[Samba] Good practices to make a Kerberos "mount.cifs" launched by root but with the credentials of another user

Francois Lafont francois.lafont.1978 at gmail.com
Tue Apr 11 16:56:57 UTC 2017


I have a Debian Stretch computer which is a "samba4 member
server" of a Samba4 AD domain (versions etc. are mentioned
at the end of the message). I think my config is OK and I
can open a _graphical_ session with an AD account user. The
display manager of the computer is Lightdm. For instance,
I can open a graphical session with the AD account bob (uid
== 14001). In this case, I have the environment variable
KRB5CCNAME which is correctly set in the graphical session of bob:

  # In a gnome-terminal of the bob graphical session, I have:
  bob@stretch:~$ env | grep KR

  bob@stretch:~$ ls -l /tmp/krb5cc_14001_I1H5wf
  -rw------- 1 bob domusers 3534 Apr 11 15:43 /tmp/krb5cc_14001_I1H5wf

The display manager Lightdm uses PAM and especially pam_krb5,
and it is this library which created the credentials cache file
/tmp/krb5cc_14001_I1H5wf, where 14001 is the uid of bob and
"I1H5wf" is just a random string generated by pam_krb5.

Then, I have a logon script which is set by Lightdm via this file:

    root@stretch:~# cat /etc/lightdm/lightdm.conf.d/custom.conf
      session-setup-script = /usr/local/bin/logon

Important: this script is run as _root_, and during the execution
of this script the envvar USER is correctly set and I have USER == "bob"
_but_ no KRB5CCNAME envvar is set. The KRB5CCNAME envvar is set
in the graphical session of bob but not during the execution of
the logon script.

In the logon script, I want to mount shares with mount.cifs.
Here is my problem: what is the proper way to mount the shares
of "bob" with mount.cifs using Kerberos authentication?

If I have understood correctly, I have to set the envvar KRB5CCNAME
and pass it to the mount.cifs command. So currently, I do this
in the logon script (and it _works_):

  # Locate the credentials cache file that pam_krb5 created for bob
  KRB5CCNAME=$(find /tmp/ -maxdepth 1 -mindepth 1 -type f -name 'krb5cc_*' -user bob)

  # Mount bob's share with Kerberos (cruid = owner of the credentials cache)
  KRB5CCNAME=$KRB5CCNAME mount.cifs //samba.athome.priv/myhome /mnt/docs/ \
      -o username=bob,domain=ATHOME.PRIV,sec=krb5i,cruid=bob

But I have the feeling that I am completely missing the Kerberos
good practices by doing it this way.

What is the good practice for making a "mount.cifs" of a share for a
specific AD user (bob) via Kerberos authentication in a script
which is launched by root and without specific information
concerning the path of the credential cache file of the specific user
(no KRB5CCNAME envvar is set)?

NB: I really want to manage mounts at logon with a shell script
run as root because I need flexibility (for instance, make some
mounts if the user is in the group "foo" and some other mounts
if not, etc.).

Thanks in advance for your help.
François Lafont

The member server:
* OS          => Debian Stretch
* Samba       => 4.5.8 (from the distribution)
* mount.cifs  => 6.7   (from the distribution)
* libkrb5     => 1.15  (from the distribution)
* libpam-krb5 => 4.7   (from the distribution)

I don't think it's relevant here but just in case, my Samba4
_AD_ server is an Ubuntu Xenial with Samba4 version 4.5.4
installed from sources.
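A hardened version of the logon script's cache lookup and mount, as an added example (not the poster's script, nor code from the Samba or cifs-utils projects). It assumes the setup described in the post: run as root by Lightdm with USER set, pam_krb5 FILE caches named /tmp/krb5cc_<uid>_<random>, and GNU find/coreutils; the klist validity check, the //samba.athome.priv/foo share and the /mnt/foo mount point are made up for illustration.

```sh
#!/bin/sh
# Added example, not the poster's script. Assumes: run as root by Lightdm
# with USER set (as in the post), pam_krb5 FILE caches named
# /tmp/krb5cc_<uid>_<random>, GNU find/coreutils.
set -u
# Print the newest regular file krb5cc_<uid>_* in $1 owned by user $2.
# Fails with no output when the user is unknown or has no cache, so the
# caller refuses to mount instead of passing an empty KRB5CCNAME.
# Stale sessions can leave several caches behind, hence "newest".
find_user_ccache() {
    dir=$1 user=$2
    uid=$(id -u "$user" 2>/dev/null) || return 1
    find "$dir" -maxdepth 1 -mindepth 1 -type f -user "$user" \
        -name "krb5cc_${uid}_*" -printf '%T@ %p\n' 2>/dev/null \
        | sort -rn | head -n 1 | cut -d' ' -f2- | grep .
}
# The mount options from the post; cruid names the user whose
# credentials cache cifs.upcall should use for the Kerberos exchange.
cifs_options() {
    printf 'username=%s,domain=%s,sec=krb5i,cruid=%s' "$1" "$2" "$1"
}
# Mount one share for a user (needs root, the cifs module and the server).
mount_user_share() {
    user=$1 share=$2 mnt=$3 domain=$4
    cc=$(find_user_ccache /tmp "$user") || {
        echo "logon: no Kerberos cache for $user, skipping $share" >&2
        return 1
    }
    # Check the ticket as the user, not as root (klist -s is silent).
    if command -v klist >/dev/null 2>&1; then
        su -s /bin/sh "$user" -c "KRB5CCNAME=FILE:$cc klist -s" || {
            echo "logon: $cc holds no valid ticket for $user" >&2
            return 1
        }
    fi
    mkdir -p "$mnt"
    KRB5CCNAME="FILE:$cc" mount.cifs "$share" "$mnt" \
        -o "$(cifs_options "$user" "$domain")"
}
# Per-user policy: the home share for everyone, an extra (made-up)
# share only for members of group foo.
logon_mounts() {
    mount_user_share "$1" //samba.athome.priv/myhome /mnt/docs ATHOME.PRIV
    if id -nG "$1" | tr ' ' '\n' | grep -qx foo; then
        mount_user_share "$1" //samba.athome.priv/foo /mnt/foo ATHOME.PRIV
    fi
}
if [ "${1:-}" = "--run" ]; then logon_mounts "$USER"; fi
```

Invoke it as the session-setup-script with `--run` so the mounts only happen when Lightdm calls it, not when the file is sourced for testing.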

