Re: [PATCH 2/2, 2nd attempt] samples/auto.smb: add logic to obtain credentials

Re: [PATCH 2/2, 2nd attempt] samples/auto.smb: add logic to obtain credentials

[Ian Kent]

On Wed, 2013-01-30 at 13:41 +0100, Martin Wilck wrote:
> In some environments, hosts will require credentials for a share
> listing.
> 
> This patch introduces 2 methods to obtain credentials:
>  1) if a credentials file is present
>     under /etc/creds/$key, use it.
>  2) Otherwise, try to find a usable kerberos credentials cache
>     for the calling user (using the UID the script is running as)
>     and use that.
> If both methods fail, the script will try to obtain the list
> of shares anonymously, falling back to the previous behavior.
> ---
>  samples/auto.smb | 52 +++++++++++++++++++++++++++++++++++++++++++++++++++-
>  1 file changed, 51 insertions(+), 1 deletion(-)
> 
> diff --git a/samples/auto.smb b/samples/auto.smb
> index 2dfb8f8..977b29b 100755
> --- a/samples/auto.smb
> +++ b/samples/auto.smb
> @@ -2,6 +2,40 @@
>  
>  # This file must be executable to work! chmod 755!
>  
> +# Automagically mount CIFS shares in the network, similar to
> +# what autofs -hosts does for NFS. 
> +
> +# Put a line like the following in /etc/auto.master:
> +# /cifs  /etc/auto.smb --timeout=300
> +# You'll be able to access Windows and Samba shares in your network
> +# under /cifs/host.domain/share
> +
> +# "smbclient -L" is used to obtain a list of shares from the given host. 
> +# In some environments, this requires valid credentials.
> +
> +# This script knows 2 methods to obtain credentials:
> +# 1) if a credentials file (see mount.cifs(8)) is present
> +#    under /etc/creds/$key, use it.
> +# 2) Otherwise, try to find a usable kerberos credentials cache
> +#    for the calling user and use that.
> +# If both methods fail, the script will try to obtain the list
> +# of shares anonymously.
> +
> +get_krb5_cache() {
> +    cache=
> +    uid=$(id -u)
> +    for x in $(ls -d /run/user/$uid/krb5cc_* 2>/dev/null); do
> +        if [ -d "$x" ] && klist -s DIR:"$x"; then
> +	    cache=DIR:$x
> +            return
> +        fi
> +    done
> +    if [ -f /tmp/krb5cc_$uid ] && klist -s /tmp/krb5cc_$uid; then
> +	    cache=/tmp/krb5cc_$uid
> +	    return
> +    fi
> +}
> +
>  key="$1"
>  opts="-fstype=cifs"
>  
> @@ -16,7 +50,23 @@ done
>  
>  [ -x $SMBCLIENT ] || exit 1
>  
> -$SMBCLIENT -gNL $key 2>/dev/null| awk -v key="$key" -v opts="$opts" -F'|' -- '
> +creds=/etc/creds/$key
> +if [ -f "$creds" ]; then
> +    opts="$opts"',uid=$UID,gid=$GID,credentials='"$creds"
> +    smbopts="-A $creds"
> +else
> +    get_krb5_cache
> +    if [ -n "$cache" ]; then
> +        opts="$opts"',multiuser,cruid=$UID,sec=krb5i'
> +        smbopts="-k"
> +        export KRB5CCNAME=$cache 
> +    else
> +        opts="$opts"',guest'

Why add guest?
Is that going to change the behavior of the existing script.

