similar to: Pam_mount not working with "sec=krb5"

Am 02.11.2015 um 13:12 schrieb buhorojo: > On 02/11/15 12:54, Ole Traupe wrote: >> Hi all, this is not really a Samba question, but related, and I hope >> that some of you are using this and can tell me what I am doing wrong. >> >> On a member server, I can mount my shares by hand specifying "-o >> username=xxx,domain=yyy,password=zzz". But as soon as I

On 02/11/15 12:54, Ole Traupe wrote: > Hi all, this is not really a Samba question, but related, and I hope > that some of you are using this and can tell me what I am doing wrong. > > On a member server, I can mount my shares by hand specifying "-o > username=xxx,domain=yyy,password=zzz". But as soon as I put "sec=krb5" > in the mount options (and leaving

> > If by "key" you meant keytab then you were right. A keytab is a file > dedicated to contains credentials (https://kb.iu.edu/d/aumh or > http://web.mit.edu/Kerberos/krb5-1.12/doc/basic/keytab_def.html). > > Keytab are used when you want to automate actions which need > authentication. When some automated action requires credentials you > have to provide

Am 04.11.2015 um 14:49 schrieb mathias dufresne: > 2015-11-04 13:58 GMT+01:00 Ole Traupe <ole.traupe at tu-berlin.de>: > >> Mathias, thanks again! This sounds like a very reasonable approach. I know >> that with remote ssh and public key authentication you can set the limit to >> a single possible command. is this also possible with AD users? >> > I'm

>> I mean, putting the key in the keytab looks like a security risk to me. > In what way does it appear any more of a risk than having the keys > which you have there already? Even if someone steals the keytab, > they're gonna be hard pressed to crack the key in the few hours before > the tgt expires. Do you have very sensitive data maybe? Ok. And maybe I misunderstood

Mathias, thanks again! This sounds like a very reasonable approach. I know that with remote ssh and public key authentication you can set the limit to a single possible command. is this also possible with AD users? Unfortunately, I don't have 'multiuser' support in my current cifs-utils version 4.8. So I would end up with your designated user being the owner of all the files and

So finally here is the solution that works for me. If you have any questions, just ask. I use pam_mount with the following volume definition in the "/etc/security/pam_mount.conf.xml": <volume fstype="cifs" server="server" path="home/%(USER)" mountpoint="/home/%(USER)" sgrp="domain users"

> However, I have two objections at first glance: > a) if you remove AD access for an AD user, this user can't mount samba > shares, because he won't get authenticated correctly (on the Samba file > server sharing the homes), no? Looks correct to me what your saying, But how are you removing ad access from an AD user? > b) if you use NFS, and I tried that, and a user

2015-11-04 13:58 GMT+01:00 Ole Traupe <ole.traupe at tu-berlin.de>: > Mathias, thanks again! This sounds like a very reasonable approach. I know > that with remote ssh and public key authentication you can set the limit to > a single possible command. is this also possible with AD users? > I'm interested by the restriction to only one command for users. The only I see that

First please note the following is not really linked to your NFS question, it's more related to automation, credentials everywhere and how to secure them a little bit. The point dealing with keytab or credentials in general when used for automation, as these credentials can potentially used by some attacker, is to create dedicated user which can perform only what it is supposed to perform.

Very interesting thread! Thank you all for sharing your thoughts and knowledge. Regards Davor -- Skickat från mobilusken! -- ----- Ursprungligt meddelande ----- Från: "Ole Traupe" <ole.traupe at tu-berlin.de> Skickat: ‎2015-‎11-‎04 15:29 Till: "samba at lists.samba.org" <samba at lists.samba.org> Ämne: Re: [Samba] Pam_mount not working with "sec=krb5"

I have some (for testing) Debian based client/workstation connected to my AD. Signing to the AD works as a domain/user should. These clients can, via Nautilus file manager, access shares on the file server manually that the *signed in domain user* is permitted to "see". I would prefer to connect these files and the domain user home directory automatically at sign in without manual

Am 02.11.2015 um 15:10 schrieb buhorojo: > On 02/11/15 14:42, Ole Traupe wrote: >> >> Am 02.11.2015 um 13:12 schrieb buhorojo: >>> On 02/11/15 12:54, Ole Traupe wrote: > >>> Why can't the user do it with his own key file? > Only root can perform mounts and anyway, Right, sorry. > cifs upcall looks for a key, not a cache. So you just _have_ to use the

Am 03.11.2015 um 16:44 schrieb buhorojo: > On 03/11/15 10:56, Ole Traupe wrote: >> >>>> I mean, putting the key in the keytab looks like a security risk to >>>> me. >>> In what way does it appear any more of a risk than having the keys >>> which you have there already? Even if someone steals the keytab, >>> they're gonna be hard

Sorry for a rather 'unifornative' subject, but i've little o no clue on this. I'm using at work 'pam_mount' with a rather standard configuration to mount via CIFS/SMB user's home directory, from a samba AD member server. This configuration is a bit 'old' (mint sonya, AKA Ubuntu 16.04 as a client, so samba 4.3; debian and samba 4.8 as a server), but work

On 04/11/15 18:30, Ole Traupe wrote: > So finally here is the solution that works for me. If you have any > questions, just ask. > > I use pam_mount with the following volume definition in the > "/etc/security/pam_mount.conf.xml": > <volume fstype="cifs" server="server" path="home/%(USER)" > mountpoint="/home/%(USER)"

Op 07-02-2024 om 12:27 schreef Rowland Penny via samba: > On Wed, 7 Feb 2024 11:57:28 +0100 > Kees van Vloten via samba <samba at lists.samba.org> wrote: > >> Op 07-02-2024 om 11:34 schreef Rowland Penny via samba: >>> On Wed, 7 Feb 2024 10:34:15 +0100 >>> Kees van Vloten via samba <samba at lists.samba.org> wrote: >>> >>>> Op

On Mon, 29 Jan 2024 16:42:20 -0800 Peter Carlson via samba <samba at lists.samba.org> wrote: > > On 1/29/24 13:08, Rowland Penny via samba wrote: > > On Mon, 29 Jan 2024 12:51:37 -0800 > > Peter Carlson via samba<samba at lists.samba.org> wrote: > > > > > >> Just did a quick test, the big T comes after setting permissions in > >>

Hi, I am trying to mount fileserver (samba, 10.20.30.16) shares on a linux domain member server, where I logged on via ssh using AD my credentials. I am unable to get past the "mount error(126): Required key not available" error message. I have read and googled a lot, and could use some help. See this: > domainuser at memberserver-45:~$ sudo tail -f /var/log/debug & >

On 03/11/15 10:56, Ole Traupe wrote: > >>> I mean, putting the key in the keytab looks like a security risk to me. >> In what way does it appear any more of a risk than having the keys >> which you have there already? Even if someone steals the keytab, >> they're gonna be hard pressed to crack the key in the few hours >> before the tgt expires. Do you