Skip site navigation (1)Skip section navigation (2)
Date:      Fri, 6 Jun 2008 15:15:24 -0400
From:      Derek Taylor <det135@psu.edu>
To:        freebsd-hackers@freebsd.org
Subject:   Re: Kerberized CIFS client?
Message-ID:  <20080606191524.GQ56965@psu.edu>
In-Reply-To: <e58ed31f0806031132n7a0d9a42kc05c4939cdfb596@mail.gmail.com>
References:  <20080521182722.GC40818@psu.edu> <483554FC.9040908@dlr.de> <20080603134307.GK76952@psu.edu> <20080603173601.W41705@beagle.kn.op.dlr.de> <20080603160608.GA56965@psu.edu> <e58ed31f0806031132n7a0d9a42kc05c4939cdfb596@mail.gmail.com>

next in thread | previous in thread | raw e-mail | index | archive | help
On Tue, 03 Jun 2008, Atte Peltomki wrote:
>You will have to adjust your krb5.conf to map a given domain or hostname
>to a kerberos realm, if you are doing cross-realm authentication. See MIT
>kerberos admin guide for details.

I'm pretty sure it's set up ok.  I can use smbclient -k just fine:
$ kinit
det135@realm.example.com's Password: 
kinit: NOTICE: ticket renewable lifetime is 1 week
$ klist
Credentials cache: FILE:/tmp/krb5cc_1001
        Principal: det135@realm.example.com

  Issued           Expires          Principal                   
Jun  6 15:08:47  Jun  7 01:08:47  krbtgt/realm.example.com@realm.example.com
$ smbclient -k -U det135 //cifs.example.com/dir1
OS=[Unix] Server=[Samba 3.0.30]
smb: \> ls
  .                                   D        0  Thu Feb 14 14:46:42 2008
  ..                                  D        0  Fri Jun  6 10:16:29 2008
[ other files/directories here ]

smb: \> quit
$ cd ~/mount/smbbeta.pass.psu.edu/pass
$ ls
ls: .: Permission denied
$ klist
Credentials cache: FILE:/tmp/krb5cc_1001
        Principal: det135@dce.psu.edu

  Issued           Expires          Principal                          
Jun  6 15:08:47  Jun  7 01:08:47  krbtgt/realm.example.com@realm.example.com
Jun  6 15:09:17  Jun  7 01:08:47  cifs/cifs.example.com@realm.example.com
$ 

-Derek.

