[Samba] Pam_mount not working with "sec=krb5"

Ole Traupe ole.traupe at tu-berlin.de
Tue Nov 3 09:56:46 UTC 2015

>> I mean, putting the key in the keytab looks like a security risk to me.
> In what way does it appear any more of a risk than having the keys 
> which you have there already? Even if someone steals the keytab, 
> they're gonna be hard pressed to crack the key in the few hours before 
> the tgt expires. Do you have very sensitive data maybe?

Ok. And maybe I misunderstood something: I thought the key would be 
valid indefinitely, while the ticket expires. But then there is the 
Ticket-Granting-Ticket (TGT). And if also the TGT expires after a few 
hours, for how long will a share mounted with "sec=krb5,multiuser" be 
accessible to the user?

I am sorry for all these dummy questions, but I really find this matter 
hard to understand.

Thank you very much for your help!

>> Would be nice if you could use kerberos on the fly.
> You _are_ using it on the fly.The tgt is obtained without any 
> interaction on the part of the user.
>> Unfortunately, I don't find such a detailed log in /var/log/messages.
>>>> Also, if the user is not mounting his home share, but somebody 
>>>> else, this _other_ user will be the owner of newly created files 
>>>> and folders, right
>>> No. With multiuser, acl and permissions are respected. If the user 
>>> would normally be the owner of newly created files, then he will be 
>>> also over cifs.
>> Great, that sounds exactly as I would like it to be.
>>> One other thing, you need a recent version of cifs utils (we don't 
>>> think Centos has) 
>> Mine is cifs-utils.x86_64    4.8.1-20.el6
> We can confirm it works with 6.2.

Thanks. So migrating the server to CentOS 7 would be advised here if one 
is afraid of bad interactions of Samba 3.1 with later (and potentially 
buggy) experimental cifs-utils versions for CentOS 6.

More information about the samba mailing list