The goal is to create separate (auto)mounts on a Red Hat Enterprise 5.3 machine to shares on various Windows 2003 file servers (64 bit) on a per user basis (just like drive mappings on XP clients), for example:
This will eliminate the need to use NFS file sharing on the Windows servers (which seems to be fraught with permission mapping issues).
Steps taken so far:
I have configured our Red Hat Enterprise 5.3 machines to use Winbind authentication and they are all a member of AD so that users can log in to them using their AD credentials, which is all working nicely.
It should now be possible to mount the Windows shares using the Kerberos ticket already obtained during login.
So I have done:
chmod +s /sbin/*.cifs
to allow the users to actually run the mount.cifs and umount.cifs programs (probably not required for automounting, but useful for testing mounts manually).
/home /etc/auto.cifs --timeout=5
Created /etc/auto.cifs with the following two lines:
echo "-fstype=cifs,sec=krb5,user=$1 ://our-file-server/our-home-share/$1"
Added the following two lines to /etc/request-key.conf:
create cifs.spnego * * /usr/sbin/cifs.upcall -c %k
create dns_resolver * * /usr/sbin/cifs.upcall %k
A quick test by trying to cd into /home/bob reveals mount error 126 (which is required key not available) in /var/log/messages.
Stopping autofs and trying to mount manually using:
/sbin/mount.cifs //our-file-server/our-home-share/bob /home/bob -o sec=krb5
Does indeed give the same response: "mount error 126 = Required key not available"
But a quick 'klist' shows that I do have a valid ticket.
If I log in as root, get my Kerberos ticket using 'kinit bob' and then try it, everything works (both manually and for autofs).
I suspect this is something to do with the fact that autofs runs as root, and the setuid on mount.cifs means it also runs as root, where there is indeed no valid Kerberos ticket.
I'm obviously missing something here, surely automounting cifs shares should be possible?
Are there any options I can pass to cifs.upcall that will tell it to use MY cached kerberos credentials?
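Added example (not from the question above, and not the poster's own /etc/auto.cifs): a program map for autofs written as a small POSIX shell script. autofs runs a program map with the requested key (the directory name looked up under /home) as $1 and expects one map entry on stdout, so the one-line echo in the question would happily pass whatever a user typed after /home/ into the mount options and the UNC path. This version rejects keys outside a safe character set, refuses keys the system does not know as users, and adds uid= so files on the Windows share are presented as owned by that user. The server and share names are placeholders carried over from the question; the character set assumes plain usernames (no winbind domain separator), so widen the class in valid_key if your usernames carry one. Note that this does nothing for the actual error in the question: with these kernel and cifs-utils versions the Kerberos upcall is still made on behalf of the process doing the mount (root under autofs), not the user named in uid=; the cruid= mount option that selects another user's credential cache only exists on newer kernels and cifs-utils.

```shell
#!/bin/sh
# /etc/auto.cifs as an executable autofs program map (added example, not
# the original poster's file). autofs invokes it as: auto.cifs <key>
# and reads one map entry from stdout; empty output / non-zero exit means
# "no such key", so /home/<key> simply does not exist.

# Placeholders taken from the question; adjust for the real servers.
SERVER=our-file-server
SHARE=our-home-share

# Accept only keys that cannot smuggle extra mount options or path
# components into the entry (e.g. "bob,uid=0", "../etc", ".hidden").
# Returns 0 for a safe key, 1 otherwise.
valid_key() {
    case "$1" in
        ''|.*|*[!A-Za-z0-9._-]*) return 1 ;;
        *)                       return 0 ;;
    esac
}

# Resolve a username to its numeric uid through NSS (winbind on the hosts in
# the question). Prints nothing and returns 1 for unknown users.
lookup_uid() {
    id -u "$1" 2>/dev/null
}

# Print the map entry for <key>, or nothing (exit 1) if the key is unsafe or
# does not name a known user. The format matches the single-line map in the
# question, with uid= added so the mount shows the right owner.
map_entry() {
    key=$1
    valid_key "$key" || return 1
    uid=$(lookup_uid "$key")
    [ -n "$uid" ] || return 1
    printf -- '-fstype=cifs,sec=krb5,user=%s,uid=%s ://%s/%s/%s\n' \
        "$key" "$uid" "$SERVER" "$SHARE" "$key"
}

# Act as the program map only when autofs runs this file directly under its
# installed name; when the functions are sourced for testing, do nothing.
case "$0" in
    */auto.cifs|auto.cifs) map_entry "$1" ;;
esac
```

Install it as /etc/auto.cifs, make it executable (chmod 755) and keep the /home entry in auto.master pointing at it; autofs treats an executable map file as a program map automatically. Test it from a shell with `/etc/auto.cifs bob` before pointing autofs at it: a well-formed key prints exactly one entry, anything else prints nothing.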