>On 6/3/08, Derek Taylor <det135@psu.edu> wrote:
>> On Tue, 03 Jun 2008, Harti Brandt wrote:
>>>On Tue, 3 Jun 2008, Derek Taylor wrote:
>>>
>>>DT>On Thu, 22 May 2008, Hartmut Brandt wrote:
>>>DT>>Derek Taylor wrote:
>>>DT>>> This question was previously posed of the freebsd-questions list, but
>>>DT>>> with no response for a week, I'd like to try my luck here.  If
>>> there's
>>>DT>>> any more information I should include, please speak up: I would be
>>> glad
>>>DT>>> to oblige.
>>>DT>>>
>>>DT>>> I would like to use smb/cifs with kerberos auth, but mount_smbfs
>>> doesn't
>>>DT>>> seem to support this.
>>>DT>>>
>>>DT>>> Is anyone aware of an alternate means of performing a mount via
>>> smb/cifs
>>>DT>>> or any patches to provide such functionality?
>>>DT>>>
>>>DT>>> I already have smbclient working with -k, but I am also interested in
>>> a
>>>DT>>> mount.
>>>DT>>
>>>DT>>Try smbnetfs from ports. It's fuse based and seems to work very nice.
>>> If
>>>DT>>you have a large amount of shares floating in your network you want to
>>>DT>>restrict it to mount only the needed shares via the config file.
>>>DT>>Otherwise it will mount what it can find...
>>>DT>>
>>>DT>>It plays nicely with kerberors. When your ticket expires you
>>> immediately
>>>DT>>loose access; when you renew it you gain access again. All without the
>>>DT>>need to unmount/mount. Just call smbnetfs once you have your ticket.
>>> You
>>>DT>>may even do this from your .profile.
>>>DT>>
>>>DT>>harti
>>>DT>
>>>DT>Sorry for not replying sooner.
>>>DT>
>>>DT>Initial tests here are promising (I can see some mount paths being
>>>DT>exported from the server), but it's not fully working (I don't see all
>>>DT>of the mount paths that *should* be exported and I get permission denied
>>>DT>errors).  My thoughts are leaning towards an issue in negotiating auth
>>>DT>with the server -- perhaps my krb creds aren't being used?
>>>
>>>You can test this easily: if your ticket expires you get permission denied
>>>errors when you try to look into the mounted directories. As soon as you
>>>renew the ticket you get access again. All without restarting smbnetfs.
>>>
>>>harti
>>
>> I replaced all server names below with "example.com" (and derivatives)
>> where appropriate:
>>
>> From my FreeBSD machine, using smbnetfs:
>>
>> $ klist
>> klist: No ticket file: /tmp/krb5cc_1001
>> $ kinit det135
>> det135@realm.example.com's Password:
>> kinit: NOTICE: ticket renewable lifetime is 1 week
>> $ klist
>> Credentials cache: FILE:/tmp/krb5cc_1001
>>         Principal: det135@realm.example.com
>>
>>   Issued           Expires          Principal
>> Jun  3 11:51:20  Jun  3 21:51:04  krbtgt/realm.example.com@realm.example.com
>> $ cd ~/mount/cifs.example.com/dir1
>> $ ls
>> ls: .: Permission denied
>> $ cd ..
>> $ ls
>> dir1  dir2
>> $ klist
>> Credentials cache: FILE:/tmp/krb5cc_1001
>>         Principal: det135@realm.example.com
>>
>>   Issued           Expires          Principal
>> Jun  3 11:51:20  Jun  3 21:51:04  krbtgt/realm.example.com@realm.example.com
>>
>>
>> From my Mac, using (from Finder)
>> Go -> Connect to Server -> cifs://cifs.example.com/dir1
>>
>> $ klist
>> klist: No Kerberos 5 tickets in credentials cache
>> $ kinit det135
>> Please enter the password for det135@realm.example.com:
>> $ klist
>> Kerberos 5 ticket cache: 'API:Initial default ccache'
>> Default principal: det135@realm.example.com
>>
>> Valid Starting     Expires            Service Principal
>> 06/03/08 11:59:41  06/03/08 21:59:41
>> krbtgt/realm.example.com@realm.example.com
>>         renew until 06/10/08 11:59:41
>>
>> #### Here I mount via Finder before continuing with the commands below
>>
>> $ cd /Volumes/dir1/
>> $ ls
>> subdir1  subdir2  file1 file2
>> $ klist
>> Kerberos 5 ticket cache: 'API:Initial default ccache'
>> Default principal: det135@realm.example.com
>>
>> Valid Starting     Expires            Service Principal
>> 06/03/08 11:59:41  06/03/08 21:59:41
>> krbtgt/realm.example.com@realm.example.com
>>         renew until 06/10/08 11:59:41
>> 06/03/08 12:00:31  06/03/08 21:59:41
>> cifs/cifs.example.com@realm.example.com
>>         renew until 06/10/08 11:59:41
>>
>>
>> It looks like my creds aren't being used on the FreeBSD machine.
>>
>> -Derek.
>> _______________________________________________
>> freebsd-hackers@freebsd.org mailing list
>> http://lists.freebsd.org/mailman/listinfo/freebsd-hackers
>> To unsubscribe, send any mail to "freebsd-hackers-unsubscribe@freebsd.org"
>>
>



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20080606191524.GQ56965>