Ldap – Password prompt when accessing samba share through autofs

autofs, ldap, samba

We have a file server on Ubuntu Server 16.04 using Samba which uses an external LDAP server for authentication. Additionally, the LDAP server has an automount definition for the file server's Samba shares (with automountInformation: -fstype=cifs,rw,username=& ://fileserver/share/&) and tested working.

On our web server, we are automatically mounting the above mentioned shares. The problem is that when users cd into their shared home they will get a "Please enter password with the systemd-tty-ask-password-agent tool!" over wall.

I've looked up that error message, and it seems that the "solution" is that users need to enter their password in another terminal session, which is not acceptable in our situation. After experimenting a bit with a colleague, and some reading around, we've found that restarting the autofs service twice will bring the password prompt to the current console. However, that is further unacceptable because autofs needs to be restarted twice (did I mention that requires sudo access?) for every password prompt (for every user).

Apologies for the long introduction. My question is, in our current setup is there any way we can have the systemd-tty-ask-password-agent tool prompt the users for their password on the same terminal session?

Best Answer

I found the solution/mistake, leaving it here in case somebody else finds themselves in this situation. As it turns out, the mistake resided in the mount command. The correct command should be automountInformation: -fstype=cifs,rw,username=<some-user>,password=<some-password>,uid=&,gid=<some-groupname> ://fileserver/share/&.

What happens is that when using autofs from LDAP, if you do not provide login credentials for the samba shares it will pass that request to your client, which will only be able to answer as root, which is why systemd-tty-ask-password-agent --query fails for regular users.

My full solution ended up being to create a dedicated user for samba login with membership in some-groupname. When an LDAP user tries to cd into a share on the client, their uid gets supplied and the requested directory gets automounted, with their unix permissions applied.

In other words, the username and password parameters are used for samba authentication, whereas the uid and gid are used for authorization.
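The two automountInformation values from the question and the answer, worked through as an added example that is not part of the original question or answer: a small Python parser that applies the `&` key substitution autofs performs on sun-format map entries, splits the leading option token from the location, and reports whether a CIFS entry would still have to ask for a password interactively (the condition that sent the prompt through systemd-tty-ask-password-agent). The map key alice, the service account svc, the group staff, the password and the mountpoint /home/alice are constructed sample values, not values from the page.

```python
"""Parse autofs (sun-format) automountInformation values and check whether a
CIFS entry carries credentials. Added example; not code from the original post."""
from typing import Dict, List, Union

Opts = Dict[str, Union[str, bool]]


def parse_entry(info: str, key: str) -> dict:
    """Parse one automountInformation value for a given map key.

    autofs replaces every '&' with the key, treats a leading '-a,b=c,...' token
    as mount options, and takes the remaining token as the location. A leading
    ':' marks a host-less location, so ':' + '//server/share' becomes the UNC
    path that mount.cifs expects.
    """
    tokens = info.replace("&", key).split()
    if not tokens:
        raise ValueError("empty automount entry")
    options: Opts = {}
    if tokens[0].startswith("-"):
        for opt in tokens.pop(0)[1:].split(","):
            if not opt:
                continue
            name, sep, value = opt.partition("=")
            options[name] = value if sep else True  # bare flags such as 'rw'
    if len(tokens) != 1:
        raise ValueError(f"expected exactly one location, got {tokens!r}")
    location = tokens[0]
    if location.startswith(":"):
        location = location[1:]
    return {"options": options, "location": location}


def needs_password_prompt(options: Opts) -> bool:
    """True when a CIFS mount has no way to authenticate non-interactively:
    no password=, no credentials= file and no guest flag. With autofs driving
    the mount, that prompt is what systemd-tty-ask-password-agent relays."""
    if options.get("fstype") != "cifs":
        return False
    return not any(k in options for k in ("password", "credentials", "guest"))


def mount_argv(entry: dict, mountpoint: str) -> List[str]:
    """Render the mount(8) command line autofs would run for a parsed entry."""
    opts = entry["options"]
    fstype = str(opts.get("fstype", "auto"))
    rendered = ",".join(
        k if v is True else f"{k}={v}" for k, v in opts.items() if k != "fstype"
    )
    return ["mount", "-t", fstype, "-o", rendered, entry["location"], mountpoint]


# Constructed sample entries mirroring the question (no password) and the
# answer (service credentials for authentication, uid/gid for authorization).
FAILING_ENTRY = "-fstype=cifs,rw,username=& ://fileserver/share/&"
WORKING_ENTRY = (
    "-fstype=cifs,rw,username=svc,password=example-secret,uid=&,gid=staff "
    "://fileserver/share/&"
)

if __name__ == "__main__":
    for label, raw in (("question", FAILING_ENTRY), ("answer", WORKING_ENTRY)):
        entry = parse_entry(raw, "alice")
        print(label, "->", " ".join(mount_argv(entry, "/home/alice")))
        print("   interactive password needed:", needs_password_prompt(entry["options"]))
```

Running it shows the question's entry expanding username=& to the logged-in user with no password, which is exactly the mount that blocks on a prompt, while the answer's entry authenticates as the service account and only uses the key for uid=. mount.cifs also accepts a credentials=<file> option pointing at a root-readable file; that keeps the service password out of an LDAP attribute that every bound client can read, which is the check a practitioner would want to make before copying the answer's password= form into a directory.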