[Samba] Pam_mount not working with "sec=krb5"

Ole Traupe ole.traupe at tu-berlin.de
Wed Nov 4 11:33:27 UTC 2015


>
> If by "key" you meant keytab then you were right. A keytab is a file 
> dedicated to containing credentials (https://kb.iu.edu/d/aumh or 
> http://web.mit.edu/Kerberos/krb5-1.12/doc/basic/keytab_def.html).
>
> Keytabs are used when you want to automate actions which need 
> authentication. When some automated action requires credentials you 
> have to provide these credentials, so somewhere you will need a 
> user/password pair. Without a keytab you would need a clear text password, or 
> a hashed one if it is possible. With a keytab you have encrypted 
> credentials, which is no worse than clear text.
>
> Of course it is a security hole: someone can use that keytab to 
> authenticate. Today, next week... until the contained credentials are 
> valid. The point, for me, is that this hole does not come from the keytab 
> but from the automation which needs credentials stored somewhere.

Mathias, thank you for making the purpose and functioning of the keytab 
clearer for me!

I think it is possible to have automation without storing credentials. 
That is what Kerberos authentication is for.

Before compiling a more recent version of cifs-utils to get the 
'multiuser' option, I tested this 'sec=krb5' option more thoroughly. If 
my observations were correct, it turns out: if you use it (together with 
'cruid=12345'), you can't have 'username=user_xyz' as an option as well. 
You do either (username and) password-based authentication, or you use 
an existing Kerberos cache for that. This was formerly acquired 
interactively via username/password, and that way you have something 
like a single sign-on.

This is what works so far:

1. log in as the domain user 'userxyz' (id=12345) via ssh to a Linux 
member server -> the Kerberos cache file is created in /tmp 
("krb5cc_12345_afcdeb")
2. while the user is logged in (and the cache exists), use this command 
to mount his home share (as root):
# mount.cifs //server/home/userxyz /home/userxyz -o 
sec=krb5,cruid=12345,uid=12345,gid=someGroupID

So, users' krb5 cache files are actually used by the cifs mount upcall. 
I made sure that no other cache file was present, and I never put 
anything into keytab.

What isn't working so far is automating this mount via pam_mount. 
Pam_mount of cifs on this member server is working with explicit 
credentials so far. But if I use 'sec=krb5,cruid=12345' I get
# mount error(126): Required key not available
which is what I also get when I try to mount without logging in as 
'userxyz' first.

Here is my volume definition from the '/etc/security/pam_mount.conf.xml' 
file:

<volume fstype="cifs" server="server" path="home/userxyz" 
mountpoint="/home/userxyz" 
options="sec=krb5,cruid=12345,uid=12345,gid=someGroupID,nosuid,nodev" />

I figure that I have to adjust my pam configuration to perform Kerberos 
authentication _before_ doing the pam_mount.

I will report back with more results.





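The two-step procedure above (user logs in, a krb5cc_<uid>* cache appears in /tmp, root mounts the share with sec=krb5,cruid=<uid>) and the pam_mount volume are easy to get wrong in the order of operations, which is exactly the "Required key not available" failure the post describes. The following script is an added example, not code from the post or from the Samba/cifs-utils projects. It checks for the credential cache before it ever calls mount.cifs, builds the option string from the uid/gid, and emits a pam_mount volume that uses pam_mount's %(USER)/%(USERUID)/%(USERGID) substitutions instead of a hard-coded user, which generalizes the single-user volume in the post. Assumptions, marked in the comments: caches live under /tmp (CCACHE_DIR), the share layout is //server/home/<user>, and the script stays in dry-run mode unless DRY_RUN=0 is set.

```shell
#!/bin/sh
# Added example for mounting a CIFS home share from an existing Kerberos
# credential cache. Not from the original post; names and paths below are
# assumptions for illustration.

# Assumption: pam_krb5/sshd write the ticket cache as /tmp/krb5cc_<uid>[_random].
CCACHE_DIR="${CCACHE_DIR:-/tmp}"
# Assumption: 1 = only print the mount command; set DRY_RUN=0 to really mount.
DRY_RUN="${DRY_RUN:-1}"

# find_ccache UID
# Prints the newest credential cache file for UID, exit 1 if there is none.
# The random suffix ("krb5cc_12345_afcdeb" in the post) is covered by the glob.
find_ccache() {
    uid="$1"
    newest=""
    for f in "$CCACHE_DIR/krb5cc_$uid" "$CCACHE_DIR/krb5cc_${uid}_"*; do
        [ -f "$f" ] || continue
        if [ -z "$newest" ] || [ "$f" -nt "$newest" ]; then
            newest="$f"
        fi
    done
    [ -n "$newest" ] || return 1
    printf '%s\n' "$newest"
}

# mount_opts UID GID
# The option string from the post: sec=krb5 with cruid pointing at the user
# whose cache the cifs upcall should read, plus nosuid,nodev hardening.
mount_opts() {
    printf 'sec=krb5,cruid=%s,uid=%s,gid=%s,nosuid,nodev' "$1" "$1" "$2"
}

# mount_cmd USER UID GID SERVER
# Assumption: share is //SERVER/home/USER, mounted on /home/USER.
mount_cmd() {
    printf 'mount.cifs //%s/home/%s /home/%s -o %s\n' \
        "$4" "$1" "$1" "$(mount_opts "$2" "$3")"
}

# pam_mount_volume GID_PLACEHOLDER_UNUSED
# Emits a pam_mount volume for any user, using pam_mount's own substitution
# variables instead of the hard-coded "userxyz"/"12345" of the post.
pam_mount_volume() {
    printf '<volume fstype="cifs" server="server" path="home/%%(USER)" mountpoint="/home/%%(USER)" options="sec=krb5,cruid=%%(USERUID),uid=%%(USERUID),gid=%%(USERGID),nosuid,nodev" />\n'
}

# krb5_mount USER UID GID SERVER
# Refuses to run mount.cifs when no cache for UID exists: without it the
# upcall cannot fetch a ticket and mount.cifs fails with
# "mount error(126): Required key not available", as the post reports.
krb5_mount() {
    if ! cc=$(find_ccache "$2"); then
        echo "no Kerberos cache for uid $2 under $CCACHE_DIR; log in first" >&2
        return 2
    fi
    echo "using credential cache $cc" >&2
    cmd=$(mount_cmd "$@")
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$cmd"
    else
        eval "$cmd"
    fi
}

# Usage (dry run): ./krb5mount.sh userxyz 12345 100 server
if [ "$#" -eq 4 ]; then
    krb5_mount "$@"
fi
```

Run it as root after the user has logged in once; if the cache check fails, the fix is on the PAM side (a Kerberos auth/session module that creates the cache must run before pam_mount's session phase), not in the mount options.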