[Samba] Pam_mount not working with "sec=krb5"
ole.traupe at tu-berlin.de
Wed Nov 4 11:33:27 UTC 2015
> If by "key" you meant keytab then you were right. A keytab is a file
> dedicated to containing credentials (https://kb.iu.edu/d/aumh or
> Keytabs are used when you want to automate actions which need
> authentication. When some automated action requires credentials you
> have to provide these credentials, so somewhere you will need a
> user/password pair. Without a keytab you would need a clear text password, or
> a hashed one if it is possible. With a keytab you have encrypted
> credentials which are not worse than clear text.
> Of course it is a security hole: someone can use that keytab to
> authenticate. Today, next week... until the contained credentials are
> valid. The point, for me, is that this hole does not come from the keytab
> but from automation which needs credentials stored somewhere.
Mathias, thank you for making the purpose and functioning of the keytab
clearer for me!
I think it is possible to have automation without storing credentials.
That is what kerberos authentication is for.
Before compiling a more recent version of cifs-utils to get the
'multiuser' option, I tested this 'sec=krb5' option more thoroughly. If
my observations were correct, it turns out: if you use it (together with
'cruid=12345'), you can't have 'username=user_xyz' as an option, too.
You do either (username and) password-based authentication, or you use
an existing kerberos cache for that. This was formerly acquired
interactively via username/password, and that way you have something
like a single sign-on.
This is what works so far:
1. log in as the domain user 'userxyz' (id=12345) via ssh to a Linux
member server -> the kerberos cache file is created in /tmp
2. while the user is logged in (and the cache exists), use this command
to mount his home share (as root):
# mount.cifs //server/home/userxyz /home/userxyz -o
So, users' krb5 cache files are actually used by the cifs mount upcall.
I made sure that no other cache file was present, and I never put
anything into keytab.
What isn't working so far is automating this mount via pam_mount.
Pam_mount of cifs on this member server is working with explicit
credentials, so far. But if I use 'sec=krb5,cruid=12345' I get the
# mount error(126): Required key not available
which is what I also get when I try to mount without logging in as
Here is my volume definition from the '/etc/security/pam_mount.conf.xml'
<volume fstype="cifs" server="server" path="home/userxyz"
I figure that I have to adjust my pam configuration to perform kerberos
authentication _before_ doing the pam_mount.
I will report back with more results.
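As an added example (not part of this mail, nor of Samba or cifs-utils), here is a small POSIX shell pre-check for the failure mode described above: a 'sec=krb5,cruid=<uid>' mount can only succeed while a credential cache for that uid exists, otherwise mount.cifs fails with error 126 "Required key not available". The script assumes that the cifs upcall finds the user's file-based cache at /tmp/krb5cc_<uid> or /tmp/krb5cc_<uid>_<suffix> (an assumption about the default cache naming, not something the mail states); the cache directory and the mount program are parameters so the logic can be exercised without a real domain.

```shell
# Added example, not from the original mail or from Samba/cifs-utils.
# Assumption: the cifs upcall looks for the user's Kerberos cache as
# <cache_dir>/krb5cc_<uid> or <cache_dir>/krb5cc_<uid>_<suffix>,
# with <cache_dir> defaulting to /tmp.

# find_krb5_cache UID [CACHE_DIR]
# Prints the path of the first matching cache file and returns 0,
# or prints nothing and returns 1 when no cache exists for that uid.
find_krb5_cache() {
    uid=$1
    dir=${2:-/tmp}
    for f in "$dir/krb5cc_$uid" "$dir/krb5cc_${uid}"_*; do
        if [ -f "$f" ]; then
            printf '%s\n' "$f"
            return 0
        fi
    done
    return 1
}

# mount_home_krb5 UID SHARE MOUNTPOINT [CACHE_DIR]
# Refuses with status 126 (the same code mount.cifs reports) when the user
# has no cache, i.e. when nobody logged in interactively to obtain a TGT.
# MOUNT_CMD (hypothetical knob) defaults to mount.cifs; set it to 'echo'
# to see the command that would be run without touching the kernel.
mount_home_krb5() {
    uid=$1
    share=$2
    mnt=$3
    dir=${4:-/tmp}
    cache=$(find_krb5_cache "$uid" "$dir") || {
        echo "no Kerberos cache for uid $uid in $dir; the user must log in first" >&2
        return 126
    }
    echo "using credential cache $cache" >&2
    "${MOUNT_CMD:-mount.cifs}" "$share" "$mnt" -o "sec=krb5,cruid=$uid"
}
```

Run as root after the user has logged in over ssh, e.g. `mount_home_krb5 12345 //server/home/userxyz /home/userxyz`; the same check is what a pam_mount setup needs to guarantee by ordering Kerberos authentication before the mount in the PAM stack.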