Using LDAP: how to log in with SSH, mounting the Samba home directory with autofs?
Well, as long as you're on Linux and if you use password authentication for the initial login, then you can have a PAM module which stashes the password in a kernel keyring where mount.cifs can pick it up. I'm not 100% sure whether cifs-utils currently comes with one, but it does have a `cifscreds` CLI tool which does the same.
Still, personally I would just set up Kerberos authentication instead of LDAP. (That is, leaving LDAP to do only the job of a directory service.) Overall Kerberos is just like LDAP: looks complex from the outside, turns out to be very simple when you look closer, except for the million quirks, edge cases and odd decisions going back to the 1980s that make it complex again.
It's going to be a bit more versatile than SMB-specific PAM hacks – the same tickets can be used for accessing SMB, NFS, LDAP, HTTP, SSH... You can even reuse your existing LDAP server as the KDC database backend, getting replication for free without having to deal with kprop.
Note that with mount.cifs, both Kerberos and `cifscreds` are intended to be used when mounting the share with the `multiuser` option, which gives you NFS-like behavior – the same SMB mount can be accessed by several users, and the kernel will automatically use the correct SMB credentials for each uid.
And as for SSH public-key authentication, there's not much you can do automatically – either you retrieve a credentials file and use it with `cifscreds`, or you retrieve a credentials file and use it with `kinit`... Again I think the latter is more versatile.
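As an added check that is not part of the answer above, here is a small Python audit of an autofs map that sorts each cifs entry by how it obtains credentials, along the lines the answer draws: `multiuser` with `sec=krb5`, `multiuser` relying on `cifscreds`, a shared credentials file, or an inline password. The map lines, server name and file paths are constructed for the example.

```python
"""Classify how each cifs entry in an autofs map obtains its SMB credentials."""

# Constructed sample auto.home map (not from a real system).
# autofs format: key, then options starting with "-", then "://server/share".
SAMPLE_MAP = """\
# key   options                                   location
alice   -fstype=cifs,multiuser,sec=krb5           ://fileserver.example.com/home/alice
bob     -fstype=cifs,credentials=/etc/smb.creds   ://fileserver.example.com/home/bob
carol   -fstype=cifs,username=carol,password=Pa55 ://fileserver.example.com/home/carol
dave    -fstype=cifs,multiuser                    ://fileserver.example.com/home/dave
"""


def parse_map(text):
    """Yield (key, options_dict, location) per entry; skip blank lines and comments."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        key, location = fields[0], fields[-1]
        opts = {}
        for field in fields[1:-1]:
            if field.startswith("-"):
                for opt in field[1:].split(","):
                    name, _, value = opt.partition("=")
                    opts[name] = value
        yield key, opts, location


def classify(opts):
    """Return the credential model a mount.cifs option set implies."""
    if "password" in opts or "pass" in opts:
        return "inline-password"          # secret sits in the map file itself
    if "multiuser" in opts:
        if opts.get("sec", "").startswith("krb5"):
            return "multiuser-kerberos"   # kernel uses each uid's own ticket
        return "multiuser-cifscreds"      # each uid must stash creds with cifscreds
    if "credentials" in opts:
        return "shared-credentials-file"  # one SMB identity for every local user
    return "unknown"


def audit(text):
    """Map every autofs key to its credential model."""
    return {key: classify(opts) for key, opts, _ in parse_map(text)}
```

Entries reported as `shared-credentials-file` or `inline-password` are the ones where every local user reaches the share under a single SMB identity, which is exactly what the `multiuser` option is meant to avoid.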