SMB auto-mount
Mounting SMB shares automatically on a Unix system is not straightforward; navigating posts from Stack Overflow and forums will most likely result in trying out old and deprecated solutions.
Here are my experiences with mounting samba shares:
- cifs is the newer implementation for the smb protocol in the kernel. The older smbfs is deprecated, without any maintainers and is only available due to backwards compatibility.
- Credentials for cifs basically require a plaintext file containing username= and password= which is referenced during mount, which is truly horrifying security wise.
  - Creating a file at /root/.smbcredentials with chmod 0600 permissions is as secure as it gets.
  - If you got a better alternative, please reach out.
- Kerberos does not look like a sane solution for single-users.
- autofs is deprecated and superseded by the systemd module remote-fs.
- Be careful mounting remote locations in /etc/fstab, as they will not work when you are not in your local network. In worst case, it will make your computer panic during boot.
- Follow the principle of least privilege: create a separate user on the smb server with access to only the folders that you are going to mount.
Here is an example of a line I use in /etc/fstab:
1 |
|
Breakdown of the flags used:
Flag | Description |
---|---|
_netdev | wait for networking service to start before attempting this mount |
vers=3 | use SMBv3.0 protocol version and above |
x-systemd.automount | establish remote connection to share and mount only when local directory is accessed |
x-systemd.idle-timeout=15min | unmount share if the local directory has not been accessed for over x minutes |
rw | enable read-write access on remote share |
dir_mode=0775 | default directory permission |
file_mode=0664 | default file permission |
iocharset=utf8 | allows access to files with names in non-English languages |
uid=fredrick | makes the user owner of the mounted share |
gid=users | makes the group owner of the mounted share |
credentials=/root/.smbcredentials | path to the credentials file, which contains lines with username= and password=; it can be stored in the home dir, and permission 600 on the file is recommended for security |
This requires a credentials file stored in /root containing your smb credentials:
1 2 3 4 |
|
Set the permission to 0600 so that only root can access it:
1 |
|
To reload entries in /etc/fstab, run the following command:
1 |
|
We don't need to use mount -a, as systemd will automatically mount the remote folder when you access the local folder. The command will work, but systemd will unmount the folder when the idle-timeout for the share is activated.
You should now be able to see the files from the remote share in the local folder you specified in /etc/fstab, such as navigating to /mnt/nas/media in the example above.
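A pre-flight check for the setup described above, as an added example that is not part of the original page: it reads an fstab file, finds the cifs entries, and reports missing _netdev or x-systemd.automount options and a credentials file whose mode is not 600 or 400. The function name audit_cifs_fstab is hypothetical, GNU stat is assumed, and the check for a password written directly in fstab goes slightly beyond what the page covers.

```shell
#!/bin/sh
# Added example: audit cifs entries in an fstab file against the advice above.
# Usage: audit_cifs_fstab /etc/fstab
# Prints one finding per line and returns 1 if anything was found.
audit_cifs_fstab() {
    local fstab="$1" rc=0 dev mnt type opts rest want cred mode
    while read -r dev mnt type opts rest; do
        # Skip blank lines, comments and non-cifs filesystems.
        case $dev in ''|'#'*) continue ;; esac
        [ "$type" = cifs ] || continue
        # Options the page relies on for safe boot and on-demand mounting.
        for want in _netdev x-systemd.automount; do
            case ",$opts," in
                *",$want,"*) ;;
                *) echo "$mnt: missing option $want"; rc=1 ;;
            esac
        done
        # fstab is normally world-readable, so an inline password is exposed.
        case ",$opts," in
            *,password=*|*,pass=*) echo "$mnt: password stored in fstab"; rc=1 ;;
        esac
        # Locate the credentials file and check its permission bits.
        cred=$(printf '%s\n' "$opts" | tr ',' '\n' | sed -n 's/^credentials=//p')
        if [ -z "$cred" ]; then
            echo "$mnt: no credentials= option"; rc=1
        elif [ ! -f "$cred" ]; then
            echo "$mnt: credentials file $cred not found"; rc=1
        else
            mode=$(stat -c '%a' "$cred")   # GNU stat (assumption)
            case $mode in
                600|400) ;;
                *) echo "$mnt: $cred has mode $mode, expected 600"; rc=1 ;;
            esac
        fi
    done < "$fstab"
    return $rc
}
```

Run it as root against /etc/fstab so the credentials file under /root is readable by the check.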
Debugging
The following command will monitor kernel logs, where CIFS errors should be present:
1 |
|
Errors here can be a bit cryptic. I found out that error -13 can be an indicator for a credentials file misconfiguration.
After making changes to /etc/fstab or the credentials file, restart the systemd component for remote-fs:
1 |
|
If all is well, dmesg should output the following:
1 2 3 4 |
|