[Samba] libpam_mount and sec=krb5

Stefan Kania stefan at kania-online.de
Fri Dec 23 16:08:35 UTC 2022


I forgot :-)

If I log in as "root", get a ticket for the user "ktom" and then do a:
--------------
'mount' '-t' 'cifs' '//fs-01.example.net/users/ktom' 
'/home/EXAMPLE/ktom' '-o' 
'username=ktom,uid=1001107,gid=1000513,sec=krb5,cruid,workgroup=EXAMPLE,vers=3.1.1'
--------------
So, giving the command pam-mount is using, everything works fine.

On 23.12.22 at 17:02, Stefan Kania via samba wrote:
> Hi all,
> 
> I am trying to get pam-mount working with sec=krb5. I've got the following config:
> ---------------------
> <volume
>          fstype="cifs"
>          server="fs-01.example.net"
>          path="users/%(DOMAIN_USER)"
>          mountpoint="/home/EXAMPLE/%(DOMAIN_USER)"
>          sgrp="domain users"
>          options="sec=krb5,cruid=%(USERID),workgroup=EXAMPLE,vers=3.1.1" />
> 
> <volume
>          fstype="cifs"
>          server="fs-01.example.net"
>          path="abteilungen"
>          mountpoint="/abteilungen"
>          sgrp="domain users"
>          options="sec=krb5,cruid=%(USERID),workgroup=EXAMPLE,vers=3.1.1" />
> ---------------------
> 
> When I connect with a user I see:
> ---------------------
> Dec 23 16:23:46 client-02 kernel: [   81.158008] CIFS: Attempting to mount \\fs-01.example.net\users
> Dec 23 16:23:46 client-02 kernel: [   81.253128] CIFS: VFS: Verify user has a krb5 ticket and keyutils is installed
> Dec 23 16:23:46 client-02 kernel: [   81.253134] CIFS: VFS: \\fs-01.example.net Send error in SessSetup = -126
> Dec 23 16:23:46 client-02 kernel: [   81.253154] CIFS: VFS: cifs_mount failed w/return code = -126
> 
> ---------------------
> 
> When I switch to "sec=ntlmssp" pam-mount is working.
> 
> I then tried to get a ticket and access the share via smbclient:
> -----------------
> ktom@client-02:~$ kinit ktom
> ktom@EXAMPLE.NET's Password:
> ktom@client-02:~$ klist
> Credentials cache: FILE:/tmp/krb5cc_1001107_dUP4GZ
>          Principal: ktom@EXAMPLE.NET
> 
> ktom@client-02:~$ smbclient //fs-01/abteilungen
> Enter ktom@EXAMPLE.NET's password:
> Try "help" to get a list of possible commands.
> smb: \>
> 
> ktom@client-02:~$ klist
> Credentials cache: FILE:/tmp/krb5cc_1001107_dUP4GZ
>          Principal: ktom@EXAMPLE.NET
> 
>    Issued                Expires               Principal
> Dec 23 16:44:49 2022  Dec 24 02:44:49 2022  krbtgt/EXAMPLE.NET@EXAMPLE.NET
> Dec 23 16:46:09 2022  Dec 24 02:44:49 2022  cifs/fs-01@EXAMPLE.NET
> -----------------
> 
> Here is my krb5.conf:
> ---------------
> [libdefaults]
>          default_realm = EXAMPLE.NET
>          dns_lookup_realm = false
>          dns_lookup_kdc = true
> ---------------
> 
> And smb.conf
> ---------------
> [global]
>          workgroup = example
>          realm = EXAMPLE.NET
>          security = ADS
>          winbind refresh tickets = yes
>          winbind use default domain = yes
>          template shell = /bin/bash
>          idmap config * : range = 100000 - 199999
>          idmap config EXAMPLE : backend = rid
>          idmap config EXAMPLE : range = 1000000 - 1999999
> ---------------
> 
> Any idea?
> 

-- 
Stefan Kania
Landweg 13
25693 St. Michaelisdonn


Signing every e-mail helps reduce spam and protects your privacy. You can get a free certificate at
https://www.dgn.de/dgncert/index.html
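As an added example, not part of the thread and not pam_mount's or Samba's own code, here is a small shell script that reproduces by hand what pam_mount does for a domain user: mount the user's share as root with sec=krb5 and an explicit numeric cruid, after checking the two prerequisites the kernel message names. Return code -126 in the log above is ENOKEY: the kernel's request-key upcall for the user's ticket returned no key. When the mount runs as root, cifs.upcall uses cruid to pick the credential cache of that uid rather than root's, so the script always emits cruid with a numeric value (the pam_mount config in the thread passes cruid=%(USERID); the hand-typed mount line passes a bare cruid). Server, share, workgroup, uid/gid and the /tmp/krb5cc_<uid>_XXXXXX cache layout are taken from the thread and are hypothetical here; a configured cifs.upcall in /etc/request-key.d and a klist that accepts -s are assumed.

```shell
#!/bin/sh
# Added example (not from the thread): reproduce by hand, as root, the CIFS
# mount that pam_mount performs for a domain user with sec=krb5.
# Assumptions (hypothetical, modelled on the thread): server fs-01.example.net,
# share users/<user>, workgroup EXAMPLE, uid 1001107 / gid 1000513 for ktom,
# credential caches under /tmp as FILE:/tmp/krb5cc_<uid>_XXXXXX, and a working
# request-key/cifs.upcall setup on the client.
set -eu

# Find the newest credential cache for a numeric uid in DIR (default /tmp).
# Prints the path, or nothing when the user has no cache there.
find_ccache() {
    uid=$1
    dir=${2:-/tmp}
    ls -t "$dir"/krb5cc_"$uid"_* "$dir"/krb5cc_"$uid" 2>/dev/null | head -n 1
}

# Build the option string pam_mount hands to mount.cifs. cruid always carries
# the numeric uid: cifs.upcall uses it to find that user's ticket when the
# mounting process itself is root.
build_options() {
    user=$1; uid=$2; gid=$3
    printf 'username=%s,uid=%s,gid=%s,sec=krb5,cruid=%s,workgroup=EXAMPLE,vers=3.1.1' \
        "$user" "$uid" "$gid" "$uid"
}

# The two prerequisites the kernel names in the thread's log:
# keyutils (request-key) installed, and a valid ticket in the user's cache.
check_prereqs() {
    ccache=$1
    command -v request-key >/dev/null 2>&1 ||
        { echo "keyutils not installed (request-key missing)" >&2; return 1; }
    KRB5CCNAME="FILE:$ccache" klist -s ||
        { echo "no valid Kerberos ticket in $ccache" >&2; return 1; }
}

# Mount //fs-01.example.net/users/<user> on /home/EXAMPLE/<user> as root,
# the way pam_mount does, after the checks above.
mount_for_user() {
    user=$1; uid=$2; gid=$3
    ccache=$(find_ccache "$uid")
    [ -n "$ccache" ] ||
        { echo "no credential cache for uid $uid under /tmp" >&2; return 1; }
    check_prereqs "$ccache"
    mount -t cifs "//fs-01.example.net/users/$user" "/home/EXAMPLE/$user" \
        -o "$(build_options "$user" "$uid" "$gid")"
}

# Only mount when explicitly asked, e.g.  RUN_CIFS_MOUNT=1 sh cifs-krb5-mount.sh
# Without the variable the script just defines the functions.
if [ "${RUN_CIFS_MOUNT:-0}" = 1 ]; then
    mount_for_user ktom 1001107 1000513
fi
```

Run it as root with RUN_CIFS_MOUNT=1 after the user has done kinit; if check_prereqs fails, pam_mount's mount fails for the same reason, since the kernel's upcall runs through the same request-key and credential cache.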