[Samba] libpam_mount and sec=krb5
Stefan Kania
stefan at kania-online.de
Fri Dec 23 16:08:35 UTC 2022
I forgot :-)
If I log in as "root", get a ticket for the user "ktom" and then do a:
--------------
'mount' '-t' 'cifs' '//fs-01.example.net/users/ktom'
'/home/EXAMPLE/ktom' '-o'
'username=ktom,uid=1001107,gid=1000513,sec=krb5,cruid,workgroup=EXAMPLE,vers=3.1.1'
--------------
So when I give the command pam-mount is using, everything works fine.
On 23.12.22 at 17:02, Stefan Kania via samba wrote:
> Hi all,
>
> I'm trying to get pam-mount working with sec=krb5. I've got the following config:
> ---------------------
> <volume
> fstype="cifs"
> server="fs-01.example.net"
> path="users/%(DOMAIN_USER)"
> mountpoint="/home/EXAMPLE/%(DOMAIN_USER)"
> sgrp="domain users"
> options="sec=krb5,cruid=%(USERID),workgroup=EXAMPLE,vers=3.1.1" />
>
> <volume
> fstype="cifs"
> server="fs-01.example.net"
> path="abteilungen"
> mountpoint="/abteilungen"
> sgrp="domain users"
> options="sec=krb5,cruid=%(USERID),workgroup=EXAMPLE,vers=3.1.1" />
> ---------------------
>
> When I connect with a user I see:
> ---------------------
> Dec 23 16:23:46 client-02 kernel: [ 81.158008] CIFS: Attempting to mount \\fs-01.example.net\users
> Dec 23 16:23:46 client-02 kernel: [ 81.253128] CIFS: VFS: Verify user has a krb5 ticket and keyutils is installed
> Dec 23 16:23:46 client-02 kernel: [ 81.253134] CIFS: VFS: \\fs-01.example.net Send error in SessSetup = -126
> Dec 23 16:23:46 client-02 kernel: [ 81.253154] CIFS: VFS: cifs_mount failed w/return code = -126
>
> ---------------------
>
> When I switch to "sec=ntlmssp" pam-mount is working.
>
> I then tried to get a ticket and access the share via smbclient:
> -----------------
> ktom@client-02:~$ kinit ktom
> ktom@EXAMPLE.NET's Password:
> ktom@client-02:~$ klist
> Credentials cache: FILE:/tmp/krb5cc_1001107_dUP4GZ
> Principal: ktom@EXAMPLE.NET
>
> ktom@client-02:~$ smbclient //fs-01/abteilungen
> Enter ktom@EXAMPLE.NET's password:
> Try "help" to get a list of possible commands.
> smb: \>
>
> ktom@client-02:~$ klist
> Credentials cache: FILE:/tmp/krb5cc_1001107_dUP4GZ
> Principal: ktom@EXAMPLE.NET
>
> Issued                Expires               Principal
> Dec 23 16:44:49 2022  Dec 24 02:44:49 2022  krbtgt/EXAMPLE.NET@EXAMPLE.NET
> Dec 23 16:46:09 2022  Dec 24 02:44:49 2022  cifs/fs-01@EXAMPLE.NET
> -----------------
>
> Here is my krb5.conf:
> ---------------
> [libdefaults]
> default_realm = EXAMPLE.NET
> dns_lookup_realm = false
> dns_lookup_kdc = true
> ---------------
>
> And smb.conf
> ---------------
> [global]
> workgroup = example
> realm = EXAMPLE.NET
> security = ADS
> winbind refresh tickets = yes
> winbind use default domain = yes
> template shell = /bin/bash
> idmap config * : range = 100000 - 199999
> idmap config EXAMPLE : backend = rid
> idmap config EXAMPLE : range = 1000000 - 1999999
> ---------------
>
> Any idea?
>
--
Stefan Kania
Landweg 13
25693 St. Michaelisdonn
Signing every e-mail helps reduce spam and protects your
privacy. You can get a free certificate at
https://www.dgn.de/dgncert/index.html
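
Added example, not part of the original message: a small shell check for the two preconditions the kernel hint in the quoted log names (a krb5 ticket for the user, and the keyutils upcall rule). It assumes FILE: caches named krb5cc_* as in the klist output above and the usual request-key paths; all function names are hypothetical.

```shell
#!/bin/sh
# Added example, not from the original post; paths are common defaults (assumed).

# Print the value of cruid= from a CIFS option string; nothing if absent or valueless.
cruid_of() {
    printf '%s\n' "$1" | tr ',' '\n' | sed -n 's/^cruid=\(..*\)$/\1/p'
}

# List FILE: ticket caches named krb5cc_* in directory $2 owned by numeric uid $1.
find_ccaches() {
    find "$2" -maxdepth 1 -type f -name 'krb5cc_*' -user "$1" 2>/dev/null
}

# Succeed if any given request-key file/dir holds a cifs.spnego "create" rule.
has_spnego_rule() {
    grep -rEqs '^[[:space:]]*create[[:space:]]+cifs\.spnego[[:space:]]' "$@"
}

# check_krb5_mount OPTIONS [CCDIR] [REQUEST-KEY PATH...]
# Prints one line per finding; the exit status is the number of problems found.
check_krb5_mount() {
    opts=$1; ccdir=${2:-/tmp}
    [ $# -ge 2 ] && shift 2 || shift
    [ $# -eq 0 ] && set -- /etc/request-key.conf /etc/request-key.d
    problems=0
    who=$(cruid_of "$opts")
    if [ -z "$who" ]; then
        who=$(id -u)   # mount.cifs default: real uid of the process doing the mount
        echo "note: cruid has no value; cache owner defaults to uid $who"
    fi
    case $who in *[!0-9]*) who=$(id -u "$who" 2>/dev/null) ;; esac
    if [ -n "$who" ] && [ -n "$(find_ccaches "$who" "$ccdir")" ]; then
        echo "ok: ticket cache for uid $who in $ccdir"
    else
        echo "FAIL: no krb5cc_* cache owned by the cruid user in $ccdir"
        problems=$((problems + 1))
    fi
    if has_spnego_rule "$@"; then
        echo "ok: cifs.spnego request-key rule present"
    else
        echo "FAIL: no cifs.spnego rule for request-key"
        problems=$((problems + 1))
    fi
    return "$problems"
}
```

Run it as root with the option string from the volume definition, for example `check_krb5_mount 'sec=krb5,cruid=1001107,workgroup=EXAMPLE,vers=3.1.1'`. Caches of type KEYRING: or KCM: are not covered by this check.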