[Samba] libpam_mount and sec=krb5
Stefan Kania
stefan at kania-online.de
Tue Dec 27 16:58:46 UTC 2022
Hi Rowland,
finally I found my problem. Comparing your settings with mine I saw what I
did wrong :-(
The option is "cruid=%(USERUID)"; I had "cruid=%(USERID)", so the "U" from
UID was missing. So again, thank you for your help :-)
As always: problems in Samba are either DNS or in front of the monitor :-)
Stefan
On 24.12.22 at 12:19, Rowland Penny via samba wrote:
>
>
> On 23/12/2022 18:31, Stefan Kania via samba wrote:
>>
>>
>> On 23.12.22 at 18:29, Stefan Kania via samba wrote:
>>>
>>>
>>> On 23.12.22 at 18:17, Rowland Penny via samba wrote:
>>>>
>>>>
>>>> On 23/12/2022 16:55, Stefan Kania via samba wrote:
>>>>>
>>>>>
>>>>> On 23.12.22 at 17:48, Rowland Penny via samba wrote:
>>>>>>>
>>>>>>
>>>>>> It could be that pam_mount is looking for the kerberos ticket
>>>>>> '/tmp/krb5cc_1001107' and as you can see, it is actually
>>>>>> '/tmp/krb5cc_1001107_dUP4GZ'
>>>>>
>>>>> That's what I also thought, but this is the ticket filename
>>>>> created when the user logs in to the system. Do you know a way to
>>>>> force the system NOT to add the last digits after the uid?
>>>>>
>>>>
>>>> I think there is a parameter you can set, try reading the krb5.conf
>>>> manpage. Have you tried turning on debug in pam_mount.conf.xml ?
>>>>
>>>
>>> Yes, and I got the same error :-(.
>>>
>>> One more thing:
>>>
>>> I just tested kinit together with MIT Kerberos and OpenLDAP and there
>>> I got a filename krb5cc_<uid> without the suffix after the uid, so it
>>> must have something to do with Heimdal Kerberos; if so, it would be bad.
>>>
>>>
>>>> Rowland
>>>>
>>>
>>>
>>
>> I found out, Heimdal is NOT using default_ccache_name but
>> default_cc_name. I now changed my krb5.conf to:
>> -----------------
>> [libdefaults]
>> default_realm = EXAMPLE.NET
>> dns_lookup_realm = false
>> dns_lookup_kdc = true
>> default_cc_name = FILE:/tmp/krb5cc_%{uid}
>>
>> -----------------
>> But it is still the same; it has something to do with Heimdal Kerberos.
>> Changing the filename together with MIT Kerberos and OpenLDAP works.
>>
>>
>
> Sorry Stefan, but it works for me.
>
> Installed on Debian bullseye:
>
> apt install libpam-mount cifs-utils hxtools keyutils
>
> Changed /etc/krb5.conf to this:
>
> [libdefaults]
> default_realm = SAMDOM.EXAMPLE.COM
> dns_lookup_realm = false
> dns_lookup_kdc = true
> default_ccache_name = FILE:/tmp/krb5cc_%{uid}
>
> [realms]
> SAMDOM.EXAMPLE.COM = {
> default_domain = samdom.example.com
> }
>
>
> [domain_realm]
> samdom.example.com = SAMDOM.EXAMPLE.COM
> .samdom.example.com = SAMDOM.EXAMPLE.COM
>
>
> [logging]
> default = FILE:/var/log/krb5libs.log
> kdc = FILE:/var/log/krb5kdc.log
> admin_server = FILE:/var/log/kadmind.log
>
> set /etc/security/pam_mount.conf.xml to this:
>
> <?xml version="1.0" encoding="utf-8" ?>
> <!DOCTYPE pam_mount SYSTEM "pam_mount.conf.xml.dtd">
> <!--
> See pam_mount.conf(5) for a description.
> -->
>
> <pam_mount>
>
> <!-- debug should come before everything else,
> since this file is still processed in a single pass
> from top-to-bottom -->
>
> <!--<debug enable="0" /> -->
> <debug enable="3" />
>
> <!-- Volume definitions -->
> <volume
>   fstype="cifs"
>   server="devstation.samdom.example.com"
>   path="data"
>   mountpoint="/home/SAMDOM/data"
>   uid="10000-640000"
>   options="user=%(USER),domain=samdom,sec=krb5,cruid=%(USERUID),multiuser,vers=3.0"
> />
>
> <!-- pam_mount parameters: General tunables -->
>
> <!--
> <luserconf name=".pam_mount.conf.xml" />
> -->
>
> <!-- Note that commenting out mntoptions will give you the defaults.
> You will need to explicitly initialize it with the empty string
> to reset the defaults to nothing. -->
> <mntoptions
> allow="nosuid,nodev,loop,encryption,fsck,nonempty,allow_root,allow_other" />
> <!--
> <mntoptions deny="suid,dev" />
> <mntoptions allow="*" />
> <mntoptions deny="*" />
> -->
> <mntoptions require="nosuid,nodev" />
>
> <!-- requires ofl from hxtools to be present -->
> <logout wait="0" hup="no" term="no" kill="no" />
>
> <!-- We need to over-ride the cifs mount command so that uid and gid are
> not set as they would be by default. This would result in a permission
> denied error. -->
> <cifsmount>mount -t cifs //%(SERVER)/%(VOLUME) %(MNTPT) -o %(OPTIONS)</cifsmount>
>
> <!-- pam_mount parameters: Volume-related -->
>
> <mkmountpoint enable="1" remove="true" />
>
>
> </pam_mount>
>
> Logged out as root and logged in as 'rowland'
>
> This lead to this in /var/log/auth.log:
>
> Dec 24 10:48:30 deb11 lightdm: pam_unix(lightdm:session): session opened
> for user rowland(uid=11104) by (uid=0)
> Dec 24 10:48:30 deb11 lightdm: (pam_mount.c:568): pam_mount 2.18:
> entering session stage
> Dec 24 10:48:30 deb11 lightdm: (mount.c:776): Could not get realpath of
> /home/SAMDOM/data: No such file or directory
> Dec 24 10:48:30 deb11 lightdm: (mount.c:246): Mount info: globalconf,
> user=rowland <volume fstype="cifs"
> server="devstation.samdom.example.com" path="data"
> mountpoint="/home/SAMDOM/data"cipher="(null)" fskeypath="(null)"
> fskeycipher="(null)" fskeyhash="(null)"
> options="user=rowland,domain=samdom,sec=krb5,cruid=11104,multiuser,vers=3.0" /> fstab=0 ssh=0
> Dec 24 10:48:30 deb11 lightdm: (mount.c:300): mkmountpoint: checking /home
> Dec 24 10:48:30 deb11 lightdm: (mount.c:300): mkmountpoint: checking
> /home/SAMDOM
> Dec 24 10:48:30 deb11 lightdm: (mount.c:300): mkmountpoint: checking
> /home/SAMDOM/data
> Dec 24 10:48:30 deb11 lightdm: (mount.c:340): mkdir[0] /home/SAMDOM/data
> Dec 24 10:48:30 deb11 lightdm: (mount.c:346): chown /home/SAMDOM/data ->
> 11104:10513
> Dec 24 10:48:30 deb11 lightdm: (mount.c:655): Password will be sent to
> helper as-is.
> Dec 24 10:48:30 deb11 lightdm: command: 'mount' '-t' 'cifs'
> '//devstation.samdom.example.com/data' '/home/SAMDOM/data' '-o'
> 'user=rowland,domain=samdom,sec=krb5,cruid=11104,multiuser,vers=3.0'
> ..............................................
> Dec 24 10:48:31 deb11 lightdm: (mount.c:549): 229 27 0:37 /
> /home/SAMDOM/data rw,relatime shared:129 - cifs
> //devstation.samdom.example.com/data
> rw,vers=3.0,sec=krb5,cruid=11104,cache=strict,multiuser,domain=samdom,uid=0,noforceuid,gid=0,noforcegid,addr=192.168.1.5,file_mode=0755,dir_mode=0755,soft,nounix,serverino,mapposix,noperm,rsize=4194304,wsize=4194304,bsize=1048576,echo_interval=60,actimeo=1,closetimeo=5
> Dec 24 10:48:31 deb11 lightdm: command: 'pmvarrun' '-u' 'rowland' '-o' '1'
> Dec 24 10:48:31 deb11 lightdm: (pam_mount.c:441): pmvarrun says login
> count is 1
> Dec 24 10:48:31 deb11 lightdm: (pam_mount.c:660): done opening session
> (ret=0)
> Dec 24 10:48:31 deb11 systemd-logind[450]: New session 17 of user rowland.
>
> And this in /var/log/syslog:
>
> Dec 24 10:48:30 deb11 cifs.upcall: key description:
> cifs.spnego;0;0;39010000;ver=0x2;host=devstation.samdom.example.com;ip4=192.168.1.5;sec=krb5;uid=0x0;creduid=0x2b60;user=rowland;pid=0x887b2
> Dec 24 10:48:30 deb11 cifs.upcall: ver=2
> Dec 24 10:48:30 deb11 cifs.upcall: host=devstation.samdom.example.com
> Dec 24 10:48:30 deb11 cifs.upcall: ip=192.168.1.5
> Dec 24 10:48:30 deb11 cifs.upcall: sec=1
> Dec 24 10:48:30 deb11 cifs.upcall: uid=0
> Dec 24 10:48:30 deb11 cifs.upcall: creduid=11104
> Dec 24 10:48:30 deb11 cifs.upcall: user=rowland
> Dec 24 10:48:30 deb11 cifs.upcall: pid=559026
> Dec 24 10:48:30 deb11 cifs.upcall: get_cachename_from_process_env:
> pathname=/proc/559026/environ
> Dec 24 10:48:30 deb11 cifs.upcall: get_cachename_from_process_env:
> cachename = FILE:/tmp/krb5cc_11104
> Dec 24 10:48:30 deb11 cifs.upcall: get_existing_cc: default ccache is
> FILE:/tmp/krb5cc_11104
> Dec 24 10:48:30 deb11 cifs.upcall: handle_krb5_mech: getting service
> ticket for devstation.samdom.example.com
> Dec 24 10:48:30 deb11 cifs.upcall: handle_krb5_mech: obtained service
> ticket
> Dec 24 10:48:30 deb11 cifs.upcall: Exit status 0
>
> And when I went to --> Places --> Computer --> File System --> home -->
> SAMDOM
>
> There was a folder named 'data' which contained files and folders from
> //devstation/data.
>
> When I looked in /tmp, I found 'krb5cc_11104', and running 'getent
> passwd rowland' produced this:
>
> rowland:*:11104:10513:Rowland Penny:/home/rowland:/bin/bash
>
> Rowland
--
Stefan Kania
Landweg 13
25693 St. Michaelisdonn
Signing every e-mail helps reduce spam and protects your privacy.
You can obtain a free certificate at
https://www.dgn.de/dgncert/index.html
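The thread's root cause was a single mistyped pam_mount placeholder, `%(USERID)` instead of `%(USERUID)`, which pam_mount does not expand, so cifs.upcall never received a numeric `cruid` matching the credential cache `krb5cc_<uid>`. The following is an added offline checker, not code from the thread or from pam_mount itself: it parses the `<volume>` entries of a pam_mount.conf.xml, expands the `%(VAR)` placeholders as pam_mount would, reports any unknown placeholder name, and compares the expanded `cruid` with the cache path derived from a krb5 `default_ccache_name` template. The set of known placeholder names is an assumed subset of those documented in pam_mount.conf(5); the two config strings and the user record (uid 11104, gid 10513, as in the quoted `getent` output) are constructed for the example.

```python
"""Offline sanity check for pam_mount <volume> options against krb5 ccache naming.

Added example (not from the samba thread or from pam_mount). It expands
pam_mount's %(VAR) placeholders, flags unknown names such as the %(USERID)
typo from the thread, and checks that the expanded cruid matches the uid
in the ccache path derived from default_ccache_name.
"""
import re
import xml.etree.ElementTree as ET

# Assumption: a subset of the placeholder names pam_mount.conf(5) documents.
KNOWN_VARS = {"USER", "USERUID", "USERGID", "GROUP", "DOMAIN_NAME",
              "DOMAIN_USER", "SERVER", "VOLUME", "MNTPT", "OPTIONS", "FSTYPE"}

PLACEHOLDER = re.compile(r"%\((\w+)\)")

# Constructed configs: the broken one (USERID typo) and the corrected one.
BROKEN_CONF = """<pam_mount>
  <volume fstype="cifs" server="devstation.samdom.example.com" path="data"
          mountpoint="/home/SAMDOM/data"
          options="user=%(USER),domain=samdom,sec=krb5,cruid=%(USERID),multiuser,vers=3.0" />
</pam_mount>"""

FIXED_CONF = BROKEN_CONF.replace("%(USERID)", "%(USERUID)")

# Constructed user record (values match the getent output quoted in the thread).
USER = {"USER": "rowland", "USERUID": "11104", "USERGID": "10513"}


def expand(template, user):
    """Substitute %(VAR) placeholders; return (expanded text, set of unknown names)."""
    unknown = set()

    def sub(match):
        name = match.group(1)
        if name not in KNOWN_VARS:
            unknown.add(name)
            return match.group(0)  # leave the typo in place so it stays visible
        return user.get(name, match.group(0))

    return PLACEHOLDER.sub(sub, template), unknown


def ccache_path(default_ccache_name, uid):
    """Expand krb5's %{uid} in a template such as FILE:/tmp/krb5cc_%{uid}."""
    return default_ccache_name.replace("%{uid}", str(uid))


def check_volumes(conf_xml, user, default_ccache_name="FILE:/tmp/krb5cc_%{uid}"):
    """Return one result dict per <volume>: expanded options, unknown
    placeholders, the cruid value and whether it points at the user's own cache."""
    results = []
    for vol in ET.fromstring(conf_xml).iter("volume"):
        options, unknown = expand(vol.get("options", ""), user)
        # Split "k=v,flag,..." into a dict; bare flags map to True.
        opts = dict(o.split("=", 1) if "=" in o else (o, True)
                    for o in options.split(",") if o)
        cruid = opts.get("cruid")
        results.append({
            "mountpoint": vol.get("mountpoint"),
            "options": options,
            "unknown_vars": sorted(unknown),
            "cruid": cruid,
            "expected_ccache": ccache_path(default_ccache_name, user["USERUID"]),
            # sec=krb5 only works if cruid names the uid whose ccache holds the TGT
            "cruid_ok": opts.get("sec") == "krb5" and cruid == user["USERUID"],
        })
    return results


if __name__ == "__main__":
    for label, conf in (("broken", BROKEN_CONF), ("fixed", FIXED_CONF)):
        for r in check_volumes(conf, USER):
            print(label, r["mountpoint"], "cruid_ok=%s" % r["cruid_ok"],
                  "unknown=%s" % r["unknown_vars"], "ccache=%s" % r["expected_ccache"])
```

Run it as-is to see the broken config report `unknown=['USERID']` and `cruid_ok=False`, while the fixed config expands to `cruid=11104` and `FILE:/tmp/krb5cc_11104`, the same cache name cifs.upcall logged in the thread. To check a real host, read `/etc/security/pam_mount.conf.xml` and `default_ccache_name` from `/etc/krb5.conf` and fill the user dict from `getent passwd`.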