samba - Feb 2024 - Samba, Kerberos, Autofs: Shares get disconnected

Hi Rowland,

I tried that. As follows:



[root at machinename mnt]# kinit -k MACHINENAME$
[root at machinename mnt]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: MACHINENAME$@CAMPUS

Valid starting       Expires              Service principal
02/28/2024 11:50:55  02/28/2024 21:50:55  krbtgt/CAMPUS at CAMPUS
renew until 02/29/2024 11:50:55
[root at machinename mnt]# mount -t cifs //server/share /mnt/test
-osec=krb5,multiuser,username=MACHINENAME$
mount error(13): Permission denied
Refer to the mount.cifs(8) manual page (e.g. man mount.cifs)


I don't understand this, as with a personal user account it works. Also the
machine itself is member of the group which has access to that particular
share. Do I need to configure something else?

the server is also a SAMBA server. The fun thing is, with Windows it just
works absolutely perfectly.
With Linux, I can either not mount (as shown above) or, if I can mount
(using a Kerberos ticket from a existing user), I get the funny
disconnects. (I recently did a test where I logged in, and let in a
terminal run "watch -n1 kinit -R" and then this keeps the ticket much
longer than just 10 hours, but after one week disconnects nevertheless.)



On Wed, Feb 28, 2024 at 11:02?AM Rowland Penny via samba <
samba at lists.samba.org> wrote:
> On Wed, 28 Feb 2024 09:02:20 +0100
> "Pluess, Tobias" <tpluess at ieee.org> wrote:
>
> > Hallo again,
> >
> > I would like to ask if there exists any possibility to have a Samba
> > mount point with multiuser and with a credentials file or something
> > similar.
>
> Yes, mount them from fstab with the machine ticket.
>
> After your last post, I set up a share on one of my DCs, then mounted
> it with the machines ticket via fstab on another DC (they are the only
> computers that run 24/7) and 16 days later, the share is still up!
>
> Rowland
>
>
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
>

On Wed, 28 Feb 2024 11:56:13 +0100
"Pluess, Tobias via samba" <samba at lists.samba.org> wrote:
> Hi Rowland,
> 
> I tried that. As follows:
> 
> 
> 
> [root at machinename mnt]# kinit -k MACHINENAME$
Fairly sure I have said this already, but if I haven't, I will say it
now:

Do not use kinit to get the machines kerberos ticket, winbind has
already acquired one for you.
> [root at machinename mnt]# klist
> Ticket cache: FILE:/tmp/krb5cc_0
> Default principal: MACHINENAME$@CAMPUS
> 
> Valid starting       Expires              Service principal
> 02/28/2024 11:50:55  02/28/2024 21:50:55  krbtgt/CAMPUS at CAMPUS
> renew until 02/29/2024 11:50:55
> [root at machinename mnt]# mount -t cifs //server/share /mnt/test
> -osec=krb5,multiuser,username=MACHINENAME$
> mount error(13): Permission denied
> Refer to the mount.cifs(8) manual page (e.g. man mount.cifs)
> 
> 
> I don't understand this
I do.

Lets look at this line from your klist output:

Ticket cache: FILE:/tmp/krb5cc_0

The number(s) after the '_' is the Unix ID of the owner.

Now we all know who '0' is (at least I hope we do) ;-)

I do not have a kerberos ticket for the machine in /tmp , but the
share is still mounted.

Rowland