[Samba] User home directory UID:GID incorrect on VM Samba 4 AD client

steve steve at steve-ss.com
Tue Oct 29 15:55:08 MDT 2013 

On Tue, 2013-10-29 at 15:39 -0600, Paul R. Ganci wrote:
> On 10/24/2013 10:05 PM, Paul R. Ganci wrote:
> > Hmmmm ... it appears I was mistaken about the cifs automount working. 
> > Not sure what I did wrong. Unfortunately my real job is getting in the 
> > way of my looking into the problem at the moment. For now I will just 
> > live with the nfs mount and will go back to sorting this problem over 
> > the weekend. I really want to set up the AD backend first then can 
> > deal with cifs automount issue. I will be happy to do some speed 
> > analysis then.
> >
> I successfully switched all my clients over to using the samba 4 AD 
> back-end with sssd. Other than getting PAM to cooperate the changeover 
> was pretty smooth actually. The only issue that I seem to have now is 
> with the automount of the user home directory. If I use:
> 
>  > cat /etc/auto.home
> #
> # File: /etc/auto.home
> #
> # nfs automount
> *    -acl nikita.myhome.nurdog.com:/home/&
> 
> Everything is fine. However if I use:
> 
>  > cat /etc/auto.home
> #
> # File: /etc/auto.home
> #
> # cifs automount
> * -fstype=cifs,sec=krb5,multiuser,username=NAS$ 
> ://nikita.myhome.nurdog.com/home/&
> 
> the automount fails. I find this entry in the logs on nas
> 
> Oct 29 15:12:33 nas kernel: CIFS VFS: cifs_mount failed w/return code = -22
> 
> but nothing on the AD nikita. Not really a big deal as I am quite happy 
> to use a nfs mount but on the other hand I can't find anything on the 
> internet that seemed pertinent to my situation. I really hate it when I 
> don't understand behavior. Does anyone have a suggestion?

OK. Common problem. It doesn't like the machine key.
-What does klist -ke look like on nas?
-What do you have for cifs.upcall in /etc/requestkey.conf?

Now,
Try extracting the key for a real domain user (in this example,
cifsuser) and add that to the keytab on nas:

cd /etc
 ktutil:  addent -password -p cifsuser at HH3.SITE -k 1 -e arcfour-hmac
  Password for cifsuser at HH3.SITE
  ktutil:  wkt krb5.keytab
  ktutil:  quit

replace NAS$ with cifsuser in the map.

If that works, now give cifsuser minimal privileges such as a loginShell
of /bin/false
HTH
Steve

More information about the samba mailing list