[Samba] Pam_mount not working with "sec=krb5"

Ole Traupe ole.traupe at tu-berlin.de
Wed Nov 4 11:04:57 UTC 2015



On 04.11.2015 at 09:31, buhorojo wrote:
> On 03/11/15 17:18, Ole Traupe wrote:
>>
>>
>> On 03.11.2015 at 16:44, buhorojo wrote:
>>> On 03/11/15 10:56, Ole Traupe wrote:
>>>>
>>>>>> I mean, putting the key in the keytab looks like a security risk 
>>>>>> to me.
>>>>> In what way does it appear any more of a risk than having the keys 
>>>>> which you have there already? Even if someone steals the keytab, 
>>>>> they're gonna be hard pressed to crack the key in the few hours 
>>>>> before the tgt expires. Do you have very sensitive data maybe?
>>>>
>>>> Ok. And maybe I misunderstood something: I thought the key would be 
>>>> valid indefinitely, while the ticket expires. But then there is the 
>>>> Ticket-Granting-Ticket (TGT). And if also the TGT expires after a 
>>>> few hours, for how long will a share mounted with 
>>>> "sec=krb5,multiuser" be accessible to the user?
>>> Hi
>>> The upcall will maintain the validity of the mount for as long as it 
>>> is accessed, so maybe a better question would be how long a ticket 
>>> does your kdc issue for a user. The latter will be the determining 
>>> factor, not the upcall.
>>
>> Up to 7 days if renewed within 24h, if I understand correctly 
>> (ticket_lifetime = 24h, renew_lifetime = 7d).
>>
>> Thanks for the clarification!
> Sorry, we don't know what the renew_lifetime means. Ours last 8 hours, 
> after which the mount is inaccessible.

As far as I understood what I have read: the ticket can be refreshed 
within 24h, up to a max lifetime of 7d (with these settings).
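
Added example, not part of the original message or of Samba's code: a small Python model of the ticket timing discussed in this thread, using the `ticket_lifetime = 24h` / `renew_lifetime = 7d` values and the 8-hour case quoted above. The start time, the renewal schedules and the function name `simulate_renewals` are assumptions made for illustration; it models only Kerberos ticket validity, not the mount itself.

```python
from datetime import datetime, timedelta

# Constructed sample login time (assumption, not from the thread).
START = datetime(2015, 11, 4, 9, 0)


def simulate_renewals(start, ticket_lifetime, renew_lifetime, renew_attempts):
    """Model a renewable Kerberos ticket.

    Returns (final_endtime, accepted_renewals). A renewal is only honoured
    while the current ticket is still valid and before the renew-till time;
    each accepted renewal extends validity by ticket_lifetime, capped at
    the renew-till time.
    """
    endtime = start + ticket_lifetime      # when the current ticket expires
    renew_till = start + renew_lifetime    # hard limit for any renewal
    accepted = []
    for t in sorted(renew_attempts):
        if t >= endtime or t >= renew_till:
            break                          # expired ticket cannot be renewed
        endtime = min(t + ticket_lifetime, renew_till)
        accepted.append(t)
    return endtime, accepted


if __name__ == "__main__":
    day, week = timedelta(hours=24), timedelta(days=7)

    # Renewed every 12 hours (hypothetical schedule): usable for the full 7 days.
    every_12h = [START + timedelta(hours=12 * k) for k in range(1, 21)]
    end, ok = simulate_renewals(START, day, week, every_12h)
    print("renewed every 12h :", end - START, "after", len(ok), "renewals")

    # First renewal attempted after 30 hours: too late, ticket died at 24h.
    end, ok = simulate_renewals(START, day, week, [START + timedelta(hours=30)])
    print("first renewal @30h:", end - START, "after", len(ok), "renewals")

    # 8-hour ticket that is never renewed, as in the quoted reply.
    end, ok = simulate_renewals(START, timedelta(hours=8), timedelta(0), [])
    print("8h, no renewal    :", end - START, "after", len(ok), "renewals")
```
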



