Hi all,

I'm trying to get pam-mount working with sec=krb5. I've got the following config:
---------------------
<volume
        fstype="cifs"
        server="fs-01.example.net"
        path="users/%(DOMAIN_USER)"
        mountpoint="/home/EXAMPLE/%(DOMAIN_USER)"
        sgrp="domain users"
        options="sec=krb5,cruid=%(USERID),workgroup=EXAMPLE,vers=3.1.1" />

<volume
        fstype="cifs"
        server="fs-01.example.net"
        path="abteilungen"
        mountpoint="/abteilungen"
        sgrp="domain users"
        options="sec=krb5,cruid=%(USERID),workgroup=EXAMPLE,vers=3.1.1" />
---------------------

When I connect with a user I see:
---------------------
Dec 23 16:23:46 client-02 kernel: [   81.158008] CIFS: Attempting to mount \\fs-01.example.net\users
Dec 23 16:23:46 client-02 kernel: [   81.253128] CIFS: VFS: Verify user has a krb5 ticket and keyutils is installed
Dec 23 16:23:46 client-02 kernel: [   81.253134] CIFS: VFS: \\fs-01.example.net Send error in SessSetup = -126
Dec 23 16:23:46 client-02 kernel: [   81.253154] CIFS: VFS: cifs_mount failed w/return code = -126
---------------------

When I switch to "sec=ntlmssp" pam-mount is working.

I then tried to get a ticket and access the share via smbclient:
-----------------
ktom@client-02:~$ kinit ktom
ktom@EXAMPLE.NET's Password:
ktom@client-02:~$ klist
Credentials cache: FILE:/tmp/krb5cc_1001107_dUP4GZ
        Principal: ktom@EXAMPLE.NET

ktom@client-02:~$ smbclient //fs-01/abteilungen
Enter ktom@EXAMPLE.NET's password:
Try "help" to get a list of possible commands.
smb: \>

ktom@client-02:~$ klist
Credentials cache: FILE:/tmp/krb5cc_1001107_dUP4GZ
        Principal: ktom@EXAMPLE.NET

  Issued                Expires               Principal
Dec 23 16:44:49 2022  Dec 24 02:44:49 2022  krbtgt/EXAMPLE.NET@EXAMPLE.NET
Dec 23 16:46:09 2022  Dec 24 02:44:49 2022  cifs/fs-01@EXAMPLE.NET
-----------------

Here is my krb5.conf:
---------------
[libdefaults]
        default_realm = EXAMPLE.NET
        dns_lookup_realm = false
        dns_lookup_kdc = true
---------------

And smb.conf
---------------
[global]
        workgroup = example
        realm = EXAMPLE.NET
        security = ADS
        winbind refresh tickets = yes
        winbind use default domain = yes
        template shell = /bin/bash
        idmap config * : range = 100000 - 199999
        idmap config EXAMPLE : backend = rid
        idmap config EXAMPLE : range = 1000000 - 1999999
---------------

Any idea?
I forgot :-) If I log in as "root", get a ticket for the user "ktom" and then do a:
--------------
'mount' '-t' 'cifs' '//fs-01.example.net/users/ktom' '/home/EXAMPLE/ktom' '-o' 'username=ktom,uid=1001107,gid=1000513,sec=krb5,cruid,workgroup=EXAMPLE,vers=3.1.1'
--------------
So giving the command pam-mount is using, everything works fine.

On 23.12.22 at 17:02, Stefan Kania via samba wrote:

-- 
Stefan Kania
Landweg 13
25693 St. Michaelisdonn

Signing every e-mail helps reduce spam and protects your privacy. You can obtain a free certificate at https://www.dgn.de/dgncert/index.html
On 23/12/2022 16:02, Stefan Kania via samba wrote:
> Hi all,
>
> I try to get pam-mount working with sec=krb5 I've got the following config:
> ---------------------
> <volume
>         fstype="cifs"
>         server="fs-01.example.net"
>         path="users/%(DOMAIN_USER)"
>         mountpoint="/home/EXAMPLE/%(DOMAIN_USER)"
>         sgrp="domain users"
>         options="sec=krb5,cruid=%(USERID),workgroup=EXAMPLE,vers=3.1.1" />
>
> <volume
>         fstype="cifs"
>         server="fs-01.example.net"
>         path="abteilungen"
>         mountpoint="/abteilungen"
>         sgrp="domain users"
>         options="sec=krb5,cruid=%(USERID),workgroup=EXAMPLE,vers=3.1.1" />
> ---------------------
>
> When I connect with a user I see:
> ---------------------
> Dec 23 16:23:46 client-02 kernel: [   81.158008] CIFS: Attempting to mount \\fs-01.example.net\users
> Dec 23 16:23:46 client-02 kernel: [   81.253128] CIFS: VFS: Verify user has a krb5 ticket and keyutils is installed
> Dec 23 16:23:46 client-02 kernel: [   81.253134] CIFS: VFS: \\fs-01.example.net Send error in SessSetup = -126
> Dec 23 16:23:46 client-02 kernel: [   81.253154] CIFS: VFS: cifs_mount failed w/return code = -126

If I remember correctly, '-126' basically means 'help, I cannot find the kerberos ticket'.

> ---------------------
>
> When I switch to "sec=ntlmssp" pam-mount is working.
>
> I then tried to get a ticket and access the share via smbclient:
> -----------------
> ktom@client-02:~$ kinit ktom
> ktom@EXAMPLE.NET's Password:
> ktom@client-02:~$ klist
> Credentials cache: FILE:/tmp/krb5cc_1001107_dUP4GZ
>         Principal: ktom@EXAMPLE.NET
>
> ktom@client-02:~$ smbclient //fs-01/abteilungen
> Enter ktom@EXAMPLE.NET's password:
> Try "help" to get a list of possible commands.
> smb: \>

That isn't using kerberos, try adding '--use-kerberos=required'

> ktom@client-02:~$ klist
> Credentials cache: FILE:/tmp/krb5cc_1001107_dUP4GZ
>         Principal: ktom@EXAMPLE.NET
>
>   Issued                Expires               Principal
> Dec 23 16:44:49 2022  Dec 24 02:44:49 2022  krbtgt/EXAMPLE.NET@EXAMPLE.NET
> Dec 23 16:46:09 2022  Dec 24 02:44:49 2022  cifs/fs-01@EXAMPLE.NET
> -----------------
>
> Here is my krb5.conf:
> ---------------
> [libdefaults]
>         default_realm = EXAMPLE.NET
>         dns_lookup_realm = false
>         dns_lookup_kdc = true
> ---------------
>
> And smb.conf
> ---------------
> [global]
>         workgroup = example
>         realm = EXAMPLE.NET
>         security = ADS
>         winbind refresh tickets = yes
>         winbind use default domain = yes
>         template shell = /bin/bash
>         idmap config * : range = 100000 - 199999
>         idmap config EXAMPLE : backend = rid
>         idmap config EXAMPLE : range = 1000000 - 1999999
> ---------------
>
> Any idea?
>

It could be that pam_mount is looking for the kerberos ticket '/tmp/krb5cc_1001107' and as you can see, it is actually '/tmp/krb5cc_1001107_dUP4GZ'

Rowland
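An added check, written for this thread and not code from pam_mount, cifs-utils or either poster, that makes Rowland's hypothesis testable on a client: it lists the credential caches present for a uid and reports whether the fixed path /tmp/krb5cc_<uid> exists or only a randomised /tmp/krb5cc_<uid>_XXXXXX one (the situation in the klist output above). Errno 126 in the kernel messages is ENOKEY ("Required key not available") on Linux, which is consistent with a helper that could not locate a ticket. The cache directory is passed as an argument so the script can run against a constructed directory; the demo() function, its temporary directory and the sample file name for uid 1001107 are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the thread: where does a user's Kerberos credential
# cache actually live? The mount helper may look for the fixed path
# /tmp/krb5cc_<uid> while kinit wrote /tmp/krb5cc_<uid>_XXXXXX.
# DIR is a parameter so the check can run against a constructed directory;
# on a real client it is /tmp.

# find_ccache DIR UID: print every cache file for UID, fixed name first
find_ccache() {
    dir=$1
    uid=$2
    for f in "$dir/krb5cc_$uid" "$dir/krb5cc_${uid}"_*; do
        # an unmatched glob stays literal, so test for existence
        [ -e "$f" ] && printf '%s\n' "$f"
    done
    return 0
}

# ccache_status DIR UID: "fixed" when DIR/krb5cc_UID exists, "randomised"
# when only krb5cc_UID_XXXX caches exist (the case in the thread),
# "none" when the user has no cache at all
ccache_status() {
    dir=$1
    uid=$2
    if [ -e "$dir/krb5cc_$uid" ]; then
        echo fixed
    elif [ -n "$(find_ccache "$dir" "$uid")" ]; then
        echo randomised
    else
        echo none
    fi
}

# demo: constructed directory reproducing the cache name from the klist output
demo() {
    tmp=$(mktemp -d)
    touch "$tmp/krb5cc_1001107_dUP4GZ"   # constructed sample, mirrors the thread
    echo "caches for uid 1001107:"
    find_ccache "$tmp" 1001107
    echo "status: $(ccache_status "$tmp" 1001107)"   # randomised
    rm -rf "$tmp"
}
demo
```

On a real client run `ccache_status /tmp "$(id -u ktom)"` as root while the user is logged in. If it reports "randomised", one way to get a predictable name is to set a default cache name in the [libdefaults] section of krb5.conf: MIT Kerberos reads `default_ccache_name = FILE:/tmp/krb5cc_%{uid}`, Heimdal (whose kinit/klist output the thread's transcript resembles) reads `default_cc_name` with its own token syntax; this is my suggestion, not something the thread confirms.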