From owner-freebsd-hackers@FreeBSD.ORG Sun Jun 8 14:59:04 2008
Date: Sun, 8 Jun 2008 17:32:51 +0300
From: Atte Peltomäki
To: Derek Taylor, freebsd-hackers@freebsd.org
In-Reply-To: <20080606191524.GQ56965@psu.edu>
References: <20080521182722.GC40818@psu.edu> <483554FC.9040908@dlr.de> <20080603134307.GK76952@psu.edu> <20080603173601.W41705@beagle.kn.op.dlr.de> <20080603160608.GA56965@psu.edu> <20080606191524.GQ56965@psu.edu>
Subject: Re: Kerberized CIFS client?

smbclient (and other samba utilities) do not refer to krb5.conf when
figuring out the kerberos realm. You will have to put this in your
krb5.conf on both client and server:

    [domain_realm]
        cifs.example.com = realm.example.com

Otherwise it will just try to use example.com as the realm.

On 6/6/08, Derek Taylor wrote:
> On Tue, 03 Jun 2008, Atte Peltomäki wrote:
>>You will have to adjust your krb5.conf to map a given domain or hostname
>>to a kerberos realm, if you are doing cross-realm authentication. See MIT
>>kerberos admin guide for details.
>
> I'm pretty sure it's set up ok. I can use smbclient -k just fine:
>
> $ kinit
> det135@realm.example.com's Password:
> kinit: NOTICE: ticket renewable lifetime is 1 week
> $ klist
> Credentials cache: FILE:/tmp/krb5cc_1001
>         Principal: det135@realm.example.com
>
>   Issued           Expires          Principal
> Jun  6 15:08:47  Jun  7 01:08:47  krbtgt/realm.example.com@realm.example.com
> $ smbclient -k -U det135 //cifs.example.com/dir1
> OS=[Unix] Server=[Samba 3.0.30]
> smb: \> ls
>   .                    D        0  Thu Feb 14 14:46:42 2008
>   ..                   D        0  Fri Jun  6 10:16:29 2008
>   [ other files/directories here ]
>
> smb: \> quit
> $ cd ~/mount/smbbeta.pass.psu.edu/pass
> $ ls
> ls: .: Permission denied
> $ klist
> Credentials cache: FILE:/tmp/krb5cc_1001
>         Principal: det135@dce.psu.edu
>
>   Issued           Expires          Principal
> Jun  6 15:08:47  Jun  7 01:08:47  krbtgt/realm.example.com@realm.example.com
> Jun  6 15:09:17  Jun  7 01:08:47  cifs/cifs.example.com@realm.example.com
> $
>
> -Derek.
>
>>On 6/3/08, Derek Taylor wrote:
>>> On Tue, 03 Jun 2008, Harti Brandt wrote:
>>>>On Tue, 3 Jun 2008, Derek Taylor wrote:
>>>>
>>>>DT>On Thu, 22 May 2008, Hartmut Brandt wrote:
>>>>DT>>Derek Taylor wrote:
>>>>DT>>> This question was previously posed of the freebsd-questions list, but
>>>>DT>>> with no response for a week, I'd like to try my luck here. If there's
>>>>DT>>> any more information I should include, please speak up: I would be
>>>>DT>>> glad to oblige.
>>>>DT>>>
>>>>DT>>> I would like to use smb/cifs with kerberos auth, but mount_smbfs
>>>>DT>>> doesn't seem to support this.
>>>>DT>>>
>>>>DT>>> Is anyone aware of an alternate means of performing a mount via
>>>>DT>>> smb/cifs or any patches to provide such functionality?
>>>>DT>>>
>>>>DT>>> I already have smbclient working with -k, but I am also interested
>>>>DT>>> in a mount.
>>>>DT>>
>>>>DT>>Try smbnetfs from ports. It's fuse based and seems to work very nicely.
>>>>DT>>If you have a large amount of shares floating in your network you want
>>>>DT>>to restrict it to mount only the needed shares via the config file.
>>>>DT>>Otherwise it will mount what it can find...
>>>>DT>>
>>>>DT>>It plays nicely with kerberos. When your ticket expires you immediately
>>>>DT>>lose access; when you renew it you gain access again. All without the
>>>>DT>>need to unmount/mount. Just call smbnetfs once you have your ticket.
>>>>DT>>You may even do this from your .profile.
>>>>DT>>
>>>>DT>>harti
>>>>DT>
>>>>DT>Sorry for not replying sooner.
>>>>DT>
>>>>DT>Initial tests here are promising (I can see some mount paths being
>>>>DT>exported from the server), but it's not fully working (I don't see all
>>>>DT>of the mount paths that *should* be exported and I get permission
>>>>DT>denied errors). My thoughts are leaning towards an issue in negotiating
>>>>DT>auth with the server -- perhaps my krb creds aren't being used?
>>>>
>>>>You can test this easily: if your ticket expires you get permission
>>>>denied errors when you try to look into the mounted directories. As soon
>>>>as you renew the ticket you get access again. All without restarting
>>>>smbnetfs.
>>>>
>>>>harti
>>>
>>> I replaced all server names below with "example.com" (and derivatives)
>>> where appropriate:
>>>
>>> From my FreeBSD machine, using smbnetfs:
>>>
>>> $ klist
>>> klist: No ticket file: /tmp/krb5cc_1001
>>> $ kinit det135
>>> det135@realm.example.com's Password:
>>> kinit: NOTICE: ticket renewable lifetime is 1 week
>>> $ klist
>>> Credentials cache: FILE:/tmp/krb5cc_1001
>>>         Principal: det135@realm.example.com
>>>
>>>   Issued           Expires          Principal
>>> Jun  3 11:51:20  Jun  3 21:51:04  krbtgt/realm.example.com@realm.example.com
>>> $ cd ~/mount/cifs.example.com/dir1
>>> $ ls
>>> ls: .: Permission denied
>>> $ cd ..
>>> $ ls
>>> dir1    dir2
>>> $ klist
>>> Credentials cache: FILE:/tmp/krb5cc_1001
>>>         Principal: det135@realm.example.com
>>>
>>>   Issued           Expires          Principal
>>> Jun  3 11:51:20  Jun  3 21:51:04  krbtgt/realm.example.com@realm.example.com
>>>
>>>
>>> From my Mac, using (from Finder)
>>> Go -> Connect to Server -> cifs://cifs.example.com/dir1
>>>
>>> $ klist
>>> klist: No Kerberos 5 tickets in credentials cache
>>> $ kinit det135
>>> Please enter the password for det135@realm.example.com:
>>> $ klist
>>> Kerberos 5 ticket cache: 'API:Initial default ccache'
>>> Default principal: det135@realm.example.com
>>>
>>> Valid Starting     Expires            Service Principal
>>> 06/03/08 11:59:41  06/03/08 21:59:41  krbtgt/realm.example.com@realm.example.com
>>>         renew until 06/10/08 11:59:41
>>>
>>> #### Here I mount via Finder before continuing with the commands below
>>>
>>> $ cd /Volumes/dir1/
>>> $ ls
>>> subdir1    subdir2    file1    file2
>>> $ klist
>>> Kerberos 5 ticket cache: 'API:Initial default ccache'
>>> Default principal: det135@realm.example.com
>>>
>>> Valid Starting     Expires            Service Principal
>>> 06/03/08 11:59:41  06/03/08 21:59:41  krbtgt/realm.example.com@realm.example.com
>>>         renew until 06/10/08 11:59:41
>>> 06/03/08 12:00:31  06/03/08 21:59:41  cifs/cifs.example.com@realm.example.com
>>>         renew until 06/10/08 11:59:41
>>>
>>>
>>> It looks like my creds aren't being used on the FreeBSD machine.
>>>
>>> -Derek.
>>> _______________________________________________
>>> freebsd-hackers@freebsd.org mailing list
>>> http://lists.freebsd.org/mailman/listinfo/freebsd-hackers
>>> To unsubscribe, send any mail to "freebsd-hackers-unsubscribe@freebsd.org"
>>>
>>
>
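An added example (mine, not code from this thread or from Samba/Heimdal): a small Python model of how the [domain_realm] lookup picks the realm for a CIFS server, and so which service principal, like the cifs/cifs.example.com@realm.example.com ticket in the klist output above, the client asks the KDC for. The krb5.conf fragment and the .corp.example.com entry are constructed, and the no-mapping fallback follows the behaviour the reply describes rather than any one library's exact rules.

```python
import re

# Constructed krb5.conf fragment (not taken from any host in the thread). It
# carries the host entry the reply above says is needed, plus a domain entry.
SAMPLE_KRB5_CONF = """\
[domain_realm]
    cifs.example.com = realm.example.com
    .corp.example.com = CORP.EXAMPLE.COM
"""

def parse_domain_realm(conf_text):
    """Collect the tag = realm pairs of the [domain_realm] section only."""
    mapping, section = {}, None
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and padding
        if not line:
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            section = header.group(1)
            continue
        if section == "domain_realm" and "=" in line:
            tag, realm = (part.strip() for part in line.split("=", 1))
            mapping[tag.lower()] = realm
    return mapping

def realm_for_host(hostname, mapping):
    """Exact host entry first, then the most specific '.domain' entry, else None."""
    host = hostname.lower().rstrip(".")
    if host in mapping:
        return mapping[host]
    labels = host.split(".")
    for i in range(1, len(labels)):  # .a.example.com before .example.com
        candidate = "." + ".".join(labels[i:])
        if candidate in mapping:
            return mapping[candidate]
    return None

def expected_service_principal(service, hostname, mapping):
    """Return (principal the client will request, True if an explicit mapping
    was used). With no mapping this models the fallback the reply above
    describes: the host's own DNS domain is taken as the realm name."""
    host = hostname.lower().rstrip(".")
    realm = realm_for_host(host, mapping)
    if realm is not None:
        return f"{service}/{host}@{realm}", True
    fallback = host.split(".", 1)[1] if "." in host else host
    return f"{service}/{host}@{fallback}", False
```

Running expected_service_principal("cifs", "cifs.example.com", mapping) against the parsed fragment returns the principal seen in the klist output, while an empty mapping yields cifs/cifs.example.com@example.com, the wrong-realm request the reply warns about.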