[PATCH][SMB3] mount.cifs integration with PAM

Hi,

Currently, for sec=krb5, mount.cifs assumes that the Kerberos TGT is
already downloaded and stored in the krb5 cred cache file. If an AD user
is logged in through ssh or su, those utilities authenticate with PAM
(winbind or sssd), and winbind/sssd can be configured to perform
krbtgt house-keeping (like refreshing the tickets). However, if the AD
user is not logged in, and the local root user wants to mount the
share using the credentials for an AD user, he/she will need to resort
to manual kinit, and this does not go through winbind/sssd.

The attached patch introduces PAM authentication in mount.cifs. If
sec=krb5 is specified, mount.cifs will attempt to authenticate with
PAM as the username mentioned in mount options. If the authentication
fails, we fall back to the old behavior and proceed with the mount
nevertheless.

@linux-cifs: Please review the overall flow, and let me know if there
are any issues/suggestions. The feature is enabled by default in a
configure parameter (krb5pam), and can be disabled. Do we also need a
new mount option to trigger this new behavior? (try-pam-auth?)

@samba-technical: Please review the overall flow of PAM
authentication. Currently, I'm mainly doing pam_authenticate and
pam_setcred. Is there any added benefit in opening and closing a session?
Is it possible to call pam_open_session from mount.cifs, and then call
pam_close_session in another binary (umount.cifs)?

Also attached the output of my test runs.

Thanks in advance.
-- 
-Shyam
localadmin@linux-vm:~$ sudo mount -t cifs //mystorageaccount.file.core.windows.net/share2 /mnt/abc/ -o vers=3.0,sec=krb5,serverino,cifsacl,mfsymlinks,actimeo=60,multiuser,cruid=aduser,username=aduser,domain=mydomain
Authenticating as user: aduser
Password:  (no echo)
localadmin@linux-vm:~$ mount -t cifs
//mystorageaccount.file.core.windows.net/share2 on /mnt/abc type cifs (rw,relatime,vers=3.0,sec=krb5,cruid=11195,cache=strict,multiuser,domain=mydomain,uid=0,noforceuid,gid=0,noforcegid,file_mode=0755,dir_mode=0755,soft,persistenthandles,nounix,serverino,mapposix,cifsacl,mfsymlinks,noperm,rsize=1048576,wsize=1048576,bsize=1048576,echo_interval=60,actimeo=60)

aduser@linux-vm:~$ ls /mnt/abc/
a.sh  abc  bac  datefile  dir1  hahaha  test.sh  testfile

localadmin@linux-vm:~$ sudo mount -t cifs //mystorageaccount.file.core.windows.net/share2 /mnt/abc/ -o vers=3.0,sec=krb5,serverino,cifsacl,mfsymlinks,actimeo=60,multiuser,cruid=aduser,credentials=/home/localadmin/.smb/aduser.creds
Authenticating as user: aduser
localadmin@linux-vm:~$ mount -t cifs
//mystorageaccount.file.core.windows.net/share2 on /mnt/abc type cifs (rw,relatime,vers=3.0,sec=krb5,cruid=11195,cache=strict,multiuser,domain=mydomain,uid=0,noforceuid,gid=0,noforcegid,file_mode=0755,dir_mode=0755,soft,persistenthandles,nounix,serverino,mapposix,cifsacl,mfsymlinks,noperm,rsize=1048576,wsize=1048576,bsize=1048576,echo_interval=60,actimeo=60)
localadmin@linux-vm:~$ ls -l /tmp/krb5cc_11195
-rw------- 1 aduser root 6077 Aug 14 04:19 /tmp/krb5cc_11195

Attachment: 0001-mount.cifs-Try-to-authenticate-the-krb5-user-against.patch