Kerberized CIFS client?
Derek Taylor
det135 at psu.edu
Tue Jun 3 16:06:26 UTC 2008
On Tue, 03 Jun 2008, Harti Brandt wrote:
>On Tue, 3 Jun 2008, Derek Taylor wrote:
>
>DT>On Thu, 22 May 2008, Hartmut Brandt wrote:
>DT>>Derek Taylor wrote:
>DT>>> This question was previously posed of the freebsd-questions list, but
>DT>>> with no response for a week, I'd like to try my luck here. If there's
>DT>>> any more information I should include, please speak up: I would be glad
>DT>>> to oblige.
>DT>>>
>DT>>> I would like to use smb/cifs with kerberos auth, but mount_smbfs doesn't
>DT>>> seem to support this.
>DT>>>
>DT>>> Is anyone aware of an alternate means of performing a mount via smb/cifs
>DT>>> or any patches to provide such functionality?
>DT>>>
>DT>>> I already have smbclient working with -k, but I am also interested in a
>DT>>> mount.
>DT>>
>DT>>Try smbnetfs from ports. It's fuse based and seems to work very nicely. If
>DT>>you have a large amount of shares floating in your network you want to
>DT>>restrict it to mount only the needed shares via the config file.
>DT>>Otherwise it will mount what it can find...
>DT>>
>DT>>It plays nicely with kerberos. When your ticket expires you immediately
>DT>>lose access; when you renew it you gain access again. All without the
>DT>>need to unmount/mount. Just call smbnetfs once you have your ticket. You
>DT>>may even do this from your .profile.
>DT>>
>DT>>harti
>DT>
>DT>Sorry for not replying sooner.
>DT>
>DT>Initial tests here are promising (I can see some mount paths being
>DT>exported from the server), but it's not fully working (I don't see all
>DT>of the mount paths that *should* be exported and I get permission denied
>DT>errors). My thoughts are leaning towards an issue in negotiating auth
>DT>with the server -- perhaps my krb creds aren't being used?
>
>You can test this easily: if your ticket expires you get permission denied
>errors when you try to look into the mounted directories. As soon as you
>renew the ticket you get access again. All without restarting smbnetfs.
>
>harti
I replaced all server names below with "example.com" (and derivatives)
where appropriate:
From my FreeBSD machine, using smbnetfs:
$ klist
klist: No ticket file: /tmp/krb5cc_1001
$ kinit det135
det135@realm.example.com's Password:
kinit: NOTICE: ticket renewable lifetime is 1 week
$ klist
Credentials cache: FILE:/tmp/krb5cc_1001
        Principal: det135@realm.example.com

  Issued           Expires          Principal
Jun  3 11:51:20  Jun  3 21:51:04  krbtgt/realm.example.com@realm.example.com
$ cd ~/mount/cifs.example.com/dir1
$ ls
ls: .: Permission denied
$ cd ..
$ ls
dir1 dir2
$ klist
Credentials cache: FILE:/tmp/krb5cc_1001
        Principal: det135@realm.example.com

  Issued           Expires          Principal
Jun  3 11:51:20  Jun  3 21:51:04  krbtgt/realm.example.com@realm.example.com
From my Mac, using (from Finder)
Go -> Connect to Server -> cifs://cifs.example.com/dir1
$ klist
klist: No Kerberos 5 tickets in credentials cache
$ kinit det135
Please enter the password for det135@realm.example.com:
$ klist
Kerberos 5 ticket cache: 'API:Initial default ccache'
Default principal: det135@realm.example.com

Valid Starting     Expires            Service Principal
06/03/08 11:59:41  06/03/08 21:59:41  krbtgt/realm.example.com@realm.example.com
        renew until 06/10/08 11:59:41
#### Here I mount via Finder before continuing with the commands below
$ cd /Volumes/dir1/
$ ls
subdir1 subdir2 file1 file2
$ klist
Kerberos 5 ticket cache: 'API:Initial default ccache'
Default principal: det135@realm.example.com

Valid Starting     Expires            Service Principal
06/03/08 11:59:41  06/03/08 21:59:41  krbtgt/realm.example.com@realm.example.com
        renew until 06/10/08 11:59:41
06/03/08 12:00:31  06/03/08 21:59:41  cifs/cifs.example.com@realm.example.com
        renew until 06/10/08 11:59:41
It looks like my creds aren't being used on the FreeBSD machine.
-Derek.
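A scripted version of the check Derek performs by eye above, added here as an example and not part of the original thread: an SMB client that authenticates with Kerberos has to fetch a cifs/<server>@REALM service ticket from the KDC before it can send an AP-REQ to the server, so that ticket shows up in klist after the first access to the share. If only the krbtgt/ entry is cached after touching the mount, the client never used the credentials (Derek's FreeBSD case); if the cifs/ entry is there, Kerberos was at least attempted (his Mac case). The server and realm names are the thread's placeholders, and the two klist samples are constructed to mirror the Heimdal and Apple outputs shown above.

```shell
#!/bin/sh
# Added diagnostic, not from the original thread. Decide from klist output
# whether the SMB client actually obtained a Kerberos service ticket for the
# file server. Server/realm names (cifs.example.com, realm.example.com) are
# the thread's placeholders, used here as assumptions.

# has_cifs_ticket KLIST_OUTPUT SERVER
# Returns 0 if a cifs/SERVER@ service ticket is present, 1 otherwise.
# -F: the server name is matched literally (dots are not wildcards).
has_cifs_ticket() {
    printf '%s\n' "$1" | grep -F -q "cifs/$2@"
}

# check_mount_auth SERVER KLIST_OUTPUT
# Prints one of:
#   kerberos   a cifs/SERVER service ticket is cached (Kerberos was attempted)
#   tgt-only   only the TGT is cached (client never asked for a service ticket)
#   no-ticket  nothing is cached (kinit was never run, or the ticket is gone)
check_mount_auth() {
    server=$1
    out=$2
    if has_cifs_ticket "$out" "$server"; then
        echo kerberos
    elif printf '%s\n' "$out" | grep -q 'krbtgt/'; then
        echo tgt-only
    else
        echo no-ticket
    fi
}

# Constructed sample: Heimdal klist on the FreeBSD box after the failed "ls".
# Only the TGT is cached, so smbnetfs never requested a service ticket.
FREEBSD_KLIST='Credentials cache: FILE:/tmp/krb5cc_1001
        Principal: det135@realm.example.com

  Issued           Expires          Principal
Jun  3 11:51:20  Jun  3 21:51:04  krbtgt/realm.example.com@realm.example.com'

# Constructed sample: Apple klist after a successful Finder mount.
# The cifs/ service ticket proves the client went to the KDC for SMB.
MAC_KLIST="Kerberos 5 ticket cache: 'API:Initial default ccache'
Default principal: det135@realm.example.com

Valid Starting     Expires            Service Principal
06/03/08 11:59:41  06/03/08 21:59:41  krbtgt/realm.example.com@realm.example.com
        renew until 06/10/08 11:59:41
06/03/08 12:00:31  06/03/08 21:59:41  cifs/cifs.example.com@realm.example.com
        renew until 06/10/08 11:59:41"

# Constructed sample: no credential cache at all.
EMPTY_KLIST='klist: No ticket file: /tmp/krb5cc_1001'

# Live usage on a real host: touch the share first, then classify.
#   ls ~/mount/cifs.example.com/dir1 >/dev/null 2>&1
#   check_mount_auth cifs.example.com "$(klist 2>&1)"
check_mount_auth cifs.example.com "$FREEBSD_KLIST"
check_mount_auth cifs.example.com "$MAC_KLIST"
check_mount_auth cifs.example.com "$EMPTY_KLIST"
```

Two caveats when reading the result on a live system. A cifs/ ticket only shows that the client asked the KDC for one; the server can still reject the AP-REQ (wrong keytab, clock skew, missing SPN), so "kerberos" plus "Permission denied" means the negotiation itself failed, while "tgt-only" plus "Permission denied" means the client fell back to some other mechanism without trying. And on a multi-realm setup the service principal may live in a different realm than the TGT, so match on the host name, as above, rather than on the full principal.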