[Samba] krb5cc cache upon login. Possible?

Rowland Penny rpenny at f2s.com
Sat Apr 13 03:26:18 MDT 2013

On 12/04/13 22:31, steve wrote:
> On 04/12/2013 06:15 PM, Rowland Penny wrote:
>> On 12/04/13 17:01, steve wrote:
>>> openSUSE 12.3 clients joined to a Samba4 Domain
>>> Hi everyone
>>> We are using the cifs multiuser option with sec=krb5. This requires 
>>> the user to have a ticket cache under /tmp
>>> I know we can get that by using kinit, but I hear rumours that pam 
>>> can do it upon successful authentication.
>>> Can anyone point me in the right direction?
>>> Cheers,
>>> Steve
>> Hi Steve, libpam-script, you need three scripts an auth script to get 
>> the ticket cache, then a script to do something with it when the user 
>> logs in and another to do something when they log out, I seem to have 
>> this working. I tried libpam-mount, but it had a nasty habit of not 
>> removing the mount on log off.
>> Rowland
> Hi Rowland
> I may have some good news: with recent versions of pam_krb5 and cifs 
> it shouldn't be necessary to do anything. You just get the cache when 
> you go to the share. If you can get that far of course. The reason for 
> our failure was:
> <feel thick>
> common-auth has: auth [success=2 default=ignore] pam_krb5.so 
> minimum_uid=1000000
> Our test user was 20000
> </feel thick>
> So, users in the normal 3000000+ AD range get there fine:)
> Cheers,
> Steve

Hi Steve, ok I tried libpam-krb5 and whilst it gets the user logged in, 
in my instance it did not mount any shares.
You are also using nss-ldapd but I am using sssd instead, this also gets 
the cache but I was putting it somewhere else, so I have changed sssd to 
put the cache back into its default location /tmp , turned off pam_krb5 
and the shares now get mounted again.

There is possibly another difference between our setups, I mount the 
shares at login and I think that you mount them after login, is this 
correct? also how do you unmount the shares after the user has logged of?


This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

More information about the samba mailing list