[Samba] Pam_mount not working with "sec=krb5"
ole.traupe at tu-berlin.de
Wed Nov 4 11:04:57 UTC 2015
On 04.11.2015 at 09:31, buhorojo wrote:
> On 03/11/15 17:18, Ole Traupe wrote:
>> On 03.11.2015 at 16:44, buhorojo wrote:
>>> On 03/11/15 10:56, Ole Traupe wrote:
>>>>>> I mean, putting the key in the keytab looks like a security risk
>>>>>> to me.
>>>>> In what way does it appear any more of a risk than having the keys
>>>>> which you have there already? Even if someone steals the keytab,
>>>>> they're gonna be hard pressed to crack the key in the few hours
>>>>> before the tgt expires. Do you have very sensitive data maybe?
>>>> Ok. And maybe I misunderstood something: I thought the key would be
>>>> valid indefinitely, while the ticket expires. But then there is the
>>>> Ticket-Granting-Ticket (TGT). And if also the TGT expires after a
>>>> few hours, for how long will a share mounted with
>>>> "sec=krb5,multiuser" be accessible to the user?
>>> The upcall will maintain the validity of the mount for as long as it
>>> is accessed, so maybe a better question would be how long a ticket
>>> does your kdc issue for a user. The latter will be the determining
>>> factor, not the upcall.
>> Up to 7 days if renewed within 24h, if I understand correctly
>> (ticket_lifetime = 24h, renew_lifetime = 7d).
>> Thanks for the clarification!
> Sorry, we don't know what the renew_lifetime means. Ours last 8 hours,
> after which the mount is inaccessible.
As far as I understood what I have read: the ticket can be refreshed
within 24h, up to a max lifetime of 7d (with these settings).
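
Added example, not part of the original thread: a simplified model of how the `ticket_lifetime` and `renew_lifetime` values quoted above interact, assuming standard Kerberos renewable-ticket semantics (a renewal must happen before the current ticket expires, and no ticket outlives the renew-till time). The function name and the sample timestamps are constructed for illustration; a real KDC may additionally cap both values by policy.

```python
from datetime import datetime, timedelta


def simulate_renewals(issued, ticket_lifetime, renew_lifetime, renew_attempts):
    """Return (final_endtime, log) for a renewable ticket.

    Hypothetical helper. Each successful renewal yields a ticket whose
    endtime is min(renewal time + ticket_lifetime, renew_till). A renewal
    attempted at or after the current endtime fails, because an expired
    ticket cannot be renewed.
    """
    renew_till = issued + renew_lifetime
    endtime = min(issued + ticket_lifetime, renew_till)
    log = []
    for attempt in sorted(renew_attempts):
        if attempt >= endtime:
            log.append((attempt, "failed: ticket already expired"))
            break
        endtime = min(attempt + ticket_lifetime, renew_till)
        log.append((attempt, "renewed until %s" % endtime.isoformat()))
    return endtime, log


# Constructed sample values matching the settings mentioned in the thread.
ISSUED = datetime(2015, 11, 4, 9, 0)
DAY = timedelta(hours=24)
WEEK = timedelta(days=7)


def hours(n):
    return ISSUED + timedelta(hours=n)


if __name__ == "__main__":
    # Renew every 20 hours: usable until the 7-day renew-till limit.
    end, log = simulate_renewals(ISSUED, DAY, WEEK,
                                 [hours(h) for h in range(20, 200, 20)])
    for when, result in log:
        print(when.isoformat(), result)
    print("credentials end:", end.isoformat())

    # First renewal attempted after 30 hours: too late, ticket died at 24h.
    end, _ = simulate_renewals(ISSUED, DAY, WEEK, [hours(30)])
    print("missed renewal, credentials end:", end.isoformat())
```
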