Kees van Vloten
2024-Feb-07 09:34 UTC
[Samba] Samba, Kerberos, Autofs: Shares get disconnected
On 07-02-2024 at 10:11, Pluess, Tobias wrote:
> Hi Kees,
>
> I do not think the share keeps being mounted while nobody is logged in, as I try to use autofs which only mounts shares when they are actually accessed.
> So the scenario is
>
> a) some user logs into his workstation, Kerberos ticket is created
> b) the user accesses the share, works fine
> c) user does not switch off PC, e.g. because some programs need to continue running during the weekend
> d) when user returns after more than 10 hours have passed, he is still logged into his workstation, but the ticket is expired and he cannot any more access the share, and autofs cannot remount it, as the ticket has expired.
>
> How do I use the machine account for mounting?

For me there are 2 questions here:

1. Why does the user ticket expire while he is logged in?
2. How to mount the share with the machine account?

ad. 1. I had a similar issue in 03-2022, read the details and solution here: https://lists.samba.org/archive/samba/2022-March/239876.html

ad. 2. @Rowland, do you have the details at hand for this? I will look into it when unix-extensions for smb3.11 are implemented. The idea is to use the machine account's user and ticket, then the ticket is managed by winbind.

- Kees.

>
>
> On Wed, Feb 7, 2024 at 9:56 AM Kees van Vloten <keesvanvloten at gmail.com> wrote:
>
>     On 06-02-2024 at 16:02, Pluess, Tobias wrote:
>> Good day Kees,
>>
>> I have no special user to connect the share. Instead, I tried to use the user's own Kerberos ticket, which seems to work fine.
>> I use the options
>>
>> sec=krb5,multiuser,cruid=$USER
>>
>> to mount the share. That seems to accept the user's Kerberos ticket which is created when he logs in.
>>
>> best
>> Tobias
>
> It looks like the share remains mounted while the user logs out, is that correct?
>
> In any case the user's kerberos ticket is not valid at some point in time (likely after it expires after 10h) and hence the error "required key not available".
>
> When the user is logged in, it will refresh the ticket on time, so this does not (or at least, should not) happen.
>
> Why not unmount the share when the user logs out?
>
> Or if you want it to remain mounted, I would suggest to use the machine account to mount it with a multi-user mount. The machine-account ticket gets refreshed by winbind with the option Rowland suggested.
>
> - Kees.
>
>>
>>
>> On Tue, Feb 6, 2024 at 1:37 PM Kees van Vloten via samba <samba at lists.samba.org> wrote:
>>
>>
>>     On 06-02-2024 at 13:27, Pluess, Tobias via samba wrote:
>> > Hi,
>> > I am still trying to figure out the best settings for Samba and Kerberos with autofs.
>> > My setup so far works well, users can log in on their computers using AD credentials, and they can access network shares with AD credentials as well. This works perfectly.
>> > Also I notice that some Kerberos ticket is created upon user login, which allows the users to access a Samba share without entering the password, which is very convenient.
>> > For this to work, I had to create the SPNs in AD. However, that worked. So currently, it works all quite convenient.
>> > Further, I have configured autofs to automatically mount for each user the network shares they need.
>> > For this, I used the "multiuser" and "sec=krb5" options. This also works as I expected. However, I notice the following problem.
>> >
>> > Assume I log in on my workstation and I have a Samba share automounted (via autofs) under /storage/work. Just after logging in to my workstation, I can easily access the share without troubles. However, when I leave my workstation running during the night and return the next morning, I notice the /storage/work has been disconnected, even if I had some program running there that accesses these data. Furthermore, autofs cannot any more automatically reconnect the network share, it claims "required key not available". The only way to reconnect the share seems to be
>> >
>> > a) stop autofs
>> > b) kdestroy
>> > c) kinit, and enter the password
>> > d) restart autofs
>> >
>> > then the share works again as normal.
>> > I wonder, is this behaviour intentional or is this a bug or just misconfiguration? I thought as long as I stay logged in on my workstation, the Kerberos ticket does not expire. However, according to the above error message from autofs this seems not to be the case. Can I somehow fix this?
>> > It happens often that I leave my computer running over night, with some program left open to access some network shares. Previously I did that with a credentials file, but I still dislike this concept and would favour autofs + Kerberos if possible.
>> >
>> > Thanks
>> > best
>> > Tobias
>>
>> A ticket expires after 10 hours (this is the default setting), I guess you need to do something to refresh it. Are you using the user's ticket to mount the share or do you have a special user that performs a multi-user mount?
>>
>> - Kees.
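The 10-hour ticket lifetime discussed above can be checked before the remount fails. The following is an added example, not code from this thread or from Samba: it parses constructed `klist` output (MIT format, with the locale-dependent timestamp format assumed) and classifies the TGT as still fine, renewable with `kinit -R`, in need of a fresh `kinit`, or already expired, which is the state in which autofs reports "required key not available".

```python
"""Classify a Kerberos TGT from `klist` output for a cifs (sec=krb5) mount."""
import re
from datetime import datetime, timedelta

# MIT klist timestamp format is locale dependent; this one is an assumption.
FMT = "%m/%d/%Y %H:%M:%S"
STAMP = r"\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}"
TGT_ROW = re.compile(rf"^({STAMP})\s+({STAMP})\s+krbtgt/\S+")
RENEW_ROW = re.compile(rf"^\s*renew until ({STAMP})")

# Constructed sample cache: a 10h TGT issued at login, renewable for 7 days.
SAMPLE_KLIST = """\
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: tobias@EXAMPLE.COM

Valid starting       Expires              Service principal
02/07/2024 08:00:00  02/07/2024 18:00:00  krbtgt/EXAMPLE.COM@EXAMPLE.COM
\trenew until 02/14/2024 08:00:00
02/07/2024 08:01:10  02/07/2024 18:00:00  cifs/files.example.com@EXAMPLE.COM
"""

def parse_tgt(klist_output):
    """Return (expires, renew_until) of the krbtgt entry; renew_until is
    None when the ticket was issued without the renewable flag."""
    lines = klist_output.splitlines()
    for i, line in enumerate(lines):
        m = TGT_ROW.match(line)
        if not m:
            continue
        expires = datetime.strptime(m.group(2), FMT)
        r = RENEW_ROW.match(lines[i + 1] if i + 1 < len(lines) else "")
        renew_until = datetime.strptime(r.group(1), FMT) if r else None
        return expires, renew_until
    raise ValueError("no krbtgt entry in credential cache")

def tgt_status(klist_output, now, margin=timedelta(minutes=30)):
    """ok: nothing to do; renew: run `kinit -R` now; reauth: about to expire
    and not renewable, a fresh kinit is needed; expired: too late, autofs
    reports 'required key not available' until the user runs kinit again."""
    if isinstance(now, str):
        now = datetime.strptime(now, FMT)
    expires, renew_until = parse_tgt(klist_output)
    if now >= expires:
        return "expired"
    if now < expires - margin:
        return "ok"
    if renew_until is not None and now < renew_until:
        return "renew"
    return "reauth"
```

Run periodically (for example from a user timer) with `now` set to the current time, the "renew" result is the moment to call `kinit -R` so the mount survives the night; "expired" is the state Tobias describes, where only a new kinit helps.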
Rowland Penny
2024-Feb-07 10:34 UTC
[Samba] Samba, Kerberos, Autofs: Shares get disconnected
On Wed, 7 Feb 2024 10:34:15 +0100 Kees van Vloten via samba <samba at lists.samba.org> wrote:
>
> On 07-02-2024 at 10:11, Pluess, Tobias wrote:
> > Hi Kees,
> >
> > I do not think the share keeps being mounted while nobody is logged in, as I try to use autofs which only mounts shares when they are actually accessed.
> > So the scenario is
> >
> > a) some user logs into his workstation, Kerberos ticket is created
> > b) the user accesses the share, works fine
> > c) user does not switch off PC, e.g. because some programs need to continue running during the weekend
> > d) when user returns after more than 10 hours have passed, he is still logged into his workstation, but the ticket is expired and he cannot any more access the share, and autofs cannot remount it, as the ticket has expired.
> >
> > How do I use the machine account for mounting?
>
> For me there are 2 questions here:
>
> 1. Why does the user ticket expire while he is logged in?
>
> 2. How to mount the share with the machine account?
>
> ad. 1. I had a similar issue in 03-2022, read the details and solution here:
> https://lists.samba.org/archive/samba/2022-March/239876.html
>
> ad. 2. @Rowland, do you have the details at hand for this? I will look into it when unix-extensions for smb3.11 are implemented. The idea is to use the machine account's user and ticket, then the ticket is managed by winbind.
>

I think the problem here is the word 'autofs', which I presume was originally short for 'automatic filesystem' or mount when required.

Now if you want the share to be permanent (or as permanent as possible), how to mount it? How are your HDDs mounted? In fstab, need I say more?

Rowland