Date:      Tue, 3 Jun 2008 12:06:08 -0400
From:      Derek Taylor <det135@psu.edu>
To:        freebsd-hackers@freebsd.org
Subject:   Re: Kerberized CIFS client?
Message-ID:  <20080603160608.GA56965@psu.edu>
In-Reply-To: <20080603173601.W41705@beagle.kn.op.dlr.de>
References:  <20080521182722.GC40818@psu.edu> <483554FC.9040908@dlr.de> <20080603134307.GK76952@psu.edu> <20080603173601.W41705@beagle.kn.op.dlr.de>

On Tue, 03 Jun 2008, Harti Brandt wrote:
>On Tue, 3 Jun 2008, Derek Taylor wrote:
>
>DT>On Thu, 22 May 2008, Hartmut Brandt wrote:
>DT>>Derek Taylor wrote:
>DT>>> This question was previously posed of the freebsd-questions list, but
>DT>>> with no response for a week, I'd like to try my luck here.  If there's
>DT>>> any more information I should include, please speak up: I would be glad
>DT>>> to oblige.
>DT>>>
>DT>>> I would like to use smb/cifs with kerberos auth, but mount_smbfs doesn't
>DT>>> seem to support this.
>DT>>>
>DT>>> Is anyone aware of an alternate means of performing a mount via smb/cifs
>DT>>> or any patches to provide such functionality?
>DT>>>
>DT>>> I already have smbclient working with -k, but I am also interested in a
>DT>>> mount.
>DT>>
>DT>>Try smbnetfs from ports. It's fuse based and seems to work very nicely. If
>DT>>you have a large amount of shares floating in your network you want to
>DT>>restrict it to mount only the needed shares via the config file.
>DT>>Otherwise it will mount what it can find...
>DT>>
>DT>>It plays nicely with kerberos. When your ticket expires you immediately
>DT>>lose access; when you renew it you gain access again. All without the
>DT>>need to unmount/mount. Just call smbnetfs once you have your ticket. You
>DT>>may even do this from your .profile.
>DT>>
>DT>>harti
>DT>
>DT>Sorry for not replying sooner.
>DT>
>DT>Initial tests here are promising (I can see some mount paths being
>DT>exported from the server), but it's not fully working (I don't see all
>DT>of the mount paths that *should* be exported and I get permission denied
>DT>errors).  My thoughts are leaning towards an issue in negotiating auth
>DT>with the server -- perhaps my krb creds aren't being used?
>
>You can test this easily: if your ticket expires you get permission denied
>errors when you try to look into the mounted directories. As soon as you
>renew the ticket you get access again. All without restarting smbnetfs.
>
>harti

I replaced all server names below with "example.com" (and derivatives)
where appropriate:

From my FreeBSD machine, using smbnetfs:

$ klist
klist: No ticket file: /tmp/krb5cc_1001
$ kinit det135
det135@realm.example.com's Password:
kinit: NOTICE: ticket renewable lifetime is 1 week
$ klist
Credentials cache: FILE:/tmp/krb5cc_1001
        Principal: det135@realm.example.com

  Issued           Expires          Principal
Jun  3 11:51:20  Jun  3 21:51:04  krbtgt/realm.example.com@realm.example.com
$ cd ~/mount/cifs.example.com/dir1
$ ls
ls: .: Permission denied
$ cd ..
$ ls
dir1  dir2
$ klist
Credentials cache: FILE:/tmp/krb5cc_1001
        Principal: det135@realm.example.com

  Issued           Expires          Principal
Jun  3 11:51:20  Jun  3 21:51:04  krbtgt/realm.example.com@realm.example.com


From my Mac, using (from Finder)
Go -> Connect to Server -> cifs://cifs.example.com/dir1

$ klist
klist: No Kerberos 5 tickets in credentials cache
$ kinit det135
Please enter the password for det135@realm.example.com:
$ klist
Kerberos 5 ticket cache: 'API:Initial default ccache'
Default principal: det135@realm.example.com

Valid Starting     Expires            Service Principal
06/03/08 11:59:41  06/03/08 21:59:41  krbtgt/realm.example.com@realm.example.com
        renew until 06/10/08 11:59:41

#### Here I mount via Finder before continuing with the commands below

$ cd /Volumes/dir1/
$ ls
subdir1  subdir2  file1 file2
$ klist
Kerberos 5 ticket cache: 'API:Initial default ccache'
Default principal: det135@realm.example.com

Valid Starting     Expires            Service Principal
06/03/08 11:59:41  06/03/08 21:59:41  krbtgt/realm.example.com@realm.example.com
        renew until 06/10/08 11:59:41
06/03/08 12:00:31  06/03/08 21:59:41  cifs/cifs.example.com@realm.example.com
        renew until 06/10/08 11:59:41
        renew until 06/10/08 11:59:41


It looks like my creds aren't being used on the FreeBSD machine.

-Derek.
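The comparison Derek makes by eye above (a cifs/ service ticket shows up in the Mac's cache after the Finder mount, and never appears in the FreeBSD cache after smbnetfs) can be turned into a repeatable check. The script below is an added example and is not part of this thread or of smbnetfs; it scans klist output for a service ticket whose principal starts with a given prefix, so a user can tell whether a CIFS client actually negotiated Kerberos for a share. The two listings are constructed from the Heimdal (FreeBSD) and MIT/Apple formats quoted above, with the same placeholder host and realm names; the function names has_service_ticket and diagnose are this example's own.

```shell
#!/bin/sh
# Added example (not from the thread): detect whether a Kerberos credentials
# cache holds a service ticket for a given SPN prefix, from klist output.
# Sample listings below are constructed to mirror the two formats in the
# thread; cifs.example.com / realm.example.com are placeholders.

# Heimdal klist (FreeBSD): only the TGT, no cifs/ service ticket.
HEIMDAL_KLIST='Credentials cache: FILE:/tmp/krb5cc_1001
        Principal: det135@realm.example.com

  Issued           Expires          Principal
Jun  3 11:51:20  Jun  3 21:51:04  krbtgt/realm.example.com@realm.example.com'

# MIT/Apple klist (Mac): TGT plus the cifs/ ticket obtained by the mount.
MIT_KLIST="Kerberos 5 ticket cache: 'API:Initial default ccache'
Default principal: det135@realm.example.com

Valid Starting     Expires            Service Principal
06/03/08 11:59:41  06/03/08 21:59:41  krbtgt/realm.example.com@realm.example.com
        renew until 06/10/08 11:59:41
06/03/08 12:00:31  06/03/08 21:59:41  cifs/cifs.example.com@realm.example.com
        renew until 06/10/08 11:59:41"

# has_service_ticket LISTING PREFIX
# Returns 0 if some ticket line's principal (last field) starts with PREFIX
# followed by '@', e.g. PREFIX "cifs/cifs.example.com"; 1 otherwise.
# Both klist formats put the principal in the last whitespace-separated
# field of a ticket line, and only service principals look like
# name/instance@REALM, so header, "Principal:" and "renew until" lines
# are skipped.
has_service_ticket() {
    printf '%s\n' "$1" | awk -v want="$2" '
        NF >= 3 && $NF ~ "^[^@]+/[^@]+@[^@]+$" && index($NF, want "@") == 1 {
            found = 1
        }
        END { exit found ? 0 : 1 }'
}

# diagnose LISTING HOST
# Reports whether a cifs/HOST ticket is present; exit status mirrors it.
# In a live session you would feed it "$(klist)" instead of a sample.
diagnose() {
    if has_service_ticket "$1" "cifs/$2"; then
        echo "cifs/$2: service ticket present, client negotiated Kerberos"
        return 0
    fi
    echo "cifs/$2: no service ticket, credentials cache was not used for this share"
    return 1
}

# Demonstration on the two constructed listings (failure is expected for the
# FreeBSD one, so do not let it abort the script).
diagnose "$HEIMDAL_KLIST" cifs.example.com || :
diagnose "$MIT_KLIST" cifs.example.com || :
```

Run it after attempting a mount: a Kerberos-authenticated CIFS session leaves a cifs/<server> ticket in the cache, as the Mac listing shows, so its absence after smbnetfs is the quickest sign that the client never asked the KDC for one. The prefix is a parameter because a server may be reached under a different name than the one in its SPN; pass the name the client was given.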
