Jake Carroll
2008-Aug-09 00:40 UTC
[Samba] Krb5 + Samba auth problem on subsequent volume mounts
Hi all,
I have, what I think is a relatively simple samba/kerberos problem
that I am not seeing the obvious side to. I'll explain the scenario.
I have an OpenLDAP KDC or Directory Master. For the purposes of this
conversation, it is the authentication server, and the bit that grants/
hands out all the ticket information. I have a Solaris 10 system
running the default Sun shipped Samba 3.0.28 (/usr/sfw/sbin/smbd).
This Solaris fileserver is connected via LDAP to the OpenLDAP master
and has an appropriate /etc/krb5/krb5.conf and /etc/krb5/krb5.keytab
installed.
In my /etc/sfw/smb.conf, I have the simple "magic lines" to connect my
samba service to Kerberos as follows in the [global] section:
password server = somehost.somewhere.nowhere.interesting.here
workgroup = STAFF
realm = somehost.somewhere.nowhere.interesting.here
netbios name = somehost.somewhere.nowhere.interesting.here
netbios aliases = SUN SAM-FS HSM
security = SERVER
use kerberos keytab = yes
encrypt passwords = yes
So, once I have created some shares, all seems to go swimmingly. Users
connect using their SSO credentials, they are passed a ticket through
the TGT process and they are then allowed to write to the share/
directory/wherever I have specified.
The problem is, when my user decideds he/she/it has had enough of that
network mounted volume, they eject it. No big deal there - however,
when they REMOUNT the volume with their Kerberos ticket in-fact
(default ticket time out is 10 hours in my policy), they for SOME
reason authenticate as the "nobody" user - and as a result, get denied
access:
Some logs. A "healthy" connection to the service:
[2008/08/09 09:43:18, 1, pid=3893] smbd/service.c:(1033)
aaa.bb.ccc.ddd (aaa.bb.ccc.ddd) connect to service group_IT
initially as user zebra (uid=1027, gid=1028) (pid 3893)
Now, lets disconnect the share on the desktop:
[2008/08/09 09:46:50, 1, pid=3893] smbd/service.c:(1230)
aaa.bb.ccc.ddd (aaa.bb.ccc.ddd) closed connection to service group_IT
Now, lets try reconnecting with our kerberos ticket in-tact and see
what happens:
[2008/08/09 09:53:16, 4, pid=3953] smbd/reply.c:(506)
Client requested device type [A:] for share [GROUP_IT]
[2008/08/09 09:53:16, 5, pid=3953] smbd/service.c:(1205)
making a connection to 'normal' service group_it
[2008/08/09 09:53:16, 2, pid=3953] smbd/service.c:(605)
*guest user (from session setup) not permitted to access this share
(group_IT)*
*[2008/08/09 09:53:16, 3, pid=3953] smbd/error.c:(106)*
*error packet at smbd/reply.c(514) cmd=117 (SMBtconX)
NT_STATUS_ACCESS_DENIED*
[2008/08/09 09:53:16, 5, pid=3953] lib/util.c:(484)
[2008/08/09 09:53:16, 5, pid=3953] lib/util.c:(494)
size=35
smb_com=0x75
smb_rcls=34
smb_reh=0
smb_err=49152
smb_flg=136
smb_flg2=49153
smb_tid=65535
smb_pid=1
smb_uid=100
smb_mid=8
smt_wct=0
smb_bcc=0
[2008/08/09 09:53:20, 3, pid=3953] smbd/process.c:(1068)
Transaction 9 of length 43
[2008/08/09 09:53:20, 5, pid=3953] lib/util.c:(484)
[2008/08/09 09:53:20, 5, pid=3953] lib/util.c:(494)
size=39
smb_com=0x74
smb_rcls=0
smb_reh=0
smb_err=0
smb_flg=8
smb_flg2=49153
smb_tid=65535
smb_pid=1
smb_uid=100
smb_mid=9
smt_wct=2
smb_vwv[ 0]= 255 (0xFF)
smb_vwv[ 1]= 0 (0x0)
smb_bcc=0
What the? I've got a legit ticket:
MacbookPro:~ zebra$ klist
Kerberos 5 ticket cache: 'API:Initial default ccache'
Default principal: zebra@somehost.somewhere.nowhere.interesting.here
Valid Starting Expires Service Principal
08/09/08 09:42:32 08/09/08 19:42:32
krbtgt/somehost.somewhere.nowhere.interesting.here@somehost.somewhere.nowhere.interesting.here
renew until 08/16/08 09:42:32
Frustratingly, if I to a kdestroy on my ticket on the client desktop,
then remount the share, everything is perfect - I am the correct user,
and all goes according to plan again.
Has anyone ever come up against such issues? I am not sure if this is
*too* Kerberos oriented for the samba list, or it is something you see
all the time. Hopefully it is simply rectified.
Thanks for your time.
JC
Maybe Matching Threads
Wisdom of the Ancients
