[Samba] Samba, Kerberos, Autofs: Shares get disconnected

Kees van Vloten keesvanvloten at gmail.com
Wed Feb 7 11:31:20 UTC 2024


Op 07-02-2024 om 12:27 schreef Rowland Penny via samba:
> On Wed, 7 Feb 2024 11:57:28 +0100
> Kees van Vloten via samba <samba at lists.samba.org> wrote:
>
>> Op 07-02-2024 om 11:34 schreef Rowland Penny via samba:
>>> On Wed, 7 Feb 2024 10:34:15 +0100
>>> Kees van Vloten via samba <samba at lists.samba.org> wrote:
>>>
>>>> Op 07-02-2024 om 10:11 schreef Pluess, Tobias:
>>>>> Hi Kees,
>>>>>
>>>>> I do not think the share keeps being mounted while nobody is
>>>>> logged in, as I try to use autofs which only mounts shares when
>>>>> they are actually accessed.
>>>>> So the scenario is
>>>>>
>>>>> a) some user logs into his workstation, Kerberos ticket is created
>>>>> b) the user accesses the share, works fine
>>>>> c) user does not switch off PC, e.g. because some programs need to
>>>>> continue running during the weekend
>>>>> d) when user returns after more than 10 hours have passed, he is
>>>>> still logged into his workstation, but the ticket is expired and
>>>>> he cannot any more access the share, and autofs cannot remount
>>>>> it, as the ticket has expired.
>>>>>
>>>>> How do I use the machine account for mounting?
>>>> For me there are 2 questions here:
>>>>
>>>> 1. Why does the user ticket expire while he is logged in?
>>>>
>>>> 2. How to mount the share with the machine account?
>>>>
>>>> ad. 1. I had a similar issue in 03-2022, read the details and
>>>> solution here:
>>>> https://lists.samba.org/archive/samba/2022-March/239876.html
>>>>
>>>> ad. 2. @Rowland, do you have the details at hand for this? I will
>>>> look into it when unix-extensions for smb3.11 are implemented. The
>>>> idea is to use the machine account's user and ticket, then the
>>>> ticket is managed by winbind.
>>>>
>>> I think the problem here is the word 'autofs', which I presume was
>>> originally short for 'automatic filesystem' or mount when required.
>>>
>>> Now if you want the share to be permanent (or as permanent as
>>> possible), how to mount it ?
>>> How are your HDD's mounted ?
>>> In fstab, need I say more ?
>>>
>>> Rowland
>> Indeed /etc/fstab is probably the most logical place. The question
>> remains what mount options are required to make this work with the
>> machine account and would such a mount allow multi-user access given
>> that each user has sufficient permissions?
> mount -t cifs //yourserver/share /share -osec=krb5,username=MACHINE$,multiuser
>> Now that I am writing that: "sufficient permissions" implies that the
>> user has a valid ticket. In other words question 1 needs to be
>> addressed for this to work as well.
> If the user is an AD user logged into a domain joined Unix machine,
> then they have a valid ticket.

The original issue was that the user's ticket did not get refreshed and 
then lost access to the share mounted with autofs.

- Kees.

>
> Rowland
>
>
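
An added example, not part of the thread or of Samba: one way to keep a logged-in user's TGT alive so that a sec=krb5 share can still be remounted after a long idle period. It assumes MIT Kerberos klist and kinit on PATH and a KDC that issues renewable tickets; the function name and return codes are hypothetical.

```sh
#!/bin/sh
# Added example: run periodically inside the user's session (for instance
# from a user cron job or timer) with an interval shorter than the ticket
# lifetime, which is 10 hours in the scenario described in the thread.
#
# Key point: a TGT can only be renewed while it is still valid. Once it
# has expired, kinit -R fails and the user must authenticate again.
#
# Return codes (convention of this example only):
#   0  TGT was valid and has been renewed
#   1  TGT is valid but could not be renewed (not renewable, or the
#      "renew until" time has passed); it expires at its normal end time
#   2  no valid TGT in the cache; a fresh kinit is required

refresh_tgt() {
    # klist -s prints nothing and exits 0 only if the credential cache
    # (taken from KRB5CCNAME or the default) holds unexpired credentials.
    if ! klist -s; then
        echo "refresh_tgt: TGT missing or expired, re-authentication required" >&2
        return 2
    fi

    # kinit -R asks the KDC to renew the existing TGT without a password.
    if kinit -R 2>/dev/null; then
        return 0
    fi

    echo "refresh_tgt: TGT still valid but not renewable" >&2
    return 1
}
```

A return code of 2 is the state from step d) in the thread: the session is still open, but nothing short of a new kinit will let the share be mounted for that user again.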


