[Samba] Samba, Kerberos, Autofs: Shares get disconnected

Pluess, Tobias tpluess at ieee.org
Wed Feb 7 09:11:23 UTC 2024


Hi Kees,

I do not think the share keeps being mounted while nobody is logged in, as
I try to use autofs, which only mounts shares when they are actually
accessed.
So the scenario is

a) some user logs into his workstation, a Kerberos ticket is created
b) the user accesses the share, works fine
c) the user does not switch off the PC, e.g. because some programs need to continue
running during the weekend
d) when the user returns after more than 10 hours have passed, he is still
logged into his workstation, but the ticket has expired and he can no
longer access the share, and autofs cannot remount it, as the ticket has
expired.

How do I use the machine account for mounting?


On Wed, Feb 7, 2024 at 9:56 AM Kees van Vloten <keesvanvloten at gmail.com>
wrote:

>
> On 06-02-2024 at 16:02, Pluess, Tobias wrote:
>
> > Good day Kees,
> >
> > I have no special user to connect the share. Instead, I tried to use the
> > user's own Kerberos ticket, which seems to work fine.
> > I use the options
> >
> > sec=krb5,multiuser,cruid=$USER
> >
> > to mount the share. That seems to accept the user's Kerberos ticket which
> > is created when he logs in.
> >
> > best
> > Tobias
>
> It looks like the share remains mounted while the user logs out, is that
> correct?
>
> In any case the user's kerberos ticket is not valid at some point in time
> (likely after it expires after 10h) and hence the error "required key not
> available".
>
> When the user is logged in, it will refresh the ticket on time, so this
> does not (or at least, should not) happen.
>
> Why not unmount the share when the user logs out?
>
> Or if you want it to remain mounted, I would suggest to use the machine
> account to mount it with a multi-user mount. The machine-account ticket
> gets refreshed by winbind with the option Rowland suggested.
>
> - Kees.
>
>
>
> On Tue, Feb 6, 2024 at 1:37 PM Kees van Vloten via samba <
> samba at lists.samba.org> wrote:
>
>>
>> On 06-02-2024 at 13:27, Pluess, Tobias via samba wrote:
>> > Hi,
>> > I am still trying to figure out the best settings for Samba and Kerberos
>> > with autofs.
>> > My setup so far works well: users can log in on their computers using AD
>> > credentials, and they can access network shares with AD credentials as
>> > well. This works perfectly.
>> > Also I notice that some Kerberos ticket is created upon user login, which
>> > allows the users to access a Samba share without entering the password,
>> > which is very convenient.
>> > For this to work, I had to create the SPNs in AD. However, that worked. So
>> > currently, it all works quite conveniently.
>> > Further, I have configured autofs to automatically mount for each user the
>> > network shares they need.
>> > For this, I used the "multiuser" and "sec=krb5" options. This also works as
>> > I expected. However, I notice the following problem.
>> >
>> > Assume I log in on my workstation and I have a Samba share automounted (via
>> > autofs) under /storage/work. Just after logging in to my workstation, I
>> > can easily access the share without trouble. However, when I leave my
>> > workstation running during the night and return the next morning, I notice
>> > that /storage/work has been disconnected, even if I had some program running
>> > there that accesses these data. Furthermore, autofs can no longer
>> > automatically reconnect the network share; it claims "required key not
>> > available". The only way to reconnect the share seems to be
>> >
>> > a) stop autofs
>> > b) kdestroy
>> > c) kinit, and enter the password
>> > d) restart autofs
>> >
>> > then the share works again as normal.
>> > I wonder, is this behaviour intentional, or is this a bug or just
>> > misconfiguration? I thought as long as I stay logged in on my workstation,
>> > the Kerberos ticket does not expire. However, according to the above error
>> > message from autofs this seems not to be the case. Can I somehow fix this?
>> > It happens often that I leave my computer running overnight, with some
>> > program left open to access some network shares. Previously I did that with
>> > a credentials file, but I still dislike this concept and would favour
>> > autofs + Kerberos if possible.
>> >
>> > Thanks
>> > best
>> > Tobias
>>
>> A ticket expires after 10 hours (this is the default setting), I guess
>> you need to do something to refresh it. Are you using the user's ticket
>> to mount the share or do you have a special user that performs a
>> multi-user mount?
>>
>> - Kees.
>>
>
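The thread boils down to a TGT with the default 10-hour lifetime outliving neither the night nor the user's session. As an added example (not from this thread or from the Samba project), the following Python check parses MIT `klist` output and tells whether the TGT will still cover a given look-ahead window, whether `kinit -R` can still extend it, or whether only a fresh `kinit` (or a machine-account mount) will bring the share back. The klist output, principal names and the 16-hour window are constructed sample values.

```python
import re
from datetime import datetime, timedelta

# Constructed sample of MIT `klist` output (not real data): a TGT issued at
# 08:00 with the default 10h lifetime, renewable for 7 days, plus the cifs
# service ticket autofs/mount.cifs obtained for the share.
SAMPLE_KLIST = """\
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: tobias@EXAMPLE.COM

Valid starting       Expires              Service principal
02/06/2024 08:00:00  02/06/2024 18:00:00  krbtgt/EXAMPLE.COM@EXAMPLE.COM
	renew until 02/13/2024 08:00:00
02/06/2024 08:00:12  02/06/2024 18:00:00  cifs/fileserver.example.com@EXAMPLE.COM
"""

TS = r"\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}"
TICKET_RE = re.compile(rf"^({TS})\s+({TS})\s+(\S+)\s*$")
RENEW_RE = re.compile(rf"^\s+renew until ({TS})\s*$")
FMT = "%m/%d/%Y %H:%M:%S"


def parse_klist(text):
    """Return one dict per ticket: principal, expires, renew_until (or None)."""
    tickets = []
    for line in text.splitlines():
        m = TICKET_RE.match(line)
        if m:
            tickets.append({"principal": m.group(3),
                            "expires": datetime.strptime(m.group(2), FMT),
                            "renew_until": None})
        elif tickets and (m := RENEW_RE.match(line)):
            # "renew until" lines belong to the ticket printed just above them
            tickets[-1]["renew_until"] = datetime.strptime(m.group(1), FMT)
    return tickets


def check_tgt(text, now, horizon=timedelta(hours=16)):
    """Classify the TGT against a look-ahead window (assumed 16h, roughly a
    workstation left on overnight): 'ok' if it outlives the window, 'renew'
    if it is still valid and renewable so `kinit -R` can extend it now, and
    'expired' if only a fresh `kinit` (or a machine-account mount) will help."""
    tgt = next(t for t in parse_klist(text) if t["principal"].startswith("krbtgt/"))
    if tgt["expires"] > now + horizon:
        return "ok"
    if now < tgt["expires"] and tgt["renew_until"] and now < tgt["renew_until"]:
        return "renew"
    return "expired"
```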

