[Samba] libpam_mount and sec=krb5

Rowland Penny rpenny at samba.org
Fri Dec 23 16:48:31 UTC 2022



On 23/12/2022 16:02, Stefan Kania via samba wrote:
> Hi all,
> 
> I am trying to get pam-mount working with sec=krb5. I've got the following config:
> ---------------------
> <volume
>          fstype="cifs"
>          server="fs-01.example.net"
>          path="users/%(DOMAIN_USER)"
>          mountpoint="/home/EXAMPLE/%(DOMAIN_USER)"
>          sgrp="domain users"
>          options="sec=krb5,cruid=%(USERID),workgroup=EXAMPLE,vers=3.1.1" />
> 
> <volume
>          fstype="cifs"
>          server="fs-01.example.net"
>          path="abteilungen"
>          mountpoint="/abteilungen"
>          sgrp="domain users"
>          options="sec=krb5,cruid=%(USERID),workgroup=EXAMPLE,vers=3.1.1" />
> ---------------------
> 
> When I connect with a user I see:
> ---------------------
> Dec 23 16:23:46 client-02 kernel: [   81.158008] CIFS: Attempting to mount \\fs-01.example.net\users
> Dec 23 16:23:46 client-02 kernel: [   81.253128] CIFS: VFS: Verify user has a krb5 ticket and keyutils is installed
> Dec 23 16:23:46 client-02 kernel: [   81.253134] CIFS: VFS: \\fs-01.example.net Send error in SessSetup = -126
> Dec 23 16:23:46 client-02 kernel: [   81.253154] CIFS: VFS: cifs_mount failed w/return code = -126

If I remember correctly, '-126' basically means 'help, I cannot find the 
kerberos ticket'.

> 
> ---------------------
> 
> When I switch to "sec=ntlmssp" pam-mount is working.
> 
> I then tried to get a ticket and access the share via smbclient:
> -----------------
> ktom at client-02:~$ kinit ktom
> ktom at EXAMPLE.NET's Password:
> ktom at client-02:~$ klist
> Credentials cache: FILE:/tmp/krb5cc_1001107_dUP4GZ
>          Principal: ktom at EXAMPLE.NET
> 
> ktom at client-02:~$ smbclient //fs-01/abteilungen
> Enter ktom at EXAMPLE.NET's password:
> Try "help" to get a list of possible commands.
> smb: \>

That isn't using Kerberos; try adding '--use-kerberos=required'.

> 
> ktom at client-02:~$ klist
> Credentials cache: FILE:/tmp/krb5cc_1001107_dUP4GZ
>          Principal: ktom at EXAMPLE.NET
> 
>    Issued                Expires               Principal
> Dec 23 16:44:49 2022  Dec 24 02:44:49 2022  krbtgt/EXAMPLE.NET at EXAMPLE.NET
> Dec 23 16:46:09 2022  Dec 24 02:44:49 2022  cifs/fs-01 at EXAMPLE.NET
> -----------------
> 
> Here is my krb5.conf:
> ---------------
> [libdefaults]
>          default_realm = EXAMPLE.NET
>          dns_lookup_realm = false
>          dns_lookup_kdc = true
> ---------------
> 
> And smb.conf
> ---------------
> [global]
>          workgroup = example
>          realm = EXAMPLE.NET
>          security = ADS
>          winbind refresh tickets = yes
>          winbind use default domain = yes
>          template shell = /bin/bash
>          idmap config * : range = 100000 - 199999
>          idmap config EXAMPLE : backend = rid
>          idmap config EXAMPLE : range = 1000000 - 1999999
> ---------------
> 
> Any idea?
> 

It could be that pam_mount is looking for the Kerberos ticket cache 
'/tmp/krb5cc_1001107' and, as you can see, it is actually 
'/tmp/krb5cc_1001107_dUP4GZ'.

Rowland
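As an added diagnostic, not code from the thread or from Samba: a Python script that checks the three points raised above on offline inputs, the errno behind the cifs_mount failure (on Linux, 126 is ENOKEY, "Required key not available"), whether /tmp holds a fixed-name krb5cc_<uid> cache or only a randomly suffixed one, and whether the cache lists a cifs/<server> service ticket. The sample log, /tmp listing and klist output are constructed from the messages in the thread; the errno table is Linux-specific.

```python
import re
from typing import Dict, List, Optional

# Linux errno values for the CIFS return codes of interest (Linux-specific numbers).
LINUX_ERRNO = {13: "EACCES: credentials rejected",
               126: "ENOKEY: required key not available (no usable Kerberos ticket)"}

# Constructed sample inputs, modelled on the thread (the archive rendered '@' as ' at ').
KERNEL_LOG = [
    "Dec 23 16:23:46 client-02 kernel: [   81.253128] CIFS: VFS: Verify user has a krb5 ticket and keyutils is installed",
    "Dec 23 16:23:46 client-02 kernel: [   81.253154] CIFS: VFS: cifs_mount failed w/return code = -126",
]
TMP_ENTRIES = ["krb5cc_1001107_dUP4GZ", "krb5cc_1000", "systemd-private-abc"]
KLIST_OUTPUT = """Credentials cache: FILE:/tmp/krb5cc_1001107_dUP4GZ
        Principal: ktom@EXAMPLE.NET
  Issued                Expires               Principal
Dec 23 16:44:49 2022  Dec 24 02:44:49 2022  krbtgt/EXAMPLE.NET@EXAMPLE.NET
Dec 23 16:46:09 2022  Dec 24 02:44:49 2022  cifs/fs-01@EXAMPLE.NET
"""

CODE_RE = re.compile(r"cifs_mount failed w/return code = (-?\d+)")

def mount_failure_code(lines: List[str]) -> Optional[int]:
    """errno (as a positive number) of the last cifs_mount failure in the log, or None."""
    codes = [abs(int(m.group(1))) for m in map(CODE_RE.search, lines) if m]
    return codes[-1] if codes else None

def ccache_candidates(uid: int, tmp_entries: List[str]) -> Dict[str, List[str]]:
    """Split /tmp names into the fixed krb5cc_<uid> form and suffixed krb5cc_<uid>_XXXXXX."""
    exact = f"krb5cc_{uid}"
    return {"exact": [e for e in tmp_entries if e == exact],
            "suffixed": [e for e in tmp_entries if e.startswith(exact + "_")]}

def has_service_ticket(klist: str, service: str) -> bool:
    """True if the cache lists a ticket whose principal starts with service, e.g. cifs/fs-01."""
    return any(re.search(rf"\s{re.escape(service)}@\S+\s*$", l) for l in klist.splitlines())

def diagnose(uid: int, log: List[str], tmp: List[str], klist: str) -> List[str]:
    """Findings a troubleshooter wants: errno meaning, cache naming, service ticket."""
    findings = []
    code = mount_failure_code(log)
    if code is not None:
        findings.append(LINUX_ERRNO.get(code, f"errno {code}: see errno(3)"))
    c = ccache_candidates(uid, tmp)
    if not c["exact"] and c["suffixed"]:
        findings.append(f"no /tmp/krb5cc_{uid}; only suffixed cache(s): {', '.join(c['suffixed'])}")
    if not has_service_ticket(klist, "cifs/fs-01"):
        findings.append("no cifs/fs-01 service ticket in the cache")
    return findings
```

Run against the constructed inputs, diagnose(1001107, KERNEL_LOG, TMP_ENTRIES, KLIST_OUTPUT) reports ENOKEY and the missing fixed-name cache while confirming the cifs/fs-01 ticket is present, which matches the situation described in the thread.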
