[Samba] krb5cc cache upon login. Possible?

Rowland Penny rpenny at f2s.com
Sat Apr 13 03:26:18 MDT 2013


On 12/04/13 22:31, steve wrote:
> On 04/12/2013 06:15 PM, Rowland Penny wrote:
>> On 12/04/13 17:01, steve wrote:
>>> openSUSE 12.3 clients joined to a Samba4 Domain
>>>
>>> Hi everyone
>>>
>>> We are using the cifs multiuser option with sec=krb5. This requires 
>>> the user to have a ticket cache under /tmp
>>> I know we can get that by using kinit, but I hear rumours that pam 
>>> can do it upon successful authentication.
>>>
>>> Can anyone point me in the right direction?
>>> Cheers,
>>> Steve
>> Hi Steve, libpam-script, you need three scripts: an auth script to get 
>> the ticket cache, then a script to do something with it when the user 
>> logs in and another to do something when they log out, I seem to have 
>> this working. I tried libpam-mount, but it had a nasty habit of not 
>> removing the mount on log off.
>>
>> Rowland
>>
> Hi Rowland
> I may have some good news: with recent versions of pam_krb5 and cifs 
> it shouldn't be necessary to do anything. You just get the cache when 
> you go to the share. If you can get that far of course. The reason for 
> our failure was:
> <feel thick>
> common-auth has: auth [success=2 default=ignore] pam_krb5.so 
> minimum_uid=1000000
> Our test user was 20000
> </feel thick>
>
> So, users in the normal 3000000+ AD range get there fine:)
> Cheers,
> Steve
>

Hi Steve, ok I tried libpam-krb5 and whilst it gets the user logged in, 
in my instance it did not mount any shares.
You are also using nss-ldapd but I am using sssd instead, this also gets 
the cache but I was putting it somewhere else, so I have changed sssd to 
put the cache back into its default location /tmp, turned off pam_krb5 
and the shares now get mounted again.

There is possibly another difference between our setups, I mount the 
shares at login and I think that you mount them after login, is this 
correct? Also, how do you unmount the shares after the user has logged off?

Rowland
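
Added example, not part of the original message and not code from Samba or pam_krb5: a small check for the failure Steve describes above, where the pam_krb5 rule in common-auth carries minimum_uid=1000000 and the test user's UID is 20000. The function names and the sample file are constructed for illustration; only the pam_krb5 rule itself is taken from the thread.

```python
import re

# Constructed sample of /etc/pam.d/common-auth. Only the pam_krb5 rule is
# taken from the thread; the other lines are filler for the parser.
SAMPLE_COMMON_AUTH = """\
# common-auth (constructed sample)
auth  required                        pam_env.so
auth  [success=2 default=ignore]      pam_krb5.so minimum_uid=1000000
auth  required                        pam_unix.so try_first_pass
"""

# type, control (plain word or [bracketed list]), module path, arguments
RULE = re.compile(r"(-?\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)")


def parse_pam_rules(text):
    """Yield (type, control, module, args) for each rule in a pam.d file."""
    text = text.replace("\\\n", " ")  # backslash-newline continues a rule
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blanks
        m = RULE.match(line)
        if m:  # lines such as "@include ..." do not match and are skipped
            yield m.group(1).lstrip("-"), m.group(2), m.group(3), m.group(4).split()


def krb5_minimum_uid(text, pam_type="auth"):
    """minimum_uid of the first pam_krb5 rule; 0 if unset, None if no rule."""
    for typ, _control, module, args in parse_pam_rules(text):
        if typ == pam_type and module.rsplit("/", 1)[-1] == "pam_krb5.so":
            for arg in args:
                if arg.startswith("minimum_uid="):
                    return int(arg.split("=", 1)[1])
            return 0
    return None


def krb5_handles_uid(text, uid, pam_type="auth"):
    """False when pam_krb5 is absent from the stack or skips this UID."""
    floor = krb5_minimum_uid(text, pam_type)
    return floor is not None and uid >= floor


if __name__ == "__main__":
    for uid in (20000, 3000000):  # the two UIDs mentioned in the thread
        state = "handled" if krb5_handles_uid(SAMPLE_COMMON_AUTH, uid) else "ignored"
        print(f"uid {uid}: pam_krb5 {state} (minimum_uid={krb5_minimum_uid(SAMPLE_COMMON_AUTH)})")
```

The check reads only the module arguments in the PAM file passed to it; a minimum_uid configured anywhere else is not considered.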


