Solaris CIFS Administration Guide

Chapter 4 Solaris CIFS Client Administration (Tasks)

This chapter provides instructions on how to use the Solaris CIFS client to access CIFS shares from a CIFS server in a Windows environment.

This chapter covers the following topics:


Note –

CIFS is an enhanced version of the SMB protocol, which allows CIFS clients to access files and resources on CIFS servers. The terms SMB and CIFS can be considered interchangeable.


Up-to-date troubleshooting information is available from the OpenSolaris CIFS Server project page.

Managing CIFS Mounts in Your Local Environment (Task Map)

The following table points to the tasks that a regular user can perform to manage CIFS mounts.

Task 

Description 

For Instructions 

Find the shares that are available on a CIFS server in your domain. 

From a particular CIFS server, view the shares that you can mount on a directory that you own. 

How to Find Available CIFS Shares on a Known File Server

Mount a CIFS share on a directory that you own. 

Use the mount command to mount the share on a mount point that you own.

How to Mount a CIFS Share on a Directory You Own

View the list of CIFS shares that are mounted on the system. 

View the list of mounted CIFS shares. 

How to View the List of Mounted CIFS Shares

Unmount a CIFS share from a directory that you own. 

When you no longer need access to a CIFS share, you can unmount it. 

How to Unmount a CIFS Share From a Directory You Own

Store a persistent password to be used for authentication. 

When you store a persistent password, you can bypass the manual authentication required each time that you want to mount a share from the specified server. 

How to Store a CIFS Persistent Password

Use a PAM module to store a persistent password to be used for authentication. 

Use this optional functionality only in environments that do not run Active Directory or Kerberos, but which synchronize passwords between Solaris clients and their CIFS/SMB servers. 

How to Configure the PAM Module to Store a CIFS Persistent Password

Delete a persistent password. 

If you no longer want to store a persistent password, delete it. 

How to Delete a CIFS Persistent Password

Customize your environment by using a $HOME/.nsmbrc file.

You can customize your Solaris CIFS environment by specifying values for Solaris CIFS client properties. 

How to Customize Your Solaris CIFS Environment

ProcedureHow to Find Available CIFS Shares on a Known File Server

  1. Determine the server that you want to query about available shares.

    If you are not familiar with the CIFS file servers available in your domain, contact your system administrator. You might be able to use Network Neighborhood on Windows systems or the GNOME file browser to browse for available CIFS shares.

  2. List the available CIFS shares on a server.


    $ smbutil view [-A | -U user] //[domain;][user[:password]@]server
    

    //[domain;][user[:password]@]server is a resource name. user is the user name with which you connect to the CIFS server, server. You can optionally specify the domain name and the password of the user that you specified on the command line.

    The -A option enables you to view shares anonymously, and you are not prompted for a password. The -U user option indicates the user with which to authenticate on the specified server.

  3. When prompted, enter the password for the user that you specified on the CIFS server.

    If you specified the -A option to view shares anonymously, you are not prompted for a password.

    If you did not specify a user, enter the password associated with your user name.

  4. View the list of available CIFS shares.

    The smbutil view output shows the name of the share, its type, and an optional text description of the share.

    Most shares have a type of disk because the shares are files and directories. The other share types are as follows:

    • IPC Represents an interprocess communication (IPC) device, such as a pipe or a mailslot

    • printer Represents a printer queue

    • device Represents a communications device

    For example, the following command shows how to view the shares on the solarsystem server:


    $ smbutil view //cal@solarsystem
    Password:
    Share        Type       Comment
    -------------------------------
    netlogon     disk       Network Logon Service
    ipc$         IPC        IPC Service (Samba Server)
    tmp          disk       Temporary file space
    public       disk       Public Stuff
    ethereal     disk
    root         disk       Home Directories
    
    6 shares listed from 6 available

    Note –

    The Solaris CIFS client does not support device shares.


    The following command enables you to anonymously view the shares on the solarsystem server:


    $ smbutil view -A //solarsystem
    

ProcedureHow to Mount a CIFS Share on a Directory You Own


Note –

If you own the directory on which you want to mount a share, you can perform the mount operation yourself. If you do not own the directory, you must perform the mount operation as the owner of the directory or as superuser.


