[Samba] Pam_mount not working with "sec=krb5"

Ole Traupe ole.traupe at tu-berlin.de
Wed Nov 4 17:15:29 UTC 2015


Oops, that one was clearly not directed to me. ;)


On 04.11.2015 at 18:03, Ole Traupe wrote:
>
>
> On 04.11.2015 at 17:33, buhorojo wrote:
>> On 04/11/15 16:50, L.P.H. van Belle wrote:
>>>> However, I have two objections at first glance:
>>>> a) if you remove AD access for an AD user, this user can't mount samba
>>>> shares, because he won't get authenticated correctly (on the Samba file
>>>> server sharing the homes), no?
>>> Looks correct to me what you're saying,
>>> But how are you removing ad access from an AD user?
>> Only users in the realm or with trust will be able to:
>> 1. authenticate
>> 2. use the resultant ticket to request access to the file server
>> Also remember that root is not in the realm;)
>>>
>>>> b) if you use NFS, and I tried that, and a user creates subfolders and
>>>> files in his nfs-mounted home share, these subcontainers won't have the
>>>> correctly inherited Windows ACLs (ergo problems with these shares when
>>>> accessing them from Windows AD clients)
>>>>
>>> Strange, this works correctly for me in the home folder.
>>>
>>> Test1: login on a server with an NFS mounted homedir, NFSv4 kerberos
>>> mounted.
>>> If I create a folder from a ssh shell access, with a kerberos
>>> authenticated user. (for me a user who does not type its password
>>> on ssh access)
>> Are you sure you are accessing the nfs mounted share on the server 
>> and not the share itself?
> Yes.
>
>> If you are setting the acl from windows on the parent directory, it 
>> will not translate correctly across nfs4 unless you have set the acl 
>> yourself using the (highly intuitive) nfs4_setfacl. 
> I will not start and try out the third permission system after Windows 
> ACLs and Unix permissions. Unless there would be a way to automate 
> this. But never mind, I got my Samba pam_mount working. Will report in 
> the next mail.
>
>> At least several hours of trying later and failing before we went 
>> cifs where the acls just work.
>> HTH
>>
> Thanks for your effort. Yes, cifs works.
>
>



