[linux-cifs-client] Question on current state of sec=krb5* integration in cifs.ko
Jeff Layton
jlayton at poochiereds.net
Fri Oct 23 05:17:31 MDT 2009
On Fri, 23 Oct 2009 13:12:14 +0200
Holger Rauch <holger.rauch at empic.de> wrote:
> Hi Robert,
>
> Robert Euhus wrote on Friday, 23 October 2009:
>
> > [...]
> > It works here on Lenny, although you might have to install the keyutils
> > package and add the following lines to /etc/request-key.conf :
> >
> > create cifs.spnego * * /usr/sbin/cifs.upcall %k %d
> > create dns_resolver * * /usr/sbin/cifs.upcall %k
>
> I just tried that. Mount options in /etc/fstab are
>
> noauto,sec=krb5i,iocharset=iso8859-15
>
> When I issue the mount cmd, it asks me for a password.
That probably means that you have a fairly old mount.cifs program. The
more recent ones don't prompt for a password when sec=krb5* is
specified. Try adding the "guest" option which will disable password
prompting.
> Is there any
> way to get more debugging info from the mount.cifs cmd and the CIFS
> VFS kernel module? (I was checking /var/log/syslog, /var/log/messages,
> /var/log/daemon.log, but found nothing that could be helpful).
>
Yes, see:
http://wiki.samba.org/index.php/LinuxCIFS_troubleshooting
> Like I mentioned, kerberized smbclient sessions work as expected (i.e.
> I'm *not* asked for a password; just as it's supposed to be). I do get
> a valid Kerberos ticket for cifs, as shown in this output from "klist
> -5f":
>
> ==========
>
> Ticket cache: FILE:/tmp/krb5cc_0
> Default principal: user at MYREALM
>
> Valid starting       Expires              Service principal
> 10/23/09 12:31:13    10/24/09 04:31:13    krbtgt/MYREALM at MYREALM
>         renew until 10/24/09 12:30:51, Flags: FRIAT
> 10/23/09 12:40:42    10/24/09 04:31:13    cifs/sambaserver.mydomain at MYREALM
>         renew until 10/24/09 12:30:51, Flags: FRAT
>
> ==========
>
> I should perhaps also mention that my LDAP accounts were created using
> Debian Lenny's ldapscripts package before I installed Samba and used
> ldapsam:editposix. Samba's LDAP stuff was initialized using "net sam
> provision"; as described in
>
> http://wiki.samba.org/index.php/Ldapsam_Editposix
>
> So, the Kerberos user named "user" doesn't have the
> samba* attributes set in the LDAP database yet. But since that didn't
> seem to matter for smbclient sessions, it also shouldn't matter for
> mount.cifs, should it?
>
> In addition, my Kerberos database is stored in the
> same OpenLDAP database as the user accounts are, just below a
> different ou. (But that shouldn't matter since smbclient works, so the
> LDAP lookup itself shouldn't be the problem).
>
> > You might also want to have a look at a small (and not quite finished
> > yet) German HOWTO I wrote:
> >
> > http://www.rrzn.uni-hannover.de/anl-linclient-ads.html
>
> Thanks for mentioning this, but I have MIT Kerberos installed on a
> Debian Lenny machine acting as KDC. Nevertheless, still helpful for AD
> integration.
>
> The main difference compared to your setup is that my server is
> actually a Samba server running on a Debian Lenny system and I'm
> trying to mount a cifs fs on a Linux client (i.e. a Linux machine
> pretending to be a Windows client). Do I need the winbindd also on the
> client machine in such a scenario (your HOWTO suggests running it on the
> client, but you are authenticating against a "real" AD on a Windows
> server; I'm authenticating against OpenLDAP+MIT Kerberos+Samba on a Debian
> Lenny system)?
>
> (In case you need more info, I will of course try to provide it).
>
> Thanks in advance for any hints & kind regards,
>
> Holger
>
--
Jeff Layton <jlayton at poochiereds.net>
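An added example, not code from this thread or from the cifs-utils project: a small POSIX sh precheck for the two prerequisites the thread relies on for a sec=krb5* mount, the request-key.conf upcall entry Robert quoted and the cifs/ service ticket Holger's klist output shows. It runs offline against constructed sample files; the paths and principal names are taken from the thread purely as sample data.

```shell
#!/bin/sh
# Offline precheck for krb5 cifs mounts (added example, not part of the thread).

# upcall_entry CONF KEYTYPE
# Succeeds if CONF has an uncommented line "create KEYTYPE * * /abs/path/cifs.upcall ...",
# i.e. request-key(8) will hand instantiation of that key type to cifs.upcall.
upcall_entry() {
    awk -v kt="$2" '
        /^[[:space:]]*#/ || NF == 0 { next }                 # skip comments and blanks
        $1 == "create" && $2 == kt && $3 == "*" && $4 == "*" \
            && $5 ~ /^\/.*cifs\.upcall$/ { ok = 1 }
        END { exit (ok ? 0 : 1) }
    ' "$1"
}

# cifs_ticket KLISTFILE SERVER
# Succeeds if saved "klist -5f" output lists a service ticket for cifs/SERVER@...
# A krbtgt alone is not enough; the upcall needs the cifs/ service ticket.
cifs_ticket() {
    grep -q "cifs/$2@" "$1"
}

# Constructed sample inputs (not real files); dns_resolver is deliberately commented out.
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
cat > "$SAMPLE_DIR/request-key.conf" <<'EOF'
# request-key.conf (constructed sample)
create cifs.spnego * * /usr/sbin/cifs.upcall %k %d
#create dns_resolver * * /usr/sbin/cifs.upcall %k
EOF
cat > "$SAMPLE_DIR/klist.txt" <<'EOF'
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: user@MYREALM

Valid starting     Expires            Service principal
10/23/09 12:31:13  10/24/09 04:31:13  krbtgt/MYREALM@MYREALM
        renew until 10/24/09 12:30:51, Flags: FRIAT
10/23/09 12:40:42  10/24/09 04:31:13  cifs/sambaserver.mydomain@MYREALM
        renew until 10/24/09 12:30:51, Flags: FRAT
EOF

# Report each check; a missing dns_resolver entry is reported but is not fatal here.
for kt in cifs.spnego dns_resolver; do
    if upcall_entry "$SAMPLE_DIR/request-key.conf" "$kt"; then
        echo "ok:      request-key.conf routes $kt to cifs.upcall"
    else
        echo "missing: no usable 'create $kt' line in request-key.conf"
    fi
done
if cifs_ticket "$SAMPLE_DIR/klist.txt" sambaserver.mydomain; then
    echo "ok:      cifs/ service ticket present for sambaserver.mydomain"
else
    echo "missing: no cifs/ service ticket; run kinit and access the share once first"
fi
```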