similar to: Pam_mount not working with "sec=krb5"

Displaying 20 results from an estimated 2000 matches similar to: "Pam_mount not working with "sec=krb5""

2015 Nov 02
3
Pam_mount not working with "sec=krb5"
Am 02.11.2015 um 13:12 schrieb buhorojo: > On 02/11/15 12:54, Ole Traupe wrote: >> Hi all, this is not really a Samba question, but related, and I hope >> that some of you are using this and can tell me what I am doing wrong. >> >> On a member server, I can mount my shares by hand specifying "-o >> username=xxx,domain=yyy,password=zzz". But as soon as I
2015 Nov 02
0
Pam_mount not working with "sec=krb5"
On 02/11/15 12:54, Ole Traupe wrote: > Hi all, this is not really a Samba question, but related, and I hope > that some of you are using this and can tell me what I am doing wrong. > > On a member server, I can mount my shares by hand specifying "-o > username=xxx,domain=yyy,password=zzz". But as soon as I put "sec=krb5" > in the mount options (and leaving
2015 Nov 04
3
Pam_mount not working with "sec=krb5"
> > If by "key" you meant keytab then you were right. A keytab is a file > dedicated to contains credentials (https://kb.iu.edu/d/aumh or > http://web.mit.edu/Kerberos/krb5-1.12/doc/basic/keytab_def.html). > > Keytab are used when you want to automate actions which need > authentication. When some automated action requires credentials you > have to provide
2015 Nov 04
2
Pam_mount not working with "sec=krb5"
Am 04.11.2015 um 14:49 schrieb mathias dufresne: > 2015-11-04 13:58 GMT+01:00 Ole Traupe <ole.traupe at tu-berlin.de>: > >> Mathias, thanks again! This sounds like a very reasonable approach. I know >> that with remote ssh and public key authentication you can set the limit to >> a single possible command. is this also possible with AD users? >> > I'm
2015 Nov 03
4
Pam_mount not working with "sec=krb5"
>> I mean, putting the key in the keytab looks like a security risk to me. > In what way does it appear any more of a risk than having the keys > which you have there already? Even if someone steals the keytab, > they're gonna be hard pressed to crack the key in the few hours before > the tgt expires. Do you have very sensitive data maybe? Ok. And maybe I misunderstood
2015 Nov 04
3
Pam_mount not working with "sec=krb5"
Mathias, thanks again! This sounds like a very reasonable approach. I know that with remote ssh and public key authentication you can set the limit to a single possible command. is this also possible with AD users? Unfortunately, I don't have 'multiuser' support in my current cifs-utils version 4.8. So I would end up with your designated user being the owner of all the files and
2015 Nov 04
2
Pam_mount not working with "sec=krb5"
So finally here is the solution that works for me. If you have any questions, just ask. I use pam_mount with the following volume definition in the "/etc/security/pam_mount.conf.xml": <volume fstype="cifs" server="server" path="home/%(USER)" mountpoint="/home/%(USER)" sgrp="domain users"
2015 Nov 04
4
Pam_mount not working with "sec=krb5"
> However, I have two objections at first glance: > a) if you remove AD access for an AD user, this user can't mount samba > shares, because he won't get authenticated correctly (on the Samba file > server sharing the homes), no? Looks correct to me what your saying, But how are you removing ad access from an AD user? > b) if you use NFS, and I tried that, and a user
2015 Nov 04
0
Pam_mount not working with "sec=krb5"
2015-11-04 13:58 GMT+01:00 Ole Traupe <ole.traupe at tu-berlin.de>: > Mathias, thanks again! This sounds like a very reasonable approach. I know > that with remote ssh and public key authentication you can set the limit to > a single possible command. is this also possible with AD users? > I'm interested by the restriction to only one command for users. The only I see that
2015 Nov 04
0
Pam_mount not working with "sec=krb5"
First please note the following is not really linked to your NFS question, it's more related to automation, credentials everywhere and how to secure them a little bit. The point dealing with keytab or credentials in general when used for automation, as these credentials can potentially used by some attacker, is to create dedicated user which can perform only what it is supposed to perform.
