[Samba] Samba, Kerberos, Autofs: Shares get disconnected

Rowland Penny rpenny at samba.org
Tue Feb 6 12:41:21 UTC 2024


On Tue, 6 Feb 2024 13:27:29 +0100
"Pluess, Tobias via samba" <samba at lists.samba.org> wrote:

> Hi,
> I am still trying to figure out the best settings for Samba and
> Kerberos with autofs.
> My setup so far works well, users can log in on their computers using
> AD credentials, and they can access network shares with AD
> credentials as well. This works perfectly.
> Also I notice that some Kerberos ticket is created upon user login,
> which allows the users to access a Samba share without entering the
> password, which is very convenient.
> For this to work, I had to create the SPNs in AD. However, that
> worked. So currently, it all works quite conveniently.
> Further, I have configured autofs to automatically mount for each
> user the network shares they need.
> For this, I used the "multiuser" and "sec=krb5" options. This also
> works as I expected. However, I notice the following problem.
> 
> Assume I log in on my workstation and I have a Samba share
> automounted (via autofs) under /storage/work. Just after logging
> into my workstation, I can easily access the share without trouble.
> However, when I leave my workstation running during the night and
> return the next morning, I notice the /storage/work has been
> disconnected, even if I had some program running there that accesses
> these data. Furthermore, autofs cannot anymore automatically
> reconnect the network share, it claims "required key not available".
> The only way to reconnect the share seems to be
> 
> a) stop autofs
> b) kdestroy
> c) kinit, and enter the password
> d) restart autofs
> 
> then the share works again as normal.
> I wonder, is this behaviour intentional or is this a bug or just
> misconfiguration? I thought as long as I stay logged in on my
> workstation, the Kerberos ticket does not expire. However according
> to above error message from autofs this seems not to be the case. Can
> I somehow fix this? It happens often that I leave my computer running
> overnight, with some program left open to access some network
> shares. Previously I did that with a credentials file, but I still
> dislike this concept and would favour autofs + Kerberos if possible.
> 
> Thanks
> best
> Tobias

Do you have 'winbind refresh tickets = yes' set in your smb.conf file?
It defaults to 'no'.

Rowland
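
One way to check the setting asked about above, as an added example that is not part of the original thread: a shell function that reads an smb.conf-style file and reports the effective [global] value of 'winbind refresh tickets'. The function name is hypothetical, the file path is supplied by the caller, and 'include' directives and line continuations are not followed.

```shell
#!/bin/sh
# Added example (not from the thread). Prints "yes" or "no" for the
# [global] value of 'winbind refresh tickets' in the file given as $1.
# Assumptions: 'include' lines and backslash continuations are not handled.

refresh_tickets_setting() {
    conf=$1
    awk '
        BEGIN { in_global = 0; value = "no" }    # unset means "no", the default
        /^[ \t]*[#;]/ { next }                    # skip comment lines
        /^[ \t]*\[/ {                             # section header
            name = tolower($0)
            sub(/^[ \t]*\[/, "", name)
            sub(/\].*$/, "", name)
            gsub(/[ \t]/, "", name)
            in_global = (name == "global")
            next
        }
        in_global && /=/ {
            eq  = index($0, "=")                  # only the first "=" is significant
            key = tolower(substr($0, 1, eq - 1))
            gsub(/[ \t]/, "", key)                # names ignore case and whitespace
            val = tolower(substr($0, eq + 1))
            gsub(/^[ \t]+|[ \t]+$/, "", val)
            if (key == "winbindrefreshtickets") value = val
        }
        END {
            if (value == "yes" || value == "true" || value == "on" || value == "1")
                print "yes"
            else
                print "no"
        }
    ' "$conf"
}

# Usage: refresh_tickets_setting /etc/samba/smb.conf
```

On a host with Samba installed, `testparm -s --parameter-name='winbind refresh tickets'` reports the value Samba itself resolves, including any included files.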


