[Samba] Samba, Kerberos, Autofs: Shares get disconnected

Pluess, Tobias tpluess at ieee.org
Mon Feb 12 08:38:01 UTC 2024


Good day

Please excuse my delayed response.
Thanks for the hint with the machine account. I will try this.
I realised I can also manually refresh Kerberos tickets.

I have the following:

$ klist
Valid starting       Expires              Service principal
02/12/2024 08:39:44  02/12/2024 18:39:44  krbtgt/CAMPUS
renew until 02/13/2024 08:39:40

So this ticket is valid until 12 February, 18:39. Fine. And I can refresh
it using kinit -R. This also works. However, there is the line "renew
until". I read that this means this very ticket can only be refreshed until
13 February, 08:39. After that date, it is no longer possible to refresh
this ticket. So I am still wondering how it could be possible to have a
mountpoint that uses Kerberos and stays connected for longer than a couple
of days, without disconnecting and reconnecting again? Is that even possible?

I will now try the machine account as well, hopefully with better results.

Concerning the questions for autofs:
This is a service that automatically mounts any file systems as soon as
they are accessed. I didn't want to put my network shares into the fstab,
as this may cause trouble when the network is not reachable for some
reason. With autofs, the shares are mounted as soon as they are accessed,
and unmounted if no process is accessing them anymore.




On Wed, Feb 7, 2024 at 12:32 PM Kees van Vloten via samba <samba at lists.samba.org> wrote:

>
> On 07-02-2024 at 12:27, Rowland Penny via samba wrote:
> > On Wed, 7 Feb 2024 11:57:28 +0100
> > Kees van Vloten via samba <samba at lists.samba.org> wrote:
> >
> >> On 07-02-2024 at 11:34, Rowland Penny via samba wrote:
> >>> On Wed, 7 Feb 2024 10:34:15 +0100
> >>> Kees van Vloten via samba <samba at lists.samba.org> wrote:
> >>>
> >>>> On 07-02-2024 at 10:11, Pluess, Tobias wrote:
> >>>>> Hi Kees,
> >>>>>
> >>>>> I do not think the share keeps being mounted while nobody is
> >>>>> logged in, as I try to use autofs which only mounts shares when
> >>>>> they are actually accessed.
> >>>>> So the scenario is
> >>>>>
> >>>>> a) some user logs into his workstation, Kerberos ticket is created
> >>>>> b) the user accesses the share, works fine
> >>>>> c) user does not switch off PC, e.g. because some programs need to
> >>>>> continue running during the weekend
> >>>>> d) when user returns after more than 10 hours have passed, he is
> >>>>> still logged into his workstation, but the ticket is expired and
> >>>>> he can no longer access the share, and autofs cannot remount
> >>>>> it, as the ticket has expired.
> >>>>>
> >>>>> How do I use the machine account for mounting?
> >>>> For me there are 2 questions here:
> >>>>
> >>>> 1. Why does the user ticket expire while he is logged in?
> >>>>
> >>>> 2. How to mount the share with the machine account?
> >>>>
> >>>> ad. 1. I had a similar issue in 03-2022, read the details and
> >>>> solution here:
> >>>> https://lists.samba.org/archive/samba/2022-March/239876.html
> >>>>
> >>>> ad. 2. @Rowland, do you have the details at hand for this? I will
> >>>> look into it when unix-extensions for smb3.11 are implemented. The
> >>>> idea is to use the machine account's user and ticket, then the
> >>>> ticket is managed by winbind.
> >>>>
> >>> I think the problem here is the word 'autofs', which I presume was
> >>> originally short for 'automatic filesystem' or mount when required.
> >>>
> >>> Now if you want the share to be permanent (or as permanent as
> >>> possible), how to mount it?
> >>> How are your HDDs mounted?
> >>> In fstab, need I say more ?
> >>>
> >>> Rowland
> >> Indeed /etc/fstab is probably the most logical place. The question
> >> remains what mount options are required to make this work with the
> >> machine account and would such a mount allow multi-user access given
> >> that each user has sufficient permissions?
> > mount -t cifs //yourserver/share /share -o sec=krb5,username=MACHINE$,multiuser
> >> Now that I am writing that: "sufficient permissions" implies that the
> >> user has a valid ticket. In other words, question 1 needs to be
> >> addressed for this to work as well.
> > If the user is an AD user logged into a domain joined Unix machine,
> > then they have a valid ticket.
>
> The original issue was that the user's ticket did not get refreshed and
> then lost access to the share mounted with autofs.
>
> - Kees.
>
> >
> > Rowland
> >
> >
>

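As an added illustration of the ticket lifetimes discussed in this thread (not code from the original message or from Samba): a small Python script that parses klist output, decides whether a ticket can still be extended with kinit -R or already needs fresh credentials (a new kinit with a password or a machine keytab), and flags when a refresh is due. The klist sample is constructed to match the layout quoted above; the timestamp format and the one-hour lead time are assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample in the layout klist prints (same ticket as quoted in the thread).
KLIST_OUTPUT = """\
Valid starting       Expires              Service principal
02/12/2024 08:39:44  02/12/2024 18:39:44  krbtgt/CAMPUS
\trenew until 02/13/2024 08:39:40
"""

KLIST_TIME = "%m/%d/%Y %H:%M:%S"  # assumed: klist's default timestamp format on this system

def parse_klist(text):
    """Parse klist ticket lines into dicts; a 'renew until' line belongs to the ticket above it."""
    tickets = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Valid starting"):
            continue
        if line.startswith("renew until"):
            if tickets:
                stamp = line[len("renew until"):].strip()
                tickets[-1]["renew_until"] = datetime.strptime(stamp, KLIST_TIME)
            continue
        fields = line.split()  # date time date time principal
        tickets.append({
            "principal": " ".join(fields[4:]),
            "start": datetime.strptime(" ".join(fields[:2]), KLIST_TIME),
            "expires": datetime.strptime(" ".join(fields[2:4]), KLIST_TIME),
            "renew_until": None,
        })
    return tickets

def ticket_status(ticket, now):
    """An expired TGT cannot be renewed: kinit -R only works while the ticket is still valid
    and before 'renew until'. After that, only fresh credentials (password or keytab) help."""
    if now >= ticket["expires"]:
        return "expired"       # kinit -R fails; a new kinit is required
    if ticket["renew_until"] is None or now >= ticket["renew_until"]:
        return "valid-final"   # usable until it expires, but cannot be extended any further
    return "renewable"         # kinit -R extends it, never past renew_until

def needs_refresh(ticket, now, lead=timedelta(hours=1)):
    """True when a renewable ticket expires within `lead`: the moment to run kinit -R."""
    return ticket_status(ticket, now) == "renewable" and ticket["expires"] - now <= lead

if __name__ == "__main__":
    now = datetime(2024, 2, 12, 18, 0, 0)  # constructed "current time"
    for t in parse_klist(KLIST_OUTPUT):
        print(t["principal"], ticket_status(t, now), "refresh due:", needs_refresh(t, now))
```

Run from a cron or systemd timer against real `klist` output, the "expired" and "valid-final" states are exactly the situations in which autofs can no longer remount a sec=krb5 share for that user.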