* kerberised cifs must have root krb5cc_0 cache?
@ 2013-04-13 14:27 steve
       [not found] ` <51696B62.7060103-dZ4O0aZtNmBWk0Htik3J/w@public.gmane.org>
  0 siblings, 1 reply; 4+ messages in thread
From: steve @ 2013-04-13 14:27 UTC (permalink / raw)
  To: linux-cifs-u79uwXL29TY76Z2rM5mHXA

Ubuntu 12.10 clients in a Samba4 domain.

Hi
We are automounting cifs using:
-osec=krb5,multiuser.

It seems that unless the root cache:
/tmp/krb5cc_0
is present, users cannot enter the share even if they have a ticket with 
their own cache under /tmp

Is this the correct behavior?

If so, how to go about maintaining the cache alive. I thought about 
creating a domain user, say autofs-user and extracting his keytab. I 
would then run a script as root that calls k5start to maintain the 
ticket cache. But then, it could be overwritten if, say, Administrator 
logs in from a root account. Would that matter? So long as the root 
cache is present, does it matter which principal it has?

Cheers,
Steve


* Re: kerberised cifs must have root krb5cc_0 cache?
       [not found] ` <51696B62.7060103-dZ4O0aZtNmBWk0Htik3J/w@public.gmane.org>
@ 2013-04-14 12:05   ` Jeff Layton
       [not found]     ` <20130414080525.4871cca2-9yPaYZwiELC+kQycOl6kW4xkIHaj4LzF@public.gmane.org>
  0 siblings, 1 reply; 4+ messages in thread
From: Jeff Layton @ 2013-04-14 12:05 UTC (permalink / raw)
  To: steve; +Cc: linux-cifs-u79uwXL29TY76Z2rM5mHXA

On Sat, 13 Apr 2013 16:27:46 +0200
steve <steve-dZ4O0aZtNmBWk0Htik3J/w@public.gmane.org> wrote:

> Ubuntu 12.10 clients in a Samba4 domain.
> 
> Hi
> We are automounting cifs using:
> -osec=krb5,multiuser.
> 
> It seems that unless the root cache:
> /tmp/krb5cc_0
> is present, users cannot enter the share even if they have a ticket with 
> their own cache under /tmp
> 
> Is this the correct behavior?
> 
> If so, how to go about maintaining the cache alive. I thought about 
> creating a domain user, say autofs-user and extracting his keytab. I 
> would then run a script as root that calls k5start to maintain the 
> ticket cache. But then, it could be overwritten if, say, Administrator 
> logs in from a root account. Would that matter? So long as the root 
> cache is present, does it matter which principal it has?
> 
> Cheers,
> Steve

You do need a krb5 ticket somewhere to use as root's credentials. If
you set the cruid= mount option that can be a credcache owned by a
different user.

Alternately, you can set up the system-wide keytab in /etc/krb5.keytab
with the correct credentials for root.

-- 
Jeff Layton <jlayton-vpEMnDpepFuMZCB2o+C8xQ@public.gmane.org>

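The replies above boil down to one rule: a sec=krb5 multiuser cifs mount needs a usable credential for the initial session that root establishes (root's own /tmp/krb5cc_0, the cache of the uid named by cruid=, or credentials in /etc/krb5.keytab); per-user sessions then use each user's own cache. The following checker is an added example, not code from the thread or from cifs-utils: it parses the two option strings posted here (an autofs "-o" string and an fstab line), reports which cache the initial session will look for, and says whether that cache is present. It assumes the default FILE:/tmp/krb5cc_<uid> cache naming and a numeric cruid=; the keytab route is only named in the findings, not verified.

```python
"""Which Kerberos credential will a cifs multiuser mount use for its
initial (root) session?  Checker over fstab / autofs option strings.

Added example for this thread; not code from the posts or from cifs-utils.
Assumptions are marked in comments.
"""
import os
from typing import Dict, Iterable, List, Optional

# Kerberos security flavours listed in mount.cifs(8).
KRB5_FLAVOURS = {
    "krb5": "Kerberos authentication, packets not signed",
    "krb5i": "Kerberos authentication with packet signing",
}

# Option strings taken from the two posts above (constructed test input).
AUTOFS_OPTS = "-osec=krb5,multiuser"
FSTAB_LINE = ("//server/share /localmntpoint cifs "
              "cache=strict,sec=krb5i,multiuser,acl,username=MACHINENAME$ 0 2")


def parse_options(opt_string: str) -> Dict[str, Optional[str]]:
    """Split a comma-separated mount option string into a dict.

    Bare flags ('multiuser') map to None; 'key=value' keeps the value.
    A leading '-o', as written in an autofs map entry, is stripped.
    """
    opt_string = opt_string.strip()
    if opt_string.startswith("-o"):
        opt_string = opt_string[2:].lstrip()
    opts: Dict[str, Optional[str]] = {}
    for item in opt_string.split(","):
        item = item.strip()
        if not item:
            continue
        key, sep, value = item.partition("=")
        opts[key] = value if sep else None
    return opts


def parse_fstab_line(line: str) -> Dict[str, Optional[str]]:
    """Return the option dict of an fstab line if it is a cifs entry, else {}."""
    fields = line.split()          # source, mountpoint, fstype, options, dump, pass
    if len(fields) < 4 or fields[2] != "cifs":
        return {}
    return parse_options(fields[3])


def credential_cache_for(opts: Dict[str, Optional[str]]) -> str:
    """Path of the ticket cache the initial session depends on.

    cruid=<uid> selects that user's cache; without it the upcall looks for
    root's.  Assumption: default FILE:/tmp/krb5cc_<uid> naming and a numeric
    cruid (a user name would first have to be resolved to a uid).
    """
    cruid = opts.get("cruid")
    if cruid is None:
        uid = 0
    elif cruid.isdigit():
        uid = int(cruid)
    else:
        raise ValueError(f"cruid={cruid!r}: resolve the name to a uid first")
    return f"/tmp/krb5cc_{uid}"


def audit(opts: Dict[str, Optional[str]],
          present_caches: Iterable[str] = ()) -> List[str]:
    """Findings for one mount.  present_caches is injected so this runs
    offline; for a live check pass ticket_caches_in_tmp()."""
    findings: List[str] = []
    sec = opts.get("sec")
    if sec not in KRB5_FLAVOURS:
        return [f"sec={sec!r} is not a Kerberos flavour; nothing to check"]
    findings.append(f"sec={sec}: {KRB5_FLAVOURS[sec]}")
    if sec == "krb5":
        findings.append("sec=krb5i would additionally sign traffic (as in the posted fstab)")
    if "multiuser" in opts:
        findings.append("multiuser: later sessions use each user's own ticket cache")
    cache = credential_cache_for(opts)
    if cache in set(present_caches):
        findings.append(f"initial session credential {cache} is present")
    else:
        findings.append(f"initial session credential {cache} is missing: keep it alive "
                        "(k5start from a keytab), point cruid= at a uid that has one, "
                        "or provide root's credentials in /etc/krb5.keytab")
    user = opts.get("username")
    if user and user.endswith("$"):
        findings.append(f"username={user}: machine-account principal, the keytab route")
    return findings


def ticket_caches_in_tmp() -> List[str]:
    """Default FILE: caches on this host (assumption: caches live in /tmp)."""
    return [os.path.join("/tmp", n) for n in os.listdir("/tmp") if n.startswith("krb5cc_")]


if __name__ == "__main__":
    for label, opts in (("autofs", parse_options(AUTOFS_OPTS)),
                        ("fstab", parse_fstab_line(FSTAB_LINE))):
        print(f"[{label}]")
        for line in audit(opts, ticket_caches_in_tmp()):
            print("  " + line)
```

Run it as root on a client before users log in: if the autofs entry reports the root cache as missing, that is the state Steve describes, and the fix is one of the three listed in the finding. The cache list is passed in as a parameter so the same logic can be run against a snapshot (or in a test) rather than only against the live /tmp.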

* Re: kerberised cifs must have root krb5cc_0 cache?
       [not found]     ` <20130414080525.4871cca2-9yPaYZwiELC+kQycOl6kW4xkIHaj4LzF@public.gmane.org>
@ 2013-04-14 12:44       ` Robert J. Hendelman Jr
       [not found]         ` <1933147666.1014.1365943484239.JavaMail.root-LqVPM+lxSZAcWVvVuXF20w@public.gmane.org>
  0 siblings, 1 reply; 4+ messages in thread
From: Robert J. Hendelman Jr @ 2013-04-14 12:44 UTC (permalink / raw)
  To: Jeff Layton; +Cc: linux-cifs-u79uwXL29TY76Z2rM5mHXA, steve

The other option which worked for me was using the KRB5 credentials of the machine account to do the mount.

A few months ago Mr. Layton pointed this out to me and I did eventually end up getting it to work fairly well.  If you are root & need to browse around, you'll need to kinit as somebody (unless root is not just a local account but a domain user as well).  

My setup is samba 3.6.3 connected to AD, but I imagine it should work the same if you have a samba4 DC.

My fstab looks something like:

//server/share /localmntpoint cifs cache=strict,sec=krb5i,multiuser,acl,username=MACHINENAME$ 0 2

This is in ubuntu 12.10.

The only 2 issues I've found are: 

1) When logging in via xfce I have to log-in twice.  I login/logout so infrequently it doesn't matter much to me.  I'm not sure why this is, but it only happens when I have my homedir on a samba mount using the above mounting line.

2) Just after setting up this mountpoint, I experienced it not mounting at startup, however logging in with a localuser and doing "mount -a", it would then work & things would work normally.  This no longer happens (or doesn't happen regularly - race condition in ubuntu startup?) so I mostly had forgotten about it until I started typing this out.

For #2 I've opened a bug on launchpad:
https://bugs.launchpad.net/ubuntu/+source/upstart/+bug/1130781

Thanks,

Robert



* Re: kerberised cifs must have root krb5cc_0 cache?
       [not found]         ` <1933147666.1014.1365943484239.JavaMail.root-LqVPM+lxSZAcWVvVuXF20w@public.gmane.org>
@ 2013-04-14 23:28           ` steve
  0 siblings, 0 replies; 4+ messages in thread
From: steve @ 2013-04-14 23:28 UTC (permalink / raw)
  To: Robert J. Hendelman Jr; +Cc: Jeff Layton, linux-cifs-u79uwXL29TY76Z2rM5mHXA

Hi everyone and thanks for the input.

On 14/04/13 14:44, Robert J. Hendelman Jr wrote:
> The other option which worked for me was using the KRB5 credentials of the machine account to do the mount.
>
> A few months ago Mr. Layton pointed this out to me and I did eventually end up getting it to work fairly well.  If you are root & need to browse around, you'll need to kinit as somebody (unless root is not just a local account but a domain user as well).
>
> My setup is samba 3.6.3 connected to AD, but I imagine it should work the same if you have a samba4 DC.
>
> My fstab looks something like:
>
> //server/share /localmntpoint cifs cache=strict,sec=krb5i,multiuser,acl,username=MACHINENAME$ 0 2
>
> This is in ubuntu 12.10.
We've got around it for the moment by extracting a keytab and keeping 
the cache alive by using k5start. It's pretty ugly but it'll do until we 
get some time to tidy it up. I must admit that your solution is better. 
It's further complicated for us as we use autofs. Any reasons why it 
wouldn't adapt to the automounter? Will test and report back anyway if I 
get the time.
>
> The only 2 issues I've found are:
>
> 1) When logging in via xfce I have to log-in twice.  I login/logout so infrequently it doesn't matter much to me.  I'm not sure why this is, but it only happens when I have my homedir on a samba mount using the above mounting line.
Same here with LXDM. 2 logins are required. This has to be a DM issue 
since KDM logs in fine. The problem there is that you need most of KDE 
to get it installed.  It's more of an issue for us as users on the 
clients are constantly logging in and out. Do you think this is worth a 
bug report? Reproducible on openSUSE. Maybe the XFCE DM and LXDM have 
something in common.
>
> 2) Just after setting up this mountpoint, I experienced it not mounting at startup, however logging in with a localuser and doing "mount -a", it would then work & things would work normally.  This no longer happens (or doesn't happen regularly - race condition in ubuntu startup?) so I mostly had forgotten about it until I started typing this out.
Unfortunately our hardware isn't up to maintaining permanent mounts, so 
we have to use the automounter. Maybe the latter could be an interim 
solution for you until the bug is fixed?
>
> For #2 I've opened a bug on launchpad:
> https://bugs.launchpad.net/ubuntu/+source/upstart/+bug/1130781
>
> Thanks,
>
> Robert
Cheers,
Steve

