From: Atte Peltomäki
To: Derek Taylor, freebsd-hackers@freebsd.org
Date: Fri, 13 Jun 2008 14:08:54 +0300
Subject: Re: Kerberized CIFS client?

I don't think I can be of much further help, since smbnetfs and fuse are unfamiliar to me (except at concept level). Anyway, here are a few more shots in the dark:

- Make sure DNS reverse records are correct
- Whatever runs the fs share needs to have access to the local /etc/krb5.keytab

Debugging Kerberos can be a real PITA, as the MIT libs don't show too relevant info about failures, but instead mask failures behind more generic errors. I've tried stabbing the source a bit to circumvent this, but it's not such an easy task and would only be useful for debugging anyway, since revealing too much information about a failed authentication can easily lead to security issues.

-Atte

On 6/12/08, Derek Taylor wrote:
> On Sun, 08 Jun 2008, Atte Peltomäki wrote:
>> smbclient (and other samba utilities) do not refer to krb5.conf when figuring out the kerberos realm.
>>
>> you will have to put into your krb5.conf on both client and server:
>>
>> [domain_realm]
>>  cifs.example.com = realm.example.com
>
> I've done this step, but there seems to be no difference. When I did a tcpdump and viewed the results in wireshark there was no attempt to do anything kerberos related; the first thing related to auth mentioned was NTLM.
>
> I don't see anything with lsknobs or make config. Am I missing something?
>
> -Derek.
>
>> Otherwise it will just try to use example.com as the realm.
>>
>> On 6/6/08, Derek Taylor wrote:
>>> On Tue, 03 Jun 2008, Atte Peltomäki wrote:
>>>> You will have to adjust your krb5.conf to map a given domain or hostname to a kerberos realm, if you are doing cross-realm authentication. See MIT kerberos admin guide for details.
>>>
>>> I'm pretty sure it's set up ok. I can use smbclient -k just fine:
>>> $ kinit
>>> det135@realm.example.com's Password:
>>> kinit: NOTICE: ticket renewable lifetime is 1 week
>>> $ klist
>>> Credentials cache: FILE:/tmp/krb5cc_1001
>>> Principal: det135@realm.example.com
>>>
>>> Issued Expires Principal
>>> Jun 6 15:08:47 Jun 7 01:08:47 krbtgt/realm.example.com@realm.example.com
>>> $ smbclient -k -U det135 //cifs.example.com/dir1
>>> OS=[Unix] Server=[Samba 3.0.30]
>>> smb: \> ls
>>> . D 0 Thu Feb 14 14:46:42 2008
>>> .. D 0 Fri Jun 6 10:16:29 2008
>>> [ other files/directories here ]
>>>
>>> smb: \> quit
>>> $ cd ~/mount/smbbeta.pass.psu.edu/pass
>>> $ ls
>>> ls: .: Permission denied
>>> $ klist
>>> Credentials cache: FILE:/tmp/krb5cc_1001
>>> Principal: det135@dce.psu.edu
>>>
>>> Issued Expires Principal
>>> Jun 6 15:08:47 Jun 7 01:08:47 krbtgt/realm.example.com@realm.example.com
>>> Jun 6 15:09:17 Jun 7 01:08:47 cifs/cifs.example.com@realm.example.com
>>> $
>>>
>>> -Derek.
>>>
>>>> On 6/3/08, Derek Taylor wrote:
>>>>> On Tue, 03 Jun 2008, Harti Brandt wrote:
>>>>>> On Tue, 3 Jun 2008, Derek Taylor wrote:
>>>>>>
>>>>>> DT>On Thu, 22 May 2008, Hartmut Brandt wrote:
>>>>>> DT>>Derek Taylor wrote:
>>>>>> DT>>> This question was previously posed on the freebsd-questions list, but with no response for a week, I'd like to try my luck here. If there's any more information I should include, please speak up: I would be glad to oblige.
>>>>>> DT>>>
>>>>>> DT>>> I would like to use smb/cifs with kerberos auth, but mount_smbfs doesn't seem to support this.
>>>>>> DT>>>
>>>>>> DT>>> Is anyone aware of an alternate means of performing a mount via smb/cifs or any patches to provide such functionality?
>>>>>> DT>>>
>>>>>> DT>>> I already have smbclient working with -k, but I am also interested in a mount.
>>>>>> DT>>
>>>>>> DT>>Try smbnetfs from ports. It's fuse based and seems to work very nicely. If you have a large number of shares floating in your network you want to restrict it to mount only the needed shares via the config file. Otherwise it will mount what it can find...
>>>>>> DT>>
>>>>>> DT>>It plays nicely with kerberos. When your ticket expires you immediately lose access; when you renew it you gain access again. All without the need to unmount/mount. Just call smbnetfs once you have your ticket. You may even do this from your .profile.
>>>>>> DT>>
>>>>>> DT>>harti
>>>>>> DT>
>>>>>> DT>Sorry for not replying sooner.
>>>>>> DT>
>>>>>> DT>Initial tests here are promising (I can see some mount paths being exported from the server), but it's not fully working (I don't see all of the mount paths that *should* be exported and I get permission denied errors). My thoughts are leaning towards an issue in negotiating auth with the server -- perhaps my krb creds aren't being used?
>>>>>>
>>>>>> You can test this easily: if your ticket expires you get permission denied errors when you try to look into the mounted directories. As soon as you renew the ticket you get access again. All without restarting smbnetfs.
>>>>>>
>>>>>> harti
>>>>>
>>>>> I replaced all server names below with "example.com" (and derivatives) where appropriate:
>>>>>
>>>>> From my FreeBSD machine, using smbnetfs:
>>>>>
>>>>> $ klist
>>>>> klist: No ticket file: /tmp/krb5cc_1001
>>>>> $ kinit det135
>>>>> det135@realm.example.com's Password:
>>>>> kinit: NOTICE: ticket renewable lifetime is 1 week
>>>>> $ klist
>>>>> Credentials cache: FILE:/tmp/krb5cc_1001
>>>>> Principal: det135@realm.example.com
>>>>>
>>>>> Issued Expires Principal
>>>>> Jun 3 11:51:20 Jun 3 21:51:04 krbtgt/realm.example.com@realm.example.com
>>>>> $ cd ~/mount/cifs.example.com/dir1
>>>>> $ ls
>>>>> ls: .: Permission denied
>>>>> $ cd ..
>>>>> $ ls
>>>>> dir1 dir2
>>>>> $ klist
>>>>> Credentials cache: FILE:/tmp/krb5cc_1001
>>>>> Principal: det135@realm.example.com
>>>>>
>>>>> Issued Expires Principal
>>>>> Jun 3 11:51:20 Jun 3 21:51:04 krbtgt/realm.example.com@realm.example.com
>>>>>
>>>>>
>>>>> From my Mac, using (from Finder)
>>>>> Go -> Connect to Server -> cifs://cifs.example.com/dir1
>>>>>
>>>>> $ klist
>>>>> klist: No Kerberos 5 tickets in credentials cache
>>>>> $ kinit det135
>>>>> Please enter the password for det135@realm.example.com:
>>>>> $ klist
>>>>> Kerberos 5 ticket cache: 'API:Initial default ccache'
>>>>> Default principal: det135@realm.example.com
>>>>>
>>>>> Valid Starting Expires Service Principal
>>>>> 06/03/08 11:59:41 06/03/08 21:59:41 krbtgt/realm.example.com@realm.example.com
>>>>> renew until 06/10/08 11:59:41
>>>>>
>>>>> #### Here I mount via Finder before continuing with the commands below
>>>>>
>>>>> $ cd /Volumes/dir1/
>>>>> $ ls
>>>>> subdir1 subdir2 file1 file2
>>>>> $ klist
>>>>> Kerberos 5 ticket cache: 'API:Initial default ccache'
>>>>> Default principal: det135@realm.example.com
>>>>>
>>>>> Valid Starting Expires Service Principal
>>>>> 06/03/08 11:59:41 06/03/08 21:59:41 krbtgt/realm.example.com@realm.example.com
>>>>> renew until 06/10/08 11:59:41
>>>>> 06/03/08 12:00:31 06/03/08 21:59:41 cifs/cifs.example.com@realm.example.com
>>>>> renew until 06/10/08 11:59:41
>>>>>
>>>>>
>>>>> It looks like my creds aren't being used on the FreeBSD machine.
>>>>>
>>>>> -Derek.
>>>>> _______________________________________________
>>>>> freebsd-hackers@freebsd.org mailing list
>>>>> http://lists.freebsd.org/mailman/listinfo/freebsd-hackers
>>>>> To unsubscribe, send any mail to "freebsd-hackers-unsubscribe@freebsd.org"
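As an added example, not code from the thread: the [domain_realm] lookup that Atte's krb5.conf mapping relies on, carried through in Python against a constructed krb5.conf (the function names and the .lab.example.com wildcard entry are mine). It shows which realm, and therefore which cifs/ service ticket, a client derives for a given host, and that a host with no mapping yields no realm from the config at all.

```python
# Constructed krb5.conf fragment (not from the thread): the first mapping is
# the one Atte posted, the second is a wildcard entry for a whole domain.
KRB5_CONF = """\
[libdefaults]
    default_realm = realm.example.com

[domain_realm]
    cifs.example.com = realm.example.com
    .lab.example.com = lab.example.com
"""


def parse_domain_realm(conf_text):
    """Return the [domain_realm] mappings as a dict with lower-cased keys."""
    mappings, section = {}, None
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "domain_realm" and "=" in line:
            key, _, value = line.partition("=")
            mappings[key.strip().lower()] = value.strip()
    return mappings


def realm_for_host(hostname, mappings):
    """Lookup order used by the Kerberos libraries: the full hostname first,
    then each parent domain with a leading dot (.example.com, then .com).
    None means no explicit mapping, so the library falls back to its own
    heuristics, which is the situation Atte warns about."""
    host = hostname.rstrip(".").lower()
    if host in mappings:
        return mappings[host]
    labels = host.split(".")
    for i in range(1, len(labels)):
        candidate = "." + ".".join(labels[i:])
        if candidate in mappings:
            return mappings[candidate]
    return None


def cifs_service_principal(hostname, conf_text=KRB5_CONF):
    """Service ticket the client must obtain for the share (compare the
    cifs/cifs.example.com@realm.example.com entry in Derek's klist output)."""
    host = hostname.rstrip(".").lower()
    realm = realm_for_host(host, parse_domain_realm(conf_text))
    return None if realm is None else "cifs/%s@%s" % (host, realm)
```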