[Samba] Samba, Kerberos, Autofs: Shares get disconnected

Kees van Vloten keesvanvloten at gmail.com
Wed Feb 28 08:32:01 UTC 2024


On 28-02-2024 at 09:02, Pluess, Tobias via samba wrote:
> Hello again,
>
> I would like to ask if there exists any possibility to have a Samba mount
> point with multiuser and with a credentials file or something similar.
> After a couple of weeks of testing I just found that my shares get disconnected
> after one week, which is not acceptable: I have stored some large project
> files on the Samba share which is opened in some calculation software, and
> simulations take up to one month; during this time, the computer needs
> access to the Samba share.
Did you try a multiuser mount with the computer's machine account?
> I am considering a plain old credentials file now, with a service account,
> but two things I dislike about this approach:
>
> a) credentials file contains clear text password;
> b) as the permissions of the service account will be used, all users will
> be able to access the share, i.e. access permissions of the service account
> are considered, and not of the currently logged in user.
>
> So I am really sorry for asking again, but is it even possible with Linux
> or probably not?
>
> Thanks!
> best
> Tobias
>
> On Mon, Feb 12, 2024 at 10:20 AM Rowland Penny via samba <
> samba at lists.samba.org> wrote:
>
>> On Mon, 12 Feb 2024 09:38:01 +0100
>> "Pluess, Tobias via samba" <samba at lists.samba.org> wrote:
>>
>>> Good day
>>>
>>> please excuse my delayed response.
>>> Thanks for the hint with the machine account. I will try this.
>>> I realised I can also manually refresh Kerberos tickets.
>>>
>>> I have the following:
>>>
>>> $ klist
>>> Valid starting       Expires              Service principal
>>> 02/12/2024 08:39:44  02/12/2024 18:39:44  krbtgt/CAMPUS
>>> renew until 02/13/2024 08:39:40
>>>
>>> so this ticket is valid until 12. February 18:39. Fine.
>> Not really, my tickets have a renewal time of one week i.e.
>>
>> klist -c /tmp/krb5cc_11104
>> Ticket cache: FILE:/tmp/krb5cc_11104
>> Default principal: rowland at SAMDOM.EXAMPLE.COM
>>
>> Valid starting     Expires            Service principal
>> 12/02/24 07:56:02  12/02/24 17:56:02  krbtgt/SAMDOM.EXAMPLE.COM at SAMDOM.EXAMPLE.COM
>>          renew until 19/02/24 07:56:02
>>
>>
>>> And I can
>>> refresh it using kinit -R. This also works.
>> You shouldn't have to manually refresh the ticket, winbind can do it
>> for you.
>>
>>> However, there is the
>>> line "renew until". I read that this means this very ticket can only
>>> be refreshed until 13. February 8:39. After that date, it is no
>>> longer possible to refresh this ticket. So I am still wondering how
>>> it could be possible to have a mountpoint that uses Kerberos and
>>> stays connected for longer than a couple days, without disconnecting
>>> and reconnecting again? Is that even possible?
>> I think we need to see your /etc/krb5.conf and the output of 'testparm
>> -s'
>>
>>> Will try now the machine account as well, hopefully with better
>>> results.
>> The machine ticket can mount a share, but you will also need
>> 'multiuser' and your users will also require a valid ticket.
>>
>>> Concerning the questions for autofs:
>>> This is a service that automatically mounts any file systems as soon
>>> as they are accessed. I didn't want to put my network shares into the
>>> fstab, as this may cause trouble when the network is not reachable
>>> for some reason. With autofs, the shares are mounted as soon as they
>>> are accessed, and unmounted if no process is accessing them anymore.
>>>
>> Surely the network not being reachable is also a problem for autofs and
>> what if the connection goes idle (for whatever reason), does autofs
>> drop the connection?
>>
>> Rowland
>>
>>
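
The "renew until" limit discussed in this thread, as an added example that is not part of the original messages: a Python sketch that parses klist output and reports the latest time a TGT can be kept valid by renewal (kinit -R or winbind). The sample outputs are constructed, modelled on the two quoted above; the function names and the job_days parameter are hypothetical.

```python
import re
from datetime import datetime, timedelta

# Constructed samples modelled on the two klist outputs quoted in the thread.
KLIST_SHORT = """\
Valid starting       Expires              Service principal
02/12/2024 08:39:44  02/12/2024 18:39:44  krbtgt/CAMPUS
        renew until 02/13/2024 08:39:40
"""
KLIST_WEEK = """\
Valid starting     Expires            Service principal
12/02/24 07:56:02  12/02/24 17:56:02  krbtgt/SAMDOM.EXAMPLE.COM@SAMDOM.EXAMPLE.COM
        renew until 19/02/24 07:56:02
"""

STAMP = r"(\d{2}/\d{2}/\d{2,4} \d{2}:\d{2}:\d{2})"
TICKET = re.compile(STAMP + r"\s+" + STAMP + r"\s+(krbtgt/\S+)")
RENEW = re.compile(r"renew until\s+" + STAMP)

def parse_tgt(text, datefmt):
    """Return (start, expires, renew_until) of the krbtgt entry.
    datefmt is the locale's date layout, e.g. "%m/%d/%Y" or "%d/%m/%y";
    renew_until is None when the ticket is not renewable."""
    m = TICKET.search(text)
    if not m:
        raise ValueError("no krbtgt entry found")
    fmt = datefmt + " %H:%M:%S"
    start, expires = (datetime.strptime(s, fmt) for s in m.group(1, 2))
    r = RENEW.search(text, m.end())
    renew = datetime.strptime(r.group(1), fmt) if r else None
    return start, expires, renew

def credential_horizon(text, datefmt, job_days):
    """Latest time the TGT can stay valid through renewal, and whether that
    covers a job of job_days counted from the ticket's start time."""
    start, expires, renew = parse_tgt(text, datefmt)
    # Renewal never extends validity past 'renew until'; a non-renewable
    # ticket simply ends at 'Expires'. After the horizon a fresh ticket
    # (password or keytab) is required.
    horizon = renew or expires
    return horizon, horizon >= start + timedelta(days=job_days)

if __name__ == "__main__":
    for name, text, fmt in (("short", KLIST_SHORT, "%m/%d/%Y"),
                            ("week", KLIST_WEEK, "%d/%m/%y")):
        horizon, ok = credential_horizon(text, fmt, job_days=30)
        print(f"{name}: renewable until {horizon}, covers 30-day job: {ok}")
```

Neither sample ticket covers a month-long job through renewal alone, which is why the thread turns to credentials that can be re-acquired without a user present.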


