[Samba] autofs + cifs + kerberos

[steve]

On Fri, 2014-09-05 at 20:56 +0800, Sketch wrote:
> I'm having an issue with autofs mounting cifs using kerberos, on machines 
> joined to an S4 domain controller.  Both hosts and S4 server are CentOS 6, 
> and the DC is running samba-4.1.11 from sernet.
> 
> Autofs is getting it's maps from LDAP from the DC.  This part works 
> fine, automount -m shows:
> 
> Mount point: /share
> 
> source(s):
> 
>    instance type(s): sss
>    map: auto.share
> 
>    public | -fstype=cifs,sec=krb5,user=$USER,cruid=$UID ://fileserver/public
> 
> If a user attempts to access /share/public, it is mounted with their 
> kerberos credentials...for a while.  But eventually it stops working, and 
> I get errors like this in the log:
> 
> Sep  5 07:43:00 test kernel: CIFS VFS: Send error in SessSetup = -128
> Sep  5 07:43:00 test kernel: CIFS VFS: cifs_mount failed w/return code = -128
> 
> A "service autofs restart" fixes it...for a while.  The funny thing is, 
> it's not consistant.  Sometimes, the share will mount once, then if I 
> manually unmount it and try to mount it again it fails.  Other times, I 
> can successfully remount it repeatedly, and it will work for hours.
> 
> Any suggestions where to start looking?

The problem is that $USER needs to be in the keytab so either add keys
of anyone you think may need to share, or work around it. Create a
minimalist domain user (uidNumber, gidNumber but no loginShell) to make
the mount on behalf of anyone who needs it. Add the user to the client
keytab and then use the multiuser option, which on a shared folder you
probably need anyway:

public -fstype=cifs,sec=krb5,username=cifsuser,multiuser ://fs/public

where cifsuser is the minmalist user. The cifs upcall takes care of the
rest. Make sure you have a recent cifs-utils and that keyutils is
populated correctly.
HTH,
Steve