From mboxrd@z Thu Jan 1 00:00:00 1970
From: steve
Subject: Re: multiuser kerberised cifs via autofs needs root ticket cache
Date: Sat, 27 Apr 2013 01:22:34 +0200
Message-ID: <517B0C3A.80809@steve-ss.com>
References: <51723F74.3010807@steve-ss.com> <20130426101410.1754c9ab@tlielax.poochiereds.net>
Mime-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Cc: linux-cifs-u79uwXL29TY76Z2rM5mHXA@public.gmane.org
To: Jeff Layton
Return-path:
In-Reply-To: <20130426101410.1754c9ab-9yPaYZwiELC+kQycOl6kW4xkIHaj4LzF@public.gmane.org>
Sender: linux-cifs-owner-u79uwXL29TY76Z2rM5mHXA@public.gmane.org
List-ID:

On 26/04/13 16:14, Jeff Layton wrote:
> On Sat, 20 Apr 2013 09:10:44 +0200
> steve wrote:
>
>> Hi
>> one of my automount files is:
>> * -fstype=cifs,sec=krb5,multiuser ://doloresdc/users/&
>>
>> It works fine but only if the krb5cc_0 cache is available under /tmp.
>> When a user logs in, he gets his own cache. With multiuser, why isn't
>> that good enough to be able to mount his share?
>>
> Because you haven't specified the cruid= that should be used to mount
> the share and act as the root credentials for the mount.
>
> I don't think you really want "multiuser" in the above situation. It
> sounds like you're trying to set up each autofs-mounted cifs filesystem
> for a single user.
>
> In that case, you probably want to do something like:
>
> * -fstype=cifs,sec=krb5,uid=&,gid=&,cruid=& ://doloresdc/users/&

No, it doesn't work. We'd need one & for the uid and another for the gid. We can only have one wild card, I think. It's important that even though it's a single user mount, the files created in it are owned by the uid:gid of the user. multiuser gives us this, plus it's essential for mounts where many users have group rw to the files in the share.

> ...assuming of course that the directory names under that filesystem
> match the usernames of your users.
>
>> Question, if we really must have the root cache then how do I get that
>> on boot? I need to run this as root:
>> kinit -k steve2 to get the cache with my key in /etc/krb5.keytab. I
>> can't find a way to be able to do that on either Ubuntu 12.10 or
>> openSUSE 12.3.
>>
> I think you're confused as to what "multiuser" does. It allows users to
> access the *same* mounted filesystem with their own krb5 creds. IOW,
> instead of trying to use autofs like you are here, you could simply
> do this:
>
> mount -t cifs //doloresdc/users /cifsusers -o sec=krb5,multiuser
>
> ...assuming that you have a credcache for uid=0 or proper credentials
> in /etc/krb5.keytab, then it should mount and users can access
> everything under /cifsusers with their own credentials.
>

Hi
Yes, the permanent mount works, but it's slow when the LAN is busy. The automounter speeds things up quite a bit. Maybe our hardware isn't up to maintaining the permanent mount. But, in any case, what you are saying is that I have to keep a root cache alive under /tmp to make any mount at all. That's what we're finding. How do we go about that? A cron to do kinit -k MACHINE$ every few hours, for example? k5start looks ok too.
Cheers,
Steve