct this, apply the CentrifyDC-cifsidmap plug-in. The CentrifyDC-cifsidmap plug-in enables mapping AD User/Group Security IDs (SIDs) to User/Group IDs (UIDs/GIDs) configured in a zone and from UIDs/GIDs to AD User/Group SIDs correctly. This, in turn, allows the CIFS Client integration with Centrify DirectControl.

Use cases

Mapping UIDs to SIDs is not always required when mounting CIFS shares. But it is needed when working with the files on the shares. For example, when modifying Access Control Links (ACLs). In version 5.8 and older, the cifs-utils package uses the winbind daemon for this mapping. Through winbind, the /usr/sbin/cifs.idmap binary was linked against libraries.

The /usr/sbin/cifs.idmap binary works in conjunction with the Samba winbind facility to map owner and group SIDs to UIDs and GIDs respectively.

With version 5.9 the winbind facility does not perform this mapping. Use the CentrifyDC-cifsidmap plug-in to ensure that:

  • cifs-idmap translates the ownership on the SMB share correctly.
  • the kernel determines who has rights to the CIFS share mount directories and files correctly.
  • AD User/Group SIDs are mapped correctly and all the IDs are consistent and correct.

For example:

To see the incorrect file ownership: mount your CIFS share and display the ownership of the files in the mounted share.

  1. Mount the share. This command requires root privileges.

    Syntax:

    sudo mount -t cifs domain_ip/path /local/path/ -o username=your_user_name, file_privilege, 
    password=your_password, domain=domain_name, cifsacl

    Example:

    sudo mount -t cifs //192.168.0.100/cifsshare /tmp/mntshare1/ -o username=cifsdemouser1,rw,
    password=My1Pass,domain=example.com,cifsacl

    The cifs type (-t cifs) requires the cifsacl option. See man mount.cifs for command usage.

  2. List all the files on the mounted file system.

    If the CIFS share is owned by root, then you need to use sudo to view the files on the mounted directory, because the files you are verifying can only be seen with root privileges.

    sudo ls -al /mntshare1

    ... ... root root ... cifsdemouser1.txt
    ... root root ... cifsdemouser2.txt
    ... root root ... cifsdemouser3.txt

    If the AD user names are not listed, and only root is listed at the owner of the files, then you need to install the CentrifyDC-cifsidmap plug-in. Complete the steps in the following sections.

CentrifyDC-cifsidmap plug-in requirements

The Centrify CIFS idmap plug-in is available only for supported systems. The cifs.idmap-plugin requires:

Operating system versions:

  • RedHat 7 or above
  • Debian 8 or above
  • SUSE 12 or above

cifs-utils version:

  • cifs-util 5.9 or above

Prepare to install CentrifyDC-cifsidmap plug-in

Prior to installing the CentrifyDC-cifsidmap plug-in, install and configure the following:

  • Install the cifs-utils

    The cifs-utils are a package of tools used on CIFS filesystems. See your CIFS documentation.

  • Install CentrifyDC

    See the Planning and Deployment Guide.

  • Join the machine to AD

    See the Planning and Deployment Guide.

Install the CentrifyDC-cifsidmap package

  1. Verify cifs-utils package is installed. Install it, if it is not already installed. For example:

    It is possible to manually configure your system without cifs-utils, but the program /usr/sbin/cifs.idmap, is still required for the Centrify CIFS idmap plug-in to work.

    • SUSE or RedHat

      yum install cifs-utils
    • Debian

      apt-get install cifs-utils
  2. Download the CentrifyDC-cifsidmap package and change to the download directory.

    The package contains the cifs-idmap-plugin.

    Example download package names

    • SUSE or RedHat

      CentrifyDC-cifsidmap-5.5.1-rhel5.x86_64.rpm 
    • Debian

      CentrifyDC-cifsidmap-5.5.1-deb8-x86_64.deb

    Example download directory

    # cd /home/user1/Download/
  3. Run the appropriate package install command from the download directory.

    • SUSE or RedHat

      # sudo rpm -i CentrifyDC-cifsidmap-5.5.1-rhel5.x86_64.rpm
    • Debian

      # sudo dpkg -i CentrifyDC-cifsidmap-5.5.1-deb8-x86_64.deb
  4. Verify the CentrifyDC-cifsidmap package is installed correctly. Check the libcifsidmap.so location.

