The other option which worked for me was using the KRB5 credentials of the machine account to do the mount. A few months ago Mr. Layton pointed this out to me and I did eventually end up getting it to work fairly well. If you are root & need to browse around, you'll need to kinit as somebody (unless root is not just a local account but a domain user as well).

My setup is samba 3.6.3 connected to AD, but I imagine it should work the same if you have a samba4 DC.

My fstab looks something like:

    //server/share /localmntpoint cifs cache=strict,sec=krb5i,multiuser,acl,username=MACHINENAME$ 0 2

This is in ubuntu 12.10.

The only 2 issues I've found are:

1) When logging in via xfce I have to log-in twice. I login/logout so infrequently it doesn't matter much to me. I'm not sure why this is, but it only happens when I have my homedir on a samba mount using the above mounting line.

2) Just after setting up this mountpoint, I experienced it not mounting at startup, however logging in with a localuser and doing "mount -a", it would then work & things would work normally. This no longer happens (or doesn't happen regularly - race condition in ubuntu startup?) so I mostly had forgotten about it until I started typing this out.

For #2 I've opened a bug on launchpad:
https://bugs.launchpad.net/ubuntu/+source/upstart/+bug/1130781

Thanks,
Robert

----- Original Message -----
From: "Jeff Layton" <jlayton@xxxxxxxxxxxxxxx>
To: "steve" <steve@xxxxxxxxxxxx>
Cc: linux-cifs@xxxxxxxxxxxxxxx
Sent: Sunday, April 14, 2013 7:05:25 AM
Subject: Re: kerberised cifs must have root krb5cc_0 cache?

On Sat, 13 Apr 2013 16:27:46 +0200
steve <steve@xxxxxxxxxxxx> wrote:

> Ubuntu 12.10 clients in a Samba4 domain.
>
> Hi
> We are automounting cifs using:
> -osec=krb5,multiuser.
>
> It seems that unless the root cache:
> /tmp/krb5cc_0
> is present, users cannot enter the share even if they have a ticket with
> their own cache under /tmp
>
> Is this the correct behavior?
>
> If so, how to go about maintaining the cache alive. I thought about
> creating a domain user, say autofs-user and extracting his keytab. I
> would then run a script as root that calls k5start to maintain the
> ticket cache. But then, it could be overwritten if, say, Administrator
> logs in from a root account. Would that matter? So long as the root
> cache is present, does it matter which principal it has?
>
> Cheers,
> Steve

You do need a krb5 ticket somewhere to use as root's credentials. If you set the cruid= mount option that can be a credcache owned by a different user. Alternately, you can set up the system-wide keytab in /etc/krb5.keytab with the correct credentials for root.

--
Jeff Layton <jlayton@xxxxxxxxxxxxxxx>
--
To unsubscribe from this list: send the line "unsubscribe linux-cifs" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
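
An added example, not written by anyone in this thread: a small fstab check that reports, for each Kerberized cifs entry, which of the credential sources mentioned above (cruid=, the machine account, or root's own cache) the mount itself relies on. The helper names and the sample fstab are constructed, and the mapping from options to credential source is an assumption based only on what the thread says.

```python
# Added example: constructed sample fstab, hypothetical helper names.
SAMPLE_FSTAB = """\
# constructed sample entries
//server/share /localmntpoint cifs cache=strict,sec=krb5i,multiuser,acl,username=MACHINENAME$ 0 2
//server/data /mnt/data cifs sec=krb5,multiuser,cruid=1000 0 0
//server/pub /mnt/pub cifs sec=krb5,multiuser 0 0
//server/old /mnt/old cifs sec=ntlmssp,credentials=/root/.smbcred 0 0
UUID=abcd / ext4 errors=remount-ro 0 1
"""


def parse_options(field):
    """Split an fstab option field into {key: value}; bare flags map to ''."""
    opts = {}
    for item in field.split(","):
        if item:
            key, _, value = item.partition("=")
            opts[key] = value
    return opts


def credential_source(opts):
    """Name the credential the mount itself depends on, or None if not krb5."""
    if not opts.get("sec", "").startswith("krb5"):
        return None
    if "cruid" in opts:
        return "cruid: credcache owned by uid " + opts["cruid"]
    if opts.get("username", "").endswith("$"):
        # Assumption: the machine account's key is in the system-wide keytab.
        return "machine account " + opts["username"] + " via /etc/krb5.keytab"
    return "root: needs a ticket in root's cache (e.g. /tmp/krb5cc_0)"


def audit_fstab(text):
    """Return (mountpoint, source, multiuser) for each Kerberized cifs entry."""
    results = []
    for line in text.splitlines():
        if line.lstrip().startswith("#"):
            continue  # comment line
        fields = line.split()
        if len(fields) < 4 or fields[2] != "cifs":
            continue  # blank, malformed, or not a cifs mount
        opts = parse_options(fields[3])
        source = credential_source(opts)
        if source is not None:
            results.append((fields[1], source, "multiuser" in opts))
    return results


if __name__ == "__main__":
    for mountpoint, source, multiuser in audit_fstab(SAMPLE_FSTAB):
        print(f"{mountpoint}: {source} (multiuser={multiuser})")
```

Entries reported as depending on root's cache are the ones that stop working when /tmp/krb5cc_0 is missing or expired, which is the situation described in the original question.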