[Samba] Pam_mount not working with "sec=krb5"
ole.traupe at tu-berlin.de
Mon Nov 2 14:51:52 UTC 2015
On 02.11.2015 at 15:10, buhorojo wrote:
> On 02/11/15 14:42, Ole Traupe wrote:
>> On 02.11.2015 at 13:12, buhorojo wrote:
>>> On 02/11/15 12:54, Ole Traupe wrote:
>>> Why can't the user do it with his own key file?
> Only root can perform mounts and anyway,
> cifs upcall looks for a key, not a cache.
So you just _have_ to use the keytab. Has this changed? Here it seems
that cache was ok in the past (see the end of the longest cited log part
in the middle; but there was a different problem, obviously, with
> Jan 25 17:55:12 goto cifs.upcall: find_krb5_cc: considering
> Jan 25 17:55:12 goto cifs.upcall: find_krb5_cc: /tmp/krb5cc_101125 is owned by 101125, not 0
I mean, putting the key in the keytab looks like a security risk to me.
Would be nice if you could use Kerberos on the fly.
Unfortunately, I don't find such a detailed log in /var/log/messages.
>> Also, if the user is not mounting his home share, but somebody else,
>> this _other_ user will be the owner of newly created files and
>> folders, right?
> No. With multiuser, acl and permissions are respected. If the user
> would normally be the owner of newly created files, then he will be
> also over cifs.
Great, that sounds exactly as I would like it to be.
> One other thing, you need a recent version of cifs utils (we don't
> think CentOS has)
Mine is cifs-utils.x86_64 4.8.1-20.el6
> and to make sure that you lose the -c at /etc/request-key.conf:
> create cifs.spnego * * /usr/sbin/cifs.upcall -c %k
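
The following check is an added example, not part of the original message or of cifs-utils: it scans a request-key configuration file for `create cifs.spnego` rules and reports whether `cifs.upcall` is still called with the `-c` argument that the quoted reply says to drop. The helper name `audit_cifs_spnego` and the sample file contents are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: audit request-key.conf rules for cifs.spnego keys.
# audit_cifs_spnego is a hypothetical helper name, not part of cifs-utils.
# Prints "<line>: has -c" or "<line>: no -c" for every matching rule.
# Exit status: 0 = rule(s) found, none pass -c; 1 = some rule passes -c;
#              2 = file unreadable; 3 = no cifs.spnego rule at all.
audit_cifs_spnego() {
    conf=$1
    [ -r "$conf" ] || { echo "cannot read $conf" >&2; return 2; }
    awk '
        /^[ \t]*(#|$)/ { next }            # skip comments and blank lines
        # Fields: 1 op, 2 key type, 3 description, 4 callout info,
        # 5 program, 6.. program arguments.
        $1 == "create" && $2 == "cifs.spnego" {
            found = 1
            flag = "no -c"
            # match -c alone or inside a short-option cluster such as -tc
            for (i = 6; i <= NF; i++)
                if ($i ~ /^-[A-Za-z]*c[A-Za-z]*$/) { flag = "has -c"; bad = 1 }
            print NR ": " flag
        }
        END {
            if (!found) { print "no cifs.spnego rule"; exit 3 }
            exit (bad ? 1 : 0)
        }
    ' "$conf"
}

# Constructed sample input (not taken from a real host).
sample=$(mktemp)
cat > "$sample" <<'EOF'
# constructed request-key.conf fragment
create dns_resolver * * /usr/sbin/cifs.upcall %k
create cifs.spnego * * /usr/sbin/cifs.upcall -c %k
EOF
audit_cifs_spnego "$sample" || echo "audit status: $?"
rm -f "$sample"
```

On a real system, pass the path of the file being reviewed, for example `/etc/request-key.conf`.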