Pluess, Tobias
2024-Feb-28 13:22 UTC
[Samba] Samba, Kerberos, Autofs: Shares get disconnected
Hi Rowland

yes sure I know who user '0' is ;-)
so where should the ticket be then?
I just rebooted the PC and logged in via SSH as root. There is no ticket for the machine :-(
even though, the Active Directory join seems to be OK, as "net ads testjoin" says so.

I am still a bit lost on how I should proceed.
To have this all working more or less, I just mounted the shares with the credentials file, this is fine as it works reliably but has the drawback that the access permissions are not per-user.
But maybe I will stick to that anyways as it seems I am not able to get the other option to work, obviously something is missing but I have absolutely no idea which part I missed.

On Wed, Feb 28, 2024 at 12:19 PM Rowland Penny via samba <samba at lists.samba.org> wrote:

> On Wed, 28 Feb 2024 11:56:13 +0100
> "Pluess, Tobias via samba" <samba at lists.samba.org> wrote:
>
> > Hi Rowland,
> >
> > I tried that. As follows:
> >
> > [root at machinename mnt]# kinit -k MACHINENAME$
>
> Fairly sure I have said this already, but if I haven't, I will say it now:
>
> Do not use kinit to get the machine's kerberos ticket, winbind has already acquired one for you.
>
> > [root at machinename mnt]# klist
> > Ticket cache: FILE:/tmp/krb5cc_0
> > Default principal: MACHINENAME$@CAMPUS
> >
> > Valid starting       Expires              Service principal
> > 02/28/2024 11:50:55  02/28/2024 21:50:55  krbtgt/CAMPUS at CAMPUS
> >         renew until 02/29/2024 11:50:55
> > [root at machinename mnt]# mount -t cifs //server/share /mnt/test -osec=krb5,multiuser,username=MACHINENAME$
> > mount error(13): Permission denied
> > Refer to the mount.cifs(8) manual page (e.g. man mount.cifs)
> >
> > I don't understand this
>
> I do.
>
> Let's look at this line from your klist output:
>
> Ticket cache: FILE:/tmp/krb5cc_0
>
> The number(s) after the '_' is the Unix ID of the owner.
> Now we all know who '0' is (at least I hope we do) ;-)
>
> I do not have a kerberos ticket for the machine in /tmp, but the share is still mounted.
>
> Rowland
>
> --
> To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Rowland Penny
2024-Feb-28 15:01 UTC
[Samba] Samba, Kerberos, Autofs: Shares get disconnected
On Wed, 28 Feb 2024 14:22:49 +0100
"Pluess, Tobias via samba" <samba at lists.samba.org> wrote:

> Hi Rowland
>
> yes sure I know who user '0' is ;-)
> so where should the ticket be then?
> I just rebooted the PC and logged in via SSH as root. There is no
> ticket for the machine :-(

There is, you just cannot see it, mainly because it is in memory.

> even though, the Active Directory join seems to be OK, as "net ads
> testjoin" says so.

If you start a computer that is joined to AD, then you get a kerberos ticket for the computer in memory, you do not get a physical ticket.

> I am still a bit lost on how I should proceed.
> To have this all working more or less, I just mounted the shares with
> the credentials file, this is fine as it works reliably but has the
> drawback that the access permissions are not per-user.
> But maybe I will stick to that anyways as it seems I am not able to
> get the other option to work, obviously something is missing but I
> have absolutely no idea which part I missed.

Try running this on one of your Samba AD DCs, it should dump your entire AD:

sudo ldbsearch -H "ldap://$(hostname -f)" -P

Make sure that you do not have a ticket for root or the user running the command in /tmp

I hope this shows that you do not need a physical kerberos ticket in /tmp to use the machine's ticket.

If you want, I could post how I set up the two machines for testing.

Rowland
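The point Rowland makes about the ticket cache name (the number after `krb5cc_` is the Unix ID of the cache owner, so a root shell's `/tmp/krb5cc_0` is root's cache and not a per-user or machine credential) is easy to check mechanically. The script below is an added example and is not code from either poster or from the Samba project: it parses `klist` output, reports which UID a `FILE:` cache belongs to, and flags a mismatch against the UID you expected. The `klist` output embedded in it is constructed to mirror the one quoted in the thread; the function names are the example's own.

```shell
#!/bin/sh
# Added example: inspect an MIT krb5 ticket cache name and report which Unix
# user owns it, so a root shell's /tmp/krb5cc_0 is not mistaken for the
# per-user or machine-account credential a krb5 cifs mount will look for.
# Function names and the sample klist output below are constructed here.

# Extract the cache name from the "Ticket cache: ..." line of klist output.
ccache_name() {
    printf '%s\n' "$1" | sed -n 's/^Ticket cache: *//p' | head -n 1
}

# Extract the default principal from klist output.
ccache_principal() {
    printf '%s\n' "$1" | sed -n 's/^Default principal: *//p' | head -n 1
}

# For a FILE: cache named with the default krb5cc_<uid>[_random] scheme,
# print the owning UID; other cache types (KEYRING:, DIR:, KCM:) encode the
# owner differently, so print "n/a" for them.
ccache_uid() {
    case "$1" in
        FILE:*/krb5cc_*)
            printf '%s\n' "${1##*/krb5cc_}" | sed 's/_.*//'
            ;;
        *)
            echo "n/a"
            ;;
    esac
}

# Succeed (exit 0) when the cache belongs to the expected UID, fail otherwise.
ccache_owned_by() {
    [ "$(ccache_uid "$1")" = "$2" ]
}

# Constructed klist output that mirrors the one quoted in the thread
# (ticket obtained in root's cache for the machine account).
SAMPLE_KLIST='Ticket cache: FILE:/tmp/krb5cc_0
Default principal: MACHINENAME$@CAMPUS

Valid starting       Expires              Service principal
02/28/2024 11:50:55  02/28/2024 21:50:55  krbtgt/CAMPUS@CAMPUS
        renew until 02/29/2024 11:50:55'

# Print a one-line verdict for a klist dump against the UID we expected.
report() {
    cache=$(ccache_name "$1")
    owner=$(ccache_uid "$cache")
    princ=$(ccache_principal "$1")
    if ccache_owned_by "$cache" "$2"; then
        echo "OK: $cache (uid $owner) holds $princ and belongs to uid $2"
    else
        echo "MISMATCH: $cache is owned by uid $owner, not uid $2; principal: $princ"
    fi
}

# The constructed sample, checked against an ordinary user's UID: the cache
# is root's, so this reports a mismatch.
report "$SAMPLE_KLIST" 1000

# If klist is installed, also look at the caller's live cache.
if command -v klist >/dev/null 2>&1; then
    report "$(klist 2>/dev/null || true)" "$(id -u)"
fi
```

Run it as the user who will actually do the `mount -t cifs ... -o sec=krb5` (or as root when testing a `multiuser` mount) and compare the reported owner with `id -u`; a cache owned by someone else, or a `KEYRING:`/`KCM:` cache reported as `n/a`, explains a `mount error(13)` that a bare `klist` makes look fine.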