  1. Verify that the network/smb/client service is enabled.


    $ svcs network/smb/client
    STATE          STIME    FMRI
    online         19:24:36 svc:/network/smb/client:default

    This service is enabled by default, so the usual state for the service is online. To enable the service, type the following command:


    $ svcadm enable network/smb/client
    
  2. Find the share that you want to mount from a server.


    $ smbutil view //server
    
  3. Enter your password at the prompt.

  4. Perform the mount on your directory.


    $ mount -F smbfs //[workgroup;][user[:password]@]server/share mount-point
    

    For example, to mount the /tmp share from the solarsystem server on the /mnt mount point, type:


    $ mount -F smbfs //solarsystem/tmp /mnt
    

ProcedureHow to View the List of Mounted CIFS Shares

This procedure shows how to list all of the CIFS shares that are mounted on your system. The resulting list includes your mounts, other users' mounts, and multiuser mounts created by the system administrator.

  1. List all CIFS mounts.

    Use one of the following commands to list the mounted CIFS shares:

    • Use the mount command.


      $ mount -v | grep 'type smbfs'
      //root@solarsystem/tmp on /mnt type smbfs read/write/setuid/devices/dev=5080000
        on Tue Feb 12 11:40:18 2008
      //root@solarsystem/files on /files type smbfs read/write/setuid/devices/dev=4800000
        on Mon Feb 11 22:17:56 2008

      Note that the mount command includes information about the mount options specified at mount time.

    • Use the df -k -F smbfs command.


      $ df -k -F smbfs
      //root@solarsystem/tmp      1871312   70864 1800448     4%    /mnt
      //root@solarsystem/files    8067749    8017 7979055     1%    /files

ProcedureHow to Unmount a CIFS Share From a Directory You Own

To successfully unmount a share, you must own the mount point on which the share is mounted.

  1. Determine the mount point of the share that you want to unmount.

    Use one of the following commands to find shares that are mounted from a CIFS server:

    • Use the mount command.


      $ mount -v | grep 'type smbfs'
      //root@solarsystem/tmp on /mnt type smbfs read/write/setuid/devices/dev=5080000
        on Tue Feb 12 11:40:18 2008
      //root@solarsystem/files on /files type smbfs read/write/setuid/devices/dev=4800000
        on Mon Feb 11 22:17:56 2008
    • Use the df -k -F smbfs command.


      $ df -k -F smbfs
      //root@solarsystem/tmp      1871312   70864 1800448     4%    /mnt
      //root@solarsystem/files    8067749    8017 7979055     1%    /files
  2. Unmount the share by specifying the name of the mount point, /mnt or /files in the previous step.

    For example:


    $ umount /mnt
    

ProcedureHow to Store a CIFS Persistent Password

Interactions with a CIFS file server require authentication. For instance, when you view the shares available on a server or you try to mount a share on your system, the transaction is authenticated.


Note –

A persistent password is not needed when Kerberos is configured on the client and server and you have a Kerberos ticket-granting ticket (TGT). In such configurations, you can view and mount shares without specifying a password.


You can supply the password each time that you make a connection to the server, or you can store a persistent password to be automatically used for these transactions.


Note –

You can store a persistent password for each user on the CIFS server that you use to access shares.


The password you store persists until any of the following occur:

  1. Store the persistent password for the CIFS server.


    $ smbutil login user
    Password:

    The following command stores the persistent password for terry@solarsystem. Each time Terry performs a transaction with solarsystem, the persistent password is used to perform the authentication.


    $ smbutil login terry@solarsystem
    Password:

ProcedureHow to Configure the PAM Module to Store a CIFS Persistent Password

When installed, the pam_smbfs_login.so.1 module enables you to store a persistent password the same as if you had run the smbutil login command for PAM_USER in the user's or system's default domain.

This optional functionality is meant to be used only in environments that do not run Active Directory or Kerberos, but which synchronize passwords between Solaris clients and their CIFS/SMB servers.

