[Samba] Samba, Kerberos, Autofs: Shares get disconnected

Pluess, Tobias tpluess at ieee.org
Wed Feb 28 08:02:20 UTC 2024


Hello again,

I would like to ask if there exists any possibility to have a Samba mount
point with multiuser and with a credentials file or something similar.
After a couple of weeks of testing I just found that my shares get disconnected
after one week, which is not acceptable: I have stored some large project
files on the Samba share which is opened in some calculation software, and
simulations take up to one month; during this time, the computer needs
access to the Samba share.
I am considering a plain old credentials file now, with a service account,
but two things I dislike about this approach:

a) credentials file contains clear text password;
b) as the permissions of the service account will be used, all users will
be able to access the share, i.e. access permissions of the service account
are considered, and not of the currently logged in user.

So I am really sorry for asking again, but is it even possible with Linux
or probably not?

Thanks!
best
Tobias




On Mon, Feb 12, 2024 at 10:20 AM Rowland Penny via samba <
samba at lists.samba.org> wrote:

> On Mon, 12 Feb 2024 09:38:01 +0100
> "Pluess, Tobias via samba" <samba at lists.samba.org> wrote:
>
> > Good day
> >
> > please excuse my delayed response.
> > Thanks for the hint with the machine account. I will try this.
> > I realised I can also manually refresh Kerberos tickets.
> >
> > I have the following:
> >
> > $ klist
> > Valid starting       Expires              Service principal
> > 02/12/2024 08:39:44  02/12/2024 18:39:44  krbtgt/CAMPUS
> > renew until 02/13/2024 08:39:40
> >
> > so this ticket is valid until 12. February 18:39. Fine.
>
> Not really, my tickets have a renewal time of one week i.e.
>
> klist -c /tmp/krb5cc_11104
> Ticket cache: FILE:/tmp/krb5cc_11104
> Default principal: rowland at SAMDOM.EXAMPLE.COM
>
> Valid starting     Expires            Service principal
> 12/02/24 07:56:02  12/02/24 17:56:02  krbtgt/SAMDOM.EXAMPLE.COM at SAMDOM.EXAMPLE.COM
>         renew until 19/02/24 07:56:02
>
>
> > And I can
> > refresh it using kinit -R. This also works.
>
> You shouldn't have to manually refresh the ticket, winbind can do it
> for you.
>
> > However, there is the
> > line "renew until". I read that this means this very ticket can only
> > be refreshed until 13. February 8:39. After that date, it is no
> > longer possible to refresh this ticket. So I am still wondering how
> > it could be possible to have a mountpoint that uses Kerberos and
> > stays connected for longer than a couple days, without disconnecting
> > and reconnecting again? Is that even possible?
>
> I think we need to see your /etc/krb5.conf and the output of 'testparm
> -s'
>
> >
> > Will try now the machine account as well, hopefully with better
> > results.
>
> The machine ticket can mount a share, but you will also need
> 'multiuser' and your users will also require a valid ticket.
>
> >
> > Concerning the questions for autofs:
> > This is a service that automatically mounts any file systems as soon
> > as they are accessed. I didn't want to put my network shares into the
> > fstab, as this may cause trouble when the network is not reachable
> > for some reason. With autofs, the shares are mounted as soon as they
> > are accessed, and unmounted if no process is accessing them anymore.
> >
>
> Surely the network not being reachable is also a problem for autofs and
> what if the connection goes idle (for whatever reason), does autofs
> drop the connection?
>
> Rowland
>
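
The "Expires" versus "renew until" distinction discussed in this thread, as an added example (not code from either poster or from Samba): a Python parser for the two klist outputs quoted above that reports the point after which renewal with kinit -R no longer helps and a new ticket has to be obtained. The function names, sample constant names and the one-hour margin are assumptions made for the illustration.

```python
import re
from datetime import datetime, timedelta

STAMP = r"\d\d/\d\d/\d{2,4} \d\d:\d\d:\d\d"
ROW = re.compile(rf"^({STAMP})\s+({STAMP})\s+(\S+)")   # start, expiry, service
RENEW = re.compile(rf"^\s*renew until ({STAMP})")

# klist output as quoted in the thread (second sample keeps its wrapped principal).
SAMPLE_MDY = """Valid starting       Expires              Service principal
02/12/2024 08:39:44  02/12/2024 18:39:44  krbtgt/CAMPUS
renew until 02/13/2024 08:39:40"""
SAMPLE_DMY = """Valid starting     Expires            Service principal
12/02/24 07:56:02  12/02/24 17:56:02  krbtgt/
SAMDOM.EXAMPLE.COM at SAMDOM.EXAMPLE.COM
        renew until 19/02/24 07:56:02"""

def parse_klist(text, datefmt):
    """Return a dict per ticket. datefmt must be given: klist prints dates in
    locale order, so 02/12/2024 alone could be 12 February or 2 December."""
    tickets = []
    for line in text.splitlines():
        row, renew = ROW.match(line), RENEW.match(line)
        if row:
            tickets.append({"service": row.group(3),
                            "expires": datetime.strptime(row.group(2), datefmt),
                            "renew_until": None})
        elif tickets and renew:
            tickets[-1]["renew_until"] = datetime.strptime(renew.group(1), datefmt)
        elif tickets and tickets[-1]["service"].endswith("/") and line.strip():
            tickets[-1]["service"] += line.split()[0]   # principal wrapped by the mailer
    return tickets

def hard_deadline(ticket):
    """Latest time the ticket can stay valid through renewal (kinit -R) alone."""
    return max(ticket["expires"], ticket["renew_until"] or ticket["expires"])

def needs_new_login(ticket, now, margin=timedelta(hours=1)):
    """True once renewing can no longer carry the ticket past now + margin."""
    return now + margin >= hard_deadline(ticket)

if __name__ == "__main__":
    for text, fmt in ((SAMPLE_MDY, "%m/%d/%Y %H:%M:%S"), (SAMPLE_DMY, "%d/%m/%y %H:%M:%S")):
        for t in parse_klist(text, fmt):
            print(t["service"], "expires", t["expires"], "renewable until", hard_deadline(t))
```

Run against a live cache by passing the text of `klist` and the date format of the local locale.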

