[Samba] Samba, Kerberos, Autofs: Shares get disconnected
Kees van Vloten
keesvanvloten at gmail.com
Wed Feb 7 09:34:15 UTC 2024
On 07-02-2024 at 10:11, Pluess, Tobias wrote:
> Hi Kees,
>
> I do not think the share keeps being mounted while nobody is logged
> in, as I try to use autofs which only mounts shares when they are
> actually accessed.
> So the scenario is
>
> a) some user logs into his workstation, Kerberos ticket is created
> b) the user accesses the share, works fine
> c) user does not switch off PC, e.g. because some programs need to
> continue running during the weekend
> d) when user returns after more than 10 hours have passed, he is still
> logged into his workstation, but the ticket is expired and he cannot
> any more access the share, and autofs cannot remount it, as the ticket
> has expired.
>
> How do I use the machine account for mounting?
For me there are 2 questions here:
1. Why does the user ticket expire while he is logged in?
2. How to mount the share with the machine account?
ad. 1. I had a similar issue in 03-2022, read the details and solution
here: https://lists.samba.org/archive/samba/2022-March/239876.html
ad. 2. @Rowland, do you have the details at hand for this? I will look
into it when unix-extensions for smb3.11 are implemented. The idea is to
use the machine account's user and ticket, then the ticket is managed by
winbind.
- Kees.
>
>
> On Wed, Feb 7, 2024 at 9:56 AM Kees van Vloten
> <keesvanvloten at gmail.com> wrote:
>
>
> On 06-02-2024 at 16:02, Pluess, Tobias wrote:
>> Good day Kees,
>>
>> I have no special user to connect the share. Instead, I tried to
>> use the user's own Kerberos ticket, which seems to work fine.
>> I use the options
>>
>> sec=krb5,multiuser,cruid=$USER
>>
>> to mount the share. That seems to accept the user's Kerberos
>> ticket which is created when he logs in.
>>
>> best
>> Tobias
>
> It looks like the share remains mounted while the user logs out,
> is that correct?
>
> In any case the user's kerberos ticket is not valid at some point
> in time (likely after it expires after 10h) and hence the error
> "required key not available".
>
> When the user is logged in, it will refresh the ticket on time, so
> this does not (or at least, should not) happen.
>
> Why not unmount the share when the user logs out?
>
> Or if you want it to remain mounted, I would suggest to use the
> machine account to mount it with a multi-user mount. The
> machine-account ticket gets refreshed by winbind with the option
> Rowland suggested.
>
> - Kees.
>
>>
>>
>> On Tue, Feb 6, 2024 at 1:37 PM Kees van Vloten via samba
>> <samba at lists.samba.org> wrote:
>>
>>
>> On 06-02-2024 at 13:27, Pluess, Tobias via samba wrote:
>> > Hi,
>> > I am still trying to figure out the best settings for Samba and Kerberos
>> > with autofs.
>> > My setup so far works well, users can log in on their computers using AD
>> > credentials, and they can access network shares with AD credentials as
>> > well. This works perfectly.
>> > Also I notice that some Kerberos ticket is created upon user login, which
>> > allows the users to access a Samba share without entering the password,
>> > which is very convenient.
>> > For this to work, I had to create the SPNs in AD. However, that worked. So
>> > currently, it all works quite conveniently.
>> > Further, I have configured autofs to automatically mount for each user the
>> > network shares they need.
>> > For this, I used the "multiuser" and "sec=krb5" options. This also works as
>> > I expected. However, I notice the following problem.
>> >
>> > Assume I log in on my workstation and I have a Samba share automounted (via
>> > autofs) under /storage/work. Just after logging in to my workstation, I
>> > can easily access the share without trouble. However, when I leave my
>> > workstation running during the night and return the next morning, I notice
>> > that /storage/work has been disconnected, even if I had some program running
>> > there that accesses these data. Furthermore, autofs can no longer
>> > automatically reconnect the network share; it claims "required key not
>> > available". The only way to reconnect the share seems to be
>> >
>> > a) stop autofs
>> > b) kdestroy
>> > c) kinit, and enter the password
>> > d) restart autofs
>> >
>> > then the share works again as normal.
>> > I wonder, is this behaviour intentional or is this a bug or just
>> > misconfiguration? I thought as long as I stay logged in on my workstation,
>> > the Kerberos ticket does not expire. However, according to the above error
>> > message from autofs this seems not to be the case. Can I somehow fix this?
>> > It happens often that I leave my computer running over night, with some
>> > program left open to access some network shares. Previously I did that with
>> > a credentials file, but I still dislike this concept and would favour
>> > autofs + Kerberos if possible.
>> >
>> > Thanks
>> > best
>> > Tobias
>>
>> A ticket expires after 10 hours (this is the default setting), I guess
>> you need to do something to refresh it. Are you using the user's ticket
>> to mount the share or do you have a special user that performs a
>> multi-user mount?
>>
>> - Kees.
>>
>>
>> --
>> To unsubscribe from this list go to the following URL and
>> read the
>> instructions: https://lists.samba.org/mailman/options/samba
>>
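A small diagnostic for the failure mode discussed in this thread (the ticket lifetime runs out while the user stays logged in): it parses `klist` output and reports whether each ticket is still valid, should be renewed with `kinit -R` before it expires, or has already expired so that only a fresh `kinit` will let autofs remount. This is an added example, not code from the list or from Samba; it assumes MIT `klist` output in the C locale, and the klist text is constructed.

```python
import re
from datetime import datetime, timedelta

# MIT klist, C locale: "mm/dd/yy HH:MM:SS" (assumed format for this example).
TS = "%m/%d/%y %H:%M:%S"
DT = r"\d\d/\d\d/\d\d \d\d:\d\d:\d\d"
TICKET_RE = re.compile(rf"^({DT})\s+({DT})\s+(\S+)$")
RENEW_RE = re.compile(rf"^\s+renew until ({DT})$")

# Constructed klist output: user logged in at 16:00 with a 10 h TGT plus the
# cifs service ticket that the autofs/cifs.upcall mount obtained.
SAMPLE_KLIST = """\
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: tobias@EXAMPLE.COM

Valid starting     Expires            Service principal
02/06/24 16:00:00  02/07/24 02:00:00  krbtgt/EXAMPLE.COM@EXAMPLE.COM
\trenew until 02/13/24 16:00:00
02/06/24 16:02:11  02/07/24 02:00:00  cifs/fileserver.example.com@EXAMPLE.COM
\trenew until 02/13/24 16:00:00
"""

def parse_klist(text):
    """One dict per ticket: principal, expires, renew_until (None if absent)."""
    tickets = []
    for line in text.splitlines():
        m = TICKET_RE.match(line)
        if m:
            tickets.append({"principal": m.group(3),
                            "expires": datetime.strptime(m.group(2), TS),
                            "renew_until": None})
        elif (r := RENEW_RE.match(line)) and tickets:
            # the "renew until" line belongs to the preceding ticket
            tickets[-1]["renew_until"] = datetime.strptime(r.group(1), TS)
    return tickets

def classify(ticket, now, warn=timedelta(hours=1)):
    """A renewable ticket can be renewed (kinit -R) only while still valid;
    once it has expired, only a fresh kinit helps (the kdestroy/kinit dance)."""
    if now >= ticket["expires"]:
        return "expired: re-authenticate with kinit; autofs cannot remount"
    left = ticket["expires"] - now
    renewable = ticket["renew_until"] is not None and ticket["renew_until"] > ticket["expires"]
    if left <= warn:
        return "renew now (kinit -R)" if renewable else "expiring soon, not renewable"
    return "valid for %s" % left

def diagnose(text, now_str):
    now = datetime.strptime(now_str, TS)
    return {t["principal"]: classify(t, now) for t in parse_klist(text)}
```

Run it against the live output of `klist` with the current time to see whether a cron job calling `kinit -R` inside the renewable window would have avoided the password prompt.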
More information about the samba
mailing list