LinuxQuestions.org
Support LQ: Use code LQ3 and save $3 on Domain Registration
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Server
User Name
Password
Linux - Server This forum is for the discussion of Linux Software used in a server related context.

Notices

Reply
 
Search this Thread
Old 12-13-2009, 11:05 AM   #16
ralish
LQ Newbie
 
Registered: Sep 2009
Posts: 7

Rep: Reputation: 1

0ddba11:
Despite being something you'd think would be relatively simple, there's a huge amount of complexity behind the scenes getting all this to work, so without more information, there's only so much I can suggest.
  • Check the patch on the Red Hat bug report with the absolute latest cifs.upcall source from the master branch from samba git. The guy assigned that bug report is also a samba developer and the maintainer of the cifs.upcall source, and I know he made multiple commits addressing this problem, so it's possible that patch is not the latest in the samba master.
  • You might consider logging in as root (or another local user) and removing all kerberos tickets from /tmp so that all the tickets are recreated as each user in kerberos logs on again. This may help to eliminate any potential permissions issues, as if the tickets aren't accessible for the user trying to authenticate to the share, then the mount is obviously going to fail as the kerberos client can't read the ticket.
  • Try using -v judiciously to determine exactly what is being passed to the kernel from mount.cifs (see previous posts). Try the uid/gid parameters to determine if it is a likely kerberos/permissions issue, or something else. You might need to resort to strace to try and trace exactly what is going on as the mount call proceeds (and eventually fails).

These are all kind of generic, but they should point you in the right direction, and perhaps help to obtain some more useful debugging data.
 
Old 12-18-2009, 10:13 AM   #17
0ddba11
Member
 
Registered: Nov 2004
Location: Derby - UK
Distribution: Ubuntu at Home, RedHat Enterprise at Work
Posts: 46

Original Poster
Rep: Reputation: 15
Cool

Here's an update.

Two things have ocurred recently....

Number One
If you check this bug at https://bugzilla.redhat.com/show_bug.cgi?id=517195 you'll note that it now says 'Fixed In Version: samba-3.0.33-3.23.el5 '.

This is great news.

However...

Number Two
I have now implemented a different (and I think more appropriate solution) using the pam_mount module.

I'd never seen this pam module before, and when I read what it does I couldn't believe my eyes - it mounts volumes when a user starts a session and unmounts them when their session ends!

Perfect.

Whilst an RPM wasn't available for Red Hat 4 I found some extra packages for Cent OS 4 here: http://centos.karan.org/el4/extras/stable/ which install and run just fine on RHEL4. (remember to get both the 32 bit and 64 bit RPMS if you're running a 64 bit system as some 32 bit apps like Exceed onDemand need the 32 bit pam_mount.so)

For those who are interested, here is my /etc/security/pam_mount.conf:

Code:
debug 0
mkmountpoint 1

fsckloop /dev/loop7

options_allow   nosuid,nodev,loop,encryption
options_require nosuid,nodev

lsof /usr/sbin/lsof %(MNTPT)
fsck /sbin/fsck -p %(FSCKTARGET)
losetup /sbin/losetup -p0 "%(before=\"-e \" CIPHER)" "%(before=\"-k \" KEYBITS)" %(FSCKLOOP) %(VOLUME)
unlosetup /sbin/losetup -d %(FSCKLOOP)
cifsmount /bin/mount -t cifs //%(SERVER)/%(VOLUME) %(MNTPT) -o "username=%(USER)%(before=\",\" OPTIONS)"
smbmount /bin/mount -t smbfs //%(SERVER)/%(VOLUME) %(MNTPT) -o "username=%(USER)%(before=\",\" OPTIONS)"
ncpmount /bin/mount -t ncpfs %(SERVER)/%(USER) %(MNTPT) -o "pass-fd=0,volume=%(VOLUME)%(before=\",\" OPTIONS)"
umount   /bin/umount %(MNTPT)
lclmount /bin/mount -p0 %(VOLUME) %(MNTPT) "%(before=\"-o \" OPTIONS)"
cryptmount /bin/mount -t crypt "%(before=\"-o \" OPTIONS)" %(VOLUME) %(MNTPT)
nfsmount /bin/mount %(SERVER):%(VOLUME) "%(MNTPT)%(before=\"-o \" OPTIONS)"
mntagain /bin/mount --bind %(PREVMNTPT) %(MNTPT)
mntcheck /bin/mount # For BSD's (don't have /etc/mtab)
pmvarrun /usr/sbin/pmvarrun -u %(USER) -d -o %(OPERATION)

