Francois Lafont
2017-Apr-11 16:56 UTC
[Samba] Good practices to make a Kerberos "mount.cifs" launched by root but with the credentials of another user
Hi,

I have a Debian Stretch computer which is a "samba4 member server" of a Samba4 AD domain (versions etc. are mentioned at the end of the message). I think my config is OK and I can open a _graphical_ session with an AD user account. The display manager of the computer is Lightdm. For instance, I can open a graphical session with the AD account bob (uid == 14001). In this case, I have the environment variable KRB5CCNAME which is correctly set in the graphical session of bob:

    # In a gnome-terminal of the bob graphical session, I have:
    bob at stretch:~$ env | grep KR
    KRB5CCNAME=FILE:/tmp/krb5cc_14001_I1H5wf
    bob at stretch:~$ ls -l /tmp/krb5cc_14001_I1H5wf
    -rw------- 1 bob domusers 3534 Apr 11 15:43 /tmp/krb5cc_14001_I1H5wf

The display manager Lightdm uses PAM and especially pam_krb5, and it's this lib which has created the credentials cache file /tmp/krb5cc_14001_I1H5wf, where 14001 is the uid of bob and "I1H5wf" is just a random string generated by pam_krb5.

Then, I have a logon script which is set by Lightdm via this config:

    root at stretch:~# cat /etc/lightdm/lightdm.conf.d/custom.conf
    [SeatDefaults]
    ...
    session-setup-script = /usr/local/bin/logon

Important: this script is run as _root_ and during the execution of this script the envvar USER is correctly set and I have USER == "bob", _but_ no KRB5CCNAME envvar is set. The KRB5CCNAME envvar is set in the graphical session of bob but not during the execution of the logon script.

In the logon script, I want to make the mounts of shares with mount.cifs. Here is my problem: what is the proper way to mount with mount.cifs the shares of "bob" with Kerberos authentication? If I have understood correctly, I have to set the envvar KRB5CCNAME and pass it to the mount.cifs command.

So currently, I do this in the logon script (and it _works_):

    KRB5CCNAME=$(find /tmp/ -maxdepth 1 -mindepth 1 -type f -name 'krb5cc_*' -user bob)
    KRB5CCNAME=$KRB5CCNAME mount.cifs //samba.athome.priv/myhome /mnt/docs/ \
        -o username=bob,domain=ATHOME.PRIV,sec=krb5i,cruid=bob

But I have the feeling that I am completely missing the "Kerberos" good practices this way. What is the good practice to make a "mount.cifs" of a share for a specific AD user (bob) via Kerberos authentication, in a script which is launched by root and without specific information concerning the path of the credential cache file of that user (no envvar KRB5CCNAME is set)?

NB: I really want to manage the mounts in logon with a shell script run as root because I need flexibility (for instance, make some mounts if the user is in the group "foo" and some other mounts if not, etc.).

Thanks in advance for your help.

François Lafont

The member server:
  * OS => Debian Stretch
  * Samba => 4.5.8 (from the distribution)
  * mount.cifs => 6.7 (from the distribution)
  * libkrb5 => 1.15 (from the distribution)
  * libpam-krb5 => 4.7 (from the distribution)

I don't think it's relevant here but just in case, my Samba4 _AD_ server is an Ubuntu Xenial with Samba4 version 4.5.4 installed from sources.
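One way to write the root-run logon script described above, as an added example that is not part of the original post: it picks the single newest mode-0600 cache owned by the user (so stale caches from earlier sessions cannot turn KRB5CCNAME into a multi-line value), then mounts with cruid and KRB5CCNAME as in the post, with the extra mount for group "foo". The share names, mount points, domain and the CCACHE_DIR/MOUNT_CIFS overrides are assumptions taken from or added to the post.

```shell
#!/bin/sh
# Added example, not from the original post: Lightdm session-setup script run
# as root that finds the pam_krb5 credential cache of the user who just logged
# in and mounts shares with that user's Kerberos ticket. Assumed: caches are
# named krb5cc_<uid>_<random> in CCACHE_DIR (default /tmp); MOUNT_CIFS can be
# pointed at a stub when testing the logic without a real server.
set -eu

CCACHE_DIR=${CCACHE_DIR:-/tmp}
MOUNT_CIFS=${MOUNT_CIFS:-mount.cifs}

# find_ccache USER: print the newest mode-0600 regular file krb5cc_<uid>_*
# owned by USER, or fail (status 1) when there is none. Taking exactly one
# file avoids a multi-line KRB5CCNAME when old caches are still lying around;
# -type f skips symlinks and -perm ignores caches readable by other users.
find_ccache() {
    uid=$(id -u "$1") || return 1
    newest=$(find "$CCACHE_DIR" -maxdepth 1 -mindepth 1 -type f -user "$1" \
                  -perm 0600 -name "krb5cc_${uid}_*" -printf '%T@ %p\n' \
             | sort -rn | head -n 1 | cut -d' ' -f2-)
    [ -n "$newest" ] || return 1
    printf '%s\n' "$newest"
}

# user_in_group USER GROUP: succeed when USER is a member of GROUP.
user_in_group() {
    id -nG "$1" | tr ' ' '\n' | grep -qx "$2"
}

# mount_user_share USER SHARE MOUNTPOINT: cruid tells cifs.upcall whose ticket
# to use; KRB5CCNAME tells it where the cache is, because the random suffix
# added by pam_krb5 defeats the default /tmp/krb5cc_<uid> lookup.
mount_user_share() {
    cc=$(find_ccache "$1") || { echo "no credential cache for $1" >&2; return 1; }
    KRB5CCNAME=$cc "$MOUNT_CIFS" "$2" "$3" \
        -o "username=$1,domain=ATHOME.PRIV,sec=krb5i,cruid=$1"
}

# Lightdm sets USER before running the script: home share for everyone,
# an extra share only for members of group "foo" (placeholder paths).
logon_main() {
    mount_user_share "$USER" //samba.athome.priv/myhome /mnt/docs
    if user_in_group "$USER" foo; then
        mount_user_share "$USER" //samba.athome.priv/foo /mnt/foo
    fi
}

# Only act when installed as /usr/local/bin/logon; sourcing has no side effects.
case "${0##*/}" in logon) logon_main ;; esac
```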