Pluess, Tobias
2024-Feb-07 09:11 UTC
[Samba] Samba, Kerberos, Autofs: Shares get disconnected
Hi Kees,

I do not think the share keeps being mounted while nobody is logged in, as I try to use autofs, which only mounts shares when they are actually accessed.
So the scenario is

a) some user logs into his workstation, a Kerberos ticket is created
b) the user accesses the share, works fine
c) the user does not switch off the PC, e.g. because some programs need to continue running during the weekend
d) when the user returns after more than 10 hours have passed, he is still logged into his workstation, but the ticket has expired and he can no longer access the share, and autofs cannot remount it, as the ticket has expired.

How do I use the machine account for mounting?

On Wed, Feb 7, 2024 at 9:56 AM Kees van Vloten <keesvanvloten at gmail.com> wrote:

> Op 06-02-2024 om 16:02 schreef Pluess, Tobias:
> > Good day Kees,
> >
> > I have no special user to connect the share. Instead, I tried to use the user's own Kerberos ticket, which seems to work fine.
> > I use the options
> >
> > sec=krb5,multiuser,cruid=$USER
> >
> > to mount the share. That seems to accept the user's Kerberos ticket which is created when he logs in.
> >
> > best
> > Tobias
>
> It looks like the share remains mounted while the user logs out, is that correct?
>
> In any case the user's Kerberos ticket is not valid at some point in time (likely after it expires after 10h) and hence the error "required key not available".
>
> When the user is logged in, it will refresh the ticket on time, so this does not (or at least, should not) happen.
>
> Why not unmount the share when the user logs out?
>
> Or if you want it to remain mounted, I would suggest using the machine account to mount it with a multi-user mount. The machine-account ticket gets refreshed by winbind with the option Rowland suggested.
>
> - Kees.
>
> > On Tue, Feb 6, 2024 at 1:37 PM Kees van Vloten via samba <samba at lists.samba.org> wrote:
> >
> > > Op 06-02-2024 om 13:27 schreef Pluess, Tobias via samba:
> > > > Hi,
> > > > I am still trying to figure out the best settings for Samba and Kerberos with autofs.
> > > > My setup so far works well: users can log in on their computers using AD credentials, and they can access network shares with AD credentials as well. This works perfectly.
> > > > Also I notice that some Kerberos ticket is created upon user login, which allows the users to access a Samba share without entering the password, which is very convenient.
> > > > For this to work, I had to create the SPNs in AD. However, that worked. So currently, it all works quite conveniently.
> > > > Further, I have configured autofs to automatically mount for each user the network shares they need.
> > > > For this, I used the "multiuser" and "sec=krb5" options. This also works as I expected. However, I notice the following problem.
> > > >
> > > > Assume I log in on my workstation and I have a Samba share automounted (via autofs) under /storage/work. Just after logging in to my workstation, I can easily access the share without troubles. However, when I leave my workstation running during the night and return the next morning, I notice that /storage/work has been disconnected, even if I had some program running there that accesses these data. Furthermore, autofs can no longer automatically reconnect the network share; it claims "required key not available". The only way to reconnect the share seems to be
> > > >
> > > > a) stop autofs
> > > > b) kdestroy
> > > > c) kinit, and enter the password
> > > > d) restart autofs
> > > >
> > > > then the share works again as normal.
> > > > I wonder, is this behaviour intentional or is this a bug or just misconfiguration? I thought as long as I stay logged in on my workstation, the Kerberos ticket does not expire. However, according to the above error message from autofs this seems not to be the case. Can I somehow fix this?
> > > > It happens often that I leave my computer running over night, with some program left open to access some network shares. Previously I did that with a credentials file, but I still dislike this concept and would favour autofs + Kerberos if possible.
> > > >
> > > > Thanks
> > > > best
> > > > Tobias
> > >
> > > A ticket expires after 10 hours (this is the default setting); I guess you need to do something to refresh it. Are you using the user's ticket to mount the share or do you have a special user that performs a multi-user mount?
> > >
> > > - Kees.
> > >
> > > --
> > > To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Kees van Vloten
2024-Feb-07 09:34 UTC
[Samba] Samba, Kerberos, Autofs: Shares get disconnected
Op 07-02-2024 om 10:11 schreef Pluess, Tobias:
> Hi Kees,
>
> I do not think the share keeps being mounted while nobody is logged in, as I try to use autofs, which only mounts shares when they are actually accessed.
> So the scenario is
>
> a) some user logs into his workstation, a Kerberos ticket is created
> b) the user accesses the share, works fine
> c) the user does not switch off the PC, e.g. because some programs need to continue running during the weekend
> d) when the user returns after more than 10 hours have passed, he is still logged into his workstation, but the ticket has expired and he can no longer access the share, and autofs cannot remount it, as the ticket has expired.
>
> How do I use the machine account for mounting?

For me there are 2 questions here:

1. Why does the user ticket expire while he is logged in?
2. How to mount the share with the machine account?

ad. 1. I had a similar issue in 03-2022, read the details and solution here: https://lists.samba.org/archive/samba/2022-March/239876.html

ad. 2. @Rowland, do you have the details at hand for this? I will look into it when unix-extensions for smb3.11 are implemented. The idea is to use the machine account's user and ticket, then the ticket is managed by winbind.

- Kees.

> On Wed, Feb 7, 2024 at 9:56 AM Kees van Vloten <keesvanvloten at gmail.com> wrote:
>
> > Op 06-02-2024 om 16:02 schreef Pluess, Tobias:
> > > Good day Kees,
> > >
> > > I have no special user to connect the share. Instead, I tried to use the user's own Kerberos ticket, which seems to work fine.
> > > I use the options
> > >
> > > sec=krb5,multiuser,cruid=$USER
> > >
> > > to mount the share. That seems to accept the user's Kerberos ticket which is created when he logs in.
> > >
> > > best
> > > Tobias
> >
> > It looks like the share remains mounted while the user logs out, is that correct?
> >
> > In any case the user's Kerberos ticket is not valid at some point in time (likely after it expires after 10h) and hence the error "required key not available".
> >
> > When the user is logged in, it will refresh the ticket on time, so this does not (or at least, should not) happen.
> >
> > Why not unmount the share when the user logs out?
> >
> > Or if you want it to remain mounted, I would suggest using the machine account to mount it with a multi-user mount. The machine-account ticket gets refreshed by winbind with the option Rowland suggested.
> >
> > - Kees.
> >
> > > On Tue, Feb 6, 2024 at 1:37 PM Kees van Vloten via samba <samba at lists.samba.org> wrote:
> > >
> > > > Op 06-02-2024 om 13:27 schreef Pluess, Tobias via samba:
> > > > > Hi,
> > > > > I am still trying to figure out the best settings for Samba and Kerberos with autofs.
> > > > > My setup so far works well: users can log in on their computers using AD credentials, and they can access network shares with AD credentials as well. This works perfectly.
> > > > > Also I notice that some Kerberos ticket is created upon user login, which allows the users to access a Samba share without entering the password, which is very convenient.
> > > > > For this to work, I had to create the SPNs in AD. However, that worked. So currently, it all works quite conveniently.
> > > > > Further, I have configured autofs to automatically mount for each user the network shares they need.
> > > > > For this, I used the "multiuser" and "sec=krb5" options. This also works as I expected. However, I notice the following problem.
> > > > >
> > > > > Assume I log in on my workstation and I have a Samba share automounted (via autofs) under /storage/work. Just after logging in to my workstation, I can easily access the share without troubles. However, when I leave my workstation running during the night and return the next morning, I notice that /storage/work has been disconnected, even if I had some program running there that accesses these data. Furthermore, autofs can no longer automatically reconnect the network share; it claims "required key not available". The only way to reconnect the share seems to be
> > > > >
> > > > > a) stop autofs
> > > > > b) kdestroy
> > > > > c) kinit, and enter the password
> > > > > d) restart autofs
> > > > >
> > > > > then the share works again as normal.
> > > > > I wonder, is this behaviour intentional or is this a bug or just misconfiguration? I thought as long as I stay logged in on my workstation, the Kerberos ticket does not expire. However, according to the above error message from autofs this seems not to be the case. Can I somehow fix this?
> > > > > It happens often that I leave my computer running over night, with some program left open to access some network shares. Previously I did that with a credentials file, but I still dislike this concept and would favour autofs + Kerberos if possible.
> > > > >
> > > > > Thanks
> > > > > best
> > > > > Tobias
> > > >
> > > > A ticket expires after 10 hours (this is the default setting); I guess you need to do something to refresh it. Are you using the user's ticket to mount the share or do you have a special user that performs a multi-user mount?
> > > >
> > > > - Kees.
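An added example, not code from anyone in this thread: it parses MIT `klist` output and tells whether the TGT behind a `sec=krb5` cifs mount is still fine, close enough to the 10 h expiry that `kinit -R` should renew it while renewal is still possible, or already expired, which is the state in which only the kdestroy/kinit steps described above help. The sample output, principals, cache path and the one-hour warning threshold are constructed assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample of MIT klist output (not from the thread): TGT plus the cifs service ticket, default 10h lifetime.
SAMPLE_KLIST = """\
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: tobias@EXAMPLE.COM

Valid starting       Expires              Service principal
02/06/2024 08:00:00  02/06/2024 18:00:00  krbtgt/EXAMPLE.COM@EXAMPLE.COM
\trenew until 02/13/2024 08:00:00
02/06/2024 08:00:05  02/06/2024 18:00:00  cifs/fileserver.example.com@EXAMPLE.COM
\trenew until 02/13/2024 08:00:00
"""
# klist prints local time as %m/%d/%Y %H:%M:%S; older builds use a two-digit year.
TIME_FORMATS = ("%m/%d/%Y %H:%M:%S", "%m/%d/%y %H:%M:%S")
STAMP = r"\d{2}/\d{2}/\d{2,4} \d{2}:\d{2}:\d{2}"
TICKET_RE = re.compile(rf"^({STAMP})\s+({STAMP})\s+(\S+)$")
RENEW_RE = re.compile(rf"^\s+renew until ({STAMP})$")

def parse_time(text):
    for fmt in TIME_FORMATS:
        try:
            return datetime.strptime(text, fmt)
        except ValueError:
            pass
    raise ValueError(f"unrecognised klist timestamp: {text!r}")

def parse_klist(output):
    """One dict per ticket: principal, expires, renew_until (None when not renewable)."""
    tickets = []
    for line in output.splitlines():
        tm, rm = TICKET_RE.match(line), RENEW_RE.match(line)
        if tm:
            tickets.append({"principal": tm.group(3), "expires": parse_time(tm.group(2)), "renew_until": None})
        elif rm and tickets:  # the "renew until" line belongs to the preceding ticket
            tickets[-1]["renew_until"] = parse_time(rm.group(1))
    return tickets

def tgt_action(output, now, warn_before=timedelta(hours=1)):
    """'ok', 'renew' (run kinit -R while renewal is still possible) or 'reauth' (fresh kinit needed)."""
    tgts = [t for t in parse_klist(output) if t["principal"].startswith("krbtgt/")]
    if not tgts or now >= tgts[0]["expires"]:
        return "reauth"  # an expired TGT cannot be renewed; this is the state behind "required key not available"
    tgt = tgts[0]
    if tgt["expires"] - now > warn_before:
        return "ok"
    if tgt["renew_until"] and tgt["renew_until"] > now:
        return "renew"
    return "reauth"  # about to expire and not renewable: re-authenticate before it lapses
```

On a real workstation feed it live output, e.g. `tgt_action(subprocess.check_output(["klist"], text=True), datetime.now())`, from a user timer that runs well inside the ticket lifetime so that `kinit -R` still has something valid to renew.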