9.2. Mounting an SMB Share
On Red Hat Enterprise Linux, the
cifs.ko file system module of the kernel provides support for the SMB protocol. However, to mount and work with SMB shares, you must also install the cifs-utils package:
yum install cifs-utils
The cifs-utils package provides utilities to:
- Mount SMB and CIFS shares
- Manage NT Lan Manager (NTLM) credentials in the kernel's keyring
- Set and display Access Control Lists (ACL) in a security descriptor on SMB and CIFS shares
9.2.1. Supported SMB Protocol Versions
cifs.ko kernel module supports the following SMB protocol versions:
- SMB 1
- SMB 2.0
- SMB 2.1
- SMB 3.0
Depending on the protocol version, not all SMB features are implemented.
126.96.36.199. UNIX Extensions Support
Samba uses the
CAP_UNIX capability bit in the SMB protocol to provide the UNIX extensions feature. These extensions are also supported by the
cifs.ko kernel module. However, both Samba and the kernel module support UNIX extensions only in the SMB 1 protocol.
To use UNIX extensions:
- Set the
server min protocoloption in the
[global]section in the
NT1. This is the default on Samba servers.
- Mount the share using the SMB 1 protocol by providing the
-o vers=1.0option to the
mountcommand. For example:
mount -t cifs -o vers=1.0,username=user_name //server_name/share_name /mnt/By default, the kernel module uses SMB 2 or the highest later protocol version supported by the server. Passing the
-o vers=1.0option to the
mountcommand forces that the kernel module uses the SMB 1 protocol that is required for using UNIX extensions.
To verify if UNIX extensions are enabled, display the options of the mounted share:
mount... //server/share on /mnt type cifs (...,unix,...)
unix entry is displayed in the list of mount options, UNIX extensions are enabled.
9.2.2. Manually Mounting an SMB Share
To manually mount an SMB share, use the
mount utility with the
-t cifs parameter:
# mount -t cifs -o username=user_name //server_name/share_name /mnt/ Password for user_name@//server_name/share_name: ********
-o options parameter, you can specify options that will be used to mount the share. For details, see Section 9.2.6, “Frequently Used Mount Options” and the OPTIONS section in the mount.cifs(8) man page.
Example 9.1. Mounting a Share Using an Encrypted SMB 3.0 Connection
To mount the
\\server\example\ share as the
DOMAIN\Administrator user over an encrypted SMB 3.0 connection into the
# mount -t cifs -o username=DOMAIN\Administrator,seal,vers=3.0 //server/example /mnt/ Password for user_name@//server_name/share_name: ********
9.2.3. Mounting an SMB Share Automatically When the System Boots
To mount an SMB share automatically when the system boots, add an entry for the share to the
/etc/fstab file. For example:
//server_name/share_name /mnt cifs credentials=/root/smb.cred 0 0
To enable the system to mount a share automatically, you must store the user name, password, and domain name in a credentials file. For details, see Section 9.2.4, “Authenticating To an SMB Share Using a Credentials File”.
In the fourth field of the
/etc/fstab file, specify mount options, such as the path to the credentials file. For details, see Section 9.2.6, “Frequently Used Mount Options” and the OPTIONS section in the mount.cifs(8) man page.
To verify that the share mounts successfully, enter:
9.2.4. Authenticating To an SMB Share Using a Credentials File
In certain situations, administrators want to mount a share without entering the user name and password. To implement this, create a credentials file. For example:
Procedure 9.1. Creating a Credentials File
- Create a file, such as
~/smb.cred, and specify the user name, password, and domain name that file:
username=user_name password=password domain=domain_name
- Set the permissions to only allow the owner to access the file:
chown user_name ~/smb.cred
chmod 600 ~/smb.cred
You can now pass the
credentials=file_name mount option to the
mount utility or use it in the
/etc/fstab file to mount the share without being prompted for the user name and password.
9.2.5. Performing a Multi-user SMB Mount
The credentials you provide to mount a share determine the access permissions on the mount point by default. For example, if you use the
DOMAIN\example user when you mount a share, all operations on the share will be executed as this user, regardless which local user performs the operation.
However, in certain situations, the administrator wants to mount a share automatically when the system boots, but users should perform actions on the share's content using their own credentials. The
multiuser mount options lets you configure this scenario.
multiuser, you must additionally set the
sec=security_type mount option to a security type which supports providing credentials in a non-interactive way, such as
krb5 or the
ntlmssp option with a credentials file. See the section called “Accessing a Share as a User”.
root user mounts the share using the
multiuser option and an account that has minimal access to the contents of the share. Regular users can then provide their user name and password to the current session's kernel keyring using the
cifscreds utility. If the user accesses the content of the mounted share, the kernel uses the credentials from the kernel keyring instead of the one initially used to mount the share.
Mounting a Share with the
To mount a share automatically with the
multiuser option when the system boots:
Procedure 9.2. Creating an
/etc/fstab File Entry with the
- Create the entry for the share in the
/etc/fstabfile. For example:
//server_name/share_name /mnt cifs multiuser,sec=ntlmssp,credentials=/root/smb.cred 0 0
- Mount the share:
If you do not want to mount the share automatically when the system boots, mount it manually by passing
-o multiuser,sec=security_type to the
mount command. For details about mounting an SMB share manually, see Section 9.2.2, “Manually Mounting an SMB Share”.
Verifying if an SMB Share is Mounted with the
To verify if a share is mounted with the
mount... //server_name/share_name on /mnt type cifs (sec=ntlmssp,multiuser,...)
Accessing a Share as a User
If an SMB share is mounted with the
multiuser option, users can provide their credentials for the server to the kernel's keyring:
cifscreds add -u SMB_user_name server_namePassword: ********
Now, when the user performs operations in the directory that contains the mounted SMB share, the server applies the file system permissions for this user, instead of the one initially used when the share was mounted.
Multiple users can perform operations using their own credentials on the mounted share at the same time.
9.2.6. Frequently Used Mount Options
When you mount an SMB share, the mount options determine:
- How the connection will be established with the server. For example, which SMB protocol version is used when connecting to the server.
- How the share will be mounted into the local file system. For example, if the system overrides the remote file and directory permissions to enable multiple local users to access the content on the server.
To set multiple options in the fourth field of the
/etc/fstab file or in the
-o parameter of a
mount command, separate them with commas. For example, see Procedure 9.2, “Creating an
/etc/fstab File Entry with the
The following list gives an overview of frequently used mount options:
Table 9.1. Frequently Used Mount Options
|Sets the path to the credentials file. See Section 9.2.4, “Authenticating To an SMB Share Using a Credentials File”.
|Sets the directory mode if the server does not support CIFS UNIX extensions.
|Sets the file mode if the server does not support CIFS UNIX extensions.
| Sets the password used to authenticate to the SMB server. Alternatively, specify a credentials file using the
| Enables encryption support for connections using SMB 3.0 or a later protocol version. Therefore, use
seal together with the
vers mount option set to
3.0 or later. See Example 9.1, “Mounting a Share Using an Encrypted SMB 3.0 Connection”.
Sets the security mode, such as
ntlmsspi, to enable NTLMv2 password hashing and enabled packet signing. For a list of supported values, see the option's description in the mount.cifs(8) man page.
If the server does not support the
ntlmv2 security mode, use
sec=ntlmssp, which is the default. For security reasons, do not use the insecure
ntlm security mode.
| Sets the user name used to authenticate to the SMB server. Alternatively, specify a credentials file using the
|Sets the SMB protocol version used for the communication with the server.
For a complete list, see the OPTIONS section in the mount.cifs(8) man page.