Pluess, Tobias
2024-Feb-06 12:27 UTC
[Samba] Samba, Kerberos, Autofs: Shares get disconnected
Hi,

I am still trying to figure out the best settings for Samba and Kerberos with autofs.

My setup so far works good, users can log in on their computers using AD credentials, and they can access network shares with AD credentials as well. This works perfect.

Also I notice that some Kerberos ticket is created upon user login, which allows the users to access a Samba share without entering the password, which is very convenient. For this to work, I had to create the SPNs in AD. However, that worked. So currently, it works all quite convenient.

Further, I have configured autofs to automatically mount for each user the network shares they need. For this, I used the "multiuser" and "sec=krb5" options. This also works as I expected. However, I notice the following problem.

Assume I log in on my workstation and I have a Samba share automounted (via autofs) under /storage/work. Just after logging in into my workstation, I can easily access the share without troubles. However, when I leave my workstation running during the night and return the next morning, I notice the /storage/work has been disconnected, even if I had some program running there that accesses these data. Furthermore, autofs cannot anymore automatically reconnect the network share, it claims "required key not available". The only way to reconnect the share seems to be

a) stop autofs
b) kdestroy
c) kinit, and enter the password
d) restart autofs

then the share works again as normal.

I wonder, is this behaviour intentional or is this a bug or just misconfiguration? I thought as long as I stay logged in on my workstation, the Kerberos ticket does not expire. However according to above error message from autofs this seems not to be the case. Can I somehow fix this? It happens often that I leave my computer running over night, with some program left open to access some network shares. Previously I did that with a credentials file, but I still dislike this concept and would favour autofs + Kerberos if possible.

Thanks
best
Tobias
Kees van Vloten
2024-Feb-06 12:36 UTC
[Samba] Samba, Kerberos, Autofs: Shares get disconnected
On 06-02-2024 at 13:27, Pluess, Tobias via samba wrote:

> Hi,
> I am still trying to figure out the best settings for Samba and Kerberos
> with autofs.
> My setup so far works good, users can log in on their computers using AD
> credentials, and they can access network shares with AD credentials as
> well. This works perfect.
> Also I notice that some Kerberos ticket is created upon user login, which
> allows the users to access a Samba share without entering the password,
> which is very convenient.
> For this to work, I had to create the SPNs in AD. However, that worked. So
> currently, it works all quite convenient.
> Further, I have configured autofs to automatically mount for each user the
> network shares they need.
> For this, I used the "multiuser" and "sec=krb5" options. This also works as
> I expected. However, I notice the following problem.
>
> Assume I log in on my workstation and I have a Samba share automounted (via
> autofs) under /storage/work. Just after logging in into my workstation, I
> can easily access the share without troubles. However, when I leave my
> workstation running during the night and return the next morning, I notice
> the /storage/work has been disconnected, even if I had some program running
> there that accesses these data. Furthermore, autofs cannot anymore
> automatically reconnect the network share, it claims "required key not
> available". The only way to reconnect the share seems to be
>
> a) stop autofs
> b) kdestroy
> c) kinit, and enter the password
> d) restart autofs
>
> then the share works again as normal.
> I wonder, is this behaviour intentional or is this a bug or just
> misconfiguration? I thought as long as I stay logged in on my workstation,
> the Kerberos ticket does not expire. However according to above error
> message from autofs this seems not to be the case. Can I somehow fix this?
> It happens often that I leave my computer running over night, with some
> program left open to access some network shares. Previously I did that with
> a credentials file, but I still dislike this concept and would favour
> autofs + Kerberos if possible.
>
> Thanks
> best
> Tobias

A ticket expires after 10 hours (this is the default setting), I guess you need to do something to refresh it. Are you using the user's ticket to mount the share or do you have a special user that performs a multi-user mount?

- Kees.
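
An added example, not part of any post in this thread: a small classifier for `klist` output that shows why the overnight case needs a fresh `kinit` while a still-valid ticket can be renewed with `kinit -R`. The sample output, realm, principal names and the one-hour margin are constructed assumptions, and the date format assumes MIT `klist` with US-style dates.

```python
import re
from datetime import datetime, timedelta

# Constructed sample of MIT `klist` output (realm, principals and times are made up).
SAMPLE_KLIST = """\
Ticket cache: KEYRING:persistent:10001:10001
Default principal: tobias@EXAMPLE.COM

Valid starting       Expires              Service principal
02/06/2024 08:00:00  02/06/2024 18:00:00  krbtgt/EXAMPLE.COM@EXAMPLE.COM
\trenew until 02/13/2024 08:00:00
02/06/2024 08:05:00  02/06/2024 18:00:00  cifs/server.example.com@EXAMPLE.COM
\trenew until 02/13/2024 08:00:00
"""

FMT = "%m/%d/%Y %H:%M:%S"  # assumption: klist date format is locale dependent
STAMP = r"\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}"
# TGT line: start time, expiry, krbtgt principal, optional "renew until" line.
TGT_RE = re.compile(
    rf"^({STAMP})\s+({STAMP})\s+krbtgt/\S+(?:\n\s+renew until ({STAMP}))?",
    re.MULTILINE,
)


def tgt_state(klist_text, now, margin=timedelta(hours=1)):
    """Say what the TGT needs before a sec=krb5 mount can authenticate again."""
    m = TGT_RE.search(klist_text)
    if m is None:
        return "no-tgt"  # empty cache: only a fresh kinit helps
    expires = datetime.strptime(m.group(2), FMT)
    renew_until = datetime.strptime(m.group(3), FMT) if m.group(3) else None
    if now >= expires:
        # An expired ticket cannot be renewed, even inside its renewable
        # lifetime, so this state needs kinit with the password.
        return "expired"
    if expires - now > margin:
        return "valid"
    if renew_until is not None and renew_until > expires:
        return "renew-now"  # kinit -R still extends the lifetime
    return "expiring-not-renewable"


if __name__ == "__main__":
    for hour in ("2024-02-06 12:00", "2024-02-06 17:30", "2024-02-07 07:00"):
        now = datetime.strptime(hour, "%Y-%m-%d %H:%M")
        print(hour, tgt_state(SAMPLE_KLIST, now))
```
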
Rowland Penny
2024-Feb-06 12:41 UTC
[Samba] Samba, Kerberos, Autofs: Shares get disconnected
On Tue, 6 Feb 2024 13:27:29 +0100 "Pluess, Tobias via samba" <samba at lists.samba.org> wrote:

> Hi,
> I am still trying to figure out the best settings for Samba and
> Kerberos with autofs.
> My setup so far works good, users can log in on their computers using
> AD credentials, and they can access network shares with AD
> credentials as well. This works perfect.
> Also I notice that some Kerberos ticket is created upon user login,
> which allows the users to access a Samba share without entering the
> password, which is very convenient.
> For this to work, I had to create the SPNs in AD. However, that
> worked. So currently, it works all quite convenient.
> Further, I have configured autofs to automatically mount for each
> user the network shares they need.
> For this, I used the "multiuser" and "sec=krb5" options. This also
> works as I expected. However, I notice the following problem.
>
> Assume I log in on my workstation and I have a Samba share
> automounted (via autofs) under /storage/work. Just after logging in
> into my workstation, I can easily access the share without troubles.
> However, when I leave my workstation running during the night and
> return the next morning, I notice the /storage/work has been
> disconnected, even if I had some program running there that accesses
> these data. Furthermore, autofs cannot anymore automatically
> reconnect the network share, it claims "required key not available".
> The only way to reconnect the share seems to be
>
> a) stop autofs
> b) kdestroy
> c) kinit, and enter the password
> d) restart autofs
>
> then the share works again as normal.
> I wonder, is this behaviour intentional or is this a bug or just
> misconfiguration? I thought as long as I stay logged in on my
> workstation, the Kerberos ticket does not expire. However according
> to above error message from autofs this seems not to be the case. Can
> I somehow fix this? It happens often that I leave my computer running
> over night, with some program left open to access some network
> shares. Previously I did that with a credentials file, but I still
> dislike this concept and would favour autofs + Kerberos if possible.
>
> Thanks
> best
> Tobias

Do you have 'winbind refresh tickets = yes' set in your smb.conf file? It defaults to 'no'

Rowland
Christian Naumer
2024-Feb-06 14:53 UTC
[Samba] Samba, Kerberos, Autofs: Shares get disconnected
Hi.

On 06.02.24 at 13:27, Pluess, Tobias via samba wrote:

> Hi,
> I am still trying to figure out the best settings for Samba and Kerberos
> with autofs.
> My setup so far works good, users can log in on their computers using AD
> credentials, and they can access network shares with AD credentials as
> well. This works perfect.
> Also I notice that some Kerberos ticket is created upon user login, which
> allows the users to access a Samba share without entering the password,
> which is very convenient.
> For this to work, I had to create the SPNs in AD. However, that worked. So
> currently, it works all quite convenient.
> Further, I have configured autofs to automatically mount for each user the
> network shares they need.
> For this, I used the "multiuser" and "sec=krb5" options. This also works as
> I expected. However, I notice the following problem.

This works for me. I have this in "/etc/auto.cifs"

Share -fstype=cifs,multiuser,cruid=${UID},sec=krb5 ://server/Share

and this in "/etc/auto.master"

/cifs /etc/auto.cifs --timeout=300 --ghost

This way, if the share is not used it is unmounted and mounted again when the folder is opened. But my Kerberos ticket is renewed automatically.

By the way, which SPNs did you create? I did not have to do this.

Regards

Christian