[Samba] Pam_mount not working with "sec=krb5"

Ole Traupe ole.traupe at tu-berlin.de
Wed Nov 4 17:15:29 UTC 2015

Oops, that one was clearly not directed to me. ;)

Am 04.11.2015 um 18:03 schrieb Ole Traupe:
> Am 04.11.2015 um 17:33 schrieb buhorojo:
>> On 04/11/15 16:50, L.P.H. van Belle wrote:
>>>> However, I have two objections at first glance:
>>>> a) if you remove AD access for an AD user, this user can't mount samba
>>>> shares, because he won't get authenticated correctly (on the Samba 
>>>> file
>>>> server sharing the homes), no?
>>> Looks correct to me what your saying,
>>> But how are you removing ad access from an AD user?
>> Only users in the realm or with trust will be able:
>> 1. authenticate
>> 2. use the resultant ticket to request access to the file server
>> Also remember that root is not in the realm;)
>>>> b) if you use NFS, and I tried that, and a user creates subfolders and
>>>> files in his nfs-mounted home share, these subcontainers won't have 
>>>> the
>>>> correctly inherited Windows ACLs (ergo problems with these shares when
>>>> accessing them from Windows AD clients)
>>> Strange, this works for me correct in the home folder.
>>> Test1 : login on a server with a NFS mounted homedir nsfV4 kerberos 
>>> mounted.
>>> If i create a folder from a ssh shell access, with a kerberos 
>>> authenticated user. ( for me a user who does not type its password 
>>> on ssh access )
>> Are you sure you are accessing the nfs mounted share on the server 
>> and not the share itself?
> Yes.
>> If you are setting the acl from windows on the parent directory, it 
>> will not translate correctly across nfs4 unless you have set the acl 
>> yourself using the (highly intuitive) nfs4_setfacl. 
> I will not start and try out the third permission system after Windows 
> ACLs and Unix permissions. Unless there would be a way to automate 
> this. But nevermind, I got my Samba pam_mount working. Will report in 
> the next mail.
>> At least several hours of trying later and failing before we went 
>> cifs where the acls just work.
>> HTH
> Thanks for your effort. Yes, cifs works.

More information about the samba mailing list