On 23/12/2022 18:31, Stefan Kania via samba wrote:
>
> Am 23.12.22 um 18:29 schrieb Stefan Kania via samba:
>>
>>
>> Am 23.12.22 um 18:17 schrieb Rowland Penny via samba:
>>>
>>>
>>> On 23/12/2022 16:55, Stefan Kania via samba wrote:
>>>>
>>>>
>>>> Am 23.12.22 um 17:48 schrieb Rowland Penny via samba:
>>>>>>
>>>>>
>>>>> It could be that pam_mount is looking for the kerberos ticket
>>>>> '/tmp/krb5cc_1001107' and as you can see, it is actually
>>>>> '/tmp/krb5cc_1001107_dUP4GZ'
>>>>
>>>> That's what I also thought, but this is the ticket filename created
>>>> when the user logs in to the system. Do you know a way to force the
>>>> system NOT to add the last digits after the uid?
>>>>
>>>
>>> I think there is a parameter you can set, try reading the krb5.conf
>>> manpage. Have you tried turning on debug in pam_mount.conf.xml ?
>>>
>>
>> Yes, and I got the same error :-(.
>>
>> One more thing:
>>
>> I just tested kinit together with MIT-Kerberos and OpenLDAP and there
>> I got a filename krb5cc_<uid> without the suffix after the uid, so it
>> must have something to do with heimdal-kerberos; if so, it would be bad.
>>
>>
>>> Rowland
>>>
>>
>>
>
> I found out, Heimdal is NOT using default_ccache_name but
> default_cc_name. I now changed my krb5.conf to:
> -----------------
> [libdefaults]
>     default_realm = EXAMPLE.NET
>     dns_lookup_realm = false
>     dns_lookup_kdc = true
>     default_cc_name = FILE:/tmp/krb5cc_%{uid}
>
> -----------------
> But still the same, but it has something to do with Heimdal-Kerberos.
> Changing the filename together with MIT-Kerberos and OpenLDAP works.
>
>
Sorry Stefan, but it works for me.
Installed on Debian bullseye:
apt install libpam-mount cifs-utils hxtools keyutils
Changed /etc/krb5.conf to this:
[libdefaults]
default_realm = SAMDOM.EXAMPLE.COM
dns_lookup_realm = false
dns_lookup_kdc = true
default_ccache_name = FILE:/tmp/krb5cc_%{uid}
[realms]
SAMDOM.EXAMPLE.COM = {
default_domain = samdom.example.com
}
[domain_realm]
samdom.example.com = SAMDOM.EXAMPLE.COM
.samdom.example.com = SAMDOM.EXAMPLE.COM
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
Set /etc/security/pam_mount.conf.xml to this:
<?xml version="1.0" encoding="utf-8" ?>
<!DOCTYPE pam_mount SYSTEM "pam_mount.conf.xml.dtd">
<!--
    See pam_mount.conf(5) for a description.
-->
<pam_mount>
    <!-- debug should come before everything else,
         since this file is still processed in a single pass
         from top-to-bottom -->
    <!--<debug enable="0" /> -->
    <debug enable="3" />

    <!-- Volume definitions -->
    <volume
        fstype="cifs"
        server="devstation.samdom.example.com"
        path="data"
        mountpoint="/home/SAMDOM/data"
        uid="10000-640000"
        options="user=%(USER),domain=samdom,sec=krb5,cruid=%(USERUID),multiuser,vers=3.0"
    />

    <!-- pam_mount parameters: General tunables -->
    <!--
    <luserconf name=".pam_mount.conf.xml" />
    -->

    <!-- Note that commenting out mntoptions will give you the defaults.
         You will need to explicitly initialize it with the empty string
         to reset the defaults to nothing. -->
    <mntoptions allow="nosuid,nodev,loop,encryption,fsck,nonempty,allow_root,allow_other" />
    <!--
    <mntoptions deny="suid,dev" />
    <mntoptions allow="*" />
    <mntoptions deny="*" />
    -->
    <mntoptions require="nosuid,nodev" />

    <!-- requires ofl from hxtools to be present -->
    <logout wait="0" hup="no" term="no" kill="no" />

    <!-- We need to over-ride the cifs mount command so that uid and gid are not
         set as they would by default. This would result in a permission
         denied error. -->
    <cifsmount>mount -t cifs //%(SERVER)/%(VOLUME) %(MNTPT) -o "%(OPTIONS)"</cifsmount>

    <!-- pam_mount parameters: Volume-related -->
    <mkmountpoint enable="1" remove="true" />
</pam_mount>
Logged out as root and logged in as 'rowland'.
This led to this in /var/log/auth.log:
Dec 24 10:48:30 deb11 lightdm: pam_unix(lightdm:session): session opened for user rowland(uid=11104) by (uid=0)
Dec 24 10:48:30 deb11 lightdm: (pam_mount.c:568): pam_mount 2.18: entering session stage
Dec 24 10:48:30 deb11 lightdm: (mount.c:776): Could not get realpath of /home/SAMDOM/data: No such file or directory
Dec 24 10:48:30 deb11 lightdm: (mount.c:246): Mount info: globalconf, user=rowland <volume fstype="cifs" server="devstation.samdom.example.com" path="data" mountpoint="/home/SAMDOM/data" cipher="(null)" fskeypath="(null)" fskeycipher="(null)" fskeyhash="(null)" options="user=rowland,domain=samdom,sec=krb5,cruid=11104,multiuser,vers=3.0" /> fstab=0 ssh=0
Dec 24 10:48:30 deb11 lightdm: (mount.c:300): mkmountpoint: checking /home
Dec 24 10:48:30 deb11 lightdm: (mount.c:300): mkmountpoint: checking /home/SAMDOM
Dec 24 10:48:30 deb11 lightdm: (mount.c:300): mkmountpoint: checking /home/SAMDOM/data
Dec 24 10:48:30 deb11 lightdm: (mount.c:340): mkdir[0] /home/SAMDOM/data
Dec 24 10:48:30 deb11 lightdm: (mount.c:346): chown /home/SAMDOM/data -> 11104:10513
Dec 24 10:48:30 deb11 lightdm: (mount.c:655): Password will be sent to helper as-is.
Dec 24 10:48:30 deb11 lightdm: command: 'mount' '-t' 'cifs' '//devstation.samdom.example.com/data' '/home/SAMDOM/data' '-o' 'user=rowland,domain=samdom,sec=krb5,cruid=11104,multiuser,vers=3.0'
..............................................
Dec 24 10:48:31 deb11 lightdm: (mount.c:549): 229 27 0:37 / /home/SAMDOM/data rw,relatime shared:129 - cifs //devstation.samdom.example.com/data rw,vers=3.0,sec=krb5,cruid=11104,cache=strict,multiuser,domain=samdom,uid=0,noforceuid,gid=0,noforcegid,addr=192.168.1.5,file_mode=0755,dir_mode=0755,soft,nounix,serverino,mapposix,noperm,rsize=4194304,wsize=4194304,bsize=1048576,echo_interval=60,actimeo=1,closetimeo=5
Dec 24 10:48:31 deb11 lightdm: command: 'pmvarrun' '-u' 'rowland' '-o' '1'
Dec 24 10:48:31 deb11 lightdm: (pam_mount.c:441): pmvarrun says login count is 1
Dec 24 10:48:31 deb11 lightdm: (pam_mount.c:660): done opening session (ret=0)
Dec 24 10:48:31 deb11 systemd-logind[450]: New session 17 of user rowland.
And this in /var/log/syslog:
Dec 24 10:48:30 deb11 cifs.upcall: key description:
cifs.spnego;0;0;39010000;ver=0x2;host=devstation.samdom.example.com;ip4=192.168.1.5;sec=krb5;uid=0x0;creduid=0x2b60;user=rowland;pid=0x887b2
Dec 24 10:48:30 deb11 cifs.upcall: ver=2
Dec 24 10:48:30 deb11 cifs.upcall: host=devstation.samdom.example.com
Dec 24 10:48:30 deb11 cifs.upcall: ip=192.168.1.5
Dec 24 10:48:30 deb11 cifs.upcall: sec=1
Dec 24 10:48:30 deb11 cifs.upcall: uid=0
Dec 24 10:48:30 deb11 cifs.upcall: creduid=11104
Dec 24 10:48:30 deb11 cifs.upcall: user=rowland
Dec 24 10:48:30 deb11 cifs.upcall: pid=559026
Dec 24 10:48:30 deb11 cifs.upcall: get_cachename_from_process_env: pathname=/proc/559026/environ
Dec 24 10:48:30 deb11 cifs.upcall: get_cachename_from_process_env: cachename = FILE:/tmp/krb5cc_11104
Dec 24 10:48:30 deb11 cifs.upcall: get_existing_cc: default ccache is FILE:/tmp/krb5cc_11104
Dec 24 10:48:30 deb11 cifs.upcall: handle_krb5_mech: getting service ticket for devstation.samdom.example.com
Dec 24 10:48:30 deb11 cifs.upcall: handle_krb5_mech: obtained service ticket
Dec 24 10:48:30 deb11 cifs.upcall: Exit status 0
And when I went to --> Places --> Computer --> File System --> home --> SAMDOM
there was a folder named 'data' which contained files and folders from //devstation/data.
When I looked in /tmp, I found 'krb5cc_11104', and running 'getent passwd rowland' produced this:
rowland:*:11104:10513:Rowland Penny:/home/rowland:/bin/bash
Rowland
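As an added diagnostic, not part of the thread or of pam_mount itself: a small Python check that reads the [libdefaults] section of a krb5.conf, expands the configured ccache template for a uid (accepting both the default_ccache_name spelling and the default_cc_name spelling the original poster reports for Heimdal), and reports whether the exact file exists or only a suffixed one, as in the '/tmp/krb5cc_1001107_dUP4GZ' case above. The krb5.conf texts, the /tmp listings and the FILE:/tmp/krb5cc_%{uid} fallback are constructed assumptions.

```python
import re

# Both spellings seen in the thread: MIT reads default_ccache_name, and the
# original poster reports that Heimdal uses default_cc_name instead.
CCACHE_KEYS = ("default_ccache_name", "default_cc_name")
BUILTIN_DEFAULT = "FILE:/tmp/krb5cc_%{uid}"   # assumed fallback when neither key is set

def libdefaults(krb5_conf: str) -> dict:
    """Return the key/value pairs of the [libdefaults] section of krb5.conf text."""
    section, out = None, {}
    for raw in krb5_conf.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.fullmatch(r"\[(\w+)\]", line)
        if m:
            section = m.group(1)
        elif section == "libdefaults" and "=" in line:
            key, value = (s.strip() for s in line.split("=", 1))
            out[key] = value
    return out

def expected_ccache(krb5_conf: str, uid: int) -> str:
    """Expand the configured ccache template for uid, without the FILE: prefix."""
    conf = libdefaults(krb5_conf)
    template = next((conf[k] for k in CCACHE_KEYS if k in conf), BUILTIN_DEFAULT)
    name = template.replace("%{uid}", str(uid))
    return name.split(":", 1)[1] if name.startswith("FILE:") else name

def diagnose(krb5_conf: str, uid: int, tmp_listing: list) -> dict:
    """Compare the expected cache file with a listing of /tmp (passed in so the
    check runs offline); a suffixed-only hit is the mismatch discussed in the thread."""
    want = expected_ccache(krb5_conf, uid)
    base = want.rsplit("/", 1)[-1]
    suffixed = [e for e in tmp_listing if e.startswith(base + "_")]
    return {"expected": want, "exact_match": base in tmp_listing, "suffixed": suffixed}

# Constructed inputs modelled on the two configurations in the thread.
HEIMDAL_STYLE_CONF = """[libdefaults]
    default_realm = EXAMPLE.NET
    default_cc_name = FILE:/tmp/krb5cc_%{uid}
"""
MIT_STYLE_CONF = """[libdefaults]
    default_realm = SAMDOM.EXAMPLE.COM
    default_ccache_name = FILE:/tmp/krb5cc_%{uid}
"""
if __name__ == "__main__":
    print(diagnose(HEIMDAL_STYLE_CONF, 1001107, ["krb5cc_1001107_dUP4GZ"]))
    print(diagnose(MIT_STYLE_CONF, 11104, ["krb5cc_11104", "krb5cc_11104_abc"]))
```

On a real host, replace the constructed listing with os.listdir("/tmp") and the uid with the value from getent passwd.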