Pluess, Tobias
2024-Feb-28 08:02 UTC
[Samba] Samba, Kerberos, Autofs: Shares get disconnected
Hello again,

I would like to ask if there exists any possibility to have a Samba mount point with multiuser and with a credentials file or something similar. After a couple weeks testing I just find that my shares get disconnected after one week, which is not acceptable: I have stored some large project files on the Samba share which is opened in some calculation software, and simulations take up to one month; during this time, the computer needs access to the Samba share.

I am considering a plain old credentials file now, with a service account, but two things I dislike about this approach:

a) credentials file contains clear text password;
b) as the permissions of the service account will be used, all users will be able to access the share, i.e. access permissions of the service account are considered, and not of the currently logged in user.

So I am really sorry for asking again, but is it even possible with Linux or probably not?

Thanks!
best
Tobias

On Mon, Feb 12, 2024 at 10:20 AM Rowland Penny via samba <samba at lists.samba.org> wrote:

> On Mon, 12 Feb 2024 09:38:01 +0100
> "Pluess, Tobias via samba" <samba at lists.samba.org> wrote:
>
> > Good day
> >
> > please excuse my delayed response.
> > Thanks for the hint with the machine account. I will try this.
> > I realised I can also manually refresh Kerberos tickets.
> >
> > I have the following:
> >
> > $ klist
> > Valid starting       Expires              Service principal
> > 02/12/2024 08:39:44  02/12/2024 18:39:44  krbtgt/CAMPUS
> >         renew until 02/13/2024 08:39:40
> >
> > so this ticket is valid until 12. February 18:39. Fine.
>
> Not really, my tickets have a renewal time of one week i.e.
>
> klist -c /tmp/krb5cc_11104
> Ticket cache: FILE:/tmp/krb5cc_11104
> Default principal: rowland at SAMDOM.EXAMPLE.COM
>
> Valid starting     Expires            Service principal
> 12/02/24 07:56:02  12/02/24 17:56:02  krbtgt/
> SAMDOM.EXAMPLE.COM at SAMDOM.EXAMPLE.COM
>         renew until 19/02/24 07:56:02
>
> > And I can
> > refresh it using kinit -R. This also works.
>
> You shouldn't have to manually refresh the ticket, winbind can do it
> for you.
>
> > However, there is the
> > line "renew until". I read that this means this very ticket can only
> > be refreshed until 13. February 8:39. After that date, it is no
> > longer possible to refresh this ticket. So I am still wondering how
> > it could be possible to have a mountpoint that uses Kerberos and
> > stays connected for longer than a couple days, without disconnecting
> > and reconnecting again? is that even possible?
>
> I think we need to see your /etc/krb5.conf and the output of 'testparm
> -s'
>
> > Will try now the machine account as well, hopefully with better
> > results.
>
> The machine ticket can mount a share, but you will also need
> 'multiuser' and your users will also require a valid ticket.
>
> > Concerning the questions for autofs:
> > This is a service that automatically mounts any file systems as soon
> > as they are accessed. I didn't want to put my network shares into the
> > fstab, as this may cause trouble when the network is not reachable
> > for some reason. With autofs, the shares are mounted as soon as they
> > are accessed, and unmounted if no process is accessing them anymore.
>
> Surely the network not being reachable is also a problem for autofs and
> what if the connection goes idle (for whatever reason), does autofs
> drop the connection ?
>
> Rowland
Kees van Vloten
2024-Feb-28 08:32 UTC
[Samba] Samba, Kerberos, Autofs: Shares get disconnected
On 28-02-2024 at 09:02, Pluess, Tobias via samba wrote:

> Hello again,
>
> I would like to ask if there exists any possibility to have a Samba mount
> point with multiuser and with a credentials file or something similar.
> After a couple weeks testing I just find that my shares get disconnected
> after one week, which is not acceptable: I have stored some large project
> files on the Samba share which is opened in some calculation software, and
> simulations take up to one month; during this time, the computer needs
> access to the Samba share.

Did you try a multiuser mount with the computer's machine account?

> I am considering a plain old credentials file now, with a service account,
> but two things I dislike about this approach:
>
> a) credentials file contains clear text password;
> b) as the permissions of the service account will be used, all users will
> be able to access the share, i.e. access permissions of the service account
> are considered, and not of the currently logged in user.
>
> So I am really sorry for asking again, but is it even possible with Linux
> or probably not?
>
> Thanks!
> best
> Tobias
>
> On Mon, Feb 12, 2024 at 10:20 AM Rowland Penny via samba <
> samba at lists.samba.org> wrote:
>
>> On Mon, 12 Feb 2024 09:38:01 +0100
>> "Pluess, Tobias via samba" <samba at lists.samba.org> wrote:
>>
>>> Good day
>>>
>>> please excuse my delayed response.
>>> Thanks for the hint with the machine account. I will try this.
>>> I realised I can also manually refresh Kerberos tickets.
>>>
>>> I have the following:
>>>
>>> $ klist
>>> Valid starting       Expires              Service principal
>>> 02/12/2024 08:39:44  02/12/2024 18:39:44  krbtgt/CAMPUS
>>>         renew until 02/13/2024 08:39:40
>>>
>>> so this ticket is valid until 12. February 18:39. Fine.
>>
>> Not really, my tickets have a renewal time of one week i.e.
>>
>> klist -c /tmp/krb5cc_11104
>> Ticket cache: FILE:/tmp/krb5cc_11104
>> Default principal: rowland at SAMDOM.EXAMPLE.COM
>>
>> Valid starting     Expires            Service principal
>> 12/02/24 07:56:02  12/02/24 17:56:02  krbtgt/
>> SAMDOM.EXAMPLE.COM at SAMDOM.EXAMPLE.COM
>>         renew until 19/02/24 07:56:02
>>
>>> And I can
>>> refresh it using kinit -R. This also works.
>>
>> You shouldn't have to manually refresh the ticket, winbind can do it
>> for you.
>>
>>> However, there is the
>>> line "renew until". I read that this means this very ticket can only
>>> be refreshed until 13. February 8:39. After that date, it is no
>>> longer possible to refresh this ticket. So I am still wondering how
>>> it could be possible to have a mountpoint that uses Kerberos and
>>> stays connected for longer than a couple days, without disconnecting
>>> and reconnecting again? is that even possible?
>>
>> I think we need to see your /etc/krb5.conf and the output of 'testparm
>> -s'
>>
>>> Will try now the machine account as well, hopefully with better
>>> results.
>>
>> The machine ticket can mount a share, but you will also need
>> 'multiuser' and your users will also require a valid ticket.
>>
>>> Concerning the questions for autofs:
>>> This is a service that automatically mounts any file systems as soon
>>> as they are accessed. I didn't want to put my network shares into the
>>> fstab, as this may cause trouble when the network is not reachable
>>> for some reason. With autofs, the shares are mounted as soon as they
>>> are accessed, and unmounted if no process is accessing them anymore.
>>
>> Surely the network not being reachable is also a problem for autofs and
>> what if the connection goes idle (for whatever reason), does autofs
>> drop the connection ?
>>
>> Rowland
Christian Naumer
2024-Feb-28 09:59 UTC
[Samba] Samba, Kerberos, Autofs: Shares get disconnected
Hi Tobias.

On 28.02.24 at 09:02, Pluess, Tobias via samba wrote:

> After a couple weeks testing I just find that my shares get disconnected
> after one week, which is not acceptable:

I usually never log in that long so I have never seen this.
If you do not need file sharing, on the client you are using, you might want to try sssd instead of winbind and see if this works.

If it is a Samba DC you could also try this:

https://wiki.samba.org/index.php/Samba_KDC_Settings

Or export a keytab for the user and use this to get a new ticket before it expires. It is almost like a "credential" file.

Regards

Christian
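
The difference between a ticket's "Expires" time and its "renew until" limit, and the keytab suggestion above, as an added example (not code from any poster or from Samba). It parses klist text and decides whether a periodic job can still renew the TGT or must obtain a fresh one from a keytab; the sample output, realm, principal and the function names are constructed for illustration.

```python
import re
from datetime import datetime, timedelta

# Constructed sample modelled on the klist output quoted in the thread;
# principal and realm are placeholders, not values from the thread.
SAMPLE_KLIST = """\
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: CLIENT1$@EXAMPLE.TEST

Valid starting       Expires              Service principal
02/12/2024 08:39:44  02/12/2024 18:39:44  krbtgt/EXAMPLE.TEST@EXAMPLE.TEST
        renew until 02/19/2024 08:39:44
"""

STAMP = r"(\d{2}/\d{2}/\d{2,4} \d{2}:\d{2}:\d{2})"


def parse_tgt(klist_text, fmt="%m/%d/%Y %H:%M:%S"):
    """Return (expires, renew_until) of the krbtgt entry.

    klist date order follows the locale, so the caller passes the format.
    renew_until is None when the ticket is not renewable.
    """
    lines = klist_text.splitlines()
    for i, line in enumerate(lines):
        m = re.match(rf"\s*{STAMP}\s+{STAMP}\s+krbtgt/", line)
        if not m:
            continue
        expires = datetime.strptime(m.group(2), fmt)
        renew_until = None
        if i + 1 < len(lines):
            r = re.search(rf"renew until {STAMP}", lines[i + 1])
            if r:
                renew_until = datetime.strptime(r.group(1), fmt)
        return expires, renew_until
    raise ValueError("no krbtgt entry in klist output")


def next_action(now, expires, renew_until, margin=timedelta(hours=1)):
    """Decide what a periodic job has to do to keep the TGT usable."""
    if now + margin < expires:
        return "ok"        # ticket still has comfortable lifetime left
    # Renewal needs a ticket that has not expired yet and is still
    # inside its renew window; a renewed ticket never outlives renew_until.
    if now < expires and renew_until and now + margin < renew_until:
        return "renew"     # i.e. run: kinit -R
    # Past "renew until" (or already expired): only fresh credentials help.
    return "reinit"        # i.e. run: kinit -k -t <keytab> <principal>
```

With a one-week "renew until", the job returns "renew" for most of the week and "reinit" at the end of it, which is the point at which a mount that depends only on renewal loses its ticket.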
Rowland Penny
2024-Feb-28 10:01 UTC
[Samba] Samba, Kerberos, Autofs: Shares get disconnected
On Wed, 28 Feb 2024 09:02:20 +0100
"Pluess, Tobias" <tpluess at ieee.org> wrote:

> Hallo again,
>
> I would like to ask if there exists any possibility to have a Samba
> mount point with multiuser and with a credentials file or something
> similar.

Yes, mount them from fstab with the machine ticket.

After your last post, I set up a share on one of my DCs, then mounted it with the machine's ticket via fstab on another DC (they are the only computers that run 24/7) and 16 days later, the share is still up!

Rowland