Chapter 10.  File Access

Table of Contents

10.1. Accessing Windows File Servers
10.1.1. Introduction
10.1.2. Requirements
10.1.3. Mounting and Unmounting Shares
10.2. Restricting write access to users home directory
10.2.1. Introduction
10.2.2. Activation
10.2.3. Configuration
10.2.4. Security Considerations and Limitations

10.1.  Accessing Windows File Servers

10.1.1.  Introduction

This chapter describes how to set up a ThinLinc server to access Windows file servers via the SMB/CIFS protocol. CIFS is a modern version of SMB. In this document, we use the term CIFS, but the procedure described in this documentation works for SMB servers as well.

CIFS is different from NFS in that CIFS mounts are per user, not per system. For example, with NFS, it's possible to mount all network file systems when the server boots. One NFS mount can be used by all users on the system. With CIFS, each user must have their own mounts. Also, when mounting a CIFS file system, the password of the user is usually required.

ThinLinc and many other Linux applications require that hard links be supported in the user's home directory. There are often other POSIX file system semantic requirements as well. This means that users' home directories cannot be a mounted CIFS filesystem. The Linux CIFS client (smbfs) does not support all POSIX file operations, such as hard links. The newer CIFS client (cifsfs) supports the CIFS UNIX extensions, but few CIFS servers support this and this feature has not been tested with ThinLinc.

ThinLinc includes two utility programs for dealing with CIFS mounts: tl-mount-cifs and tl-umount-all-cifs. These are described below.

The method described in this chapter mounts all CIFS shares below the directory ~/winshares. The user's CIFS home directory, if any, is mounted at ~/winshares/home.

10.1.2.  Requirements

10.1.2.1.  CIFS Server Requirements

This document assumes that you are using a Windows file server. However, you should be able to use any CIFS file server.

Usernames and passwords must be synchronized between the file server and the ThinLinc server. Usually, this is accomplished by letting the ThinLinc servers and the CIFS file server use a common directory server. For details, please refer to Chapter 9, Authentication in ThinLinc.

10.1.2.2.  ThinLinc Server Requirements

Either smbmount/smbumount or mount.cifs/umount.cifs must be installed. On Red Hat distributions, they are available in the package samba-client. Refer to your distribution for how to install these applications.

The programs smbmnt/smbumount and mount.cifs/umount.cifs must be setuid root. This is accomplished by the following commands:

# chmod u+s /usr/bin/smbmnt /usr/bin/smbumount
# chmod u+s /sbin/mount.cifs /sbin/umount.cifs
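
Because these helpers run with root privileges for every user, it is worth confirming after installation and after package upgrades that each one is setuid, owned by root, and not writable by group or others. The following check is an added example, not part of ThinLinc; the function name check_setuid_helper is hypothetical, and the paths are the ones given above.

```shell
#!/bin/sh
# Added example (not ThinLinc code): audit the setuid mount helpers.

# check_setuid_helper PATH
# Prints one verdict:
#   missing | not-setuid | not-root-owned | writable-by-others | ok
check_setuid_helper() {
    [ -e "$1" ] || { echo missing; return 0; }
    [ -u "$1" ] || { echo not-setuid; return 0; }
    # Numeric long listing: field 1 is the mode string, field 3 the owner uid.
    ls -ldnL "$1" | awk '{
        if ($3 != 0)
            print "not-root-owned"
        else if (substr($1, 6, 1) == "w" || substr($1, 9, 1) == "w")
            print "writable-by-others"
        else
            print "ok"
    }'
}

# Paths are the ones named in this section; adjust for your distribution.
for helper in /usr/bin/smbmnt /usr/bin/smbumount \
              /sbin/mount.cifs /sbin/umount.cifs
do
    printf '%-24s %s\n' "$helper" "$(check_setuid_helper "$helper")"
done
```

Only the pair of helpers that is actually installed needs to report "ok"; the other pair will report "missing".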

10.1.3.  Mounting and Unmounting Shares

10.1.3.1.  Using tl-mount-cifs

tl-mount-cifs is a small wrapper for smbmount and mount.cifs, which adds:

  1. Automatically selects which file system implementation to use. cifsfs is used if the command mount.cifs is available. Otherwise, smbfs is tried.

  2. Automatically submits password, using the ThinLinc Single Sign-On mechanism.

  3. Automatically creates mount point directory, if it does not exist.

  4. Can optionally fetch the service and drive letter corresponding to the user's home directory specified in Active Directory.

  5. Will automatically use the options specified in Hiveconf (as explained below).

The syntax for tl-mount-cifs resembles smbmount/mount.cifs:

tl-mount-cifs [-r] [--verbose] [-o options] service mount-point

tl-mount-cifs [-r] [--verbose] [-o options] --homedir [mount-point]

The -r option removes the mount point if the mount fails. The --verbose option executes both tl-mount-cifs and the actual mount command with debugging information. Additional mount options can be specified using the -o options option. Refer to the smbmount/mount.cifs documentation for more information. If the --homedir option is specified, it is not necessary to specify the service to mount. Instead, the service corresponding to the user's home directory will be fetched automatically from Active Directory. This requires that the Samba net command is available. When --homedir is used, the mount-point argument is optional. If omitted, the service will be mounted on a directory in the user's home directory corresponding to the drive letter specified in Active Directory (without the trailing colon).

The Hiveconf parameter /utils/tl-mount-cifs/cifsmount_args specifies default arguments for the tl-mount-cifs command. This Hiveconf parameter is normally found in /opt/thinlinc/etc/conf.d/tl-mount-cifs.hconf. The default value of this parameter is "-o dir_mode=0700", which makes CIFS mounts user-private. This option is, however, only recognized by mount.cifs.
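
Since dir_mode is only honoured by mount.cifs, and can be overridden with -o, it is useful to verify what mode the mounted shares actually received. The following is an added example, not part of ThinLinc: it reads text in /proc/mounts format and classifies each CIFS mount, assuming the kernel reports dir_mode in the option field as the cifs client does. The function names and the sample mount table are constructed for illustration.

```shell
#!/bin/sh
# Added example (not ThinLinc code): report whether CIFS mounts are
# user-private.

# Constructed sample in /proc/mounts format. Host, share and user names follow
# this chapter's examples; "legacy" and "janedoe" are made up.
sample_mounts() {
    cat <<'EOF'
//alabama/johndoe$ /home/johndoe/winshares/home cifs rw,relatime,username=johndoe,uid=1001,gid=1001,file_mode=0755,dir_mode=0700 0 0
//alabama/project /home/johndoe/winshares/project cifs rw,relatime,username=johndoe,uid=1001,gid=1001,file_mode=0755,dir_mode=0755 0 0
//alabama/legacy /home/janedoe/winshares/legacy smbfs rw 0 0
/dev/sda1 / ext4 rw,relatime 0 0
EOF
}

# audit_cifs_mounts [FILE...]
# Reads FILE (or stdin) and prints "<verdict> <mount point> <detail>" for each
# cifs/smbfs entry:
#   PRIVATE  dir_mode grants nothing to group or others
#   EXPOSED  dir_mode grants some access to group or others
#   UNKNOWN  no dir_mode reported (for example an smbfs mount)
audit_cifs_mounts() {
    awk '
    $3 == "cifs" || $3 == "smbfs" {
        mode = ""
        n = split($4, opt, ",")
        for (i = 1; i <= n; i++)
            if (opt[i] ~ /^dir_mode=/) mode = substr(opt[i], 10)
        if (mode == "")
            print "UNKNOWN", $2, "fstype=" $3
        else if (substr(mode, length(mode) - 1) == "00")
            print "PRIVATE", $2, "dir_mode=" mode
        else
            print "EXPOSED", $2, "dir_mode=" mode
    }' "$@"
}

# Demonstration on the constructed sample.
sample_mounts | audit_cifs_mounts
```

On a ThinLinc server, call audit_cifs_mounts /proc/mounts to check the live mount table.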

Example 1: User "johndoe" has a home directory on the CIFS file server \\alabama, shared as "johndoe$", which should be mounted on /home/johndoe/winshares/home. To do this, he runs the following command:

$ tl-mount-cifs -r //alabama/johndoe$ ~/winshares/home

Example 2: User "johndoe" is part of a workgroup that shares files using a share called "project" on the file server \\alabama. This share can be mounted on /home/johndoe/winshares/project with the following command:

$ tl-mount-cifs //alabama/project ~/winshares/project

Example 3: If a home directory and home drive are specified in Active Directory, the home directory of user "johndoe" can be mounted with the command:

$ tl-mount-cifs --homedir

10.1.3.2.  Using tl-umount-all-cifs

tl-umount-all-cifs is a utility that unmounts the current user's mounted CIFS shares (all CIFS mounts below the user's home directory). It requires no arguments. The optional argument -a will unmount all CIFS filesystems on the host.

10.1.3.3.  Mounting Shares at Login

Often, it's convenient to automatically mount CIFS shares for all users upon login. This can be accomplished by creating a script in /opt/thinlinc/etc/xstartup.d. It can be named anything. The script should contain something like:

#!/bin/sh
/opt/thinlinc/bin/tl-mount-cifs //alabama/${USER}$ ~/winshares/home

You should also make sure that tl-umount-all-cifs runs at logout. This can be done with the following command:

# ln -s /opt/thinlinc/bin/tl-umount-all-cifs /opt/thinlinc/etc/xlogout.d