On 23/12/2022 16:02, Stefan Kania via samba wrote:
> Hi all,
>
> I try to get pam-mount working with sec=krb5. I've got the following
> config:
> ---------------------
> <volume
>         fstype="cifs"
>         server="fs-01.example.net"
>         path="users/%(DOMAIN_USER)"
>         mountpoint="/home/EXAMPLE/%(DOMAIN_USER)"
>         sgrp="domain users"
>         options="sec=krb5,cruid=%(USERID),workgroup=EXAMPLE,vers=3.1.1" />
>
> <volume
>         fstype="cifs"
>         server="fs-01.example.net"
>         path="abteilungen"
>         mountpoint="/abteilungen"
>         sgrp="domain users"
>         options="sec=krb5,cruid=%(USERID),workgroup=EXAMPLE,vers=3.1.1" />
> ---------------------
>
> When I connect with a user I see:
> ---------------------
> Dec 23 16:23:46 client-02 kernel: [   81.158008] CIFS: Attempting to
> mount \\fs-01.example.net\users
> Dec 23 16:23:46 client-02 kernel: [   81.253128] CIFS: VFS: Verify user
> has a krb5 ticket and keyutils is installed
> Dec 23 16:23:46 client-02 kernel: [   81.253134] CIFS: VFS:
> \\fs-01.example.net Send error in SessSetup = -126
> Dec 23 16:23:46 client-02 kernel: [   81.253154] CIFS: VFS: cifs_mount
> failed w/return code = -126
If I remember correctly, '-126' basically means 'help, I cannot find the
kerberos ticket'.
>
> ---------------------
>
> When I switch to "sec=ntlmssp" pam-mount is working.
>
> I then tried to get a ticket and access the share via smbclient:
> -----------------
> ktom@client-02:~$ kinit ktom
> ktom@EXAMPLE.NET's Password:
> ktom@client-02:~$ klist
> Credentials cache: FILE:/tmp/krb5cc_1001107_dUP4GZ
>         Principal: ktom@EXAMPLE.NET
>
> ktom@client-02:~$ smbclient //fs-01/abteilungen
> Enter ktom@EXAMPLE.NET's password:
> Try "help" to get a list of possible commands.
> smb: \>
That isn't using kerberos, try adding '--use-kerberos=required'
>
> ktom@client-02:~$ klist
> Credentials cache: FILE:/tmp/krb5cc_1001107_dUP4GZ
>         Principal: ktom@EXAMPLE.NET
>
>   Issued                Expires               Principal
> Dec 23 16:44:49 2022  Dec 24 02:44:49 2022  krbtgt/EXAMPLE.NET@EXAMPLE.NET
> Dec 23 16:46:09 2022  Dec 24 02:44:49 2022  cifs/fs-01@EXAMPLE.NET
> -----------------
>
> Here is my krb5.conf:
> ---------------
> [libdefaults]
>         default_realm = EXAMPLE.NET
>         dns_lookup_realm = false
>         dns_lookup_kdc = true
> ---------------
>
> And smb.conf
> ---------------
> [global]
>         workgroup = example
>         realm = EXAMPLE.NET
>         security = ADS
>         winbind refresh tickets = yes
>         winbind use default domain = yes
>         template shell = /bin/bash
>         idmap config * : range = 100000 - 199999
>         idmap config EXAMPLE : backend = rid
>         idmap config EXAMPLE : range = 1000000 - 1999999
> ---------------
>
> Any idea?
>
It could be that pam_mount is looking for the kerberos ticket
'/tmp/krb5cc_1001107' and as you can see, it is actually
'/tmp/krb5cc_1001107_dUP4GZ'
Rowland
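As an added example that is not part of this thread (not Stefan's or Rowland's code, and not from samba, pam_mount or cifs-utils): a small POSIX shell pre-flight check to run before trying a pam_mount cifs volume with sec=krb5,cruid=<uid>. It checks the two things the kernel message asks about, keyutils/cifs.upcall being installed and a ticket cache existing for the cruid user, and it distinguishes the plain /tmp/krb5cc_<uid> name from a kinit-created krb5cc_<uid>_XXXXXX cache, which is the mismatch Rowland points to. The function names, the optional directory argument and the wording of the advice are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not from the thread, samba, pam_mount or cifs-utils):
# pre-flight check for a pam_mount cifs volume mounted with sec=krb5,cruid=<uid>.
# Function names and the DIR argument (defaults to /tmp) are assumptions made
# for this example.

# find_ccache DIR UID
# Prints one line per credential cache found for UID under DIR:
#   "exact DIR/krb5cc_UID"          the plain default file name
#   "suffixed DIR/krb5cc_UID_XXXX"  a per-login cache, like the
#                                   /tmp/krb5cc_1001107_dUP4GZ seen in the thread
# Returns 1 when neither form exists.
find_ccache() {
    dir=$1
    uid=$2
    found=1
    if [ -f "$dir/krb5cc_$uid" ]; then
        printf 'exact %s\n' "$dir/krb5cc_$uid"
        found=0
    fi
    for f in "$dir/krb5cc_${uid}_"*; do
        [ -f "$f" ] || continue
        printf 'suffixed %s\n' "$f"
        found=0
    done
    return $found
}

# ccache_status DIR UID -> prints "exact", "suffixed-only" or "none"
ccache_status() {
    out=$(find_ccache "$1" "$2") || { echo none; return 0; }
    case $out in
        exact*) echo exact ;;
        *)      echo suffixed-only ;;
    esac
}

# keyutils_present: sec=krb5 needs request-key(8) from keyutils and the
# cifs.upcall helper from cifs-utils; the kernel message names the former.
keyutils_present() {
    command -v request-key >/dev/null 2>&1 &&
    command -v cifs.upcall >/dev/null 2>&1
}

# preflight UID [DIR]: human-readable report to run before testing the
# volume by hand with mount.cifs.
preflight() {
    uid=$1
    dir=${2:-/tmp}
    if keyutils_present; then
        echo "keyutils + cifs.upcall: installed"
    else
        echo "keyutils + cifs.upcall: missing (install keyutils and cifs-utils)"
    fi
    case $(ccache_status "$dir" "$uid") in
        exact)
            echo "ticket cache: $dir/krb5cc_$uid present" ;;
        suffixed-only)
            echo "ticket cache: only a krb5cc_${uid}_XXXXXX cache exists"
            echo "  if the mount still fails with -126, have the login session"
            echo "  write $dir/krb5cc_$uid instead, e.g. by setting the default"
            echo "  cache name in krb5.conf [libdefaults] to FILE:/tmp/krb5cc_%{uid}"
            echo "  (default_ccache_name on MIT Kerberos, default_cc_name on Heimdal)" ;;
        none)
            echo "ticket cache: none for uid $uid in $dir (kinit as that user first)" ;;
    esac
}

# Usage: sh preflight.sh 1001107
if [ $# -gt 0 ]; then
    preflight "$@"
fi
```

Run it as root with the numeric uid you pass as cruid (1001107 in the thread); the "suffixed-only" branch is exactly the situation in Stefan's klist output, where a ticket exists but not under the plain /tmp/krb5cc_<uid> name.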