[Samba] Pam_mount not working with "sec=krb5"

Ole Traupe ole.traupe at tu-berlin.de
Wed Nov 4 17:03:10 UTC 2015



On 04.11.2015 at 17:33, buhorojo wrote:
> On 04/11/15 16:50, L.P.H. van Belle wrote:
>>> However, I have two objections at first glance:
>>> a) if you remove AD access for an AD user, this user can't mount samba
>>> shares, because he won't get authenticated correctly (on the Samba file
>>> server sharing the homes), no?
>> Looks correct to me what you're saying,
>> But how are you removing AD access from an AD user?
> Only users in the realm or with trust will be able to:
> 1. authenticate
> 2. use the resultant ticket to request access to the file server
> Also remember that root is not in the realm;)
>>
>>> b) if you use NFS, and I tried that, and a user creates subfolders and
>>> files in his nfs-mounted home share, these subcontainers won't have the
>>> correctly inherited Windows ACLs (ergo problems with these shares when
>>> accessing them from Windows AD clients)
>>>
>> Strange, this works correctly for me in the home folder.
>>
>> Test1 : login on a server with an NFS mounted homedir nfsV4 kerberos
>> mounted.
>> If I create a folder from an ssh shell access, with a kerberos
>> authenticated user. ( for me a user who does not type its password on
>> ssh access )
> Are you sure you are accessing the nfs mounted share on the server and 
> not the share itself?
Yes.

> If you are setting the acl from windows on the parent directory, it 
> will not translate correctly across nfs4 unless you have set the acl 
> yourself using the (highly intuitive) nfs4_setfacl. 
I will not start and try out the third permission system after Windows 
ACLs and Unix permissions. Unless there would be a way to automate this. 
But never mind, I got my Samba pam_mount working. Will report in the next 
mail.

> At least several hours of trying later and failing before we went cifs 
> where the acls just work.
> HTH
>
Thanks for your effort. Yes, cifs works.