For more information, see the pam_smbfs_login(5) man page.

  1. Use your login name and password to store a persistent password.

    Add the following line to the /etc/pam.conf file after the other login entries:


    login   auth optional           pam_smbfs_login.so.1

    This action adds a persistent password entry as if you had run the smbutil login command.


    Note –

    The PAM module implements a privilege to permit it to run as superuser to store your password.


  2. Verify that your persistent password is stored.


    $ smbutil login -c user
    

Example 4–1 Configuring the PAM Module to Store a Persistent Password

The following example shows how the domain is chosen. The system default is WORKGROUP. The WORKGROUP domain is overridden by any default from SMF, and finally by any default from the user's .nsmbrc file.

This example shows a default domain in SMF and for user terry:


# sharectl set -p section=default -p domain=AAA smbfs
# sharectl get smbfs
[default]
domain=AAA

A root login uses the domain from SMF:


# smbutil login -c terry
Keychain entry exists for AAA/terry.

A login as terry uses the domain from the ~terry/.nsmbrc file:


$ ls /.nsmbrc
/.nsmbrc: No such file or directory

$ cat ~/.nsmbrc
[default]
domain=MYDOMAIN
$ ls -l ~/.nsmbrc
-rw-r--r--   1 terry  staff         26 Feb 13 10:15 /home/terry/.nsmbrc
$ smbutil login terry
Keychain entry exists for MYDOMAIN/terry.

If Terry puts a password in ~terry/.nsmbrc, he must remove read permission. Also, because Terry's home directory is on an NFS server, the PAM module running as root cannot access Terry's file, so Terry would see the following and use the SMF domain instead:


$ chmod 400 .nsmbrc
$ logout

solarsystem console login: terry
Password:
Can't open /home/terry/.nsmbrc: Permission denied
$ su
Password:
# smbutil login -c terry
Keychain entry exists for AAA/terry.

ProcedureHow to Delete a CIFS Persistent Password

Use this procedure to delete persistent passwords that are stored by the smbutil login command.

If you want to delete all persistent passwords, see How to Delete All CIFS Persistent Passwords.

  1. Delete a persistent password for the specified server by doing one of the following:

    • To delete the persistent password for a specified user, type:


      $ smbutil logout user@server
      

      For example, the following command removes the persistent password for terry@solarsystem:


      $ smbutil logout terry@solarsystem
      

      After the password is deleted, Terry is prompted for his password each time that he performs a transaction with solarsystem.

    • To delete the password for the user running the smbutil logout command, type:


      $ smbutil logout server
      

      For example, when user dana runs the following command, he removes his persistent password for solarsystem:


      $ smbutil logout solarsystem
      

      After the password is deleted, Dana is prompted for his password each time that he performs a transaction with solarsystem.

ProcedureHow to Customize Your Solaris CIFS Environment

You can customize your Solaris CIFS environment by creating a .nsmbrc configuration file in your home directory. For more information about the .nsmbrc file format, see the nsmbrc(4) man page.

  1. Create a file called .nsmbrc file in your home directory.

  2. Edit the .nsmbrc file to specify values for Solaris CIFS client properties.

    This example shows how user terry can configure the example.com environment by placing this .nsmbrc configuration file in his home directory.

    The default section describes the default domain, which is called SALES, and sets a default user of MYUSER. These default settings are inherited by other sections unless property values are overridden.

    FSERVER is a server section that defines a server called fserv.example.com. It is part of the SALES domain.

    RSERVER is a server section that defines a server called rserv.example.com that belongs to a new domain called REMGROUP.

    # Configuration file for example.com
    # Specify the Windows account name to use everywhere.
    [default]
    domain=SALES
    user=MYUSER
    
    # The 'FSERVER' is server in our domain.
    [FSERVER]
    addr=fserv.example.com
    
    # The 'RSERVER' is a server in another domain.
    [RSERVER]
    domain=REMGROUP
    addr=rserv.example.com

Managing CIFS Mounts in the Global Environment (Task Map)

The following table points to the tasks that superuser can perform to manage CIFS mounts.

