Rowland Penny
2024-Feb-07 11:27 UTC
[Samba] Samba, Kerberos, Autofs: Shares get disconnected
On Wed, 7 Feb 2024 11:57:28 +0100
Kees van Vloten via samba <samba at lists.samba.org> wrote:

> 
> On 07-02-2024 at 11:34, Rowland Penny via samba wrote:
> > On Wed, 7 Feb 2024 10:34:15 +0100
> > Kees van Vloten via samba <samba at lists.samba.org> wrote:
> > 
> >> On 07-02-2024 at 10:11, Pluess, Tobias wrote:
> >>> Hi Kees,
> >>>
> >>> I do not think the share keeps being mounted while nobody is
> >>> logged in, as I try to use autofs which only mounts shares when
> >>> they are actually accessed.
> >>> So the scenario is
> >>>
> >>> a) some user logs into his workstation, Kerberos ticket is created
> >>> b) the user accesses the share, works fine
> >>> c) user does not switch off PC, e.g. because some programs need to
> >>> continue running during the weekend
> >>> d) when user returns after more than 10 hours have passed, he is
> >>> still logged into his workstation, but the ticket is expired and
> >>> he can no longer access the share, and autofs cannot remount
> >>> it, as the ticket has expired.
> >>>
> >>> How do I use the machine account for mounting?
> >> For me there are 2 questions here:
> >>
> >> 1. Why does the user ticket expire while he is logged in?
> >>
> >> 2. How to mount the share with the machine account?
> >>
> >> ad. 1. I had a similar issue in 03-2022, read the details and
> >> solution here:
> >> https://lists.samba.org/archive/samba/2022-March/239876.html
> >>
> >> ad. 2. @Rowland, do you have the details at hand for this? I will
> >> look into it when unix-extensions for smb3.11 are implemented. The
> >> idea is to use the machine account's user and ticket, then the
> >> ticket is managed by winbind.
> >>
> > I think the problem here is the word 'autofs', which I presume was
> > originally short for 'automatic filesystem' or mount when required.
> > 
> > Now if you want the share to be permanent (or as permanent as
> > possible), how to mount it?
> > How are your HDDs mounted?
> > In fstab, need I say more?
> > 
> > Rowland
> 
> Indeed /etc/fstab is probably the most logical place. The question
> remains what mount options are required to make this work with the
> machine account and would such a mount allow multi-user access given
> that each user has sufficient permissions?

mount -t cifs //yourserver/share /share -osec=krb5,username=MACHINE$,multiuser

> 
> Now that I am writing that: "sufficient permissions" implies that the
> user has a valid ticket. In other words question 1 needs to be
> addressed for this to work as well.

If the user is an AD user logged into a domain joined Unix machine, then
they have a valid ticket.

Rowland
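The fstab route Rowland points at, worked out as an added example; this is not code from the thread or from the Samba project. It renders the /etc/fstab line for a machine-account multiuser mount and keeps the machine account's TGT fresh so the mount can be (re)established after the users' own tickets have expired. The host name ws01, realm EXAMPLE.COM, server fileserver.example.com, share name data, the keytab at /etc/krb5.keytab and root's credential cache as the one cifs.upcall finds for cruid=0 are all assumptions.

```sh
#!/bin/sh
# Added example (not from the thread): keep the machine account's Kerberos TGT
# fresh on a domain-joined Linux host and (re)mount a multiuser cifs share with
# it, so the share does not depend on any one user's 10-hour ticket.
#
# Assumptions (not stated in the thread):
#   - the host's Kerberos keys are in /etc/krb5.keytab (for example winbind with
#     "kerberos method = secrets and keytab" in smb.conf)
#   - MIT Kerberos tools: "klist -s" (valid TGT present?), "kinit -R", "kinit -k"
#   - root's default credential cache is the one cifs.upcall uses for cruid=0
#   - the share is listed in /etc/fstab, so "mount <mountpoint>" finds its options
#   - util-linux "mountpoint" is available

# HOSTNAME$@REALM from a short host name and a realm; AD machine principals are
# upper case with a trailing "$".
machine_principal() {
    host_upper=$(printf '%s' "$1" | tr '[:lower:]' '[:upper:]')
    printf '%s$@%s\n' "$host_upper" "$2"
}

# The /etc/fstab line for a machine-account, multiuser mount.
#   sec=krb5   Kerberos authentication, no password stored on disk
#   multiuser  the mount is established as the machine account; every user who
#              touches the share gets their own SMB session with their own ticket
#   cruid=0    the ticket for the mount itself is looked up in root's ccache
#   username=  the machine account, as in the mount command quoted above
#   _netdev    wait for the network; nofail: an unreachable server must not
#              block boot
fstab_entry() {
    server=$1; share=$2; mountpoint=$3; account=$4
    printf '//%s/%s %s cifs sec=krb5,multiuser,cruid=0,username=%s,_netdev,nofail 0 0\n' \
        "$server" "$share" "$mountpoint" "$account"
}

# Renew root's TGT while it is still valid; otherwise fetch a new one from the
# keytab. "kinit -R" only succeeds while the current ticket is unexpired and
# inside its renew lifetime, so call this from a timer well inside the ticket
# lifetime (hourly is a safe choice against a 10-hour lifetime).
refresh_machine_tgt() {
    principal=$1
    if klist -s 2>/dev/null && kinit -R 2>/dev/null; then
        return 0
    fi
    # Expired, not renewable, or no cache at all: fresh TGT from /etc/krb5.keytab
    kinit -k "$principal"
}

# Mount the share if it is not already mounted; options come from /etc/fstab.
ensure_mounted() {
    mp=$1
    if mountpoint -q "$mp"; then
        return 0
    fi
    mount "$mp"
}

# Only act when explicitly asked, e.g. from a cron job or systemd timer:
#   machine-cifs.sh run ws01 EXAMPLE.COM /share
if [ "${1:-}" = run ]; then
    refresh_machine_tgt "$(machine_principal "$2" "$3")" && ensure_mounted "$4"
fi
```

Two checks before relying on this: cifs.upcall must be registered for the cifs.spnego key type under /etc/request-key.d, and `kinit -k 'WS01$@EXAMPLE.COM'` must succeed by hand, which proves the keytab holds a current key for the machine account (winbind rotates the machine password, and `kinit -k` always reads the current keytab). The renewal caveat is the same one behind "question 1" in the thread: a TGT can only be renewed while it is still valid, so a user whose ticket has already expired needs a new `kinit` (or a login that refreshes the ticket), not `kinit -R`.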
Kees van Vloten
2024-Feb-07 11:31 UTC
[Samba] Samba, Kerberos, Autofs: Shares get disconnected
On 07-02-2024 at 12:27, Rowland Penny via samba wrote:
> On Wed, 7 Feb 2024 11:57:28 +0100
> Kees van Vloten via samba <samba at lists.samba.org> wrote:
> 
>> On 07-02-2024 at 11:34, Rowland Penny via samba wrote:
>>> On Wed, 7 Feb 2024 10:34:15 +0100
>>> Kees van Vloten via samba <samba at lists.samba.org> wrote:
>>>
>>>> On 07-02-2024 at 10:11, Pluess, Tobias wrote:
>>>>> Hi Kees,
>>>>>
>>>>> I do not think the share keeps being mounted while nobody is
>>>>> logged in, as I try to use autofs which only mounts shares when
>>>>> they are actually accessed.
>>>>> So the scenario is
>>>>>
>>>>> a) some user logs into his workstation, Kerberos ticket is created
>>>>> b) the user accesses the share, works fine
>>>>> c) user does not switch off PC, e.g. because some programs need to
>>>>> continue running during the weekend
>>>>> d) when user returns after more than 10 hours have passed, he is
>>>>> still logged into his workstation, but the ticket is expired and
>>>>> he can no longer access the share, and autofs cannot remount
>>>>> it, as the ticket has expired.
>>>>>
>>>>> How do I use the machine account for mounting?
>>>> For me there are 2 questions here:
>>>>
>>>> 1. Why does the user ticket expire while he is logged in?
>>>>
>>>> 2. How to mount the share with the machine account?
>>>>
>>>> ad. 1. I had a similar issue in 03-2022, read the details and
>>>> solution here:
>>>> https://lists.samba.org/archive/samba/2022-March/239876.html
>>>>
>>>> ad. 2. @Rowland, do you have the details at hand for this? I will
>>>> look into it when unix-extensions for smb3.11 are implemented. The
>>>> idea is to use the machine account's user and ticket, then the
>>>> ticket is managed by winbind.
>>>>
>>> I think the problem here is the word 'autofs', which I presume was
>>> originally short for 'automatic filesystem' or mount when required.
>>>
>>> Now if you want the share to be permanent (or as permanent as
>>> possible), how to mount it?
>>> How are your HDDs mounted?
>>> In fstab, need I say more?
>>>
>>> Rowland
>> Indeed /etc/fstab is probably the most logical place. The question
>> remains what mount options are required to make this work with the
>> machine account and would such a mount allow multi-user access given
>> that each user has sufficient permissions?
> mount -t cifs //yourserver/share /share -osec=krb5,
> username=MACHINE$,multiuser
>> Now that I am writing that: "sufficient permissions" implies that the
>> user has a valid ticket. In other words question 1 needs to be
>> addressed for this to work as well.
> If the user is an AD user logged into a domain joined Unix machine,
> then they have a valid ticket.

The original issue was that the user's ticket did not get refreshed and
then lost access to the share mounted with autofs.

- Kees.

> 
> Rowland
> 
> 