Chapter 5. Mounting an SMB Share
The Server Message Block (SMB) protocol implements an application-layer network protocol used to access resources on a server, such as file shares and shared printers.
In the context of SMB, you might also see references to the Common Internet File System (CIFS) protocol, which is a dialect of SMB. Both the SMB and CIFS protocols are supported, and the kernel module and utilities involved in mounting SMB and CIFS shares both use the name cifs.
The cifs-utils package provides utilities to:
- Mount SMB and CIFS shares
- Manage NT LAN Manager (NTLM) credentials in the kernel’s keyring
- Set and display Access Control Lists (ACL) in a security descriptor on SMB and CIFS shares
- Display session ID, encryption/decryption keys, SMB-specific file and quota information from a mounted SMB share
5.1. Supported SMB protocol versions
The Linux cifs.ko kernel module supports certain Server Message Block (SMB) protocol versions. There are some security considerations and feature differences among SMB1, SMB2, SMB3, and newer versions for optimal network file sharing.
The cifs.ko kernel module supports the following SMB protocol versions:
- SMB 1
  Warning: The SMB1 protocol is deprecated due to known security issues, and is only safe to use on a private network. The main reason that SMB1 is still provided as a supported option is that currently it is the only SMB protocol version that supports UNIX extensions. If you do not need to use UNIX extensions on SMB, use SMB2 or later.
- SMB 2.0
- SMB 2.1
- SMB 3.0
- SMB 3.1.1
Depending on the protocol version, not all SMB features are implemented.
5.2. UNIX extensions support
Samba uses the CAP_UNIX capability bit in the SMB protocol to provide the UNIX extensions feature. These extensions are also supported by the cifs.ko kernel module. However, both Samba and the kernel module support UNIX extensions only in the SMB 1 protocol.
Prerequisites
- The cifs-utils package is installed.
Procedure
- Set the server min protocol parameter in the [global] section in the /etc/samba/smb.conf file to NT1.
- Mount the share by using the SMB 1 protocol by providing the -o vers=1.0 option to the mount command. For example:
# mount -t cifs -o vers=1.0,username=<user_name> //<server_name>/<share_name> /mnt/
By default, the kernel module uses SMB 2 or the highest later protocol version supported by the server. Passing the -o vers=1.0 option to the mount command forces the kernel module to use the SMB 1 protocol, which is required for using UNIX extensions.
Verification
Display the options of the mounted share:
# mount
...
//<server_name>/<share_name> on /mnt type cifs (...,unix,...)
If the unix entry is displayed in the list of mount options, UNIX extensions are enabled.
5.3. Manually mounting an SMB share
You can access files on a remote SMB server temporarily by mounting the share manually with the mount utility.
Manually mounted shares are not mounted automatically again when you reboot the system. To configure Red Hat Enterprise Linux to mount the share automatically when the system boots, see Mounting an SMB share automatically when the system boots.
Prerequisites
- The cifs-utils package is installed.
Procedure
Use the mount utility with the -t cifs parameter to mount an SMB share:
# mount -t cifs -o username=<user_name> //<server_name>/<share_name> /mnt/
Password for <user_name>@//<server_name>/<share_name>: password
In the -o parameter, you can specify options that are used to mount the share. For details, see the OPTIONS section in the mount.cifs(8) man page and Frequently used SMB mount options. Below is an example for mounting a share by using an encrypted SMB 3.0 connection.
To mount the \\server\example\ share as the DOMAIN\Administrator user over an encrypted SMB 3.0 connection into the /mnt/ directory:
# mount -t cifs -o 'username=DOMAIN\Administrator,seal,vers=3.0' //server/example /mnt/
Password for DOMAIN\Administrator@//server_name/share_name: password
The option string is enclosed in single quotes so that the shell does not remove the backslash between the domain and the user name.
Verification
List the content of the mounted share:
# ls -l /mnt/
total 4
drwxr-xr-x. 2 root root 8748 Dec 4 16:27 test.txt
drwxr-xr-x. 17 root root 4096 Dec 4 07:43 Demo-Directory
5.4. Mounting an SMB share automatically when the system boots
If access to a mounted SMB share is permanently required on a server, mount the share automatically at boot time.
Prerequisites
- The cifs-utils package is installed.
Procedure
Add an entry for the share to the /etc/fstab file. For example:
//<server_name>/<share_name> /mnt cifs credentials=/root/smb.cred 0 0
Important: To enable the system to mount a share automatically, you must store the user name, password, and domain name in a credentials file. For details, see Creating a credentials file to authenticate to an SMB share.
In the fourth field of the row in the /etc/fstab file, specify mount options, such as the path to the credentials file. For details, see the OPTIONS section in the mount.cifs(8) man page and Frequently used SMB mount options.
Verification
Mount the share by specifying the mount point:
# mount /mnt/
5.5. Creating a credentials file to authenticate to an SMB share
In certain situations, such as when mounting a share automatically at boot time, a share should be mounted without entering the user name and password. To implement this, create a credentials file.
Prerequisites
- The cifs-utils package is installed.
Procedure
- Create a file, such as /root/smb.cred, and specify the user name, password, and domain name in that file:
username=user_name
password=password
domain=domain_name
- Set the permissions to only allow the owner to access the file:
# chown user_name /root/smb.cred
# chmod 600 /root/smb.cred
You can now pass the credentials=file_name mount option to the mount utility or use it in the /etc/fstab file to mount the share without being prompted for the user name and password.
5.6. Performing a multi-user SMB mount
The credentials used to mount a share define default access permissions. For example, if you mount a share by using the DOMAIN\example user, all actions on that share run as that user, no matter which local user performs them. However, in certain situations, the administrator wants to mount a share automatically when the system boots, but users should perform actions on the share’s content by using their own credentials. You can configure this scenario by using the multiuser mount option.
To use the multiuser mount option, you must additionally set the sec mount option to a security type that supports providing credentials in a non-interactive way, such as krb5 or the ntlmssp option with a credentials file.
The root user mounts the share by using the multiuser option and an account that has minimal access to the contents of the share. Regular users can then provide their user name and password to the current session’s kernel keyring by using the cifscreds utility. If the user accesses the content of the mounted share, the kernel uses the credentials from the kernel keyring instead of the one initially used to mount the share.
Using this feature consists of the following steps:
- Ensure the cifs-utils package is installed.
- Mount a share with the multiuser option.
- Optionally, verify if the share was successfully mounted with the multiuser option.
- Access the share as a user.
5.6.1. Mounting a share with the multiuser option
Before users can access the share with their own credentials, mount the share as the root user by using an account with limited permissions.
Procedure
- Create the entry for the share in the /etc/fstab file. For example:
//server_name/share_name /mnt cifs multiuser,sec=ntlmssp,credentials=/root/smb.cred 0 0
- Mount the share:
# mount /mnt/
If you do not want to mount the share automatically when the system boots, mount it manually by passing -o multiuser,sec=security_type to the mount command. For details about mounting an SMB share manually, see Manually mounting an SMB share.
5.6.2. Verifying if an SMB share is mounted with the multiuser option
To verify if a share is mounted with the multiuser option, display the mount options.
Procedure
Display the mount options:
# mount
...
//server_name/share_name on /mnt type cifs (sec=ntlmssp,multiuser,...)
If the multiuser entry is displayed in the list of mount options, the feature is enabled.
5.6.3. Accessing a share as a user
If an SMB share is mounted with the multiuser option, users can provide their credentials for the server to the kernel’s keyring:
# cifscreds add -u SMB_user_name server_name
Password: password
When the user performs operations in the directory that contains the mounted SMB share, the server applies the file system permissions for this user. It does not apply the permissions of the user who initially mounted the share.
Multiple users can perform operations by using their own credentials on the mounted share at the same time.
5.7. Frequently used SMB mount options
Explore frequently used SMB mount options, including configuration details for credential handling, permissions, encryption, security modes, and protocol versions, to optimize secure and efficient SMB share connections in Linux environments.
When you mount an SMB share, the mount options determine:
- How the connection will be established with the server. For example, which SMB protocol version is used when connecting to the server.
- How the share will be mounted into the local file system. For example, if the system overrides the remote file and directory permissions to provide access to multiple local users to the content on the server.
To set multiple options in the fourth field of the /etc/fstab file or in the -o parameter of a mount command, separate them with commas.
The following list gives frequently used mount options:
| Option | Description |
|---|---|
| credentials=file_name | Sets the path to the credentials file. |
| dir_mode=mode | Sets the directory mode if the server does not support CIFS UNIX extensions. |
| file_mode=mode | Sets the file mode if the server does not support CIFS UNIX extensions. |
| password=password | Sets the password used to authenticate to the SMB server. Alternatively, specify a credentials file by using the |
| seal | Enables encryption support for connections by using SMB 3.0 or a later protocol version. Therefore, use |
| sec=security_mode | Sets the security mode, such as If the server does not support the For security reasons, do not use the insecure |
| username=user_name | Sets the user name used to authenticate to the SMB server. Alternatively, specify a credentials file by using the |
| vers=SMB_protocol_version | Sets the SMB protocol version used for the communication with the server. |
For a complete list, see the OPTIONS section in the mount.cifs(8) man page on your system.
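As an added example (not part of the original documentation), the following POSIX shell function checks the cifs rows of an fstab-format file against points made in this chapter: SMB 1 forced with vers=1.0, a password= option stored inline instead of in a credentials file, a missing seal option, and a credentials file that is not restricted to its owner. The function names audit_cifs_fstab and demo_audit, and the sample entries, are constructed for illustration.

```sh
#!/bin/sh
# Added example, not from the original documentation: audit the cifs entries
# of an fstab-format file. Prints one finding per line: "<mount point>: <issue>".
audit_cifs_fstab() {
    while read -r dev mnt fstype opts freq_pass; do
        case $dev in ''|'#'*) continue ;; esac        # blank line or comment
        [ "$fstype" = cifs ] || continue
        cred='' sealed=no rest=$opts
        while [ -n "$rest" ]; do                      # walk comma-separated options
            opt=${rest%%,*}
            case $rest in *,*) rest=${rest#*,} ;; *) rest='' ;; esac
            case $opt in
                vers=1.0)      echo "$mnt: SMB1 forced with vers=1.0 (deprecated)" ;;
                password=*)    echo "$mnt: password stored inline, use credentials=" ;;
                credentials=*) cred=${opt#credentials=} ;;
                seal)          sealed=yes ;;
            esac
        done
        [ "$sealed" = yes ] || echo "$mnt: seal not set, encryption not requested"
        [ -n "$cred" ] || continue
        if [ ! -f "$cred" ]; then
            echo "$mnt: credentials file $cred is missing"
        elif [ "$(ls -ld "$cred" | cut -c5-10)" != '------' ]; then
            # Group or other permission bits are set: not the 600 mode from 5.5.
            echo "$mnt: credentials file $cred is accessible to group or others"
        fi
    done < "$1"
}

# Constructed sample input: two credentials files and four fstab rows.
demo_audit() {
    d=$(mktemp -d) || return 1
    printf 'username=user_name\npassword=password\n' > "$d/ok.cred"
    printf 'username=user_name\npassword=password\n' > "$d/open.cred"
    chmod 600 "$d/ok.cred"; chmod 644 "$d/open.cred"
    cat > "$d/fstab" <<EOF
# constructed sample entries
//server_name/share_a /mnt/a cifs credentials=$d/ok.cred,seal,vers=3.0 0 0
//server_name/share_b /mnt/b cifs vers=1.0,username=user_name,password=secret 0 0
//server_name/share_c /mnt/c cifs multiuser,sec=ntlmssp,credentials=$d/open.cred 0 0
/dev/sda1 /boot xfs defaults 0 0
EOF
    audit_cifs_fstab "$d/fstab"
    rm -rf "$d"
}

demo_audit
```

To audit a real host, call audit_cifs_fstab /etc/fstab as root so that credentials files under /root can be inspected.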