Task 

Description 

For Instructions 

Mount a share on a public mount point, such as one in the root file system, so that many users can access the share. 

Some shares include files and directories that many people on a system might want to access, such as a global set of files or programs. In such cases, instead of each user mounting the share in his own directory, the system administrator can mount the share in a public place so that all users can access the share from the same location. 

How to Mount a Multiuser CIFS Share

Customize the global environment by using the sharectl command to set Solaris CIFS properties.

User-specified properties override global properties with the exception of security settings. 

How to Customize the Global Solaris CIFS Environment

View the global Solaris CIFS property settings by using the sharectl command.

If one property is set with different values in each section, all values are shown. 

How to View the Global Solaris CIFS Environment Property Settings

Add a CIFS share to an automounter map. 

Use this procedure if you want a CIFS share to be automatically mounted at boot time. 

How to Add an Automounter Entry for a CIFS Share

Delete all persistent passwords. 

Use this procedure if you want to clear all persistent passwords. 

How to Delete All CIFS Persistent Passwords

ProcedureHow to Mount a Multiuser CIFS Share

If you want to make a share available to one or more users on a system, you can mount the share on a mount point anywhere on the system. When you mount a share as superuser, you do not need to own the mount point.

  1. Become superuser or assume an equivalent role.

    Roles contain authorizations and privileged commands. For more information about roles, see Configuring RBAC (Task Map) in System Administration Guide: Security Services. To configure a role with the Primary Administrator profile, see Chapter 2, Working With the Solaris Management Console (Tasks), in System Administration Guide: Basic Administration.

  2. Verify that the network/smb/client service is enabled.


    # svcs network/smb/client
    STATE          STIME    FMRI
    online         19:24:36 svc:/network/smb/client:default

    This service is enabled by default, so the usual state for the service is online. To enable the service, type the following command:


    # svcadm enable network/smb/client
    
  3. Find the share that you want to mount from a server.


    # smbutil view //server
    
  4. Specify the password at the prompt.

  5. Determine the mount point that you want to use.

    For example, you decide to mount shares on the /sales-tools mount point.

  6. Perform the mount.


    # mount -F smbfs //[workgroup;][user[:password]@]server/share mount-point
    

    For example, to mount the /tmp share from the solarsystem server on the /sales-tools mount point, type:


    # mount -F smbfs //solarsystem/tmp /sales-tools
    

ProcedureHow to Customize the Global Solaris CIFS Environment

You can customize the global Solaris CIFS environment by using the sharectl(1M) command. With the exception of the minauth property, globally set properties can be overridden by a value set in user's .nsmbrc file. The most secure value of the minauth property takes precedence over a less secure value set by the user or set in the global environment.

  1. Become superuser, assume an equivalent role, or use the “SMBFS Management” RBAC profile, which is part of the “File System Management” profile.

    Roles contain authorizations and privileged commands. For more information about roles, see Configuring RBAC (Task Map) in System Administration Guide: Security Services. To configure a role with the Primary Administrator profile, see Chapter 2, Working With the Solaris Management Console (Tasks), in System Administration Guide: Basic Administration.

  2. Determine which properties you want to set.

    For a description of the properties, see the nsmbrc(4) man page.

  3. Set a property value for the global Solaris CIFS environment.


    # sharectl set [-h] [-p property=value] … smbfs
    

    For example, to specify a default workgroup name of SALES for the default section, type:


    # sharectl set -p section=default -p workgroup=SALES smbfs
    

ProcedureHow to View the Global Solaris CIFS Environment Property Settings

You can view the global Solaris CIFS environment property settings by using the sharectl(1M) command.

If you set a value for the same property in more than one section, the sharectl get output includes the section name, property name, and value.

  1. Determine which properties you want to view.

    For a description of the properties, see the nsmbrc(4) man page.