    • SUSE or RedHat

      # ls /usr/share/centrifydc/lib64/plugins/cifs/libcifsidmap.so -al
      ... /usr/share/centrifydc/lib64/plugins/cifs/libcifsidmap.so
    • Debian

      # ls /usr/share/centrifydc/lib/plugins/cifs/libcifsidmap.so -al
      ... /usr/share/centrifydc/lib/plugins/cifs/libcifsidmap.so

Configure cifs-utils for CentrifyDC-cifsidmap plug-in

On Linux, the command, alternatives, is a tool for managing different software packages that provide the same functionality. The alternatives command, on different systems has different names and locations. For additional information on alternatives use, see your Linux documentation.

  • RedHat

    /usr/sbin/alternatives
  • SUSE and Debian

    /usr/sbin/update-alternatives

To configure the cifs-utils

  1. Check the status of /etc/cifs-utils/idmap-plugin and note the priority level.

    For example on RedHat:

    # pwd
    /etc/cifs-utils
    
    
    # ls -al
    ... idmap-plugin -- /etc/alternatives/cifs-idmap-plugin
    
    
    # alternatives --display cifs-idmap-plugin
    ... 
    /usr/lib64/cifs-utils/cifs_idmap_sss.so - priority 20
    ...
    Current 'best' version is /usr/lib64/cifs-utils/cifs_idmap_sss.so.

    In this example the cifs_idmap_sss.so plugin object has the highest priority and that priority is set to 20.

  2. Configure cifs-utils to use the CentrifyDC-cifsidmap plug-in, cifs-idmap-plugin.

    Run the commands appropriate for your OS.

    Include a priority that is higher than the priority listed in Step 1. For example, the priority in Step 1 is 20, set this cifs-idmap-plugin priority to 21 or higher.

    • RedHat

      alternatives --install /etc/cifs-utils/idmap-plugin cifs-idmap-plugin 
      /usr/share/centrifydc/lib64/plugins/cifs/libcifsidmap.so <priority>
      alternatives --set cifs-idmap-plugin 
      /usr/share/centrifydc/lib64/plugins/cifs/libcifsidmap.so
    • SUSE or Debian

      update-alternatives --install /etc/cifs-utils/idmap-plugin cifs-idmap-plugin 
      /usr/share/centrifydc/lib64/plugins/cifs/libcifsidmap.so <priority>
      update-alternatives --set cifs-idmap-plugin 
      /usr/share/centrifydc/lib64/plugins/cifs/libcifsidmap.so
  3. Verify the CentrifyDC-cifsidmap plug-in is configured correctly. Run the appropriate alternatives display option.

    • RedHat

      alternatives --display cifs-idmap-plugin
    • SUSE or Debian

      update-alternatives --display cifs-idmap-plugin
  4. Verify the cifs-idmap-plugin location and priority. Review the alternative command response.

    The cifs-idmap-plugin priority needs to be higher than other listed idmaps. The Current 'best' version needs to point to the cifs-idmap-plugin location.

    For example on RedHat:

    # alternatives --display cifs-idmap-plugin

    ...
    /usr/share/centrifydc/lib64/plugins/cifs/libcifsidmap.so - priority 21
    Current 'best' version is /usr/share/centrifydc/lib64/plugins/cifs/libcifsidmap.so.

Mount the CIFS share and confirm file ownership

Only mount CIFS shares as root user or use sudo.

  1. Verify the receiving mount directory. Create a directory to receive the mount files, if you do not have one. For example:

    cd /tmp
    mkdir mntshare1
    ls -al /mntshare1
  2. Optionally, verify that the user(s), you are expecting to be owners of CIFS shared files, are valid AD users. For example:

    adquery user cifsdemouser1
    cifsdemouser1:x:1019226236:1019226232:cifsdemouser1:home/cifsdemouser1:/bin/bash
  3. If you previously mounted the CIFS share, and found that file ownership was incorrect, unmount it now. For example:

    sudo unmount /tmp/mntshare1/
  4. Mount the share. This command requires root privileges.

    Syntax:

    sudo mount -t cifs domain_ip/path /local/path/ -o username=your_user_name, file_privilege, 
    password=your_password, domain=domain_name, cifsacl

    Example:

    sudo mount -t cifs //192.168.0.100/cifsshare /tmp/mntshare1/ -o username=cifsdemouser1,rw,
    password=My1Pass,domain=example.com,cifsacl

    The cifs type (-t cifs) requires the cifsacl option. See man mount.cifs for command usage.

  5. List all the files on the mounted file system.

    If the CIFS share is owned by root, then you need to use sudo to view the files on the mounted directory, because the files you are verifying can only be seen with root privileges.

    sudo ls -al /tmp/mntshare1

    ...
    ... cifsdemouser1 root ... cifsdemouser1.txt
    ... cifsdemouser2 root ... cifsdemouser2.txt
    ... cifsdemouser3 root ... cifsdemouser3.txt

    Notice the AD users are listed as owners of the CIFS share files. This completes the task.