[Samba] libpam_mount and sec=krb5
Stefan Kania
stefan at kania-online.de
Fri Dec 23 16:02:24 UTC 2022
Hi all,
I'm trying to get pam-mount working with sec=krb5. I've got the following config:
---------------------
<volume
fstype="cifs"
server="fs-01.example.net"
path="users/%(DOMAIN_USER)"
mountpoint="/home/EXAMPLE/%(DOMAIN_USER)"
sgrp="domain users"
options="sec=krb5,cruid=%(USERID),workgroup=EXAMPLE,vers=3.1.1" />
<volume
fstype="cifs"
server="fs-01.example.net"
path="abteilungen"
mountpoint="/abteilungen"
sgrp="domain users"
options="sec=krb5,cruid=%(USERID),workgroup=EXAMPLE,vers=3.1.1" />
---------------------
When I connect with a user I see:
---------------------
Dec 23 16:23:46 client-02 kernel: [ 81.158008] CIFS: Attempting to mount \\fs-01.example.net\users
Dec 23 16:23:46 client-02 kernel: [ 81.253128] CIFS: VFS: Verify user has a krb5 ticket and keyutils is installed
Dec 23 16:23:46 client-02 kernel: [ 81.253134] CIFS: VFS: \\fs-01.example.net Send error in SessSetup = -126
Dec 23 16:23:46 client-02 kernel: [ 81.253154] CIFS: VFS: cifs_mount failed w/return code = -126
---------------------
When I switch to "sec=ntlmssp", pam-mount is working.
I then tried to get a ticket and access the share via smbclient:
-----------------
ktom@client-02:~$ kinit ktom
ktom@EXAMPLE.NET's Password:
ktom@client-02:~$ klist
Credentials cache: FILE:/tmp/krb5cc_1001107_dUP4GZ
Principal: ktom@EXAMPLE.NET
ktom@client-02:~$ smbclient //fs-01/abteilungen
Enter ktom@EXAMPLE.NET's password:
Try "help" to get a list of possible commands.
smb: \>
ktom@client-02:~$ klist
Credentials cache: FILE:/tmp/krb5cc_1001107_dUP4GZ
Principal: ktom@EXAMPLE.NET
Issued Expires Principal
Dec 23 16:44:49 2022 Dec 24 02:44:49 2022 krbtgt/EXAMPLE.NET@EXAMPLE.NET
Dec 23 16:46:09 2022 Dec 24 02:44:49 2022 cifs/fs-01@EXAMPLE.NET
-----------------
Here is my krb5.conf:
---------------
[libdefaults]
default_realm = EXAMPLE.NET
dns_lookup_realm = false
dns_lookup_kdc = true
---------------
And smb.conf:
---------------
[global]
workgroup = example
realm = EXAMPLE.NET
security = ADS
winbind refresh tickets = yes
winbind use default domain = yes
template shell = /bin/bash
idmap config * : range = 100000 - 199999
idmap config EXAMPLE : backend = rid
idmap config EXAMPLE : range = 1000000 - 1999999
---------------
Any idea?
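An added diagnostic helper, not part of the post above: it parses pam_mount `<volume>` entries, expands the `%(DOMAIN_USER)` and `%(USERID)` placeholders for one user, lists every cifs volume that relies on `sec=krb5` together with the `cruid` the kernel's cifs.upcall will search a credential cache for, and decodes the `Send error in SessSetup = -126` kernel line (errno 126 is ENOKEY on Linux, i.e. the upcall returned no key). The sample config is constructed to mirror the post, with the second volume switched to `sec=ntlmssp` to show the filter; the ticket check simply runs `klist -s` for the calling user and is an assumption about the environment.

```python
import os
import pwd
import re
import shutil
import subprocess
import xml.etree.ElementTree as ET

ENOKEY = 126  # Linux errno behind "Send error in SessSetup = -126"

# Constructed sample modelled on the post; second volume deliberately uses ntlmssp.
SAMPLE_PAM_MOUNT = """<pam_mount>
<volume fstype="cifs" server="fs-01.example.net" path="users/%(DOMAIN_USER)"
        mountpoint="/home/EXAMPLE/%(DOMAIN_USER)" sgrp="domain users"
        options="sec=krb5,cruid=%(USERID),workgroup=EXAMPLE,vers=3.1.1" />
<volume fstype="cifs" server="fs-01.example.net" path="abteilungen"
        mountpoint="/abteilungen" sgrp="domain users"
        options="sec=ntlmssp,cruid=%(USERID),workgroup=EXAMPLE,vers=3.1.1" />
</pam_mount>"""

def expand(text, user, uid):
    """Substitute the two pam_mount placeholders used in the config."""
    return text.replace("%(DOMAIN_USER)", user).replace("%(USERID)", str(uid))

def parse_options(opts):
    """Turn 'sec=krb5,cruid=1001107,vers=3.1.1' into a dict; bare flags map to True."""
    out = {}
    for item in filter(None, opts.split(",")):
        key, _, value = item.partition("=")
        out[key.strip()] = value.strip() if value else True
    return out

def krb5_volumes(xml_text, user, uid):
    """Return (unc, mountpoint, cruid) for each cifs volume mounted with sec=krb5."""
    root = ET.fromstring(expand(xml_text, user, uid))
    found = []
    for vol in root.iter("volume"):
        opts = parse_options(vol.get("options", ""))
        if vol.get("fstype") != "cifs" or opts.get("sec") != "krb5":
            continue
        unc = "//%s/%s" % (vol.get("server"), vol.get("path"))
        found.append((unc, vol.get("mountpoint"), int(opts.get("cruid", uid))))
    return found

def sesssetup_errno(log_line):
    """Extract the positive errno from a 'Send error in SessSetup = -N' kernel line."""
    m = re.search(r"Send error in SessSetup = (-\d+)", log_line)
    return -int(m.group(1)) if m else None

def ticket_present():
    """True if `klist -s` finds a valid ticket for the calling user (assumes klist exists)."""
    if shutil.which("klist") is None:
        return None
    return subprocess.run(["klist", "-s"]).returncode == 0

if __name__ == "__main__":
    me = pwd.getpwuid(os.getuid())
    for unc, mnt, cruid in krb5_volumes(SAMPLE_PAM_MOUNT, me.pw_name, me.pw_uid):
        print("%s -> %s: cifs.upcall needs a ticket in a ccache of uid %d" % (unc, mnt, cruid))
    print("ticket for current user:", ticket_present())
```

Run it as the user who logs in; an ENOKEY result with a valid `klist` means the upcall could not locate that user's credential cache, so the cache location (the `FILE:/tmp/krb5cc_<uid>_<random>` name above) and the request-key configuration for `cifs.spnego` are the next things to compare.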