    • To view the value for a specific property, type:


      $ sharectl get [-p property] … smbfs
      

      For example, to view the values for the timeout property, type:


      $ sharectl get -p timeout smbfs
      [SALES] timeout=5
      [default] timeout=10
    • To view all of the property settings, type:


      $ sharectl get smbfs
      [SALES]
      password=$$178465324253e0c07
      timeout=5
      
      [default]
      timeout=10

ProcedureHow to Add an Automounter Entry for a CIFS Share

You can add a CIFS share to an automount map, such as the /etc/auto_direct file, so that the share will be automatically mounted when a user accesses the mount point. You cannot add these automount entries to the /etc/auto_master file.

To successfully use the automount feature, you must store a persistent password for authentication to mount the share. See How to Store a CIFS Persistent Password.


Caution – Caution –

When a user mounts a remote CIFS share by using smbfs, all accesses through that mount, even by other users, are as the user who established the mount.

For shares that will only be used by the owner, you should restrict access to the share by using the dirperms mount option to ensure that only the owner can access the share.


  1. Become superuser or assume an equivalent role.

    Roles contain authorizations and privileged commands. For more information about roles, see Configuring RBAC (Task Map) in System Administration Guide: Security Services. To configure a role with the Primary Administrator profile, see Chapter 2, Working With the Solaris Management Console (Tasks), in System Administration Guide: Basic Administration.

  2. Edit the /etc/auto_master file to refer to the automount map.

    For example, to add automount entries to the /etc/auto_direct file, add the following line to the /etc/auto_master file:

    /-	auto_direct
  3. Edit the automount map to add the mapping.

    The following examples show the changes to the automount map, in this example the /etc/auto_direct file, to configure automount maps.

    • To configure a private automount (a share that will only be accessed by the owner) of the //solarsystem/test share on the /sam-test mount point, create the following entry in the /etc/auto_direct file:

      /sam-test -fstype=smbfs,dirperms=0700,uid=sam //solarsystem/test

      The dirperms=0700 mount option ensures that only the owner can access the share. The uid=sam mount option ensures that the share root and everything in the share is owned by user sam.

    • To configure a public automount of the //solarsystem/public share on the /PUBLIC mount point, create the following entry in the /etc/auto_direct file:

      /PUBLIC -fstype=smbfs //solarsystem/public

      The dirperms=0555 mount option ensures that everyone has read and execute access to the share.

    • To configure a public automount of a share and to specify the password to be used for authentication, create the following entry in the /etc/auto_direct file:

      /PUBLIC -fstype=smbfs //guest:guest@solarsystem/public

      This entry specifies that all access to the //solarsystem/public share is done as the user guest and uses the specified password, which in this example is guest. The dirperms=0777 mount option ensures that everyone has read, write, and execute access to the share.

    • To configure a public automount of a share that can be accessed anonymously, which does not require a password, specify the noprompt option:

      /PUBLIC -noprompt,fstype=smbfs //solarsystem/public

      The noprompt mount option suppresses the prompting for a password when mounting the share. The dirperms=0555 mount option ensures that everyone has read and execute access to the share.

  4. Run the automount command to read the /etc/auto_master file.


    # automount
    
  5. Access the automounted share.

    The share is automounted when a user accesses the mounted share, such as by using the ls or cd command.


    $ ls /PUBLIC
    bin docs

    After the CIFS share is mounted, a user can use regular Solaris commands to access the files. Automounted shares are automatically unmounted after a period of inactivity.

ProcedureHow to Delete All CIFS Persistent Passwords

Use this procedure to delete all of the persistent passwords that are used to authenticate CIFS transactions.

If you only want to delete the persistent passwords for a particular user, see How to Delete a CIFS Persistent Password.

  1. Become superuser or assume an equivalent role.

    Roles contain authorizations and privileged commands. For more information about roles, see Configuring RBAC (Task Map) in System Administration Guide: Security Services. To configure a role with the Primary Administrator profile, see Chapter 2, Working With the Solaris Management Console (Tasks), in System Administration Guide: Basic Administration.

  2. Delete all of the persistent passwords.


    # smbutil logoutall
    

    After the persistent passwords are deleted, each time a user performs a transaction with a CIFS server, he is prompted for his password.