[Samba] Samba, Kerberos, Autofs: Shares get disconnected

Pluess, Tobias tpluess at ieee.org
Tue Feb 6 15:02:27 UTC 2024


Good day Kees,

I have no special user to connect the share. Instead, I tried to use the
user's own Kerberos ticket, which seems to work fine.
I use the options

sec=krb5,multiuser,cruid=$USER

to mount the share. That seems to accept the user's Kerberos ticket which
is created when he logs in.

best
Tobias


On Tue, Feb 6, 2024 at 1:37 PM Kees van Vloten via samba <
samba at lists.samba.org> wrote:

>
> On 06-02-2024 at 13:27, Pluess, Tobias via samba wrote:
> > Hi,
> > I am still trying to figure out the best settings for Samba and Kerberos
> > with autofs.
> > My setup so far works well, users can log in on their computers using AD
> > credentials, and they can access network shares with AD credentials as
> > well. This works perfectly.
> > Also I notice that some Kerberos ticket is created upon user login, which
> > allows the users to access a Samba share without entering the password,
> > which is very convenient.
> > For this to work, I had to create the SPNs in AD. However, that worked. So
> > currently, it works all quite convenient.
> > Further, I have configured autofs to automatically mount for each user the
> > network shares they need.
> > For this, I used the "multiuser" and "sec=krb5" options. This also works as
> > I expected. However, I notice the following problem.
> >
> > Assume I log in on my workstation and I have a Samba share automounted (via
> > autofs) under /storage/work. Just after logging in into my workstation, I
> > can easily access the share without troubles. However, when I leave my
> > workstation running during the night and return the next morning, I notice
> > the /storage/work has been disconnected, even if I had some program running
> > there that accesses these data. Furthermore, autofs cannot anymore
> > automatically reconnect the network share, it claims "required key not
> > available". The only way to reconnect the share seems to be
> >
> > a) stop autofs
> > b) kdestroy
> > c) kinit, and enter the password
> > d) restart autofs
> >
> > then the share works again as normal.
> > I wonder, is this behaviour intentional or is this a bug or just
> > misconfiguration? I thought as long as I stay logged in on my workstation,
> > the Kerberos ticket does not expire. However according to above error
> > message from autofs this seems not to be the case. Can I somehow fix this?
> > It happens often that I leave my computer running over night, with some
> > program left open to access some network shares. Previously I did that with
> > a credentials file, but I still dislike this concept and would favour
> > autofs + Kerberos if possible.
> >
> > Thanks
> > best
> > Tobias
>
> A ticket expires after 10 hours (this is the default setting), I guess
> you need to do something to refresh it. Are you using the user's ticket
> to mount the share or do you have a special user that performs a
> multi-user mount?
>
> - Kees.
>
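
Added example, not part of the original thread or of Samba: a small parser for `klist` output that classifies the user's TGT at a given time, showing why a ticket with the 10-hour default lifetime mentioned above is unusable the next morning even though its renew window is still open. The sample output, the realm EXAMPLE.COM, the host name and the US-style date format are constructed assumptions.

```python
from datetime import datetime

# Constructed sample of MIT-style `klist` output (not from the thread).
# Assumption: US-style dates; the real format depends on the locale.
SAMPLE_KLIST = """\
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: user@EXAMPLE.COM

Valid starting       Expires              Service principal
02/06/2024 08:00:00  02/06/2024 18:00:00  krbtgt/EXAMPLE.COM@EXAMPLE.COM
\trenew until 02/13/2024 08:00:00
02/06/2024 08:00:05  02/06/2024 18:00:00  cifs/files.example.com@EXAMPLE.COM
"""
FMT = "%m/%d/%Y %H:%M:%S"

def parse_klist(text):
    """Return one dict per ticket: service, expires, renew_until (or None)."""
    tickets = []
    for line in text.splitlines():
        parts = line.split()
        if parts[:2] == ["renew", "until"] and len(parts) >= 4 and tickets:
            tickets[-1]["renew_until"] = datetime.strptime(" ".join(parts[2:4]), FMT)
        elif len(parts) == 5:
            try:
                expires = datetime.strptime(" ".join(parts[2:4]), FMT)
            except ValueError:
                continue  # column header, not a ticket line
            tickets.append({"service": parts[4], "expires": expires,
                            "renew_until": None})
    return tickets

def tgt_state(tickets, now):
    """Classify the TGT at `now`: missing, expired, renewable or valid."""
    tgt = next((t for t in tickets if t["service"].startswith("krbtgt/")), None)
    if tgt is None:
        return "missing"
    if now >= tgt["expires"]:
        # An expired ticket cannot be renewed, even inside the renew window.
        return "expired"
    if tgt["renew_until"] and now < tgt["renew_until"]:
        return "renewable"
    return "valid"

if __name__ == "__main__":
    tickets = parse_klist(SAMPLE_KLIST)
    for when in ("02/06/2024 15:00:00", "02/07/2024 07:00:00"):
        print(when, tgt_state(tickets, datetime.strptime(when, FMT)))
```

With the sample, the TGT is "renewable" at 15:00 on the login day and "expired" at 07:00 the next morning; at that point only a fresh kinit, as in step c) of the quoted workaround, yields a usable ticket.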

