[Samba] Pam_mount not working with "sec=krb5"

buhorojo buhorojo.lcb at gmail.com
Wed Nov 4 16:33:51 UTC 2015


On 04/11/15 16:50, L.P.H. van Belle wrote:
>> However, I have two objections at first glance:
>> a) if you remove AD access for an AD user, this user can't mount samba
>> shares, because he won't get authenticated correctly (on the Samba file
>> server sharing the homes), no?
> Looks correct to me what you're saying,
> But how are you removing AD access from an AD user?
Only users in the realm or with trust will be able to:
1. authenticate
2. use the resultant ticket to request access to the file server
Also remember that root is not in the realm ;)
>
>> b) if you use NFS, and I tried that, and a user creates subfolders and
>> files in his nfs-mounted home share, these subcontainers won't have the
>> correctly inherited Windows ACLs (ergo problems with these shares when
>> accessing them from Windows AD clients)
>>
> Strange, this works correctly for me in the home folder.
>
> Test1: log in on a server with an NFS-mounted homedir, NFSv4 Kerberos mounted.
> If I create a folder from an ssh shell access, with a Kerberos-authenticated user (for me, a user who does not type its password on ssh access)
Are you sure you are accessing the nfs mounted share on the server and 
not the share itself? If you are setting the acl from windows on the 
parent directory, it will not translate correctly across nfs4 unless you 
have set the acl yourself using the (highly intuitive) nfs4_setfacl. At 
least several hours of trying later and failing before we went cifs 
where the acls just work.
HTH
