[Samba] Pam_mount not working with "sec=krb5"

Ole Traupe ole.traupe at tu-berlin.de
Mon Nov 2 14:51:52 UTC 2015

On 02.11.2015 at 15:10, buhorojo wrote:
> On 02/11/15 14:42, Ole Traupe wrote:
>> On 02.11.2015 at 13:12, buhorojo wrote:
>>> On 02/11/15 12:54, Ole Traupe wrote:
>>> Why can't the user do it with his own key file?
> Only root can perform mounts and anyway, 
Right, sorry.

> cifs upcall looks for a key, not a cache.
So you just _have_ to use the keytab. Has this changed? Here it seems 
that cache was ok in the past (see the end of the longest cited log part 
in the middle; but there was a different problem, obviously, with 

> Jan 25 17:55:12 goto cifs.upcall: find_krb5_cc: considering
> Jan 25 17:55:12 goto cifs.upcall: find_krb5_cc: /tmp/krb5cc_101125 is owned by 101125, not 0

I mean, putting the key in the keytab looks like a security risk to me. 
Would be nice if you could use kerberos on the fly.

Unfortunately, I don't find such a detailed log in /var/log/messages.

>> Also, if the user is not mounting his home share, but somebody else, 
>> this _other_ user will be the owner of newly created files and 
>> folders, right?
> No. With multiuser, acl and permissions are respected. If the user 
> would normally be the owner of newly created files, then he will be 
> also over cifs.
Great, that sounds exactly as I would like it to be.

> One other thing, you need a recent version of cifs utils (we don't 
> think Centos has) 
Mine is cifs-utils.x86_64    4.8.1-20.el6

> and to make sure that you lose the -c at /etc/request-key.conf:
> create  cifs.spnego     *       * /usr/sbin/cifs.upcall -c %k
