Rowland Penny
2024-Feb-12 09:19 UTC
[Samba] Samba, Kerberos, Autofs: Shares get disconnected
On Mon, 12 Feb 2024 09:38:01 +0100 "Pluess, Tobias via samba" <samba at lists.samba.org> wrote:

> Good day
>
> please excuse my delayed response.
> Thanks for the hint with the machine account. I will try this.
> I realised I can also manually refresh Kerberos tickets.
>
> I have the following:
>
> $ klist
> Valid starting       Expires              Service principal
> 02/12/2024 08:39:44  02/12/2024 18:39:44  krbtgt/CAMPUS
>         renew until 02/13/2024 08:39:40
>
> so this ticket is valid until 12. February 18:39. Fine.

Not really, my tickets have a renewal time of one week i.e.

klist -c /tmp/krb5cc_11104
Ticket cache: FILE:/tmp/krb5cc_11104
Default principal: rowland@SAMDOM.EXAMPLE.COM

Valid starting     Expires            Service principal
12/02/24 07:56:02  12/02/24 17:56:02  krbtgt/SAMDOM.EXAMPLE.COM@SAMDOM.EXAMPLE.COM
        renew until 19/02/24 07:56:02

> And I can refresh it using kinit -R. This also works.

You shouldn't have to manually refresh the ticket, winbind can do it for you.

> However, there is the line "renew until". I read that this means this very
> ticket can only be refreshed until 13. February 8:39. After that date, it is
> no longer possible to refresh this ticket. So I am still wondering how it
> could be possible to have a mountpoint that uses Kerberos and stays connected
> for longer than a couple days, without disconnecting and reconnecting again?
> Is that even possible?

I think we need to see your /etc/krb5.conf and the output of 'testparm -s'

> Will try now the machine account as well, hopefully with better results.

The machine ticket can mount a share, but you will also need 'multiuser' and your users will also require a valid ticket.

> Concerning the questions for autofs:
> This is a service that automatically mounts any file systems as soon as they
> are accessed. I didn't want to put my network shares into the fstab, as this
> may cause trouble when the network is not reachable for some reason. With
> autofs, the shares are mounted as soon as they are accessed, and unmounted if
> no process is accessing them anymore.

Surely the network not being reachable is also a problem for autofs and what if the connection goes idle (for whatever reason), does autofs drop the connection?

Rowland
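The disagreement above is about what "renew until" actually buys: kinit -R (or winbind's refresh) can extend a ticket only while the ticket is still unexpired and only up to the renewable-until time, after which a fresh initial authentication (a new kinit from a password or keytab) is the only way to get a valid ticket again. The following is an added example, not code from the thread or from Samba or MIT Kerberos: a small parser for klist output that reads the "Valid starting / Expires / renew until" fields and reports whether a TGT can be kept alive until a given deadline by renewal alone. The two sample outputs are constructed to mirror the US (MM/DD/YYYY) and UK (DD/MM/YY) layouts quoted in the messages above; klist does not say which layout it used, so the caller has to supply the strptime format, which is itself a caveat worth knowing when scripting against klist.

```python
"""Parse MIT `klist` output and decide whether a Kerberos TGT can be kept
alive until a deadline by renewal (kinit -R) or needs a fresh kinit.
Added example; the sample outputs below are constructed, not real caches."""
import math
import re
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional

# Constructed sample in the US date layout (as in the first quoted klist).
SAMPLE_US = """Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: tobias@CAMPUS

Valid starting       Expires              Service principal
02/12/2024 08:39:44  02/12/2024 18:39:44  krbtgt/CAMPUS@CAMPUS
        renew until 02/13/2024 08:39:40
"""

# Constructed sample in the UK date layout (as in the second quoted klist).
SAMPLE_UK = """Ticket cache: FILE:/tmp/krb5cc_11104
Default principal: rowland@SAMDOM.EXAMPLE.COM

Valid starting     Expires            Service principal
12/02/24 07:56:02  12/02/24 17:56:02  krbtgt/SAMDOM.EXAMPLE.COM@SAMDOM.EXAMPLE.COM
        renew until 19/02/24 07:56:02
"""

_DT = r"\d{2}/\d{2}/\d{2,4} \d{2}:\d{2}:\d{2}"
TICKET_RE = re.compile(rf"^({_DT})\s+({_DT})\s+(\S+)\s*$")
RENEW_RE = re.compile(rf"^\s*renew until ({_DT})")
PRINCIPAL_RE = re.compile(r"^Default principal:\s+(\S+)")


@dataclass
class Ticket:
    principal: str
    service: str
    valid_from: datetime
    expires: datetime
    renew_until: Optional[datetime]  # None when the ticket is not renewable


def parse_klist(text: str, date_fmt: str) -> List[Ticket]:
    """Parse klist output; date_fmt is the strptime layout klist used
    ("%m/%d/%Y %H:%M:%S" or "%d/%m/%y %H:%M:%S" for the samples above)."""
    principal = "?"
    tickets: List[Ticket] = []
    for line in text.splitlines():
        m = PRINCIPAL_RE.match(line)
        if m:
            principal = m.group(1)
            continue
        m = TICKET_RE.match(line)
        if m:
            tickets.append(Ticket(principal, m.group(3),
                                  datetime.strptime(m.group(1), date_fmt),
                                  datetime.strptime(m.group(2), date_fmt),
                                  None))
            continue
        m = RENEW_RE.match(line)
        if m and tickets:  # "renew until" belongs to the preceding ticket
            tickets[-1].renew_until = datetime.strptime(m.group(1), date_fmt)
    return tickets


def tgt(tickets: List[Ticket]) -> Optional[Ticket]:
    """Return the ticket-granting ticket, if any (service krbtgt/REALM)."""
    return next((t for t in tickets if t.service.startswith("krbtgt/")), None)


def keepalive_plan(t: Ticket, now: datetime, needed_until: datetime) -> str:
    """"ok": the current ticket already outlives the deadline.
    "renew": the deadline lies inside the renewable window, so kinit -R
             (run before each expiry) is enough.
    "reauth": renewal cannot reach the deadline, or the ticket has already
             expired (an expired ticket cannot be renewed even before
             renew_until); a fresh kinit from a password or keytab is needed."""
    if now >= t.expires:
        return "reauth"
    if needed_until <= t.expires:
        return "ok"
    if t.renew_until is not None and needed_until <= t.renew_until:
        return "renew"
    return "reauth"


def renewals_required(t: Ticket, needed_until: datetime) -> int:
    """Minimum number of renewals (each granting the original lifetime again)
    needed to reach needed_until; 0 if the current ticket already covers it."""
    if needed_until <= t.expires:
        return 0
    lifetime = t.expires - t.valid_from
    return math.ceil((needed_until - t.expires) / lifetime)


if __name__ == "__main__":
    for sample, fmt in ((SAMPLE_US, "%m/%d/%Y %H:%M:%S"), (SAMPLE_UK, "%d/%m/%y %H:%M:%S")):
        t = tgt(parse_klist(sample, fmt))
        now = t.valid_from
        for deadline in (datetime(2024, 2, 12, 17, 0), datetime(2024, 2, 18), datetime(2024, 3, 12)):
            print(t.principal, deadline, keepalive_plan(t, now, deadline), renewals_required(t, deadline))
```

Running it shows the point of the thread directly: with the 10-hour/24-hour ticket only two renewals reach the next morning and nothing reaches a month out, and even a one-week renewable ticket ends up as "reauth" for a month-long job, so something holding a key (a keytab-based login or winbind's refresh) must re-authenticate on the user's behalf.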
Pluess, Tobias
2024-Feb-12 12:12 UTC
[Samba] Samba, Kerberos, Autofs: Shares get disconnected
Dear Rowland

of course, if the network is unreachable, this is also a problem for autofs. However, when a CIFS share is in the fstab and the network is unreachable, you cannot boot, as it waits forever to mount all your fstab entries, whereas with autofs, you can still boot, as there is nothing really mounted yet.

I show you below my configurations of the server and client machines.

On the server:

# testparm -s
Load smb config files from /etc/samba/smb.conf
Loaded services file OK.
Weak crypto is allowed by GnuTLS (e.g. NTLM as a compatibility fallback)
Server role: ROLE_DOMAIN_MEMBER

# Global parameters
[global]
	deadtime = 15
	disable spoolss = Yes
	load printers = No
	log file = /var/log/samba/log.%I
	logging = file
	max log size = 1000
	max xmit = 65535
	netbios name = TANK
	panic action = /usr/share/samba/panic-action %d
	printcap name = /dev/null
	realm = <redacted>
	security = ADS
	template homedir = /home/%U
	template shell = /bin/bash
	winbind refresh tickets = Yes
	winbind use default domain = Yes
	workgroup = CAMPUS
	fruit:delete_empty_adfiles = yes
	fruit:wipe_intentionally_left_blank_rfork = yes
	fruit:zero_file_id = yes
	fruit:posix_rename = yes
	fruit:veto_appledouble = no
	fruit:model = MacSamba
	fruit:metadata = stream
	shadow:delimiter = -20
	shadow:snapprefix = ^zfs-auto-snap_\(frequent\)\{0,1\}\(hourly\)\{0,1\}\(daily\)\{0,1\}\(monthly\)\{0,1\}
	shadow:sort = desc
	shadow:format = -%Y-%m-%d-%H%M
	shadow:snapdir = .zfs/snapshot
	idmap config campus : unix_primary_group = yes
	idmap config campus : range = 500-9999999
	idmap config campus : schema_mode = rfc2307
	idmap config campus : backend = ad
	idmap config * : range = 10000000-20000000
	idmap config * : backend = tdb
	delete veto files = Yes
	include = /etc/samba/shares.conf
	printing = bsd
	valid users = @IAP_MW
	veto files = /Thumbs.db/._*/.DS_Store/.Trash-*/.~lock*/
	vfs objects = fruit acl_xattr shadow_copy2

[work]
	comment = IAP MW Work folder
	path = /storage/work
	read only = No

and on the server, the krb5.conf:

# cat /etc/krb5.conf
[libdefaults]
	default_realm = <redacted>
	kdc_timesync = 1
	ccache_type = 4
	forwardable = true
	proxiable = true
	fcc-mit-ticketflags = true

[realms]
	<redacted> = {
		kdc = <redacted>
		admin_server = <redacted>
	}

and on one client machine, i.e. workstation:

# testparm -s
Load smb config files from /etc/samba/smb.conf
Loaded services file OK.
Weak crypto is allowed by GnuTLS (e.g. NTLM as a compatibility fallback)
Server role: ROLE_DOMAIN_MEMBER

# Global parameters
[global]
	log file = /var/log/samba/log.%I
	logging = file
	max log size = 1000
	netbios name = TEST
	panic action = /usr/share/samba/panic-action %d
	realm = <redacted>
	security = ADS
	template homedir = /home/%U
	template shell = /bin/bash
	winbind refresh tickets = Yes
	winbind use default domain = Yes
	workgroup = <redacted>
	idmap config campus : unix_primary_group = yes
	idmap config campus : range = 500-9999999
	idmap config campus : schema_mode = rfc2307
	idmap config campus : backend = ad
	idmap config * : range = 10000000-20000000
	idmap config * : backend = tdb

# cat /etc/krb5.conf
[libdefaults]
	default_realm = <redacted>
	kdc_timesync = 1
	ccache_type = 4
	forwardable = true
	proxiable = true
	fcc-mit-ticketflags = true

[realms]
	<redacted> = {
		kdc = <redacted>
		admin_server = <redacted>
	}

Kerberos seems to work, as I can successfully kinit, klist and kdestroy as well as kinit -R.

Thanks, best
Tobias

On Mon, Feb 12, 2024 at 10:20 AM Rowland Penny via samba <samba at lists.samba.org> wrote:

> On Mon, 12 Feb 2024 09:38:01 +0100
> "Pluess, Tobias via samba" <samba at lists.samba.org> wrote:
>
> > Good day
> >
> > please excuse my delayed response.
> > Thanks for the hint with the machine account. I will try this.
> > I realised I can also manually refresh Kerberos tickets.
> >
> > I have the following:
> >
> > $ klist
> > Valid starting       Expires              Service principal
> > 02/12/2024 08:39:44  02/12/2024 18:39:44  krbtgt/CAMPUS
> >         renew until 02/13/2024 08:39:40
> >
> > so this ticket is valid until 12. February 18:39. Fine.
>
> Not really, my tickets have a renewal time of one week i.e.
>
> klist -c /tmp/krb5cc_11104
> Ticket cache: FILE:/tmp/krb5cc_11104
> Default principal: rowland@SAMDOM.EXAMPLE.COM
>
> Valid starting     Expires            Service principal
> 12/02/24 07:56:02  12/02/24 17:56:02  krbtgt/SAMDOM.EXAMPLE.COM@SAMDOM.EXAMPLE.COM
>         renew until 19/02/24 07:56:02
>
> > And I can refresh it using kinit -R. This also works.
>
> You shouldn't have to manually refresh the ticket, winbind can do it
> for you.
>
> > However, there is the line "renew until". I read that this means this
> > very ticket can only be refreshed until 13. February 8:39. After that
> > date, it is no longer possible to refresh this ticket. So I am still
> > wondering how it could be possible to have a mountpoint that uses
> > Kerberos and stays connected for longer than a couple days, without
> > disconnecting and reconnecting again? Is that even possible?
>
> I think we need to see your /etc/krb5.conf and the output of 'testparm -s'
>
> > Will try now the machine account as well, hopefully with better results.
>
> The machine ticket can mount a share, but you will also need
> 'multiuser' and your users will also require a valid ticket.
>
> > Concerning the questions for autofs:
> > This is a service that automatically mounts any file systems as soon
> > as they are accessed. I didn't want to put my network shares into the
> > fstab, as this may cause trouble when the network is not reachable
> > for some reason. With autofs, the shares are mounted as soon as they
> > are accessed, and unmounted if no process is accessing them anymore.
>
> Surely the network not being reachable is also a problem for autofs and
> what if the connection goes idle (for whatever reason), does autofs
> drop the connection?
>
> Rowland
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
Pluess, Tobias
2024-Feb-28 08:02 UTC
[Samba] Samba, Kerberos, Autofs: Shares get disconnected
Hello again,

I would like to ask if there exists any possibility to have a Samba mount point with multiuser and with a credentials file or something similar.

After a couple weeks testing I just find that my shares get disconnected after one week, which is not acceptable: I have stored some large project files on the Samba share which is opened in some calculation software, and simulations take up to one month; during this time, the computer needs access to the Samba share.

I am considering a plain old credentials file now, with a service account, but two things I dislike about this approach:

a) the credentials file contains a clear text password;
b) as the permissions of the service account will be used, all users will be able to access the share, i.e. the access permissions of the service account are considered, and not those of the currently logged in user.

So I am really sorry for asking again, but is it even possible with Linux or probably not?

Thanks!
best
Tobias

On Mon, Feb 12, 2024 at 10:20 AM Rowland Penny via samba <samba at lists.samba.org> wrote:

> On Mon, 12 Feb 2024 09:38:01 +0100
> "Pluess, Tobias via samba" <samba at lists.samba.org> wrote:
>
> > Good day
> >
> > please excuse my delayed response.
> > Thanks for the hint with the machine account. I will try this.
> > I realised I can also manually refresh Kerberos tickets.
> >
> > I have the following:
> >
> > $ klist
> > Valid starting       Expires              Service principal
> > 02/12/2024 08:39:44  02/12/2024 18:39:44  krbtgt/CAMPUS
> >         renew until 02/13/2024 08:39:40
> >
> > so this ticket is valid until 12. February 18:39. Fine.
>
> Not really, my tickets have a renewal time of one week i.e.
>
> klist -c /tmp/krb5cc_11104
> Ticket cache: FILE:/tmp/krb5cc_11104
> Default principal: rowland@SAMDOM.EXAMPLE.COM
>
> Valid starting     Expires            Service principal
> 12/02/24 07:56:02  12/02/24 17:56:02  krbtgt/SAMDOM.EXAMPLE.COM@SAMDOM.EXAMPLE.COM
>         renew until 19/02/24 07:56:02
>
> > And I can refresh it using kinit -R. This also works.
>
> You shouldn't have to manually refresh the ticket, winbind can do it
> for you.
>
> > However, there is the line "renew until". I read that this means this
> > very ticket can only be refreshed until 13. February 8:39. After that
> > date, it is no longer possible to refresh this ticket. So I am still
> > wondering how it could be possible to have a mountpoint that uses
> > Kerberos and stays connected for longer than a couple days, without
> > disconnecting and reconnecting again? Is that even possible?
>
> I think we need to see your /etc/krb5.conf and the output of 'testparm -s'
>
> > Will try now the machine account as well, hopefully with better results.
>
> The machine ticket can mount a share, but you will also need
> 'multiuser' and your users will also require a valid ticket.
>
> > Concerning the questions for autofs:
> > This is a service that automatically mounts any file systems as soon
> > as they are accessed. I didn't want to put my network shares into the
> > fstab, as this may cause trouble when the network is not reachable
> > for some reason. With autofs, the shares are mounted as soon as they
> > are accessed, and unmounted if no process is accessing them anymore.
>
> Surely the network not being reachable is also a problem for autofs and
> what if the connection goes idle (for whatever reason), does autofs
> drop the connection?
>
> Rowland