2015 Nov 04
0
Pam_mount not working with "sec=krb5"
Very interesting thread! Thank you all for sharing your thoughts and knowledge. Regards Davor -- Skickat från mobilusken! -- ----- Ursprungligt meddelande ----- Från: "Ole Traupe" <ole.traupe at tu-berlin.de> Skickat: ‎2015-‎11-‎04 15:29 Till: "samba at lists.samba.org" <samba at lists.samba.org> Ämne: Re: [Samba] Pam_mount not working with "sec=krb5"
2020 Sep 24
3
Debian client/workstation pam_mount
I have some (for testing) Debian based client/workstation connected to my AD. Signing to the AD works as a domain/user should. These clients can, via Nautilus file manager, access shares on the file server manually that the *signed in domain user* is permitted to "see". I would prefer to connect these files and the domain user home directory automatically at sign in without manual
2015 Nov 02
4
Pam_mount not working with "sec=krb5"
Am 02.11.2015 um 15:10 schrieb buhorojo: > On 02/11/15 14:42, Ole Traupe wrote: >> >> Am 02.11.2015 um 13:12 schrieb buhorojo: >>> On 02/11/15 12:54, Ole Traupe wrote: > >>> Why can't the user do it with his own key file? > Only root can perform mounts and anyway, Right, sorry. > cifs upcall looks for a key, not a cache. So you just _have_ to use the
2015 Nov 03
2
Pam_mount not working with "sec=krb5"
Am 03.11.2015 um 16:44 schrieb buhorojo: > On 03/11/15 10:56, Ole Traupe wrote: >> >>>> I mean, putting the key in the keytab looks like a security risk to >>>> me. >>> In what way does it appear any more of a risk than having the keys >>> which you have there already? Even if someone steals the keytab, >>> they're gonna be hard
2020 Sep 06
2
pam_mount in 'newer samba'...
Sorry for a rather 'unifornative' subject, but i've little o no clue on this. I'm using at work 'pam_mount' with a rather standard configuration to mount via CIFS/SMB user's home directory, from a samba AD member server. This configuration is a bit 'old' (mint sonya, AKA Ubuntu 16.04 as a client, so samba 4.3; debian and samba 4.8 as a server), but work
2015 Nov 04
0
Pam_mount not working with "sec=krb5"
On 04/11/15 18:30, Ole Traupe wrote: > So finally here is the solution that works for me. If you have any > questions, just ask. > > I use pam_mount with the following volume definition in the > "/etc/security/pam_mount.conf.xml": > <volume fstype="cifs" server="server" path="home/%(USER)" > mountpoint="/home/%(USER)"
2024 Feb 07
1
Samba, Kerberos, Autofs: Shares get disconnected
Op 07-02-2024 om 12:27 schreef Rowland Penny via samba: > On Wed, 7 Feb 2024 11:57:28 +0100 > Kees van Vloten via samba <samba at lists.samba.org> wrote: > >> Op 07-02-2024 om 11:34 schreef Rowland Penny via samba: >>> On Wed, 7 Feb 2024 10:34:15 +0100 >>> Kees van Vloten via samba <samba at lists.samba.org> wrote: >>> >>>> Op
2024 Jan 30
1
permission denied with windows acls
On Mon, 29 Jan 2024 16:42:20 -0800 Peter Carlson via samba <samba at lists.samba.org> wrote: > > On 1/29/24 13:08, Rowland Penny via samba wrote: > > On Mon, 29 Jan 2024 12:51:37 -0800 > > Peter Carlson via samba<samba at lists.samba.org> wrote: > > > > > >> Just did a quick test, the big T comes after setting permissions in > >>
2019 Jan 07
2
mount cifs with sec=krb5
Hi, I am trying to mount fileserver (samba, 10.20.30.16) shares on a linux domain member server, where I logged on via ssh using AD my credentials. I am unable to get past the "mount error(126): Required key not available" error message. I have read and googled a lot, and could use some help. See this: > domainuser at memberserver-45:~$ sudo tail -f /var/log/debug & >
2015 Nov 03
0
Pam_mount not working with "sec=krb5"
On 03/11/15 10:56, Ole Traupe wrote: > >>> I mean, putting the key in the keytab looks like a security risk to me. >> In what way does it appear any more of a risk than having the keys >> which you have there already? Even if someone steals the keytab, >> they're gonna be hard pressed to crack the key in the few hours >> before the tgt expires. Do you