Kees van Vloten
2024-Feb-06 12:36 UTC
[Samba] Samba, Kerberos, Autofs: Shares get disconnected
On 06-02-2024 at 13:27, Pluess, Tobias via samba wrote:
> Hi,
> I am still trying to figure out the best settings for Samba and Kerberos
> with autofs.
> My setup so far works well, users can log in on their computers using AD
> credentials, and they can access network shares with AD credentials as
> well. This works perfectly.
> Also I notice that some Kerberos ticket is created upon user login, which
> allows the users to access a Samba share without entering the password,
> which is very convenient.
> For this to work, I had to create the SPNs in AD. However, that worked. So
> currently, it all works quite conveniently.
> Further, I have configured autofs to automatically mount for each user the
> network shares they need.
> For this, I used the "multiuser" and "sec=krb5" options. This also works as
> I expected. However, I notice the following problem.
>
> Assume I log in on my workstation and I have a Samba share automounted (via
> autofs) under /storage/work. Just after logging in to my workstation, I
> can easily access the share without troubles. However, when I leave my
> workstation running during the night and return the next morning, I notice
> that /storage/work has been disconnected, even if I had some program running
> there that accesses these data. Furthermore, autofs can no longer
> automatically reconnect the network share, it claims "required key not
> available". The only way to reconnect the share seems to be
>
> a) stop autofs
> b) kdestroy
> c) kinit, and enter the password
> d) restart autofs
>
> then the share works again as normal.
> I wonder, is this behaviour intentional or is this a bug or just
> misconfiguration? I thought as long as I stay logged in on my workstation,
> the Kerberos ticket does not expire. However according to the above error
> message from autofs this seems not to be the case. Can I somehow fix this?
> It happens often that I leave my computer running overnight, with some
> program left open to access some network shares. Previously I did that with
> a credentials file, but I still dislike this concept and would favour
> autofs + Kerberos if possible.
>
> Thanks
> best
> Tobias

A ticket expires after 10 hours (this is the default setting), I guess you need to do something to refresh it.

Are you using the user's ticket to mount the share or do you have a special user that performs a multi-user mount?

- Kees.
Pluess, Tobias
2024-Feb-06 15:02 UTC
[Samba] Samba, Kerberos, Autofs: Shares get disconnected
Good day Kees,

I have no special user to connect the share. Instead, I tried to use the user's own Kerberos ticket, which seems to work fine.
I use the options sec=krb5,multiuser,cruid=$USER to mount the share. That seems to accept the user's Kerberos ticket which is created when he logs in.

best
Tobias

On Tue, Feb 6, 2024 at 1:37 PM Kees van Vloten via samba <samba at lists.samba.org> wrote:
>
> On 06-02-2024 at 13:27, Pluess, Tobias via samba wrote:
> > Hi,
> > I am still trying to figure out the best settings for Samba and Kerberos
> > with autofs.
> > My setup so far works well, users can log in on their computers using AD
> > credentials, and they can access network shares with AD credentials as
> > well. This works perfectly.
> > Also I notice that some Kerberos ticket is created upon user login, which
> > allows the users to access a Samba share without entering the password,
> > which is very convenient.
> > For this to work, I had to create the SPNs in AD. However, that worked. So
> > currently, it all works quite conveniently.
> > Further, I have configured autofs to automatically mount for each user the
> > network shares they need.
> > For this, I used the "multiuser" and "sec=krb5" options. This also works as
> > I expected. However, I notice the following problem.
> >
> > Assume I log in on my workstation and I have a Samba share automounted (via
> > autofs) under /storage/work. Just after logging in to my workstation, I
> > can easily access the share without troubles. However, when I leave my
> > workstation running during the night and return the next morning, I notice
> > that /storage/work has been disconnected, even if I had some program running
> > there that accesses these data. Furthermore, autofs can no longer
> > automatically reconnect the network share, it claims "required key not
> > available". The only way to reconnect the share seems to be
> >
> > a) stop autofs
> > b) kdestroy
> > c) kinit, and enter the password
> > d) restart autofs
> >
> > then the share works again as normal.
> > I wonder, is this behaviour intentional or is this a bug or just
> > misconfiguration? I thought as long as I stay logged in on my workstation,
> > the Kerberos ticket does not expire. However according to the above error
> > message from autofs this seems not to be the case. Can I somehow fix this?
> > It happens often that I leave my computer running overnight, with some
> > program left open to access some network shares. Previously I did that with
> > a credentials file, but I still dislike this concept and would favour
> > autofs + Kerberos if possible.
> >
> > Thanks
> > best
> > Tobias
>
> A ticket expires after 10 hours (this is the default setting), I guess
> you need to do something to refresh it. Are you using the user's ticket
> to mount the share or do you have a special user that performs a
> multi-user mount?
>
> - Kees.
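
The ticket lifetime discussed in this thread, as an added example that is not part of either message: a Python check that reads `klist` output and reports whether the cache is fine, can still be renewed with `kinit -R`, or needs a fresh `kinit`. The sample `klist` text, its MM/DD/YYYY date format, the one-hour margin and the function names are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample of MIT klist output (MM/DD/YYYY dates assumed); not from the thread.
SAMPLE_KLIST = """\
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: user@EXAMPLE.COM

Valid starting       Expires              Service principal
02/06/2024 08:00:00  02/06/2024 18:00:00  krbtgt/EXAMPLE.COM@EXAMPLE.COM
\trenew until 02/13/2024 08:00:00
02/06/2024 08:05:00  02/06/2024 18:00:00  cifs/fs.example.com@EXAMPLE.COM
\trenew until 02/13/2024 08:00:00
"""

FMT = "%m/%d/%Y %H:%M:%S"
STAMP = r"\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}"
TICKET = re.compile(rf"^({STAMP})\s+({STAMP})\s+(\S+)\s*$")
RENEW = re.compile(rf"^\s+renew until ({STAMP})")


def parse_tgt(klist_text):
    """Return (expires, renew_until) for the krbtgt entry; renew_until may be None."""
    expires = renew_until = None
    in_tgt = False
    for line in klist_text.splitlines():
        m = TICKET.match(line)
        if m:
            in_tgt = m.group(3).startswith("krbtgt/")
            if in_tgt:
                expires = datetime.strptime(m.group(2), FMT)
            continue
        m = RENEW.match(line)
        if m and in_tgt:
            renew_until = datetime.strptime(m.group(1), FMT)
    return expires, renew_until


def next_action(klist_text, now, margin=timedelta(hours=1)):
    """Decide what keeps the cache usable: nothing, `kinit -R`, or a fresh `kinit`."""
    expires, renew_until = parse_tgt(klist_text)
    if expires is None or now >= expires:
        return "kinit"      # no TGT, or already expired: renewal is no longer possible
    if expires - now > margin:
        return "ok"         # plenty of lifetime left
    if renew_until and renew_until > expires:
        return "kinit -R"   # still valid and renewable: renew without a password
    return "kinit"          # about to expire and not renewable
```

A ticket can only be renewed while it is still valid, so a check like this has to run before the expiry time, not the next morning.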