> +        smbopts="-N"
> +    fi
> +fi
> +
> +$SMBCLIENT $smbopts -gL "$key" 2>/dev/null| awk -v "key=$key" -v "opts=$opts" -F '|' -- '
>  	BEGIN	{ ORS=""; first=1 }
>  	/Disk/	{
>  		  if (first)

Re: [PATCH 2/2, 2nd attempt] samples/auto.smb: add logic to obtain credentials

[Martin Wilck]

On 09/06/2013 09:59 AM, Ian Kent wrote:

>> -$SMBCLIENT -gNL $key 2>/dev/null| awk -v key="$key" -v opts="$opts" -F'|' -- '
>> +creds=/etc/creds/$key
>> +if [ -f "$creds" ]; then
>> +    opts="$opts"',uid=$UID,gid=$GID,credentials='"$creds"
>> +    smbopts="-A $creds"
>> +else
>> +    get_krb5_cache
>> +    if [ -n "$cache" ]; then
>> +        opts="$opts"',multiuser,cruid=$UID,sec=krb5i'
>> +        smbopts="-k"
>> +        export KRB5CCNAME=$cache 
>> +    else
>> +        opts="$opts"',guest'
> 
> Why add guest?

"guest" means "don't prompt for a password" which is what mount.cifs
will attempt to do if no credentials are available already (e.g. via
kerberos ticket). IMO that's what's needed for autofs, otherwise the
mount attempt might hang waiting for password input.

> Is that going to change the behavior of the existing script.

"guest" mode was all the previous script could do, thus it seems to have
been written with servers in mind that only offered guest access in the
first place (und thus wouldn't prompt for a password, either).

Martin

-- 
Dr. Martin Wilck
PRIMERGY System Software Engineer
x86 Server Engineering

FUJITSU
Fujitsu Technology Solutions GmbH
Heinz-Nixdorf-Ring 1
33106 Paderborn, Germany
Phone:			++49 5251 525 2796
Fax:			++49 5251 525 2820
Email:			martin.wilck@ts.fujitsu.com
Internet:		http://ts.fujitsu.com
Company Details:	http://ts.fujitsu.com/imprint

Re: [PATCH 2/2, 2nd attempt] samples/auto.smb: add logic to obtain credentials

[Ian Kent]

On Fri, 2013-09-06 at 10:23 +0200, Martin Wilck wrote:
> On 09/06/2013 09:59 AM, Ian Kent wrote:
> 
> >> -$SMBCLIENT -gNL $key 2>/dev/null| awk -v key="$key" -v opts="$opts" -F'|' -- '
> >> +creds=/etc/creds/$key
> >> +if [ -f "$creds" ]; then
> >> +    opts="$opts"',uid=$UID,gid=$GID,credentials='"$creds"
> >> +    smbopts="-A $creds"
> >> +else
> >> +    get_krb5_cache
> >> +    if [ -n "$cache" ]; then
> >> +        opts="$opts"',multiuser,cruid=$UID,sec=krb5i'
> >> +        smbopts="-k"
> >> +        export KRB5CCNAME=$cache 
> >> +    else
> >> +        opts="$opts"',guest'
> > 
> > Why add guest?
> 
> "guest" means "don't prompt for a password" which is what mount.cifs
> will attempt to do if no credentials are available already (e.g. via
> kerberos ticket). IMO that's what's needed for autofs, otherwise the
> mount attempt might hang waiting for password input.
> 
> > Is that going to change the behavior of the existing script.
> 
> "guest" mode was all the previous script could do, thus it seems to have
> been written with servers in mind that only offered guest access in the
> first place (und thus wouldn't prompt for a password, either).

From my POV auto.smb is an example program map that happens to get
installed. I don't think it was never meant to be sophisticated.

You are saying that adding guest doesn't change anything as it is the
default when no credentials are provided, correct?

> 
> Martin
> 

Re: [PATCH 2/2, 2nd attempt] samples/auto.smb: add logic to obtain credentials

[Martin Wilck]

