[Samba] Samba, Kerberos, Autofs: Shares get disconnected

Kees van Vloten keesvanvloten at gmail.com
Wed Feb 7 08:56:54 UTC 2024


On 06-02-2024 at 16:02, Pluess, Tobias wrote:
> Good day Kees,
>
> I have no special user to connect the share. Instead, I tried to use 
> the user's own Kerberos ticket, which seems to work fine.
> I use the options
>
> sec=krb5,multiuser,cruid=$USER
>
> to mount the share. That seems to accept the user's Kerberos ticket 
> which is created when he logs in.
>
> best
> Tobias

It looks like the share remains mounted while the user logs out; is that 
correct?

In any case, the user's Kerberos ticket is not valid at some point in 
time (likely after it expires after 10h) and hence the error "required 
key not available".

When the user is logged in, it will refresh the ticket on time, so this 
does not (or at least, should not) happen.

Why not unmount the share when the user logs out?

Or if you want it to remain mounted, I would suggest using the machine 
account to mount it with a multi-user mount. The machine-account ticket 
gets refreshed by winbind with the option Rowland suggested.

- Kees.

>
>
> On Tue, Feb 6, 2024 at 1:37 PM Kees van Vloten via samba 
> <samba at lists.samba.org> wrote:
>
>
>     On 06-02-2024 at 13:27, Pluess, Tobias via samba wrote:
>     > Hi,
>     > I am still trying to figure out the best settings for Samba and
>     > Kerberos with autofs.
>     > My setup so far works well, users can log in on their computers
>     > using AD credentials, and they can access network shares with AD
>     > credentials as well. This works perfectly.
>     > Also I notice that some Kerberos ticket is created upon user login,
>     > which allows the users to access a Samba share without entering the
>     > password, which is very convenient.
>     > For this to work, I had to create the SPNs in AD. However, that
>     > worked. So currently, it all works quite conveniently.
>     > Further, I have configured autofs to automatically mount for each
>     > user the network shares they need.
>     > For this, I used the "multiuser" and "sec=krb5" options. This also
>     > works as I expected. However, I notice the following problem.
>     >
>     > Assume I log in on my workstation and I have a Samba share
>     > automounted (via autofs) under /storage/work. Just after logging in
>     > to my workstation, I can easily access the share without troubles.
>     > However, when I leave my workstation running during the night and
>     > return the next morning, I notice the /storage/work has been
>     > disconnected, even if I had some program running there that accesses
>     > these data. Furthermore, autofs cannot automatically reconnect the
>     > network share anymore, it claims "required key not available". The
>     > only way to reconnect the share seems to be
>     >
>     > a) stop autofs
>     > b) kdestroy
>     > c) kinit, and enter the password
>     > d) restart autofs
>     >
>     > then the share works again as normal.
>     > I wonder, is this behaviour intentional or is this a bug or just
>     > misconfiguration? I thought as long as I stay logged in on my
>     > workstation, the Kerberos ticket does not expire. However, according
>     > to the above error message from autofs this seems not to be the case.
>     > Can I somehow fix this?
>     > It happens often that I leave my computer running over night, with
>     > some program left open to access some network shares. Previously I
>     > did that with a credentials file, but I still dislike this concept
>     > and would favour autofs + Kerberos if possible.
>     >
>     > Thanks
>     > best
>     > Tobias
>
>     A ticket expires after 10 hours (this is the default setting), I
>     guess you need to do something to refresh it. Are you using the
>     user's ticket to mount the share or do you have a special user that
>     performs a multi-user mount?
>
>     - Kees.

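As an added example (not code from the thread or from Samba), a small POSIX sh helper for the "unmount the share when the user logs out" suggestion above: it picks out the cifs mounts that were made with a given user's own ticket using Tobias' `sec=krb5,multiuser,cruid=` options, so a logout hook can unmount them before the 10h ticket lifetime runs out and "required key not available" appears. It assumes that cifs reports `cruid=` in /proc/mounts on your kernel, and the hook mechanism (pam_exec on session close, a systemd user unit) is left as an assumption.

```shell
#!/bin/sh
# Added example, not from the thread: find the cifs shares mounted with a
# user's own Kerberos ticket (sec=krb5,multiuser,cruid=<uid>, Tobias' options)
# so a logout hook can unmount them before the ticket lifetime runs out.
# Assumptions: cifs reports cruid= in /proc/mounts on your kernel; the hook
# mechanism (pam_exec on session close, a systemd user unit) is your choice.

# Print mount points of cifs mounts tied to uid $1; reads /proc/mounts
# formatted lines from stdin.
find_user_krb5_cifs_mounts() {
    awk -v uid="$1" '
        $3 == "cifs" {
            n = split($4, opts, ",")
            krb5 = 0; multi = 0; owner = 0
            for (i = 1; i <= n; i++) {
                if (opts[i] == "sec=krb5")   krb5 = 1
                if (opts[i] == "multiuser")  multi = 1
                if (opts[i] == "cruid=" uid) owner = 1
            }
            if (krb5 && multi && owner) {
                gsub(/\\040/, " ", $2)   # /proc/mounts escapes spaces as \040
                print $2
            }
        }'
}

# Unmount every share found for uid $1 (run as root from the logout hook).
unmount_user_krb5_shares() {
    find_user_krb5_cifs_mounts "$1" < /proc/mounts | while IFS= read -r mnt; do
        umount "$mnt" || echo "could not unmount $mnt" >&2
    done
}

# Constructed sample of /proc/mounts lines for the offline demonstration.
SAMPLE_MOUNTS='//fileserver.example.com/work /storage/work cifs rw,relatime,vers=3.1.1,sec=krb5,cruid=1000,multiuser,cache=strict 0 0
//fileserver.example.com/scratch /storage/scratch cifs rw,relatime,vers=3.1.1,sec=krb5,cruid=1001,multiuser 0 0
//fileserver.example.com/public /storage/public cifs rw,relatime,vers=3.1.1,sec=ntlmssp,username=svc,uid=0 0 0
/dev/sda1 / ext4 rw,relatime 0 0'

if [ "${1:-}" = "--logout" ]; then
    unmount_user_krb5_shares "$(id -u "${2:-$(id -un)}")"
else
    # Demo: only /storage/work belongs to uid 1000 in the sample.
    printf '%s\n' "$SAMPLE_MOUNTS" | find_user_krb5_cifs_mounts 1000
fi
```

Shares mounted with the machine account (Kees' second suggestion) carry no per-user `cruid=` and are deliberately not matched, so they stay mounted across logouts.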