Pluess, Tobias
2024-Feb-06 15:02 UTC
[Samba] Samba, Kerberos, Autofs: Shares get disconnected
Good day Kees,

I have no special user to connect the share. Instead, I tried to use the user's own Kerberos ticket, which seems to work fine. I use the options

sec=krb5,multiuser,cruid=$USER

to mount the share. That seems to accept the user's Kerberos ticket which is created when he logs in.

best
Tobias

On Tue, Feb 6, 2024 at 1:37 PM Kees van Vloten via samba <samba at lists.samba.org> wrote:
>
> On 06-02-2024 at 13:27, Pluess, Tobias via samba wrote:
> > Hi,
> > I am still trying to figure out the best settings for Samba and Kerberos with autofs.
> > My setup so far works well: users can log in on their computers using AD credentials, and they can access network shares with AD credentials as well. This works perfectly.
> > Also I notice that some Kerberos ticket is created upon user login, which allows the users to access a Samba share without entering the password, which is very convenient.
> > For this to work, I had to create the SPNs in AD. However, that worked. So currently, it all works quite conveniently.
> > Further, I have configured autofs to automatically mount for each user the network shares they need.
> > For this, I used the "multiuser" and "sec=krb5" options. This also works as I expected. However, I notice the following problem.
> >
> > Assume I log in on my workstation and I have a Samba share automounted (via autofs) under /storage/work. Just after logging in to my workstation, I can easily access the share without trouble. However, when I leave my workstation running during the night and return the next morning, I notice that /storage/work has been disconnected, even if I had some program running there that accesses these data. Furthermore, autofs can no longer automatically reconnect the network share; it claims "required key not available". The only way to reconnect the share seems to be
> >
> > a) stop autofs
> > b) kdestroy
> > c) kinit, and enter the password
> > d) restart autofs
> >
> > then the share works again as normal.
> > I wonder, is this behaviour intentional, or is this a bug or just misconfiguration? I thought as long as I stay logged in on my workstation, the Kerberos ticket does not expire. However, according to the above error message from autofs this seems not to be the case. Can I somehow fix this?
> > It happens often that I leave my computer running overnight, with some program left open to access some network shares. Previously I did that with a credentials file, but I still dislike this concept and would favour autofs + Kerberos if possible.
> >
> > Thanks
> > best
> > Tobias
>
> A ticket expires after 10 hours (this is the default setting), I guess you need to do something to refresh it. Are you using the user's ticket to mount the share or do you have a special user that performs a multi-user mount?
>
> - Kees.
>
> --
> To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Kees van Vloten
2024-Feb-07 08:56 UTC
[Samba] Samba, Kerberos, Autofs: Shares get disconnected
On 06-02-2024 at 16:02, Pluess, Tobias wrote:
> Good day Kees,
>
> I have no special user to connect the share. Instead, I tried to use the user's own Kerberos ticket, which seems to work fine.
> I use the options
>
> sec=krb5,multiuser,cruid=$USER
>
> to mount the share. That seems to accept the user's Kerberos ticket which is created when he logs in.
>
> best
> Tobias

It looks like the share remains mounted while the user logs out, is that correct?

In any case the user's Kerberos ticket is not valid at some point in time (likely after it expires after 10h) and hence the error "required key not available". When the user is logged in, it will refresh the ticket on time, so this does not (or at least, should not) happen.

Why not unmount the share when the user logs out? Or if you want it to remain mounted, I would suggest to use the machine account to mount it with a multi-user mount. The machine-account ticket gets refreshed by winbind with the option Rowland suggested.

- Kees.
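The failure mode in this thread is a timing one: the cifs session behind a sec=krb5,multiuser,cruid=$USER mount is authenticated from the user's own credential cache, so once that TGT expires (10h by default) the kernel's krb5 upcall has nothing to present and the mount fails with "required key not available". The part that bites overnight is that MIT krb5 will not renew a ticket that has already expired, even if it is still inside its renewable life, so any automated refresh has to run while the ticket is still valid. The script below is an added example written for this post, not code from the list or from Samba; it classifies the TGT from klist output and runs kinit -R only in the window where that can still succeed. It assumes MIT krb5's klist with its default "MM/DD/YYYY HH:MM:SS" timestamps (Heimdal prints dates differently), a POSIX shell with awk, and the sample klist output embedded below is constructed for the example.

```shell
#!/bin/sh
# Added example, not from the thread. Keep the Kerberos TGT behind a
# "sec=krb5,multiuser,cruid=$USER" cifs mount alive by renewing it while
# renewal is still possible. Assumptions (mine): MIT krb5 klist output with
# "MM/DD/YYYY HH:MM:SS" timestamps, POSIX sh, awk.

# classify_tgt NOW   (NOW as "MM/DD/YYYY HH:MM:SS"; klist output on stdin)
# Prints exactly one word:
#   none          no krbtgt/ entry in the cache at all
#   expired       Expires <= NOW: kinit -R will fail, a fresh kinit is needed
#   renewable     still valid and "renew until" lies beyond Expires: kinit -R
#   nonrenewable  still valid, but nothing automated can extend it
# Timestamps are turned into sortable YYYYMMDDHHMMSS strings so no date
# library is needed and the comparison is plain string ordering.
classify_tgt() {
    awk -v now_raw="$1" '
        function canon(d, t,   a) {     # "MM/DD/YYYY","HH:MM:SS" -> "YYYYMMDDHHMMSS"
            split(d, a, "/"); gsub(":", "", t); return a[3] a[1] a[2] t
        }
        BEGIN { split(now_raw, n, " "); now = canon(n[1], n[2]) }
        seen && /renew until/ { renew = canon($3, $4); exit }   # line after the TGT
        seen { exit }                                           # next ticket: no renew-until
        /krbtgt\// { expires = canon($3, $4); seen = 1 }        # the TGT line itself
        END {
            if (!seen)                print "none"
            else if (now >= expires)  print "expired"
            else if (renew > expires) print "renewable"
            else                      print "nonrenewable"
        }
    '
}

# Run this from a per-user cron job or systemd user timer more often than the
# ticket lifetime (hourly against the 10h default). Renewal only pushes
# "Expires" forward up to "renew until"; once that is reached, or once the
# ticket has expired, only a fresh kinit (password or keytab) will do.
renew_if_possible() {
    state=$(klist 2>/dev/null | classify_tgt "$(date '+%m/%d/%Y %H:%M:%S')")
    case "$state" in
        renewable)    kinit -R && printf 'TGT renewed\n' ;;
        nonrenewable) printf 'TGT valid but not renewable; it will die at Expires\n' >&2 ;;
        expired|none) printf 'no usable TGT: krb5 cifs sessions will fail with "required key not available"\n' >&2
                      return 1 ;;
    esac
}

# Constructed sample klist output (not real tickets): a 10h TGT issued at
# 08:02 with a 7-day renewable life. Real klist indents "renew until" with a
# tab; leading whitespace does not matter to the awk field split.
SAMPLE_KLIST='Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: tobias@EXAMPLE.COM

Valid starting       Expires              Service principal
02/06/2024 08:02:11  02/06/2024 18:02:11  krbtgt/EXAMPLE.COM@EXAMPLE.COM
    renew until 02/13/2024 08:02:11
02/06/2024 08:02:30  02/06/2024 18:02:11  cifs/fileserver.example.com@EXAMPLE.COM'

# Same cache, but the TGT was issued without a renewable life.
SAMPLE_NONRENEWABLE='Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: tobias@EXAMPLE.COM

Valid starting       Expires              Service principal
02/06/2024 08:02:11  02/06/2024 18:02:11  krbtgt/EXAMPLE.COM@EXAMPLE.COM
02/06/2024 08:02:30  02/06/2024 18:02:11  cifs/fileserver.example.com@EXAMPLE.COM'

# Demonstration against the constructed sample; "--run" uses the real cache.
case "${1:-}" in
    --run) renew_if_possible ;;
    *)     printf 'mid-afternoon: %s\n' "$(printf '%s\n' "$SAMPLE_KLIST" | classify_tgt '02/06/2024 15:02:00')"
           printf 'next morning:  %s\n' "$(printf '%s\n' "$SAMPLE_KLIST" | classify_tgt '02/07/2024 08:30:00')" ;;
esac
```

Against the sample, the afternoon check reports renewable and the next-morning check reports expired, which is exactly the overnight situation from the first mail: by the time the user is back, kinit -R is no longer an option and only kdestroy plus a fresh kinit (or, as Kees suggests, a machine-account multiuser mount whose ticket winbind keeps refreshed) brings /storage/work back.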