Mount SMB volume on Linux without storing password in plaintext


  • Banned

    I have a Linux machine at work. The company uses this Windows Domain thingy I never cared to learn how it works. There's one network share I need, and I'd like to mount it. But all the commands I've found provide domain password in plaintext, either directly in command line, the mount options, or some file. I want to avoid storing credentials in plaintext. I also want to avoid typing it on every login (especially since it's identical to user login credentials). I also want to delay mount until after I get internet connection since I log in to Wi-Fi only after login.

    I tried pam-mount, but it took so long to set up I didn't test it yet. In the meantime, any other suggestions? I'm using Ubuntu 16.04 with Gnome, if it matters.


  • :belt_onion:

    @gąska said in Mount SMB volume on Linux without storing password in plaintext:

    But all the commands I've found provide domain password in plaintext, either directly in command line, the mount options, or some file. I want to avoid storing credentials in plaintext. I also want to avoid typing it on every login (especially since it's identical to user login credentials). I also want to delay mount until after I get internet connection since I log in to Wi-Fi only after login.

    You're going to have to specify credentials somewhere. File is a good option. On a Windows domain you can also use a Kerberos keytab file that contains the domain key. (It's not the plaintext password but can still be used to authenticate to the domain, so don't let it get compromised.)


  • Banned

    @heterodox said in Mount SMB volume on Linux without storing password in plaintext:

    @gąska said in Mount SMB volume on Linux without storing password in plaintext:

    But all the commands I've found provide domain password in plaintext, either directly in command line, the mount options, or some file. I want to avoid storing credentials in plaintext. I also want to avoid typing it on every login (especially since it's identical to user login credentials). I also want to delay mount until after I get internet connection since I log in to Wi-Fi only after login.

    You're going to have to specify credentials somewhere. File is a good option.

    A keyring is much better. I do that for Wi-Fi - can't I do the same for SMB?


  • :belt_onion:

    @gąska said in Mount SMB volume on Linux without storing password in plaintext:

    A keyring is much better. I do that for Wi-Fi - can't I do the same for SMB?

    Not that I know of, but keep in mind my experience is all with servers, not workstations; servers don't indulge in abstractions like a keyring (the credentials are still stored in a file, that file's just encrypted with another key that you enter interactively).

    Doing some quick Googling, it looks like if you go to the network share in Gnome, you should be prompted for credentials and have the option to save them (in "Seahorse", whatever the fuck that is). Is that mechanism not working for you? I suspect you're trying to do something with a command that's built in to your desktop environment.


  • Banned

    @heterodox said in Mount SMB volume on Linux without storing password in plaintext:

    Doing some quick Googling, it looks like if you go to the network share in Gnome, you should be prompted for credentials and have the option to save them (in "Seahorse", whatever the fuck that is). Is that mechanism not working for you?

    Hard to say; it doesn't seem to exist in my system. Just like "turn numlock on" checkbox in keyboard settings.

    @heterodox said in Mount SMB volume on Linux without storing password in plaintext:

    I suspect you're trying to do something with a command that's built in to your desktop environment.

    Mostly because the very first result when I google for "ubuntu 16.04 mount windows share" is to sudo mount -t cifs //WINSRV/SHARE ~/localmount -o user=userid,pass=mypass,dir_mode=0777,file_mode=0777. If there was a nice GUI for that installed by default, surely everyone would say to use that, right?

    Anyway, I just found out that the file manager (whatever it's called) has a "Connect to Server" option in sidebar just under the list of all the useless default folders. I found it by googling the above, but with "gnome" instead of "ubuntu". Gonna see if it works on Monday when I'm back at work.


  • :belt_onion:

    @gąska said in Mount SMB volume on Linux without storing password in plaintext:

    If there was a nice GUI for that installed by default, surely everyone would say to use that, right?

    No, because Linux enthusiasts delight in using the most overcomplicated solutions possible. Also (Toby more fare), because they don't want to provide one solution for Gnome, one for KDE, one for xfce, etc. so they provide a much harder but "universal" solution. If you're looking for the "right" way to do something, I'd recommend looking at the Ubuntu documentation first, which if I recall is quite good.

    "Connect to server" is what I was thinking of. Should do what you want.


  • Banned

    @heterodox said in Mount SMB volume on Linux without storing password in plaintext:

    Also (Toby more fare), because they don't want to provide one solution for Gnome, one for KDE, one for xfce, etc.

    Instead they provide one solution for SMB, one for CIFS, one for NFS, one for fstab, one for PAM...

    @heterodox said in Mount SMB volume on Linux without storing password in plaintext:

    If you're looking for the "right" way to do something, I'd recommend looking at the Ubuntu documentation first, which if I recall is quite good.

    I didn't even know such a thing exists until you mentioned it just now. Yay for googlability! But yeah, it says exactly what to do in a very simple way (unlike Ubuntu Wiki, which is a cesspool). Though after just 10 seconds I've acquired immense hatred for the website - it automatically translated everything to Polish even though I never asked for it - but it only translated some things and left others. What's worse, there's nothing in the URL you can change to disable it.


  • area_pol

    @gąska
    You should be able to mount through smb by entering smb://servername/share into the file manager's address bar, it should ask for password and store it somewhere out-of-sight.
    Install fusesmb smbclient or other smb-related packages until it starts working.



  • @gąska said in Mount SMB volume on Linux without storing password in plaintext:

    If there was a nice GUI for that installed by default, surely everyone would say to use that, right?

    Back up a second and think about that, remembering that you’re talking of people explaining how to do things in Linux here.


  • Discourse touched me in a no-no place

    @gąska said in Mount SMB volume on Linux without storing password in plaintext:

    I want to avoid storing credentials in plaintext.

    Understandable, but that was the easiest method I found when setting this stuff up. On the plus side, I put the file well under /root and made it so that it most definitely wasn't readable by ordinary users, and got all the path details and everything in /etc/fstab so that users (in the right group) could just mount /the/mountpoint and it would Just Work™.

    I forget the exact details. I do remember that SMB is less annoying than sshfs, and that I left the project before the next stage of my plan could be enacted (putting the whole system into userspace so that system responsivity could be maintained in the face of spotty networking on the remote side)…
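
An added example, not code from any poster in this thread: a shell check for the two exposures discussed above, an inline pass= option like the one in the googled mount command, and a credentials file that users other than its owner can read. The function names, finding labels and sample paths are made up for illustration, and the fstab entries and credential files are constructed in a temporary directory.

```shell
#!/bin/sh
# audit_cifs_fstab FILE: print one finding per CIFS entry that exposes a password.
audit_cifs_fstab() {
    # fstab fields: device, mount point, fs type, options, then dump/pass
    while read -r dev mnt fstype opts _rest; do
        case "$dev" in ''|'#'*) continue ;; esac      # skip blanks and comments
        [ "$fstype" = cifs ] || continue
        cred=""
        old_ifs=$IFS; IFS=,                           # options are comma-separated
        for o in $opts; do
            case "$o" in
                password=*|pass=*)    echo "INLINE_PASSWORD $mnt" ;;
                credentials=*|cred=*) cred=${o#*=} ;;
            esac
        done
        IFS=$old_ifs
        [ -n "$cred" ] || continue
        if [ ! -f "$cred" ]; then
            echo "MISSING_CREDFILE $mnt $cred"
        # characters 5-10 of the ls mode string are the group and other bits
        elif [ "$(ls -ld -- "$cred" | cut -c5-10)" != "------" ]; then
            echo "LOOSE_CREDFILE $mnt $cred"
        fi
    done < "$1"
}

# Constructed sample: one inline password, one 0600 file, one 0644 file.
demo_audit() {
    d=$(mktemp -d) || return 1
    printf 'username=userid\npassword=constructed\n' > "$d/good.cred"
    chmod 600 "$d/good.cred"
    cp "$d/good.cred" "$d/loose.cred"
    chmod 644 "$d/loose.cred"
    cat > "$d/fstab" <<EOF
# constructed sample entries, not from a real system
//WINSRV/SHARE /mnt/a cifs user=userid,pass=mypass,dir_mode=0777 0 0
//WINSRV/SHARE /mnt/b cifs credentials=$d/good.cred,noauto,users 0 0
//WINSRV/SHARE /mnt/c cifs credentials=$d/loose.cred,noauto,users 0 0
EOF
    audit_cifs_fstab "$d/fstab"
    rm -rf "$d"
}

demo_audit
```

Pointing audit_cifs_fstab at /etc/fstab checks a real system; it only covers passwords exposed through fstab-style entries, not the keytab or keyring routes mentioned earlier in the thread.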

