[Samba] libpam_mount and sec=krb5

Rowland Penny rpenny at samba.org
Sat Dec 24 11:19:53 UTC 2022



On 23/12/2022 18:31, Stefan Kania via samba wrote:
> 
> 
> Am 23.12.22 um 18:29 schrieb Stefan Kania via samba:
>>
>>
>> Am 23.12.22 um 18:17 schrieb Rowland Penny via samba:
>>>
>>>
>>> On 23/12/2022 16:55, Stefan Kania via samba wrote:
>>>>
>>>>
>>>> Am 23.12.22 um 17:48 schrieb Rowland Penny via samba:
>>>>>>
>>>>>
>>>>> It could be that pam_mount is looking for the kerberos ticket 
>>>>> '/tmp/krb5cc_1001107' and as you can see, it is actually 
>>>>> '/tmp/krb5cc_1001107_dUP4GZ'
>>>>
>>>> That's what I also thought, but this is the ticket filename created 
>>>> when the user logs in to the system. Do you know a way to force the 
>>>> system NOT to add the last digits after the uid?
>>>>
>>>
>>> I think there is a parameter you can set, try reading the krb5.conf 
>>> manpage. Have you tried turning on debug in pam_mount.conf.xml ?
>>>
>>
>> Yes, and I got the same error :-(.
>>
>> One more thing:
>>
>> I just tested kinit together with MIT-Kerberos and OpenLDAP and there 
>> I got a filename krb5cc_<uid> without the suffix after the uid, so it 
>> must have something to do with heimdal-kerberos; if so, it would be bad.
>>
>>
>>> Rowland
>>>
>>
>>
> 
> I found out, Heimdal is NOT using default_ccache_name but 
> default_cc_name. I now changed my krb5.conf to:
> -----------------
> [libdefaults]
>          default_realm = EXAMPLE.NET
>          dns_lookup_realm = false
>          dns_lookup_kdc = true
>          default_cc_name = FILE:/tmp/krb5cc_%{uid}
> 
> -----------------
> But still the same, but it has something to do with Heimdal-Kerberos. 
> Changing the filename together with MIT-Kerberos and OpenLDAP works.
> 
> 

Sorry Stefan, but it works for me.

Installed on Debian bullseye:

apt install libpam-mount cifs-utils hxtools keyutils

Changed /etc/krb5.conf to this:

[libdefaults]
   default_realm = SAMDOM.EXAMPLE.COM
   dns_lookup_realm = false
   dns_lookup_kdc = true
   default_ccache_name = FILE:/tmp/krb5cc_%{uid}

[realms]
     SAMDOM.EXAMPLE.COM = {
         default_domain = samdom.example.com
     }


[domain_realm]
     samdom.example.com = SAMDOM.EXAMPLE.COM
     .samdom.example.com = SAMDOM.EXAMPLE.COM


[logging]
     default = FILE:/var/log/krb5libs.log
     kdc = FILE:/var/log/krb5kdc.log
     admin_server = FILE:/var/log/kadmind.log

set /etc/security/pam_mount.conf.xml to this:

<?xml version="1.0" encoding="utf-8" ?>
<!DOCTYPE pam_mount SYSTEM "pam_mount.conf.xml.dtd">
<!--
         See pam_mount.conf(5) for a description.
-->

<pam_mount>

                 <!-- debug should come before everything else,
                 since this file is still processed in a single pass
                 from top-to-bottom -->

<!--<debug enable="0" /> -->
<debug enable="3" />

                 <!-- Volume definitions -->
<volume
     fstype="cifs"
     server="devstation.samdom.example.com"
     path="data"
     mountpoint="/home/SAMDOM/data"
     uid="10000-640000"
     options="user=%(USER),domain=samdom,sec=krb5,cruid=%(USERUID),multiuser,vers=3.0"
/>

                 <!-- pam_mount parameters: General tunables -->

<!--
<luserconf name=".pam_mount.conf.xml" />
-->

<!-- Note that commenting out mntoptions will give you the defaults.
      You will need to explicitly initialize it with the empty string
      to reset the defaults to nothing. -->
<mntoptions allow="nosuid,nodev,loop,encryption,fsck,nonempty,allow_root,allow_other" />
<!--
<mntoptions deny="suid,dev" />
<mntoptions allow="*" />
<mntoptions deny="*" />
-->
<mntoptions require="nosuid,nodev" />

<!-- requires ofl from hxtools to be present -->
<logout wait="0" hup="no" term="no" kill="no" />

<!-- We need to over-ride the cifs mount command so that uid and gid are not
      set as they would by default. This would result in a permission 
denied error. -->
<cifsmount>mount -t cifs //%(SERVER)/%(VOLUME) %(MNTPT) -o %(OPTIONS)</cifsmount>

                 <!-- pam_mount parameters: Volume-related -->

<mkmountpoint enable="1" remove="true" />


</pam_mount>

Logged out as root and logged in as 'rowland'

This led to this in /var/log/auth.log:

Dec 24 10:48:30 deb11 lightdm: pam_unix(lightdm:session): session opened 
for user rowland(uid=11104) by (uid=0)
Dec 24 10:48:30 deb11 lightdm: (pam_mount.c:568): pam_mount 2.18: 
entering session stage
Dec 24 10:48:30 deb11 lightdm: (mount.c:776): Could not get realpath of 
/home/SAMDOM/data: No such file or directory
Dec 24 10:48:30 deb11 lightdm: (mount.c:246): Mount info: globalconf, 
user=rowland <volume fstype="cifs" 
server="devstation.samdom.example.com" path="data" 
mountpoint="/home/SAMDOM/data"cipher="(null)" fskeypath="(null)" 
fskeycipher="(null)" fskeyhash="(null)" 
options="user=rowland,domain=samdom,sec=krb5,cruid=11104,multiuser,vers=3.0" 
/> fstab=0 ssh=0
Dec 24 10:48:30 deb11 lightdm: (mount.c:300): mkmountpoint: checking /home
Dec 24 10:48:30 deb11 lightdm: (mount.c:300): mkmountpoint: checking 
/home/SAMDOM
Dec 24 10:48:30 deb11 lightdm: (mount.c:300): mkmountpoint: checking 
/home/SAMDOM/data
Dec 24 10:48:30 deb11 lightdm: (mount.c:340): mkdir[0] /home/SAMDOM/data
Dec 24 10:48:30 deb11 lightdm: (mount.c:346): chown /home/SAMDOM/data -> 
11104:10513
Dec 24 10:48:30 deb11 lightdm: (mount.c:655): Password will be sent to 
helper as-is.
Dec 24 10:48:30 deb11 lightdm: command: 'mount' '-t' 'cifs' 
'//devstation.samdom.example.com/data' '/home/SAMDOM/data' '-o' 
'user=rowland,domain=samdom,sec=krb5,cruid=11104,multiuser,vers=3.0'
..............................................
Dec 24 10:48:31 deb11 lightdm: (mount.c:549): 229 27 0:37 / 
/home/SAMDOM/data rw,relatime shared:129 - cifs 
//devstation.samdom.example.com/data 
rw,vers=3.0,sec=krb5,cruid=11104,cache=strict,multiuser,domain=samdom,uid=0,noforceuid,gid=0,noforcegid,addr=192.168.1.5,file_mode=0755,dir_mode=0755,soft,nounix,serverino,mapposix,noperm,rsize=4194304,wsize=4194304,bsize=1048576,echo_interval=60,actimeo=1,closetimeo=5
Dec 24 10:48:31 deb11 lightdm: command: 'pmvarrun' '-u' 'rowland' '-o' '1'
Dec 24 10:48:31 deb11 lightdm: (pam_mount.c:441): pmvarrun says login 
count is 1
Dec 24 10:48:31 deb11 lightdm: (pam_mount.c:660): done opening session 
(ret=0)
Dec 24 10:48:31 deb11 systemd-logind[450]: New session 17 of user rowland.

And this in /var/log/syslog:

Dec 24 10:48:30 deb11 cifs.upcall: key description: 
cifs.spnego;0;0;39010000;ver=0x2;host=devstation.samdom.example.com;ip4=192.168.1.5;sec=krb5;uid=0x0;creduid=0x2b60;user=rowland;pid=0x887b2
Dec 24 10:48:30 deb11 cifs.upcall: ver=2
Dec 24 10:48:30 deb11 cifs.upcall: host=devstation.samdom.example.com
Dec 24 10:48:30 deb11 cifs.upcall: ip=192.168.1.5
Dec 24 10:48:30 deb11 cifs.upcall: sec=1
Dec 24 10:48:30 deb11 cifs.upcall: uid=0
Dec 24 10:48:30 deb11 cifs.upcall: creduid=11104
Dec 24 10:48:30 deb11 cifs.upcall: user=rowland
Dec 24 10:48:30 deb11 cifs.upcall: pid=559026
Dec 24 10:48:30 deb11 cifs.upcall: get_cachename_from_process_env: 
pathname=/proc/559026/environ
Dec 24 10:48:30 deb11 cifs.upcall: get_cachename_from_process_env: 
cachename = FILE:/tmp/krb5cc_11104
Dec 24 10:48:30 deb11 cifs.upcall: get_existing_cc: default ccache is 
FILE:/tmp/krb5cc_11104
Dec 24 10:48:30 deb11 cifs.upcall: handle_krb5_mech: getting service 
ticket for devstation.samdom.example.com
Dec 24 10:48:30 deb11 cifs.upcall: handle_krb5_mech: obtained service ticket
Dec 24 10:48:30 deb11 cifs.upcall: Exit status 0

And when I went to --> Places --> Computer --> File System --> home --> 
SAMDOM

There was a folder named 'data' which contained files and folders from 
//devstation/data.

When I looked in /tmp, I found 'krb5cc_11104', and running 'getent 
passwd rowland' produced this:

rowland:*:11104:10513:Rowland Penny:/home/rowland:/bin/bash

Rowland
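The thread turns on one detail: cifs.upcall resolves the credential cache from the login process environment, so the cache name must be deterministic per uid (FILE:/tmp/krb5cc_<uid>), and the krb5.conf key that fixes it differs between MIT (default_ccache_name) and Heimdal (default_cc_name). The script below is an added example, not code from the thread or from Samba, pam_mount or cifs-utils. It parses a krb5.conf, reports which of the two keys is set and what it renders to for a given uid, and cross-checks that against cifs.upcall syslog lines. The sample configs and log lines are constructed from the ones quoted above (the wrapped log lines joined back together); the function names are the example's own.

```python
"""Added example: consistency checks for a pam_mount + sec=krb5 setup.

Assumptions (not from the thread): function names are the example's own;
only the %{uid} parameter is expanded; comments in krb5.conf start with '#'.
"""
import re

# Keys named in the thread: MIT reads default_ccache_name, Heimdal default_cc_name.
CCACHE_KEYS = ("default_ccache_name", "default_cc_name")


def parse_libdefaults(conf_text):
    """Return the key/value pairs of the [libdefaults] section of a krb5.conf."""
    section, values = None, {}
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        header = re.match(r"^\[(\w+)\]$", line)
        if header:
            section = header.group(1)
            continue
        if section == "libdefaults" and "=" in line:
            key, _, value = line.partition("=")
            values[key.strip()] = value.strip()
    return values


def ccache_setting(libdefaults):
    """Return (key, template) for whichever ccache key is set, else (None, None)."""
    for key in CCACHE_KEYS:
        if key in libdefaults:
            return key, libdefaults[key]
    return None, None


def render_ccache(template, uid):
    """Expand %{uid} the way both libraries do for the given numeric uid."""
    return template.replace("%{uid}", str(uid))


def expected_ccache(uid):
    """The cache name cifs.upcall resolved in the thread: FILE:/tmp/krb5cc_<uid>."""
    return f"FILE:/tmp/krb5cc_{uid}"


def parse_upcall_log(lines):
    """Pull creduid and the resolved cachename out of cifs.upcall syslog lines."""
    found = {}
    for line in lines:
        m = re.search(r"cifs\.upcall: creduid=(\d+)", line)
        if m:
            found["creduid"] = int(m.group(1))
        m = re.search(r"get_cachename_from_process_env: cachename = (\S+)", line)
        if m:
            found["cachename"] = m.group(1)
    return found


def audit(conf_text, uid, log_lines=()):
    """Return a list of findings; an empty list means config and upcall agree."""
    findings = []
    key, template = ccache_setting(parse_libdefaults(conf_text))
    if key is None:
        findings.append("neither default_ccache_name (MIT) nor default_cc_name "
                        "(Heimdal) is set; the cache name is left to the PAM "
                        "stack and may carry a random suffix cifs.upcall cannot find")
        return findings
    if "%{uid}" not in template:
        findings.append(f"{key} has no %{{uid}} parameter: cache is not per-user")
    rendered = render_ccache(template, uid)
    if rendered != expected_ccache(uid):
        findings.append(f"{key} renders to {rendered}, cifs.upcall expects {expected_ccache(uid)}")
    log = parse_upcall_log(log_lines)
    if log:
        if log.get("creduid") != uid:
            findings.append(f"cifs.upcall creduid {log.get('creduid')} != login uid {uid}")
        if log.get("cachename") != rendered:
            findings.append(f"cifs.upcall resolved {log.get('cachename')}, config renders {rendered}")
    return findings


# Constructed samples, reproducing the configs and log lines quoted in the thread.
MIT_CONF = """[libdefaults]
   default_realm = SAMDOM.EXAMPLE.COM
   dns_lookup_realm = false
   dns_lookup_kdc = true
   default_ccache_name = FILE:/tmp/krb5cc_%{uid}
[realms]
     SAMDOM.EXAMPLE.COM = {
         default_domain = samdom.example.com
     }
"""
HEIMDAL_CONF = """[libdefaults]
         default_realm = EXAMPLE.NET
         default_cc_name = FILE:/tmp/krb5cc_%{uid}
"""
UPCALL_LOG = [
    "Dec 24 10:48:30 deb11 cifs.upcall: creduid=11104",
    "Dec 24 10:48:30 deb11 cifs.upcall: get_cachename_from_process_env: cachename = FILE:/tmp/krb5cc_11104",
]

if __name__ == "__main__":
    for name, conf, uid in (("MIT", MIT_CONF, 11104), ("Heimdal", HEIMDAL_CONF, 1001107)):
        print(name, ccache_setting(parse_libdefaults(conf)), audit(conf, uid, UPCALL_LOG if name == "MIT" else ()))
```

Run it as root against the real /etc/krb5.conf and the uid from `getent passwd <user>`; a non-empty finding list points at the same mismatch the thread was chasing, and a missing %{uid} or a rendered name that differs from what cifs.upcall logs is where to look first.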