* multiuser kerberised cifs via autofs needs root ticket cache
From: steve @ 2013-04-20 7:10 UTC
To: linux-cifs-u79uwXL29TY76Z2rM5mHXA

Hi
one of my automount files is:
* -fstype=cifs,sec=krb5,multiuser ://doloresdc/users/&
It works fine but only if the krb5cc_0 cache is available under /tmp.
When a user logs in, he gets his own cache. With multiuser, why isn't
that good enough to be able to mount his share?
Question, if we really must have the root cache then how do I get that
on boot? I need to run this as root:
kinit -k steve2 to get the cache with my key in /etc/krb5.keytab. I
can't find a way to be able to do that on either Ubuntu 12.10 or
openSUSE 12.3.
There must be an easy way.
Cheers,
Steve

* Re: multiuser kerberised cifs via autofs needs root ticket cache
From: Jeff Layton @ 2013-04-26 14:14 UTC
To: steve; +Cc: linux-cifs-u79uwXL29TY76Z2rM5mHXA

On Sat, 20 Apr 2013 09:10:44 +0200
steve <steve-dZ4O0aZtNmBWk0Htik3J/w@public.gmane.org> wrote:

> Hi
> one of my automount files is:
> * -fstype=cifs,sec=krb5,multiuser ://doloresdc/users/&
>
> It works fine but only if the krb5cc_0 cache is available under /tmp.
> When a user logs in, he gets his own cache. With multiuser, why isn't
> that good enough to be able to mount his share?
>

Because you haven't specified the cruid= that should be used to mount
the share and act as the root credentials for the mount.

I don't think you really want "multiuser" in the above situation. It
sounds like you're trying to set up each autofs-mounted cifs filesystem
for a single user.

In that case, you probably want to do something like:

* -fstype=cifs,sec=krb5,uid=&,gid=&,cruid=& ://doloresdc/users/&

...assuming of course that the directory names under that filesystem
match the usernames of your users.

> Question, if we really must have the root cache then how do I get that
> on boot? I need to run this as root:
> kinit -k steve2 to get the cache with my key in /etc/krb5.keytab. I
> can't find a way to be able to do that on either Ubuntu 12.10 or
> openSUSE 12.3.
>

I think you're confused as to what "multiuser" does. It allows users to
access the *same* mounted filesystem with their own krb5 creds. IOW,
instead of trying to use autofs like you are here, you could simply
do this:

mount -t cifs //doloresdc/users /cifsusers -o sec=krb5,multiuser

...assuming that you have a credcache for uid=0 or proper credentials
in /etc/krb5.keytab, then it should mount and users can access
everything under /cifsusers with their own credentials.

--
Jeff Layton <jlayton-eUNUBHrolfbYtjvyW6yDsg@public.gmane.org>

* Re: multiuser kerberised cifs via autofs needs root ticket cache
From: steve @ 2013-04-26 23:22 UTC
To: Jeff Layton; +Cc: linux-cifs-u79uwXL29TY76Z2rM5mHXA

On 26/04/13 16:14, Jeff Layton wrote:
> On Sat, 20 Apr 2013 09:10:44 +0200
> steve <steve-dZ4O0aZtNmBWk0Htik3J/w@public.gmane.org> wrote:
>
>> Hi
>> one of my automount files is:
>> * -fstype=cifs,sec=krb5,multiuser ://doloresdc/users/&
>>
>> It works fine but only if the krb5cc_0 cache is available under /tmp.
>> When a user logs in, he gets his own cache. With multiuser, why isn't
>> that good enough to be able to mount his share?
>>
> Because you haven't specified the cruid= that should be used to mount
> the share and act as the root credentials for the mount.
>
> I don't think you really want "multiuser" in the above situation. It
> sounds like you're trying to set up each autofs-mounted cifs filesystem
> for a single user.
>
> In that case, you probably want to do something like:
>
> * -fstype=cifs,sec=krb5,uid=&,gid=&,cruid=& ://doloresdc/users/&

No, it doesn't work. We'd need one & for the uid and another for the
gid. We can only have one wild card I think. It's important that even
though it's a single user mount, that the files created in it are owned
by the uid:gid of the user. multiuser gives us this, plus it's essential
for mounts where many users have group rw to the files in the share.

>
> ...assuming of course that the directory names under that filesystem
> match the usernames of your users.
>
>> Question, if we really must have the root cache then how do I get that
>> on boot? I need to run this as root:
>> kinit -k steve2 to get the cache with my key in /etc/krb5.keytab. I
>> can't find a way to be able to do that on either Ubuntu 12.10 or
>> openSUSE 12.3.
>>
> I think you're confused as to what "multiuser" does. It allows users to
> access the *same* mounted filesystem with their own krb5 creds. IOW,
> instead of trying to use autofs like you are here, you could simply
> do this:
>
> mount -t cifs //doloresdc/users /cifsusers -o sec=krb5,multiuser
>
> ...assuming that you have a credcache for uid=0 or proper credentials
> in /etc/krb5.keytab, then it should mount and users can access
> everything under /cifsusers with their own credentials.
>

Hi
Yes, the permanent mount works but it's slow when the lan is busy. The
automounter speeds things up quite a bit. Maybe our hardware isn't up to
maintaining the permanent mount. But, in any case, what you are saying is
that I have to keep a root cache alive under /tmp to make any mount at
all. That's what we're finding. How do we go about that? A cron to do
kinit -k MACHINE$ every few hours for example? k5start looks ok too.
Cheers,
Steve

* Re: multiuser kerberised cifs via autofs needs root ticket cache
From: Jeff Layton @ 2013-04-30 13:22 UTC
To: steve; +Cc: linux-cifs-u79uwXL29TY76Z2rM5mHXA

On Sat, 27 Apr 2013 01:22:34 +0200
steve <steve-dZ4O0aZtNmBWk0Htik3J/w@public.gmane.org> wrote:

> On 26/04/13 16:14, Jeff Layton wrote:
> > On Sat, 20 Apr 2013 09:10:44 +0200
> > steve <steve-dZ4O0aZtNmBWk0Htik3J/w@public.gmane.org> wrote:
> >
> >> Hi
> >> one of my automount files is:
> >> * -fstype=cifs,sec=krb5,multiuser ://doloresdc/users/&
> >>
> >> It works fine but only if the krb5cc_0 cache is available under /tmp.
> >> When a user logs in, he gets his own cache. With multiuser, why isn't
> >> that good enough to be able to mount his share?
> >>
> > Because you haven't specified the cruid= that should be used to mount
> > the share and act as the root credentials for the mount.
> >
> > I don't think you really want "multiuser" in the above situation. It
> > sounds like you're trying to set up each autofs-mounted cifs filesystem
> > for a single user.
> >
> > In that case, you probably want to do something like:
> >
> > * -fstype=cifs,sec=krb5,uid=&,gid=&,cruid=& ://doloresdc/users/&
> No, it doesn't work. We'd need one & for the uid and another for the
> gid. We can only have one wild card I think. It's important that even
> though it's a single user mount, that the files created in it are owned
> by the uid:gid of the user. multiuser gives us this, plus it's essential
> for mounts where many users have group rw to the files in the share.

Yeah, you'd need to figure out what should be added into there if you
really think you need a separate mount per user directory. Note too
that there's a catch with the above configuration -- there's nothing
that prevents an entirely unrelated user from getting into the
directory that's been mounted and accessing it with the mount
credentials.

None of that's an issue however if you use a proper multiuser mount.

> >
> > ...assuming of course that the directory names under that filesystem
> > match the usernames of your users.
> >
> >> Question, if we really must have the root cache then how do I get that
> >> on boot? I need to run this as root:
> >> kinit -k steve2 to get the cache with my key in /etc/krb5.keytab. I
> >> can't find a way to be able to do that on either Ubuntu 12.10 or
> >> openSUSE 12.3.
> >>
> > I think you're confused as to what "multiuser" does. It allows users to
> > access the *same* mounted filesystem with their own krb5 creds. IOW,
> > instead of trying to use autofs like you are here, you could simply
> > do this:
> >
> > mount -t cifs //doloresdc/users /cifsusers -o sec=krb5,multiuser
> >
> > ...assuming that you have a credcache for uid=0 or proper credentials
> > in /etc/krb5.keytab, then it should mount and users can access
> > everything under /cifsusers with their own credentials.
> >
> Hi
> Yes, the permanent mount works but it's slow when the lan is busy. The
> automounter speeds things up quite a bit. Maybe our hardware isn't up to
> maintaining the permanent mount. But, in any case, what you are saying is
> that I have to keep a root cache alive under /tmp to make any mount at
> all.

No, that's not what I'm saying at all. You can get the same effect by
setting up credentials for root in /etc/krb5.keytab. Just pass in the
correct username= mount option for the principal that you want root to
be.

> That's what we're finding. How do we go about that? A cron to do
> kinit -k MACHINE$ every few hours for example? k5start looks ok too.
> Cheers, Steve
>

Erm...I'm not sure how to respond to this since it doesn't make much
sense. Perhaps you can outline what you mean? What, exactly, is "slow"
when you use a "permanent" multiuser mount? None of this should be
terribly taxing on a modern computer...

--
Jeff Layton <jlayton-eUNUBHrolfbYtjvyW6yDsg@public.gmane.org>
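Steve's objection that one & cannot supply both uid and gid can be met with an autofs executable (program) map, which computes the entry per key. The script below is an added example, not code from the thread; it keeps the share name from the thread, assumes the map file is installed executable so autofs treats it as a program map, and validates the key before building the entry, since any local user can trigger the automounter by naming a directory.

```sh
#!/bin/sh
# Added example (not from the thread): an autofs executable ("program") map.
# autofs runs an executable map file with the requested directory name as $1
# and takes the map entry from stdout; no output means "no such key".
# The share ://doloresdc/users is the thread's; everything else is assumed.

SERVER='://doloresdc/users'

# Resolve a login name to "uid gid" with id(1); fail if the account is unknown.
lookup_ids() {
    _uid=$(id -u "$1" 2>/dev/null) || return 1
    _gid=$(id -g "$1" 2>/dev/null) || return 1
    printf '%s %s\n' "$_uid" "$_gid"
}

# Emit the autofs entry for one key. Any local user can trigger this script
# just by naming a directory under the mount point, so the key is checked
# against a strict character set before it is interpolated into mount
# options or the UNC path (a key such as "alice,uid=0" is rejected).
map_entry() {
    key=$1
    case $key in
        ''|.|..|*[!A-Za-z0-9._-]*) return 1 ;;
    esac
    ids=$(lookup_ids "$key") || return 1   # unknown account: no entry
    set -- $ids                            # $1 = uid, $2 = gid
    # uid=/gid= make new files show the user's ownership; cruid= tells cifs
    # which user's krb5 ticket cache to use, so no root cache is needed.
    # Per the thread, a per-user mount still lets another local user who
    # can enter the directory use those credentials; multiuser avoids that.
    printf '%s,uid=%s,gid=%s,cruid=%s %s/%s\n' \
        '-fstype=cifs,sec=krb5' "$1" "$2" "$1" "$SERVER" "$key"
}

# When autofs invokes this file with a key, print the entry for it.
if [ $# -eq 1 ]; then
    map_entry "$1" || exit 1
fi
```

Point auto.master at the file (for example `/home /etc/auto.users`) and make it executable; autofs reads an executable map as a program map.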

* Re: multiuser kerberised cifs via autofs needs root ticket cache
From: Peter Parzer @ 2013-04-30 14:07 UTC
To: linux-cifs-u79uwXL29TY76Z2rM5mHXA

Hi,

On 30.04.2013 15:22, Jeff Layton wrote:
>
> No, that's not what I'm saying at all. You can get the same effect by
> setting up credentials for root in /etc/krb5.keytab. Just pass in the
> correct username= mount option for the principal that you want root to
> be.
>

Not exactly on the topic, but I have been struggling a long time with
this question. How can I set up credentials for root in
/etc/krb5.keytab? I do the cifs multiuser mount in /etc/fstab at boot
time. To create Kerberos tickets for root I have a network if-up hook
with the command "net ads kerberos kinit -P". Is there an easier way
using the keytab file?

Peter

* Re: multiuser kerberised cifs via autofs needs root ticket cache
From: steve @ 2013-04-30 15:59 UTC
To: Peter Parzer; +Cc: linux-cifs-u79uwXL29TY76Z2rM5mHXA

On 30/04/13 16:07, Peter Parzer wrote:
> Hi,
>
> On 30.04.2013 15:22, Jeff Layton wrote:
>>
>> No, that's not what I'm saying at all. You can get the same effect by
>> setting up credentials for root in /etc/krb5.keytab. Just pass in the
>> correct username= mount option for the principal that you want root to
>> be.
>>
>
> Not exactly on the topic, but I have been struggling a long time with
> this question. How can I set up credentials for root in
> /etc/krb5.keytab? I do the cifs multiuser mount in /etc/fstab at boot
> time. To create Kerberos tickets for root I have a network if-up hook
> with the command "net ads kerberos kinit -P". Is there an easier way
> using the keytab file?
>

Hi Peter
I'm a fellow struggler but I think I can answer this one. I just tested
it. You can choose anyone to be root. You can choose any key you happen
to have around in the keytab. We use the machine key because it's
produced when you join the domain. If you didn't specify kerberos method
= xxx before you joined, you can create the keys using

net ads keytab create -UAdminUser

Then, on boot, run:

kinit -k MACHINE$

and put the same command in a file under /etc/cron.hourly to keep it
alive. I don't think this is the correct way, but hey it works.

* Re: multiuser kerberised cifs via autofs needs root ticket cache
From: Robert J. Hendelman Jr @ 2013-04-30 16:08 UTC
To: steve; +Cc: linux-cifs-u79uwXL29TY76Z2rM5mHXA, Peter Parzer

On 30/04/13 16:07, Peter Parzer wrote:
> Hi,
>
> On 30.04.2013 15:22, Jeff Layton wrote:
>>
>> No, that's not what I'm saying at all. You can get the same effect by
>> setting up credentials for root in /etc/krb5.keytab. Just pass in the
>> correct username= mount option for the principal that you want root to
>> be.
>>
>
> Not exactly on the topic, but I have been struggling a long time with
> this question. How can I set up credentials for root in
> /etc/krb5.keytab? I do the cifs multiuser mount in /etc/fstab at boot
> time. To create Kerberos tickets for root I have a network if-up hook
> with the command "net ads kerberos kinit -P". Is there an easier way
> using the keytab file?
>

I was originally trying to do something similar. See
https://bugs.launchpad.net/ubuntu/+source/upstart/+bug/1130781 for my
Ubuntu bug report for more info. The bug report probably doesn't concern
you, but I do have a working fstab line & pointers to a discussion about
this earlier.

When I log into my (XFCE) desktop (twice - probably a bug), I have my
ticket created and accessing files in my homedir (smb mounted) works just
fine.

Hope this helps!

Best regards,
Robert
* Re: multiuser kerberised cifs via autofs needs root ticket cache
From: steve @ 2013-04-30 15:51 UTC
To: Jeff Layton; +Cc: linux-cifs-u79uwXL29TY76Z2rM5mHXA

On 30/04/13 15:22, Jeff Layton wrote:
> On Sat, 27 Apr 2013 01:22:34 +0200
> steve <steve-dZ4O0aZtNmBWk0Htik3J/w@public.gmane.org> wrote:
>
>> On 26/04/13 16:14, Jeff Layton wrote:
>>> On Sat, 20 Apr 2013 09:10:44 +0200
>>> steve <steve-dZ4O0aZtNmBWk0Htik3J/w@public.gmane.org> wrote:
>>>
>>>> Hi
>>>> one of my automount files is:
>>>> * -fstype=cifs,sec=krb5,multiuser ://doloresdc/users/&
>>>>
>>>> It works fine but only if the krb5cc_0 cache is available under /tmp.
>>>> When a user logs in, he gets his own cache. With multiuser, why isn't
>>>> that good enough to be able to mount his share?
>>>>
>>> Because you haven't specified the cruid= that should be used to mount
>>> the share and act as the root credentials for the mount.
>>>
>>> I don't think you really want "multiuser" in the above situation. It
>>> sounds like you're trying to set up each autofs-mounted cifs filesystem
>>> for a single user.
>>>
>>> In that case, you probably want to do something like:
>>>
>>> * -fstype=cifs,sec=krb5,uid=&,gid=&,cruid=& ://doloresdc/users/&
>> No, it doesn't work. We'd need one & for the uid and another for the
>> gid. We can only have one wild card I think. It's important that even
>> though it's a single user mount, that the files created in it are owned
>> by the uid:gid of the user. multiuser gives us this, plus it's essential
>> for mounts where many users have group rw to the files in the share.
> Yeah, you'd need to figure out what should be added into there if you
> really think you need a separate mount per user directory. Note too
> that there's a catch with the above configuration -- there's nothing
> that prevents an entirely unrelated user from getting into the
> directory that's been mounted and accessing it with the mount
> credentials.
>
> None of that's an issue however if you use a proper multiuser mount.
>
>>> ...assuming of course that the directory names under that filesystem
>>> match the usernames of your users.
>>>
>>>> Question, if we really must have the root cache then how do I get that
>>>> on boot? I need to run this as root:
>>>> kinit -k steve2 to get the cache with my key in /etc/krb5.keytab. I
>>>> can't find a way to be able to do that on either Ubuntu 12.10 or
>>>> openSUSE 12.3.
>>>>
>>> I think you're confused as to what "multiuser" does. It allows users to
>>> access the *same* mounted filesystem with their own krb5 creds. IOW,
>>> instead of trying to use autofs like you are here, you could simply
>>> do this:
>>>
>>> mount -t cifs //doloresdc/users /cifsusers -o sec=krb5,multiuser
>>>
>>> ...assuming that you have a credcache for uid=0 or proper credentials
>>> in /etc/krb5.keytab, then it should mount and users can access
>>> everything under /cifsusers with their own credentials.
>>>
>> Hi
>> Yes, the permanent mount works but it's slow when the lan is busy. The
>> automounter speeds things up quite a bit. Maybe our hardware isn't up to
>> maintaining the permanent mount. But, in any case, what you are saying is
>> that I have to keep a root cache alive under /tmp to make any mount at
>> all.
> No, that's not what I'm saying at all. You can get the same effect by
> setting up credentials for root in /etc/krb5.keytab. Just pass in the
> correct username= mount option for the principal that you want root to
> be.

OK. Based on that and as all the clients have the MACHINE$ principal in
their keytab, could I say, 'I want root to be MACHINE$' and put
username=MACHINE$ as a mount option?

But then, wouldn't any file created in the mounted share be owned by
MACHINE$? But wait, the MACHINE$ object doesn't have rfc2307 and even if
it did it still gives me files owned by MACHINE$ and not e.g. steve2 who
wants files in his home directory to be owned by steve2.

>> That's what we're finding. How do we go about that? A cron to do
>> kinit -k MACHINE$ every few hours for example? k5start looks ok too.
>> Cheers, Steve
>>
> Erm...I'm not sure how to respond to this since it doesn't make much
> sense. Perhaps you can outline what you mean? What, exactly, is "slow"
> when you use a "permanent" multiuser mount? None of this should be
> terribly taxing on a modern computer...
>

What I've done is put:

#!/bin/bash
kinit -k MACHINE$

in a file, chmod +x'd it and stuck it in /etc/cron.hourly

It works. I can leave the client on for 3 days and users will always
have their home directory mounted just fine. Without the cron, cifs
fails after 10 hours or so.

On the speed point, this setup is at a school. You notice it when e.g.
all the kids grab the same big jpg all at the same time at the start of
a lesson. Remember, schools use 10 year old computers. autofs tightens
things up. I don't know why. We can't afford a dedicated file server.
It's a samba4 box which has to be DC and file server for 10 xp and 18
openSUSE clients.

Thanks for your patience
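For the hourly kinit that Steve runs from /etc/cron.hourly (here and in his reply to Peter), the following is an added example, not code from the thread, of a cron.hourly script that refreshes root's cache from the keytab only when klist reports it missing or expired, and fails loudly when kinit cannot get a ticket. The principal MACHINE$, the cache path /tmp/krb5cc_0 (the uid-0 default the thread mentions) and the installed file name are assumptions.

```sh
#!/bin/sh
# Added example (not from the thread): keep root's Kerberos ticket cache
# usable for cifs multiuser mounts, renewing from the keytab only when it is
# missing or expired rather than running "kinit -k MACHINE$" blindly.
# PRINC, CACHE and KEYTAB are assumed values; adjust them to the host.

PRINC=${PRINC:-'MACHINE$'}         # principal whose key is in the keytab
CACHE=${CACHE:-/tmp/krb5cc_0}      # default cache for uid 0, as in the thread
KEYTAB=${KEYTAB:-/etc/krb5.keytab}

# klist -s is silent and exits non-zero if the cache is unreadable or its
# tickets have expired. KRB5CCNAME selects the cache for MIT and Heimdal alike.
cache_valid() {
    KRB5CCNAME="FILE:$CACHE" klist -s 2>/dev/null
}

# Fetch a fresh TGT for PRINC from the keytab into CACHE. kinit creates the
# cache file owned by the caller (root) with mode 0600.
refresh_cache() {
    KRB5CCNAME="FILE:$CACHE" kinit -k -t "$KEYTAB" "$PRINC"
}

# Prints "ok" if the cache is still valid, "renewed" after a successful
# refresh; returns 1 with a message on stderr if kinit fails, so cron mails
# the failure instead of the cifs mounts breaking silently hours later.
ensure_root_ticket() {
    if cache_valid; then
        echo ok
        return 0
    fi
    if refresh_cache; then
        echo renewed
        return 0
    fi
    echo "kinit for $PRINC into $CACHE failed" >&2
    return 1
}

# Act only when installed under this name (e.g. /etc/cron.hourly/krb5-root-ticket)
# and run as root, since the cache must belong to uid 0.
case ${0##*/} in
    krb5-root-ticket)
        [ "$(id -u)" -eq 0 ] || { echo 'must run as root' >&2; exit 1; }
        ensure_root_ticket
        ;;
esac
```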