[Samba] Samba4 Does cifs need a keytab for the multiuser option?

Rowland Penny rpenny at f2s.com
Thu Apr 11 14:05:38 MDT 2013


On 11/04/13 20:42, steve wrote:
> On 11/04/13 20:39, Rowland Penny wrote:
>> On 11/04/13 17:27, steve wrote:
>>> Hi
>>> samba --version
>>> Version 4.0.6-GIT-4bebda4
>>>
>>> smb.conf:
>>> [users]
>>> path = /home/users
>>> read only = No
>>>
>>> Working on the DC which is also the fileserver
>>> user steve2 can write to his folder at /home/users/steve2
>>>
>>> But if we now mount the share:
>>> sudo mount -t cifs //doloresdc/users /mnt -osec=krb5,multiuser
>>>
>>> he can't write to the mounted share at /mnt/users/steve2. He gets 
>>> 'Permission denied'. His id is the same, all that's changed is that 
>>> now it's mounted via cifs.
>>>
>>> The mount:
>>>
>>> Apr 11 18:18:16 doloresdc cifs.upcall: key description: 
>>> cifs.spnego;0;0;3f000000;ver=0x2;host=doloresdc;ip4=192.168.1.100;sec=krb5;uid=0x0;creduid=0x0;user=root;pid=0x116b
>>> Apr 11 18:18:16 doloresdc cifs.upcall: ver=2
>>> Apr 11 18:18:16 doloresdc cifs.upcall: host=doloresdc
>>> Apr 11 18:18:16 doloresdc cifs.upcall: ip=192.168.1.100
>>> Apr 11 18:18:16 doloresdc cifs.upcall: sec=1
>>> Apr 11 18:18:16 doloresdc cifs.upcall: uid=0
>>> Apr 11 18:18:16 doloresdc cifs.upcall: creduid=0
>>> Apr 11 18:18:16 doloresdc cifs.upcall: user=root
>>> Apr 11 18:18:16 doloresdc cifs.upcall: pid=4459
>>> Apr 11 18:18:16 doloresdc cifs.upcall: find_krb5_cc: considering 
>>> /tmp/krb5cc_0
>>> Apr 11 18:18:16 doloresdc cifs.upcall: find_krb5_cc: 
>>> FILE:/tmp/krb5cc_0 is valid ccache
>>> Apr 11 18:18:16 doloresdc cifs.upcall: handle_krb5_mech: getting 
>>> service ticket for doloresdc
>>> Apr 11 18:18:16 doloresdc cifs.upcall: handle_krb5_mech: obtained 
>>> service ticket
>>>
>>> user steve2, (uid=3000032) goes to his cifs mounted share:
>>>
>>> Apr 11 18:19:50 doloresdc cifs.upcall: key description: 
>>> cifs.spnego;3000032;20513;3f000000;ver=0x2;host=doloresdc;ip4=192.168.1.100;sec=krb5;uid=0x2dc6e0;creduid=0x2dc6e0;pid=0x1193
>>> Apr 11 18:19:50 doloresdc cifs.upcall: ver=2
>>> Apr 11 18:19:50 doloresdc cifs.upcall: host=doloresdc
>>> Apr 11 18:19:50 doloresdc cifs.upcall: ip=192.168.1.100
>>> Apr 11 18:19:50 doloresdc cifs.upcall: sec=1
>>> Apr 11 18:19:50 doloresdc cifs.upcall: uid=3000032
>>> Apr 11 18:19:50 doloresdc cifs.upcall: creduid=3000032
>>> Apr 11 18:19:50 doloresdc cifs.upcall: pid=4499
>>> Apr 11 18:19:50 doloresdc cifs.upcall: find_krb5_cc: considering 
>>> /tmp/krb5cc_3000032_NI8WDi
>>> Apr 11 18:19:50 doloresdc cifs.upcall: find_krb5_cc: 
>>> FILE:/tmp/krb5cc_3000032_NI8WDi is valid ccache
>>> Apr 11 18:19:50 doloresdc cifs.upcall: find_krb5_cc: considering 
>>> /tmp/krb5cc_0
>>> Apr 11 18:19:50 doloresdc cifs.upcall: find_krb5_cc: /tmp/krb5cc_0 
>>> is owned by 0, not 3000032
>>> Apr 11 18:19:50 doloresdc cifs.upcall: handle_krb5_mech: getting 
>>> service ticket for doloresdc
>>> Apr 11 18:19:50 doloresdc cifs.upcall: handle_krb5_mech: obtained 
>>> service ticket
>>>
>>> but cannot write to it:(
>>>
>>> This works OK if I drop the multiuser option but that's no good for 
>>> us as we're trying to migrate erm, multiple users from nfs to cifs 
>>> on our Linux boxes.
>>> Question: Am I missing a keytab? Does cifs need any keys for the 
>>> multiuser option?
>>>
>>> Cheers,
>>> Steve
>>>
>> Hi Steve, in a word YES!
>> If you are mounting the user's home directory from the S4 server via 
>> cifs, I do not think that you need the multiuser option. I think you 
>> only need it if you want multiple users to use the same mount.
>>
>> Rowland
>>
>>
>>
>>
> Hi Rowland, hi everyone
> I think I do need multiuser because I am mounting the users' home 
> directories and many users will need to access their own folders with 
> their own uid:gid. That can't happen if the mount is owned by just one 
> user since all files are created by that uid:gid combination, no good 
> for hundreds of different users. In fact we have just that with nfs at 
> the moment but want to replace it with cifs because of locking 
> problems between nfs and windows.
>
> Anyway, I just put the host and machine clients in /etc/krb5.keytab 
> and nada. Still the same. Permission denied when a user tries to 
> write to his cifs mounted home folder.
>
> I think this has something to do with changes in cifs-utils but. . .
>
> Cheers,
> Steve
>
Hi Steve, each user needs to have their own Kerberos cache, I seem to 
have this working on my small test network but I am using sssd as I have 
come to the conclusion that winbind sucks ;-)

Rowland
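
Added example, not part of the original messages: a Python check over cifs.upcall log lines that reports, per upcall, which creduid asked for a ticket and whether find_krb5_cc accepted a credential cache for it, which is the per-user cache condition described above. The sample log is constructed in the format of the lines quoted in this thread (unwrapped); the third upcall (uid 3000033) and all function names are invented for illustration.

```python
import re

# Constructed sample in the format of the cifs.upcall lines quoted in this thread
# (unwrapped). The third upcall, uid 3000033, is invented to show the failure case.
SAMPLE_LOG = """\
Apr 11 18:18:16 doloresdc cifs.upcall: key description: cifs.spnego;0;0;3f000000;ver=0x2;host=doloresdc;ip4=192.168.1.100;sec=krb5;uid=0x0;creduid=0x0;user=root;pid=0x116b
Apr 11 18:18:16 doloresdc cifs.upcall: find_krb5_cc: FILE:/tmp/krb5cc_0 is valid ccache
Apr 11 18:19:50 doloresdc cifs.upcall: key description: cifs.spnego;3000032;20513;3f000000;ver=0x2;host=doloresdc;ip4=192.168.1.100;sec=krb5;uid=0x2dc6e0;creduid=0x2dc6e0;pid=0x1193
Apr 11 18:19:50 doloresdc cifs.upcall: find_krb5_cc: FILE:/tmp/krb5cc_3000032_NI8WDi is valid ccache
Apr 11 18:19:50 doloresdc cifs.upcall: find_krb5_cc: /tmp/krb5cc_0 is owned by 0, not 3000032
Apr 11 18:21:02 doloresdc cifs.upcall: key description: cifs.spnego;3000033;20513;3f000000;ver=0x2;host=doloresdc;ip4=192.168.1.100;sec=krb5;uid=0x2dc6e1;creduid=0x2dc6e1;pid=0x11a0
Apr 11 18:21:02 doloresdc cifs.upcall: find_krb5_cc: /tmp/krb5cc_0 is owned by 0, not 3000033
"""

KEY_RE = re.compile(r"cifs\.upcall: key description: (\S+)")
VALID_RE = re.compile(r"find_krb5_cc: (?:FILE:)?(\S+) is valid ccache")
OWNER_RE = re.compile(r"find_krb5_cc: (\S+) is owned by (\d+), not (\d+)")

def parse_key_description(desc):
    """Split 'cifs.spnego;uid;gid;perm;k=v;...' and decode the hex id fields."""
    fields = dict(p.split("=", 1) for p in desc.split(";")[4:] if "=" in p)
    for name in ("uid", "creduid", "pid"):
        if name in fields:
            fields[name] = int(fields[name], 16)  # e.g. 0x2dc6e0 -> 3000032
    return fields

def audit_upcalls(log_text):
    """Return one record per upcall: who asked, which ccache was accepted."""
    # Assumption: upcalls are not interleaved, so every find_krb5_cc line
    # belongs to the most recent 'key description' line.
    upcalls = []
    for line in log_text.splitlines():
        m = KEY_RE.search(line)
        if m:
            f = parse_key_description(m.group(1))
            upcalls.append({"creduid": f.get("creduid"), "pid": f.get("pid"),
                            "ccache": None, "rejected": []})
        elif upcalls:
            cur = upcalls[-1]
            m = VALID_RE.search(line)
            if m and cur["ccache"] is None:
                cur["ccache"] = m.group(1)
            m = OWNER_RE.search(line)
            if m:  # cache skipped because another uid owns it
                cur["rejected"].append((m.group(1), int(m.group(2))))
    return upcalls

def users_without_ccache(log_text):
    """creduids whose upcall accepted no credential cache at all."""
    return [u["creduid"] for u in audit_upcalls(log_text) if u["ccache"] is None]
```

On the two upcalls taken from the thread, both root and uid 3000032 end up with a cache of their own; only the invented third user is reported by `users_without_ccache`.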

