From owner-freebsd-hackers@FreeBSD.ORG Tue Jun 3 16:06:26 2008
Date: Tue, 3 Jun 2008 12:06:08 -0400
From: Derek Taylor
To: freebsd-hackers@freebsd.org
Message-ID: <20080603160608.GA56965@psu.edu>
References: <20080521182722.GC40818@psu.edu> <483554FC.9040908@dlr.de> <20080603134307.GK76952@psu.edu> <20080603173601.W41705@beagle.kn.op.dlr.de>
In-Reply-To: <20080603173601.W41705@beagle.kn.op.dlr.de>
User-Agent: Mutt/1.5.18 (2008-05-17)
Subject: Re: Kerberized CIFS client?
On Tue, 03 Jun 2008, Harti Brandt wrote:
>On Tue, 3 Jun 2008, Derek Taylor wrote:
>
>DT>On Thu, 22 May 2008, Hartmut Brandt wrote:
>DT>>Derek Taylor wrote:
>DT>>> This question was previously posed to the freebsd-questions list, but
>DT>>> with no response for a week, I'd like to try my luck here. If there's
>DT>>> any more information I should include, please speak up: I would be glad
>DT>>> to oblige.
>DT>>>
>DT>>> I would like to use smb/cifs with kerberos auth, but mount_smbfs doesn't
>DT>>> seem to support this.
>DT>>>
>DT>>> Is anyone aware of an alternate means of performing a mount via smb/cifs
>DT>>> or any patches to provide such functionality?
>DT>>>
>DT>>> I already have smbclient working with -k, but I am also interested in a
>DT>>> mount.
>DT>>
>DT>>Try smbnetfs from ports. It's fuse based and seems to work very nicely. If
>DT>>you have a large number of shares floating in your network you want to
>DT>>restrict it to mount only the needed shares via the config file.
>DT>>Otherwise it will mount what it can find...
>DT>>
>DT>>It plays nicely with kerberos. When your ticket expires you immediately
>DT>>lose access; when you renew it you gain access again. All without the
>DT>>need to unmount/mount. Just call smbnetfs once you have your ticket. You
>DT>>may even do this from your .profile.
>DT>>
>DT>>harti
>DT>
>DT>Sorry for not replying sooner.
>DT>
>DT>Initial tests here are promising (I can see some mount paths being
>DT>exported from the server), but it's not fully working (I don't see all
>DT>of the mount paths that *should* be exported and I get permission denied
>DT>errors). My thoughts are leaning towards an issue in negotiating auth
>DT>with the server -- perhaps my krb creds aren't being used?
>
>You can test this easily: if your ticket expires you get permission denied
>errors when you try to look into the mounted directories. As soon as you
>renew the ticket you get access again. All without restarting smbnetfs.
>
>harti

I replaced all server names below with "example.com" (and derivatives)
where appropriate:

From my FreeBSD machine, using smbnetfs:

$ klist
klist: No ticket file: /tmp/krb5cc_1001
$ kinit det135
det135@realm.example.com's Password:
kinit: NOTICE: ticket renewable lifetime is 1 week
$ klist
Credentials cache: FILE:/tmp/krb5cc_1001
        Principal: det135@realm.example.com

  Issued           Expires          Principal
Jun  3 11:51:20  Jun  3 21:51:04  krbtgt/realm.example.com@realm.example.com
$ cd ~/mount/cifs.example.com/dir1
$ ls
ls: .: Permission denied
$ cd ..
$ ls
dir1    dir2
$ klist
Credentials cache: FILE:/tmp/krb5cc_1001
        Principal: det135@realm.example.com

  Issued           Expires          Principal
Jun  3 11:51:20  Jun  3 21:51:04  krbtgt/realm.example.com@realm.example.com

From my Mac, using (from Finder) Go -> Connect to Server ->
cifs://cifs.example.com/dir1

$ klist
klist: No Kerberos 5 tickets in credentials cache
$ kinit det135
Please enter the password for det135@realm.example.com:
$ klist
Kerberos 5 ticket cache: 'API:Initial default ccache'
Default principal: det135@realm.example.com

Valid Starting     Expires            Service Principal
06/03/08 11:59:41  06/03/08 21:59:41  krbtgt/realm.example.com@realm.example.com
        renew until 06/10/08 11:59:41
#### Here I mount via Finder before continuing with the commands below
$ cd /Volumes/dir1/
$ ls
subdir1 subdir2 file1 file2
$ klist
Kerberos 5 ticket cache: 'API:Initial default ccache'
Default principal: det135@realm.example.com

Valid Starting     Expires            Service Principal
06/03/08 11:59:41  06/03/08 21:59:41  krbtgt/realm.example.com@realm.example.com
        renew until 06/10/08 11:59:41
06/03/08 12:00:31  06/03/08 21:59:41  cifs/cifs.example.com@realm.example.com
        renew until 06/10/08 11:59:41

It looks like my creds aren't being used on the FreeBSD machine.

-Derek.
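As an added example (not part of Derek's or Harti's mail), a small POSIX sh check that does by script what the two klist transcripts above show by hand: after touching the mount, look in the credential cache for a cifs/<server> service ticket, whose presence is the sign that the SMB session really authenticated with Kerberos. The host names, realm and sample cache text are constructed after the thread's sanitised output.

```shell
#!/bin/sh
# Added example (not from the thread): check whether a klist credential
# cache holds a CIFS service ticket for a given server, i.e. whether the
# SMB mount actually negotiated Kerberos. It keys on the last field of
# ticket lines, so it reads both Heimdal (FreeBSD) and MIT (Mac) layouts.

# Print the service principals (instance "/" plus realm "@") found in klist
# output read from stdin. Header lines such as "Principal: user@REALM" are
# skipped because the client principal has no instance component.
service_principals() {
    awk 'index($NF, "/") && index($NF, "@") { print $NF }'
}

# Succeed (exit 0) if the cache text on stdin holds cifs/<host>@<realm>.
# $1 = CIFS server host name, $2 = Kerberos realm.
has_cifs_ticket() {
    service_principals | grep -qFx "cifs/$1@$2"
}

# Report "kerberos" or "no-kerberos" for cache text $1, host $2, realm $3.
check_cache() {
    if printf '%s\n' "$1" | has_cifs_ticket "$2" "$3"; then
        echo kerberos
    else
        echo no-kerberos
    fi
}

# Constructed sample caches modelled on the thread's sanitised output.
# Heimdal layout, as on the FreeBSD box after the failed "ls".
HEIMDAL_CACHE='Credentials cache: FILE:/tmp/krb5cc_1001
        Principal: det135@realm.example.com

  Issued           Expires          Principal
Jun  3 11:51:20  Jun  3 21:51:04  krbtgt/realm.example.com@realm.example.com'
# MIT layout, as on the Mac after the Finder mount.
MIT_CACHE="Kerberos 5 ticket cache: 'API:Initial default ccache'
Default principal: det135@realm.example.com

Valid Starting     Expires            Service Principal
06/03/08 11:59:41  06/03/08 21:59:41  krbtgt/realm.example.com@realm.example.com
        renew until 06/10/08 11:59:41
06/03/08 12:00:31  06/03/08 21:59:41  cifs/cifs.example.com@realm.example.com
        renew until 06/10/08 11:59:41"

check_cache "$HEIMDAL_CACHE" cifs.example.com realm.example.com   # no-kerberos
check_cache "$MIT_CACHE" cifs.example.com realm.example.com       # kerberos
```

On a live box, list the mount and then run `klist | has_cifs_ticket cifs.example.com realm.example.com`; a failure right after a successful directory listing means the share was reached without the ticket, which is the fallback Derek's FreeBSD transcript points at.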