[Samba] Samba, Kerberos, Autofs: Shares get disconnected

Pluess, Tobias tpluess at ieee.org
Mon Feb 12 12:12:41 UTC 2024


Dear Rowland

of course, if the network is unreachable, this is also a problem for
autofs. However, when a CIFS share is in the fstab and the network is
unreachable, you cannot boot, as it waits forever to mount all your fstab
entries, whereas with autofs, you can still boot, as there is nothing
really mounted yet.

I show you below my configurations of the server and client machines.

On the server:

# testparm -s
Load smb config files from /etc/samba/smb.conf
Loaded services file OK.
Weak crypto is allowed by GnuTLS (e.g. NTLM as a compatibility fallback)

Server role: ROLE_DOMAIN_MEMBER

# Global parameters
[global]
deadtime = 15
disable spoolss = Yes
load printers = No
log file = /var/log/samba/log.%I
logging = file
max log size = 1000
max xmit = 65535
netbios name = TANK
panic action = /usr/share/samba/panic-action %d
printcap name = /dev/null
realm = <redacted>
security = ADS
template homedir = /home/%U
template shell = /bin/bash
winbind refresh tickets = Yes
winbind use default domain = Yes
workgroup = CAMPUS
fruit:delete_empty_adfiles = yes
fruit:wipe_intentionally_left_blank_rfork = yes
fruit:zero_file_id = yes
fruit:posix_rename = yes
fruit:veto_appledouble = no
fruit:model = MacSamba
fruit:metadata = stream
shadow:delimiter = -20
shadow:snapprefix = ^zfs-auto-snap_\(frequent\)\{0,1\}\(hourly\)\{0,1\}\(daily\)\{0,1\}\(monthly\)\{0,1\}
shadow:sort = desc
shadow:format = -%Y-%m-%d-%H%M
shadow:snapdir = .zfs/snapshot
idmap config campus : unix_primary_group = yes
idmap config campus : range = 500-9999999
idmap config campus : schema_mode = rfc2307
idmap config campus : backend = ad
idmap config * : range = 10000000-20000000
idmap config * : backend = tdb
delete veto files = Yes
include = /etc/samba/shares.conf
printing = bsd
valid users = @IAP_MW
veto files = /Thumbs.db/._*/.DS_Store/.Trash-*/.~lock*/
vfs objects = fruit acl_xattr shadow_copy2

[work]
comment = IAP MW Work folder
path = /storage/work
read only = No


and on the server, the krb5.conf:

# cat /etc/krb5.conf
[libdefaults]
    default_realm = <redacted>
    kdc_timesync = 1
    ccache_type = 4
    forwardable = true
    proxiable = true
    fcc-mit-ticketflags = true

[realms]
    <redacted> = {
        kdc = <redacted>
        admin_server = <redacted>
    }




and on one client machine, i.e. workstation:

# testparm -s
Load smb config files from /etc/samba/smb.conf
Loaded services file OK.
Weak crypto is allowed by GnuTLS (e.g. NTLM as a compatibility fallback)

Server role: ROLE_DOMAIN_MEMBER

# Global parameters
[global]
log file = /var/log/samba/log.%I
logging = file
max log size = 1000
netbios name = TEST
panic action = /usr/share/samba/panic-action %d
realm = <redacted>
security = ADS
template homedir = /home/%U
template shell = /bin/bash
winbind refresh tickets = Yes
winbind use default domain = Yes
workgroup = <redacted>
idmap config campus : unix_primary_group = yes
idmap config campus : range = 500-9999999
idmap config campus : schema_mode = rfc2307
idmap config campus : backend = ad
idmap config * : range = 10000000-20000000
idmap config * : backend = tdb


# cat /etc/krb5.conf
[libdefaults]
    default_realm = <redacted>
    kdc_timesync = 1
    ccache_type = 4
    forwardable = true
    proxiable = true
    fcc-mit-ticketflags = true

[realms]
    <redacted> = {
        kdc = <redacted>
        admin_server = <redacted>
    }


Kerberos seems to work, as I can successfully kinit, klist and kdestroy as
well as kinit -R.

Thanks,
best
Tobias


On Mon, Feb 12, 2024 at 10:20 AM Rowland Penny via samba <samba at lists.samba.org> wrote:

> On Mon, 12 Feb 2024 09:38:01 +0100
> "Pluess, Tobias via samba" <samba at lists.samba.org> wrote:
>
> > Good day
> >
> > please excuse my delayed response.
> > Thanks for the hint with the machine account. I will try this.
> > I realised I can also manually refresh Kerberos tickets.
> >
> > I have the following:
> >
> > $ klist
> > Valid starting       Expires              Service principal
> > 02/12/2024 08:39:44  02/12/2024 18:39:44  krbtgt/CAMPUS
> > renew until 02/13/2024 08:39:40
> >
> > so this ticket is valid until 12. February 18:39. Fine.
>
> Not really, my tickets have a renewal time of one week i.e.
>
> klist -c /tmp/krb5cc_11104
> Ticket cache: FILE:/tmp/krb5cc_11104
> Default principal: rowland at SAMDOM.EXAMPLE.COM
>
> Valid starting     Expires            Service principal
> 12/02/24 07:56:02  12/02/24 17:56:02  krbtgt/SAMDOM.EXAMPLE.COM at SAMDOM.EXAMPLE.COM
>         renew until 19/02/24 07:56:02
>
>
> >And I can
> > refresh it using kinit -R. This also works.
>
> You shouldn't have to manually refresh the ticket, winbind can do it
> for you.
>
> >However, there is the
> > line "renew until". I read that this means this very ticket can only
> > be refreshed until 13. February 8:39. After that date, it is no
> > longer possible to refresh this ticket. So I am still wondering how
> > it could be possible to have a mountpoint that uses Kerberos and
> > stays connected for longer than a couple days, without disconnecting
> > and reconnecting again? Is that even possible?
>
> I think we need to see your /etc/krb5.conf and the output of 'testparm -s'
>
> >
> > Will try now the machine account as well, hopefully with better
> > results.
>
> The machine ticket can mount a share, but you will also need
> 'multiuser' and your users will also require a valid ticket.
>
> >
> > Concerning the questions for autofs:
> > This is a service that automatically mounts any file systems as soon
> > as they are accessed. I didn't want to put my network shares into the
> > fstab, as this may cause trouble when the network is not reachable
> > for some reason. With autofs, the shares are mounted as soon as they
> > are accessed, and unmounted if no process is accessing them anymore.
> >
>
> Surely the network not being reachable is also a problem for autofs and
> what if the connection goes idle (for whatever reason), does autofs
> drop the connection ?
>
> Rowland
>
>
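As an added example (not code from the thread), a small Python check of the ticket-lifetime point Rowland and Tobias discuss: it parses klist output, says whether kinit -R is still possible, and models how a renewal can push 'Expires' forward but never past 'renew until'. It assumes MIT krb5 renewal semantics and the mm/dd/yyyy klist format quoted above; the sample output is constructed.

```python
import re
from datetime import datetime

# Constructed sample modelled on the klist output quoted in this thread
# (mm/dd/yyyy timestamps, as on Tobias's workstation); not real output.
SAMPLE_KLIST = """\
Valid starting       Expires              Service principal
02/12/2024 08:39:44  02/12/2024 18:39:44  krbtgt/CAMPUS@CAMPUS
\trenew until 02/13/2024 08:39:40
"""
TS = r"(\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2})"
TICKET_RE = re.compile(TS + r"\s+" + TS + r"\s+(\S+)")
RENEW_RE = re.compile(r"renew until " + TS)
FMT = "%m/%d/%Y %H:%M:%S"
def parse_klist(text):
    """One dict per ticket: start, expires, lifetime, principal, renew_until."""
    tickets = []
    for line in text.splitlines():
        m = TICKET_RE.match(line.strip())
        if m:
            start, expires = (datetime.strptime(g, FMT) for g in m.group(1, 2))
            tickets.append({"start": start, "expires": expires, "lifetime": expires - start,
                            "principal": m.group(3), "renew_until": None})
            continue
        r = RENEW_RE.search(line)
        if r and tickets:  # the 'renew until' line belongs to the ticket above it
            tickets[-1]["renew_until"] = datetime.strptime(r.group(1), FMT)
    return tickets
def tgt_status(ticket, now_iso):
    """'expired', 'renewable' (kinit -R still works) or 'valid-final' (last lifetime)."""
    now = datetime.fromisoformat(now_iso)
    if now >= ticket["expires"]:
        return "expired"
    if ticket["renew_until"] is not None and now < ticket["renew_until"]:
        return "renewable"
    return "valid-final"
def simulate_renew(ticket, now_iso):
    """Model 'kinit -R' at now_iso (MIT semantics, assumed): the renewed ticket keeps
    its original lifetime but never ends after 'renew until'; None if refused."""
    if tgt_status(ticket, now_iso) != "renewable":
        return None
    now = datetime.fromisoformat(now_iso)
    renewed = dict(ticket, start=now)
    renewed["expires"] = min(now + ticket["lifetime"], ticket["renew_until"])
    return renewed

def unattended_hours(ticket):
    """Hours from 'Valid starting' that renewals alone can keep a mount authenticated."""
    end = ticket["renew_until"] or ticket["expires"]
    return (end - ticket["start"]).total_seconds() / 3600
```

For Tobias's ticket the renewal window closes about 24 hours after kinit, for Rowland's after a week; a mount that must outlive that window needs a fresh credential, which is what the thread's 'winbind refresh tickets' and machine-account suggestions are about.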