volume * cifs server1 data /winmounts/&/data uid=&,gid=users,dirmode=0700,filemode=0700 - -
volume * cifs server2 home /winmounts/&/home uid=&,gid=users,dirmode=0700,filemode=0700 - -
  • The 'mkmountpoint 1' line means that the mount points get created automatically
  • On the 'volume' line '&' gets replaced with the current user
  • uid=& makes the current user the owner for all files and directories
  • Setting filemode and dirmode 0700 means that only the owner ends up with permission to it, which stops user B accessing a share that user A has mounted.

And to make it all work, here my /etc/pam.d/sshd:

Code:
#%PAM-1.0
auth       required     pam_stack.so service=system-auth
auth       required     pam_mount.so use_first_pass
auth       required     pam_nologin.so
account    required     pam_stack.so service=system-auth
password   required     pam_stack.so service=system-auth
session    required     pam_stack.so service=system-auth
session    required     pam_loginuid.so
session    optional     pam_mount.so
So it's not exactly what we set out to fix, but it works better.

And that's it for the year from me - I'm off to Malaga for Christmas now!!!

Merry Christmas everybody, and Happy New Year.

Last edited by 0ddba11; 12-18-2009 at 10:22 AM.
 
Old 12-21-2009, 05:53 PM   #18
ralish
LQ Newbie
 
Registered: Sep 2009
Posts: 7

Rep: Reputation: 1
I just finished reading about pam_mount and it sounds absolutely perfect, not to mention being a more elegant solution than the autofs kludge I was going to put together. Thanks a bunch for enclosing your detailed configuration information and explanation, it should be a major time saver!

Unfortunately, while the Red Hat patch is good news, it doesn't apply to me as I'm using the unofficial SerNet Samba binaries for CentOS 5 that upgrade the Samba packages to 3.2 (as well as having RPMs for 3.3 and 3.4 available). The reason for this is the 3.2 branch is the earliest Samba branch that supports certain features I need, in particular SMB signing.

Fortunately, the relevant fix for cifs.upcall is simple and can easily be patched into the 3.2 source and compiled with the included SerNet SRPMs. Of course, this is fairly tedious and a time sink, as it really ought to be done each time the packages are upgraded (even if you can get away with not doing so). I might see if I can convince SerNet to backport the fix into their packages, otherwise, the SRPM recompiles will have to continue.

Still, the pam_mount solution sounds excellent, so thanks again for reporting back. Also, I hope you enjoy your Christmas holiday
 
Old 01-12-2011, 09:33 AM   #19
daenney
LQ Newbie
 
Registered: Jul 2004
Distribution: Debian Squeeze, Ubuntu 10.10, CentOS 5.5
Posts: 8

Rep: Reputation: 0
There is actually another fix which works just perfectly:

Code:
/etc/auto.cifs
echo  "-fstype=cifs,sec=krb5,uid=`id -u $1`,user=$1 ://files/Users/$1"
Now the uid is equal to the uid of the user share we want to mount, which means the ticket is now being retrieved as the actual user logging in which gets rid of the error 126 in my case.

Now, when user daenney with uid 10005 logs in the following is being called:
Code:
"-fstype=cifs,sec=krb5,uid=10005,user=daenney ://files/Users/daenney"
This now mounts the homedir for user daenney using the according kerberos ticket. It's a stupid workaround but it does wonders.
 
  


Reply

Tags
kerberos, login, logout, mount, samba, session, share, windows


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
Problem for get ticket from kerberos aspenbr Linux - Networking 1 08-11-2009 10:44 AM
Problem in get ticket with Kerberos aspenbr Linux - Software 0 08-11-2009 04:24 AM
pam_krb5 won't retrieve a kerberos ticket Thakowbbery Conectiva 1 01-10-2007 05:20 AM
Mounting network shares using kerberos ticket dlbuhl Linux - Networking 0 12-19-2006 10:53 AM
Samba Kerberos Ticket sindri Linux - Software 0 11-24-2004 01:10 AM


All times are GMT -5. The time now is 07:29 AM.

Main Menu
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration