[Samba] libpam_mount and sec=krb5

Stefan Kania stefan at kania-online.de
Fri Dec 23 16:02:24 UTC 2022


Hi all,

I'm trying to get pam-mount working with sec=krb5. I've got the following config:
---------------------
<volume
         fstype="cifs"
         server="fs-01.example.net"
         path="users/%(DOMAIN_USER)"
         mountpoint="/home/EXAMPLE/%(DOMAIN_USER)"
         sgrp="domain users"
         options="sec=krb5,cruid=%(USERID),workgroup=EXAMPLE,vers=3.1.1" />

<volume
         fstype="cifs"
         server="fs-01.example.net"
         path="abteilungen"
         mountpoint="/abteilungen"
         sgrp="domain users"
         options="sec=krb5,cruid=%(USERID),workgroup=EXAMPLE,vers=3.1.1" />
---------------------

When I connect with a user I see:
---------------------
Dec 23 16:23:46 client-02 kernel: [   81.158008] CIFS: Attempting to mount \\fs-01.example.net\users
Dec 23 16:23:46 client-02 kernel: [   81.253128] CIFS: VFS: Verify user has a krb5 ticket and keyutils is installed
Dec 23 16:23:46 client-02 kernel: [   81.253134] CIFS: VFS: \\fs-01.example.net Send error in SessSetup = -126
Dec 23 16:23:46 client-02 kernel: [   81.253154] CIFS: VFS: cifs_mount failed w/return code = -126

---------------------

When I switch to "sec=ntlmssp" pam-mount is working.

I then tried to get a ticket and access the share via smbclient:
-----------------
ktom@client-02:~$ kinit ktom
ktom@EXAMPLE.NET's Password:
ktom@client-02:~$ klist
Credentials cache: FILE:/tmp/krb5cc_1001107_dUP4GZ
         Principal: ktom@EXAMPLE.NET

ktom@client-02:~$ smbclient //fs-01/abteilungen
Enter ktom@EXAMPLE.NET's password:
Try "help" to get a list of possible commands.
smb: \>

ktom@client-02:~$ klist
Credentials cache: FILE:/tmp/krb5cc_1001107_dUP4GZ
         Principal: ktom@EXAMPLE.NET

   Issued                Expires               Principal
Dec 23 16:44:49 2022  Dec 24 02:44:49 2022  krbtgt/EXAMPLE.NET@EXAMPLE.NET
Dec 23 16:46:09 2022  Dec 24 02:44:49 2022  cifs/fs-01@EXAMPLE.NET
-----------------

Here is my krb5.conf:
---------------
[libdefaults]
         default_realm = EXAMPLE.NET
         dns_lookup_realm = false
         dns_lookup_kdc = true
---------------

And smb.conf:
---------------
[global]
         workgroup = example
         realm = EXAMPLE.NET
         security = ADS
         winbind refresh tickets = yes
         winbind use default domain = yes
         template shell = /bin/bash
         idmap config * : range = 100000 - 199999
         idmap config EXAMPLE : backend = rid
         idmap config EXAMPLE : range = 1000000 - 1999999
---------------

Any idea?

