[Samba] Samba, Kerberos, Autofs: Shares get disconnected

Pluess, Tobias tpluess at ieee.org
Tue Feb 6 15:13:08 UTC 2024


Hi Christian

I could not get auto.cifs to work. Instead, I made my own auto.storage
file, which mounts various shares under /storage.
Besides that, I use the same options as you, like multiuser and so on.
However, I do not have the --ghost option, will try that as well.

Concerning the SPNs I did create:

I join my machines to a very large, partially historically grown university
AD. The AD itself does NOT have the same domain as my machines.
Therefore, when I join a machine to the AD, it gets the following SPNs
automatically created:

HOST/<machine name>.CAMPUS.somedomain.ch
RestrictedKrbHost/<machine name>.CAMPUS.somedomain.ch

However, the machine's actual DNS name is different, namely

<machine name>.<institute>.<domain>.ch

and therefore, I had to delete the automatically created SPNs and create
new ones that match the DNS domain. I don't remember how I figured this
out, but it took me quite a while, and I realised that, when I do this, I
can access my SAMBA Shares with the aid of my Kerberos ticket the exact
same way as it works under Windows, without entering any credentials.
Before, due to the wrong SPNs, it did not work, because the Kerberos
tickets were granted to the "wrong" name.
Does that make sense?

thanks
best
Tobias


On Tue, Feb 6, 2024 at 3:54 PM Christian Naumer via samba <samba at lists.samba.org> wrote:

> Hi.
>
> On 06.02.24 at 13:27, Pluess, Tobias via samba wrote:
> > Hi,
> > I am still trying to figure out the best settings for Samba and Kerberos
> > with autofs.
> > My setup so far works well, users can log in on their computers using AD
> > credentials, and they can access network shares with AD credentials as
> > well. This works perfectly.
> > Also I notice that some Kerberos ticket is created upon user login, which
> > allows the users to access a Samba share without entering the password,
> > which is very convenient.
> > For this to work, I had to create the SPNs in AD. However, that worked. So
> > currently, it all works quite conveniently.
> > Further, I have configured autofs to automatically mount for each user the
> > network shares they need.
> > For this, I used the "multiuser" and "sec=krb5" options. This also works as
> > I expected. However, I notice the following problem.
>
> This works for me.
>
> I have this in "/etc/auto.cifs"
>
> Share -fstype=cifs,multiuser,cruid=${UID},sec=krb5 ://server/Share
>
>
> and this in "/etc/auto.master"
>
> /cifs /etc/auto.cifs --timeout=300 --ghost
>
>
> This way, if the share is not used, it is unmounted and mounted again
> when the folder is opened.
>
> But my Kerberos ticket is renewed automatically.
>
> By the way, which SPNs did you create? I did not have to do this.
>
>
> Regards
>
> Christian
>
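A check for the SPN/DNS-name mismatch Tobias describes, added here as an example and not taken from the thread: it parses a `klist -k` style listing of the Samba server's host keytab (the listing below is constructed) and reports whether any HOST/ or cifs/ principal carries the DNS name clients actually resolve, which is what a `sec=krb5` mount needs a ticket for. The host name `pc42`, the realm and the institute domain are placeholders.

```sh
#!/bin/sh
# Added example, not from the thread: does the Samba server's host keytab
# contain a HOST/ or cifs/ principal for the DNS name clients actually use?
# Constructed "klist -k" style listing mimicking a plain AD join where the
# SPNs carry the AD domain (CAMPUS.somedomain.ch) rather than the machine's
# real DNS name. "pc42" and the realm are placeholders.
SAMPLE_KEYTAB_LISTING='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- ----------------------------------------------------------------------
   2 HOST/pc42.CAMPUS.somedomain.ch@CAMPUS.SOMEDOMAIN.CH
   2 RestrictedKrbHost/pc42.CAMPUS.somedomain.ch@CAMPUS.SOMEDOMAIN.CH
   2 PC42$@CAMPUS.SOMEDOMAIN.CH'

# spns_for_fqdn LISTING FQDN
# Print every HOST/ or cifs/ principal in LISTING whose host part equals FQDN
# (compared case-insensitively, as AD matches SPNs). Exit 0 if any matched.
spns_for_fqdn() {
    want=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    printf '%s\n' "$1" | awk -v want="$want" '
        # Data rows start with a numeric KVNO; the principal is the last field.
        $1 ~ /^[0-9]+$/ {
            p = $NF
            if (p ~ /^(HOST|host|cifs)\//) {
                host = p
                sub(/^[^\/]*\//, "", host)   # strip the service part
                sub(/@.*$/, "", host)        # strip the realm
                if (tolower(host) == want) { print p; found = 1 }
            }
        }
        END { exit found ? 0 : 1 }'
}

# check_keytab_fqdn LISTING FQDN: one-line verdict; returns 0 when a match exists
check_keytab_fqdn() {
    if spns_for_fqdn "$1" "$2" >/dev/null; then
        echo "OK: keytab holds a HOST/cifs SPN for $2"
    else
        echo "MISMATCH: no HOST/cifs SPN for $2 in keytab"
        return 1
    fi
}

# Stand-alone demo against the constructed listing (|| true keeps a MISMATCH
# verdict from aborting the script under "set -e").
check_keytab_fqdn "$SAMPLE_KEYTAB_LISTING" "pc42.inst.somedomain.ch" || true
check_keytab_fqdn "$SAMPLE_KEYTAB_LISTING" "pc42.campus.somedomain.ch" || true
```

On a real server, replace the constructed listing with `klist -k /etc/krb5.keytab` output and the FQDN with `hostname -f`.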

