Pluess, Tobias
2024-Feb-12 08:38 UTC
[Samba] Samba, Kerberos, Autofs: Shares get disconnected
Good day

please excuse my delayed response.
Thanks for the hint with the machine account. I will try this.
I realised I can also manually refresh Kerberos tickets.

I have the following:

$ klist
Valid starting       Expires              Service principal
02/12/2024 08:39:44  02/12/2024 18:39:44  krbtgt/CAMPUS
    renew until 02/13/2024 08:39:40

so this ticket is valid until 12. February 18:39. Fine. And I can refresh it using kinit -R. This also works. However, there is the line "renew until". I read that this means this very ticket can only be refreshed until 13. February 8:39. After that date, it is no longer possible to refresh this ticket. So I am still wondering how it could be possible to have a mountpoint that uses Kerberos and stays connected for longer than a couple of days, without disconnecting and reconnecting again? Is that even possible?

Will try now the machine account as well, hopefully with better results.

Concerning the questions for autofs:
This is a service that automatically mounts any file systems as soon as they are accessed. I didn't want to put my network shares into the fstab, as this may cause trouble when the network is not reachable for some reason. With autofs, the shares are mounted as soon as they are accessed, and unmounted if no process is accessing them anymore.

On Wed, Feb 7, 2024 at 12:32 PM Kees van Vloten via samba <samba at lists.samba.org> wrote:
>
> On 07-02-2024 at 12:27, Rowland Penny via samba wrote:
> > On Wed, 7 Feb 2024 11:57:28 +0100
> > Kees van Vloten via samba <samba at lists.samba.org> wrote:
> >
> >> On 07-02-2024 at 11:34, Rowland Penny via samba wrote:
> >>> On Wed, 7 Feb 2024 10:34:15 +0100
> >>> Kees van Vloten via samba <samba at lists.samba.org> wrote:
> >>>
> >>>> On 07-02-2024 at 10:11, Pluess, Tobias wrote:
> >>>>> Hi Kees,
> >>>>>
> >>>>> I do not think the share keeps being mounted while nobody is
> >>>>> logged in, as I try to use autofs which only mounts shares when
> >>>>> they are actually accessed.
> >>>>> So the scenario is
> >>>>>
> >>>>> a) some user logs into his workstation, Kerberos ticket is created
> >>>>> b) the user accesses the share, works fine
> >>>>> c) user does not switch off PC, e.g. because some programs need to
> >>>>> continue running during the weekend
> >>>>> d) when user returns after more than 10 hours have passed, he is
> >>>>> still logged into his workstation, but the ticket is expired and
> >>>>> he can no longer access the share, and autofs cannot remount
> >>>>> it, as the ticket has expired.
> >>>>>
> >>>>> How do I use the machine account for mounting?
> >>>> For me there are 2 questions here:
> >>>>
> >>>> 1. Why does the user ticket expire while he is logged in?
> >>>>
> >>>> 2. How to mount the share with the machine account?
> >>>>
> >>>> ad. 1. I had a similar issue in 03-2022, read the details and
> >>>> solution here:
> >>>> https://lists.samba.org/archive/samba/2022-March/239876.html
> >>>>
> >>>> ad. 2. @Rowland, do you have the details at hand for this? I will
> >>>> look into it when unix-extensions for smb3.11 are implemented. The
> >>>> idea is to use the machine account's user and ticket, then the
> >>>> ticket is managed by winbind.
> >>>>
> >>> I think the problem here is the word 'autofs', which I presume was
> >>> originally short for 'automatic filesystem' or mount when required.
> >>>
> >>> Now if you want the share to be permanent (or as permanent as
> >>> possible), how to mount it?
> >>> How are your HDDs mounted?
> >>> In fstab, need I say more?
> >>>
> >>> Rowland
> >> Indeed /etc/fstab is probably the most logical place. The question
> >> remains what mount options are required to make this work with the
> >> machine account and would such a mount allow multi-user access given
> >> that each user has sufficient permissions?
> > mount -t cifs //yourserver/share /share -osec=krb5,username=MACHINE$,multiuser
> >> Now that I am writing that: "sufficient permissions" implies that the
> >> user has a valid ticket. In other words question 1 needs to be
> >> addressed for this to work as well.
> > If the user is an AD user logged into a domain joined Unix machine,
> > then they have a valid ticket.
>
> The original issue was that the user's ticket did not get refreshed and
> then lost access to the share mounted with autofs.
>
> - Kees.
>
> >
> > Rowland
Rowland Penny
2024-Feb-12 09:19 UTC
[Samba] Samba, Kerberos, Autofs: Shares get disconnected
On Mon, 12 Feb 2024 09:38:01 +0100
"Pluess, Tobias via samba" <samba at lists.samba.org> wrote:

> Good day
>
> please excuse my delayed response.
> Thanks for the hint with the machine account. I will try this.
> I realised I can also manually refresh Kerberos tickets.
>
> I have the following:
>
> $ klist
> Valid starting       Expires              Service principal
> 02/12/2024 08:39:44  02/12/2024 18:39:44  krbtgt/CAMPUS
>     renew until 02/13/2024 08:39:40
>
> so this ticket is valid until 12. February 18:39. Fine.

Not really, my tickets have a renewal time of one week, i.e.

klist -c /tmp/krb5cc_11104
Ticket cache: FILE:/tmp/krb5cc_11104
Default principal: rowland at SAMDOM.EXAMPLE.COM

Valid starting     Expires            Service principal
12/02/24 07:56:02  12/02/24 17:56:02  krbtgt/SAMDOM.EXAMPLE.COM at SAMDOM.EXAMPLE.COM
    renew until 19/02/24 07:56:02

> And I can
> refresh it using kinit -R. This also works.

You shouldn't have to manually refresh the ticket, winbind can do it for you.

> However, there is the
> line "renew until". I read that this means this very ticket can only
> be refreshed until 13. February 8:39. After that date, it is no
> longer possible to refresh this ticket. So I am still wondering how
> it could be possible to have a mountpoint that uses Kerberos and
> stays connected for longer than a couple of days, without disconnecting
> and reconnecting again? Is that even possible?

I think we need to see your /etc/krb5.conf and the output of 'testparm -s'

>
> Will try now the machine account as well, hopefully with better
> results.

The machine ticket can mount a share, but you will also need 'multiuser' and your users will also require a valid ticket.

>
> Concerning the questions for autofs:
> This is a service that automatically mounts any file systems as soon
> as they are accessed. I didn't want to put my network shares into the
> fstab, as this may cause trouble when the network is not reachable
> for some reason. With autofs, the shares are mounted as soon as they
> are accessed, and unmounted if no process is accessing them anymore.
>

Surely the network not being reachable is also a problem for autofs, and what if the connection goes idle (for whatever reason), does autofs drop the connection?

Rowland
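Both klist outputs in this thread (Tobias's ten-hour ticket with a one-day "renew until", Rowland's with a one-week one) hinge on the same rule: kinit -R only works while the TGT is still unexpired and the new expiry can still be pushed out towards "renew until". The following is an added example, my own code rather than anything from the thread, Samba or MIT Kerberos: it parses klist output in the two timestamp formats quoted above and decides whether a periodic refresher should do nothing, run kinit -R, or give up because a fresh kinit (or winbind's own refresh) is needed. The sample cache contents, the one-hour margin and the MIT klist layout are assumptions.

```python
"""Added example: classify a Kerberos TGT from klist output (MIT layout assumed)."""
import re
from datetime import datetime, timedelta

# klist prints local-format timestamps; both styles quoted in the thread are tried.
TIME_FORMATS = ("%m/%d/%Y %H:%M:%S", "%d/%m/%y %H:%M:%S")
TS = r"\d{2}/\d{2}/\d{2,4} \d{2}:\d{2}:\d{2}"
TGT_LINE = re.compile(rf"^\s*({TS})\s+({TS})\s+krbtgt/\S+")
RENEW_LINE = re.compile(rf"^\s*renew until ({TS})")

# Constructed sample in the layout of the klist output quoted in the thread.
SAMPLE_KLIST = """Valid starting       Expires              Service principal
02/12/2024 08:39:44  02/12/2024 18:39:44  krbtgt/CAMPUS
\trenew until 02/13/2024 08:39:40
"""

def parse_time(text):
    for fmt in TIME_FORMATS:
        try:
            return datetime.strptime(text, fmt)
        except ValueError:
            continue
    raise ValueError("unrecognised klist timestamp: " + text)

def parse_tgt(klist_output):
    """Return (expires, renew_until) of the krbtgt entry; renew_until is None
    when the ticket carries no 'renew until' line (not renewable)."""
    lines = klist_output.splitlines()
    for i, line in enumerate(lines):
        m = TGT_LINE.match(line)
        if not m:
            continue
        r = RENEW_LINE.match(lines[i + 1]) if i + 1 < len(lines) else None
        return parse_time(m.group(2)), (parse_time(r.group(1)) if r else None)
    raise ValueError("no krbtgt entry in klist output")

def tgt_action(klist_output, now, margin=timedelta(hours=1)):
    """'ok': nothing to do yet; 'renew': 'kinit -R' still extends the ticket;
    'reauth': renewal cannot help, a fresh kinit (or winbind refresh) is needed."""
    if isinstance(now, str):
        now = datetime.fromisoformat(now)
    expires, renew_until = parse_tgt(klist_output)
    if now >= expires:    # the KDC will not renew a ticket that has already expired
        return "reauth"
    if expires - now > margin:
        return "ok"
    if renew_until is not None and renew_until > expires:
        return "renew"
    return "reauth"       # renewable lifetime exhausted, or ticket not renewable
```

Run from cron or a systemd timer with the real `klist` output piped in, 'renew' is the only outcome where kinit -R is worth calling; 'reauth' is exactly the weekend scenario from the thread, which no renewal can rescue.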