[Samba] Samba, Kerberos, Autofs: Shares get disconnected

Rowland Penny rpenny at samba.org
Wed Feb 7 11:27:17 UTC 2024


On Wed, 7 Feb 2024 11:57:28 +0100
Kees van Vloten via samba <samba at lists.samba.org> wrote:

> 
> Op 07-02-2024 om 11:34 schreef Rowland Penny via samba:
> > On Wed, 7 Feb 2024 10:34:15 +0100
> > Kees van Vloten via samba <samba at lists.samba.org> wrote:
> >
> >> Op 07-02-2024 om 10:11 schreef Pluess, Tobias:
> >>> Hi Kees,
> >>>
> >>> I do not think the share keeps being mounted while nobody is
> >>> logged in, as I try to use autofs which only mounts shares when
> >>> they are actually accessed.
> >>> So the scenario is
> >>>
> >>> a) some user logs into his workstation, Kerberos ticket is created
> >>> b) the user accesses the share, works fine
> >>> c) user does not switch off PC, e.g. because some programs need to
> >>> continue running during the weekend
> >>> d) when user returns after more than 10 hours have passed, he is
> >>> still logged into his workstation, but the ticket is expired and
> >>> he cannot any more access the share, and autofs cannot remount
> >>> it, as the ticket has expired.
> >>>
> >>> How do I use the machine account for mounting?
> >> For me there are 2 questions here:
> >>
> >> 1. Why does the user ticket expire while he is logged in?
> >>
> >> 2. How to mount the share with the machine account?
> >>
> >> ad. 1. I had a similar issue in 03-2022, read the details and
> >> solution here:
> >> https://lists.samba.org/archive/samba/2022-March/239876.html
> >>
> >> ad. 2. @Rowland, do you have the details at hand for this? I will
> >> look into it when unix-extensions for smb3.11 are implemented. The
> >> idea is to use the machine account's user and ticket, then the
> >> ticket is managed by winbind.
> >>
> > I think the problem here is the word 'autofs', which I presume was
> > originally short for 'automatic filesystem' or mount when required.
> >
> > Now if you want the share to be permanent (or as permanent as
> > possible), how to mount it ?
> > How are your HDD's mounted ?
> > In fstab, need I say more ?
> >
> > Rowland
> 
> Indeed /etc/fstab is probably the most logical place. The question 
> remains what mount options are required to make this work with the 
> machine account and would such a mount allow multi-user access given 
> that each user has sufficient permissions?

mount -t cifs //yourserver/share /share -osec=krb5,username=MACHINE$,multiuser
> 
> Now that I am writing that: "sufficient permissions" implies that the 
> user has a valid ticket. In other words question 1 needs to be
> addressed for this to work as well.

If the user is an AD user logged into a domain joined Unix machine,
then they have a valid ticket.

Rowland



