[Samba] Pam_mount not working with "sec=krb5"
Ole Traupe
ole.traupe at tu-berlin.de
Tue Nov 3 09:56:46 UTC 2015
>> I mean, putting the key in the keytab looks like a security risk to me.
> In what way does it appear any more of a risk than having the keys
> which you have there already? Even if someone steals the keytab,
> they're gonna be hard pressed to crack the key in the few hours before
> the tgt expires. Do you have very sensitive data maybe?
Ok. And maybe I misunderstood something: I thought the key would be
valid indefinitely, while the ticket expires. But then there is the
Ticket-Granting-Ticket (TGT). And if also the TGT expires after a few
hours, for how long will a share mounted with "sec=krb5,multiuser" be
accessible to the user?
I am sorry for all these dummy questions, but I really find this matter
hard to understand.
Thank you very much for your help!
>> Would be nice if you could use kerberos on the fly.
>
> You _are_ using it on the fly.The tgt is obtained without any
> interaction on the part of the user.
>>
>> Unfortunately, I don't find such a detailed log in /var/log/messages.
>>
>>>>
>>>> Also, if the user is not mounting his home share, but somebody
>>>> else, this _other_ user will be the owner of newly created files
>>>> and folders, right
>>> No. With multiuser, acl and permissions are respected. If the user
>>> would normally be the owner of newly created files, then he will be
>>> also over cifs.
>> Great, that sounds exactly as I would like it to be.
>>
>>>
>>> One other thing, you need a recent version of cifs utils (we don't
>>> think Centos has)
>> Mine is cifs-utils.x86_64 4.8.1-20.el6
> We can confirm it works with 6.2.
> HTH
Thanks. So migrating the server to CentOS 7 would be advised here if one
is afraid of bad interactions of Samba 3.1 with later (and potentially
buggy) experimental cifs-utils versions for CentOS 6.
More information about the samba
mailing list