On 09/06/2013 11:26 AM, Ian Kent wrote:
> On Fri, 2013-09-06 at 10:23 +0200, Martin Wilck wrote:
>> On 09/06/2013 09:59 AM, Ian Kent wrote:
>>
>>>> -$SMBCLIENT -gNL $key 2>/dev/null| awk -v key="$key" -v opts="$opts" -F'|' -- '
>>>> +creds=/etc/creds/$key
>>>> +if [ -f "$creds" ]; then
>>>> +    opts="$opts"',uid=$UID,gid=$GID,credentials='"$creds"
>>>> +    smbopts="-A $creds"
>>>> +else
>>>> +    get_krb5_cache
>>>> +    if [ -n "$cache" ]; then
>>>> +        opts="$opts"',multiuser,cruid=$UID,sec=krb5i'
>>>> +        smbopts="-k"
>>>> +        export KRB5CCNAME=$cache 
>>>> +    else
>>>> +        opts="$opts"',guest'
>>>
>>> Why add guest?
>>
>> "guest" means "don't prompt for a password" which is what mount.cifs
>> will attempt to do if no credentials are available already (e.g. via
>> kerberos ticket). IMO that's what's needed for autofs, otherwise the
>> mount attempt might hang waiting for password input.
>>
>>> Is that going to change the behavior of the existing script.
>>
>> "guest" mode was all the previous script could do, thus it seems to have
>> been written with servers in mind that only offered guest access in the
>> first place (und thus wouldn't prompt for a password, either).
> 
> From my POV auto.smb is an example program map that happens to get
> installed. I don't think it was never meant to be sophisticated.

Sure. We might as well keep it as it is, or just provide the new one
alongside the old one as another example.

> You are saying that adding guest doesn't change anything as it is the
> default when no credentials are provided, correct?

That's right.

Martin

-- 
Dr. Martin Wilck
PRIMERGY System Software Engineer
x86 Server Engineering

FUJITSU
Fujitsu Technology Solutions GmbH
Heinz-Nixdorf-Ring 1
33106 Paderborn, Germany
Phone:			++49 5251 525 2796
Fax:			++49 5251 525 2820
Email:			martin.wilck@ts.fujitsu.com
Internet:		http://ts.fujitsu.com
Company Details:	http://ts.fujitsu.com/imprint

Re: [PATCH 2/2, 2nd attempt] samples/auto.smb: add logic to obtain credentials

[Ian Kent]

On Fri, 2013-09-06 at 11:40 +0200, Martin Wilck wrote:
> On 09/06/2013 11:26 AM, Ian Kent wrote:
> > On Fri, 2013-09-06 at 10:23 +0200, Martin Wilck wrote:
> >> On 09/06/2013 09:59 AM, Ian Kent wrote:
> >>
> >>>> -$SMBCLIENT -gNL $key 2>/dev/null| awk -v key="$key" -v opts="$opts" -F'|' -- '
> >>>> +creds=/etc/creds/$key
> >>>> +if [ -f "$creds" ]; then
> >>>> +    opts="$opts"',uid=$UID,gid=$GID,credentials='"$creds"
> >>>> +    smbopts="-A $creds"
> >>>> +else
> >>>> +    get_krb5_cache
> >>>> +    if [ -n "$cache" ]; then
> >>>> +        opts="$opts"',multiuser,cruid=$UID,sec=krb5i'
> >>>> +        smbopts="-k"
> >>>> +        export KRB5CCNAME=$cache 
> >>>> +    else
> >>>> +        opts="$opts"',guest'
> >>>
> >>> Why add guest?
> >>
> >> "guest" means "don't prompt for a password" which is what mount.cifs
> >> will attempt to do if no credentials are available already (e.g. via
> >> kerberos ticket). IMO that's what's needed for autofs, otherwise the
> >> mount attempt might hang waiting for password input.
> >>
> >>> Is that going to change the behavior of the existing script.
> >>
> >> "guest" mode was all the previous script could do, thus it seems to have
> >> been written with servers in mind that only offered guest access in the
> >> first place (und thus wouldn't prompt for a password, either).
> > 
> > From my POV auto.smb is an example program map that happens to get
> > installed. I don't think it was never meant to be sophisticated.
> 
> Sure. We might as well keep it as it is, or just provide the new one
> alongside the old one as another example.

Maybe, but, having looked more closely at it, it should still function
as it did previously so I'm inclined to add the patch.

> 
> > You are saying that adding guest doesn't change anything as it is the
> > default when no credentials are provided, correct?
> 
> That's right.
> 
> Martin
>