From owner-freebsd-hackers@FreeBSD.ORG Wed Jun 11 23:38:43 2008
Date: Wed, 11 Jun 2008 19:38:35 -0400
From: Derek Taylor
To: freebsd-hackers@freebsd.org
Message-ID: <20080611233835.GJ1189@psu.edu>
Mail-Followup-To: freebsd-hackers@freebsd.org
References: <20080521182722.GC40818@psu.edu> <483554FC.9040908@dlr.de> <20080603134307.GK76952@psu.edu> <20080603173601.W41705@beagle.kn.op.dlr.de> <20080603160608.GA56965@psu.edu> <20080606191524.GQ56965@psu.edu>
In-Reply-To:
User-Agent: Mutt/1.5.18 (2008-05-17)
Subject: Re: Kerberized CIFS client?
List-Id: Technical Discussions relating to FreeBSD

On Sun, 08 Jun 2008, Atte Peltomäki wrote:
>smbclient (and other samba utilities) do not refer to krb5.conf when
>figuring out the kerberos realm.
>
>you will have to put to your krb5.conf on both client and server:
>
>[domain_realms]
> cifs.example.com = realm.example.com

I've done this step, but there seems to be no difference.  When I did a
tcpdump and viewed the results in wireshark there was no attempt to do
anything kerberos related, the first thing related to auth mentioned was
NTLM.

I don't see anything with lsknobs or make config.  Am I missing something?

-Derek.

>Otherwise it will just try to use example.com as the realm.
>
>On 6/6/08, Derek Taylor wrote:
>> On Tue, 03 Jun 2008, Atte Peltomäki wrote:
>>>You will have to adjust your krb5.conf to map a given domain or hostname
>>>to a kerberos realm, if you are doing cross-realm authentication. See MIT
>>>kerberos admin guide for details.
>>
>> I'm pretty sure it's set up ok.  I can use smbclient -k just fine:
>> $ kinit
>> det135@realm.example.com's Password:
>> kinit: NOTICE: ticket renewable lifetime is 1 week
>> $ klist
>> Credentials cache: FILE:/tmp/krb5cc_1001
>>         Principal: det135@realm.example.com
>>
>>   Issued           Expires          Principal
>> Jun  6 15:08:47  Jun  7 01:08:47  krbtgt/realm.example.com@realm.example.com
>> $ smbclient -k -U det135 //cifs.example.com/dir1
>> OS=[Unix] Server=[Samba 3.0.30]
>> smb: \> ls
>>   .                                   D        0  Thu Feb 14 14:46:42 2008
>>   ..                                  D        0  Fri Jun  6 10:16:29 2008
>>   [ other files/directories here ]
>>
>> smb: \> quit
>> $ cd ~/mount/smbbeta.pass.psu.edu/pass
>> $ ls
>> ls: .: Permission denied
>> $ klist
>> Credentials cache: FILE:/tmp/krb5cc_1001
>>         Principal: det135@dce.psu.edu
>>
>>   Issued           Expires          Principal
>> Jun  6 15:08:47  Jun  7 01:08:47  krbtgt/realm.example.com@realm.example.com
>> Jun  6 15:09:17  Jun  7 01:08:47  cifs/cifs.example.com@realm.example.com
>> $
>>
>> -Derek.
>>
>>>On 6/3/08, Derek Taylor wrote:
>>>> On Tue, 03 Jun 2008, Harti Brandt wrote:
>>>>>On Tue, 3 Jun 2008, Derek Taylor wrote:
>>>>>
>>>>>DT>On Thu, 22 May 2008, Hartmut Brandt wrote:
>>>>>DT>>Derek Taylor wrote:
>>>>>DT>>> This question was previously posed of the freebsd-questions list, but
>>>>>DT>>> with no response for a week, I'd like to try my luck here.  If there's
>>>>>DT>>> any more information I should include, please speak up: I would be glad
>>>>>DT>>> to oblige.
>>>>>DT>>>
>>>>>DT>>> I would like to use smb/cifs with kerberos auth, but mount_smbfs doesn't
>>>>>DT>>> seem to support this.
>>>>>DT>>>
>>>>>DT>>> Is anyone aware of an alternate means of performing a mount via smb/cifs
>>>>>DT>>> or any patches to provide such functionality?
>>>>>DT>>>
>>>>>DT>>> I already have smbclient working with -k, but I am also interested in a
>>>>>DT>>> mount.
>>>>>DT>>
>>>>>DT>>Try smbnetfs from ports. It's fuse based and seems to work very nice. If
>>>>>DT>>you have a large amount of shares floating in your network you want to
>>>>>DT>>restrict it to mount only the needed shares via the config file.
>>>>>DT>>Otherwise it will mount what it can find...
>>>>>DT>>
>>>>>DT>>It plays nicely with kerberos. When your ticket expires you immediately
>>>>>DT>>lose access; when you renew it you gain access again. All without the
>>>>>DT>>need to unmount/mount. Just call smbnetfs once you have your ticket. You
>>>>>DT>>may even do this from your .profile.
>>>>>DT>>
>>>>>DT>>harti
>>>>>DT>
>>>>>DT>Sorry for not replying sooner.
>>>>>DT>
>>>>>DT>Initial tests here are promising (I can see some mount paths being
>>>>>DT>exported from the server), but it's not fully working (I don't see all
>>>>>DT>of the mount paths that *should* be exported and I get permission denied
>>>>>DT>errors).  My thoughts are leaning towards an issue in negotiating auth
>>>>>DT>with the server -- perhaps my krb creds aren't being used?
>>>>>
>>>>>You can test this easily: if your ticket expires you get permission denied
>>>>>errors when you try to look into the mounted directories. As soon as you
>>>>>renew the ticket you get access again. All without restarting smbnetfs.
>>>>>
>>>>>harti
>>>>
>>>> I replaced all server names below with "example.com" (and derivatives)
>>>> where appropriate:
>>>>
>>>> From my FreeBSD machine, using smbnetfs:
>>>>
>>>> $ klist
>>>> klist: No ticket file: /tmp/krb5cc_1001
>>>> $ kinit det135
>>>> det135@realm.example.com's Password:
>>>> kinit: NOTICE: ticket renewable lifetime is 1 week
>>>> $ klist
>>>> Credentials cache: FILE:/tmp/krb5cc_1001
>>>>         Principal: det135@realm.example.com
>>>>
>>>>   Issued           Expires          Principal
>>>> Jun  3 11:51:20  Jun  3 21:51:04  krbtgt/realm.example.com@realm.example.com
>>>> $ cd ~/mount/cifs.example.com/dir1
>>>> $ ls
>>>> ls: .: Permission denied
>>>> $ cd ..
>>>> $ ls
>>>> dir1   dir2
>>>> $ klist
>>>> Credentials cache: FILE:/tmp/krb5cc_1001
>>>>         Principal: det135@realm.example.com
>>>>
>>>>   Issued           Expires          Principal
>>>> Jun  3 11:51:20  Jun  3 21:51:04  krbtgt/realm.example.com@realm.example.com
>>>>
>>>>
>>>> From my Mac, using (from Finder)
>>>> Go -> Connect to Server -> cifs://cifs.example.com/dir1
>>>>
>>>> $ klist
>>>> klist: No Kerberos 5 tickets in credentials cache
>>>> $ kinit det135
>>>> Please enter the password for det135@realm.example.com:
>>>> $ klist
>>>> Kerberos 5 ticket cache: 'API:Initial default ccache'
>>>> Default principal: det135@realm.example.com
>>>>
>>>> Valid Starting     Expires            Service Principal
>>>> 06/03/08 11:59:41  06/03/08 21:59:41  krbtgt/realm.example.com@realm.example.com
>>>>         renew until 06/10/08 11:59:41
>>>>
>>>> #### Here I mount via Finder before continuing with the commands below
>>>>
>>>> $ cd /Volumes/dir1/
>>>> $ ls
>>>> subdir1   subdir2   file1   file2
>>>> $ klist
>>>> Kerberos 5 ticket cache: 'API:Initial default ccache'
>>>> Default principal: det135@realm.example.com
>>>>
>>>> Valid Starting     Expires            Service Principal
>>>> 06/03/08 11:59:41  06/03/08 21:59:41  krbtgt/realm.example.com@realm.example.com
>>>>         renew until 06/10/08 11:59:41
>>>> 06/03/08 12:00:31  06/03/08 21:59:41  cifs/cifs.example.com@realm.example.com
>>>>         renew until 06/10/08 11:59:41
>>>>
>>>>
>>>> It looks like my creds aren't being used on the FreeBSD machine.
>>>>
>>>> -Derek.
>>>> _______________________________________________
>>>> freebsd-hackers@freebsd.org mailing list
>>>> http://lists.freebsd.org/mailman/listinfo/freebsd-hackers
>>>> To unsubscribe, send any mail to "freebsd-hackers-unsubscribe@freebsd.org"
>>>>
>>>
>>
>
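The thread turns on two checks that can be scripted offline: whether krb5.conf maps the CIFS server's hostname to the intended realm, and whether, after the client has been used, the credential cache actually holds a cifs/&lt;host&gt; service ticket (the FreeBSD klist above shows only the TGT; the Mac klist shows the cifs/ ticket, which is the tell). The script below is an added example, not code from the thread or from Samba, smbnetfs or Heimdal. It assumes the section name `[domain_realm]` as documented in krb5.conf(5) and the lookup order that manual page describes (exact host entry first, then parent domains written with a leading dot), and it parses the Heimdal klist layout quoted in the thread; the krb5.conf fragment and klist texts are constructed sample input.

```python
"""Offline diagnostic for a Kerberized CIFS client: does krb5.conf map the
server's hostname to a realm, and did the client obtain a cifs/<host> ticket?
Added example; the sample inputs below are constructed, modelled on the
Heimdal klist output quoted in the thread."""

import re

# Constructed krb5.conf fragment.  The section is spelled [domain_realm],
# the name krb5.conf(5) documents.
SAMPLE_KRB5_CONF = """\
[libdefaults]
    default_realm = realm.example.com

[domain_realm]
    cifs.example.com = realm.example.com
    .example.com = realm.example.com
"""

# Constructed klist output: after kinit only (TGT, no service ticket), and
# after a successful Kerberos-authenticated CIFS session (cifs/ ticket present).
KLIST_TGT_ONLY = """\
Credentials cache: FILE:/tmp/krb5cc_1001
        Principal: det135@realm.example.com

  Issued           Expires          Principal
Jun  3 11:51:20  Jun  3 21:51:04  krbtgt/realm.example.com@realm.example.com
"""

KLIST_WITH_CIFS = KLIST_TGT_ONLY + \
    "Jun  3 11:52:01  Jun  3 21:51:04  cifs/cifs.example.com@realm.example.com\n"


def parse_domain_realm(conf_text):
    """Return the [domain_realm] section as {pattern: realm} with lowercased keys."""
    mapping, section = {}, None
    for raw in conf_text.splitlines():
        line = raw.split('#', 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        m = re.match(r'^\[(\w+)\]$', line)
        if m:
            section = m.group(1)
            continue
        if section == 'domain_realm' and '=' in line:
            key, _, value = line.partition('=')
            mapping[key.strip().lower()] = value.strip()
    return mapping


def realm_for_host(hostname, mapping):
    """Resolve hostname -> realm: exact host entry first, then each parent
    domain written with a leading dot, most specific first.  None means no
    entry applies and the library is left to guess a realm from the domain
    name, which is the failure mode discussed in the thread."""
    host = hostname.lower().rstrip('.')
    if host in mapping:
        return mapping[host]
    labels = host.split('.')
    for i in range(1, len(labels)):
        parent = '.' + '.'.join(labels[i:])
        if parent in mapping:
            return mapping[parent]
    return None


# One Heimdal klist ticket line: issue time, expiry time, principal.
TICKET_LINE = re.compile(
    r'^[A-Z][a-z]{2}\s+\d{1,2}\s+\d\d:\d\d:\d\d\s+'
    r'[A-Z][a-z]{2}\s+\d{1,2}\s+\d\d:\d\d:\d\d\s+(\S+)$')


def cached_principals(klist_text):
    """Service principals listed in klist output, in cache order."""
    found = []
    for line in klist_text.splitlines():
        m = TICKET_LINE.match(line.strip())
        if m:
            found.append(m.group(1))
    return found


def diagnose(conf_text, klist_text, hostname, service='cifs'):
    """Return (status, principal) for the service ticket the client should
    have requested for hostname."""
    realm = realm_for_host(hostname, parse_domain_realm(conf_text))
    if realm is None:
        return ('no-realm-mapping', None)
    want = f'{service}/{hostname}@{realm}'
    if want not in cached_principals(klist_text):
        return ('no-service-ticket', want)   # client never did Kerberos to it
    return ('ok', want)


if __name__ == '__main__':
    for label, text in (('after kinit', KLIST_TGT_ONLY),
                        ('after cifs session', KLIST_WITH_CIFS)):
        print(label, diagnose(SAMPLE_KRB5_CONF, text, 'cifs.example.com'))
```

Run it against a real `/etc/krb5.conf` and the output of `klist` after an access attempt: `no-service-ticket` for the server's hostname means the client never asked the KDC for a ticket to it, which matches an NTLM-only exchange on the wire, while `no-realm-mapping` points at the krb5.conf side.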