On Sun, 08 Jun 2008, Atte Peltomäki wrote:
> smbclient (and other samba utilities) do not refer to krb5.conf when
> figuring out the kerberos realm.
>
> you will have to put to your krb5.conf on both client and server:
>
> [domain_realms]
>  cifs.example.com = realm.example.com

I've done this step, but there seems to be no difference. When I did a
tcpdump and viewed the results in wireshark there was no attempt to do
anything kerberos related; the first thing related to auth mentioned was
NTLM. I don't see anything with lsknobs or make config. Am I missing
something?

-Derek.

> Otherwise it will just try to use example.com as the realm.
>
> On 6/6/08, Derek Taylor <[EMAIL PROTECTED]> wrote:
>> On Tue, 03 Jun 2008, Atte Peltomäki wrote:
>>> You will have to adjust your krb5.conf to map a given domain or hostname
>>> to a kerberos realm, if you are doing cross-realm authentication. See MIT
>>> kerberos admin guide for details.
>>
>> I'm pretty sure it's set up ok. I can use smbclient -k just fine:
>>
>> $ kinit
>> [EMAIL PROTECTED]'s Password:
>> kinit: NOTICE: ticket renewable lifetime is 1 week
>> $ klist
>> Credentials cache: FILE:/tmp/krb5cc_1001
>>         Principal: [EMAIL PROTECTED]
>>
>>   Issued           Expires          Principal
>> Jun  6 15:08:47  Jun  7 01:08:47  krbtgt/[EMAIL PROTECTED]
>> $ smbclient -k -U det135 //cifs.example.com/dir1
>> OS=[Unix] Server=[Samba 3.0.30]
>> smb: \> ls
>>   .                                   D        0  Thu Feb 14 14:46:42 2008
>>   ..                                  D        0  Fri Jun  6 10:16:29 2008
>>   [ other files/directories here ]
>>
>> smb: \> quit
>> $ cd ~/mount/smbbeta.pass.psu.edu/pass
>> $ ls
>> ls: .: Permission denied
>> $ klist
>> Credentials cache: FILE:/tmp/krb5cc_1001
>>         Principal: [EMAIL PROTECTED]
>>
>>   Issued           Expires          Principal
>> Jun  6 15:08:47  Jun  7 01:08:47  krbtgt/[EMAIL PROTECTED]
>> Jun  6 15:09:17  Jun  7 01:08:47  cifs/[EMAIL PROTECTED]
>> $
>>
>> -Derek.
>>
>>> On 6/3/08, Derek Taylor <[EMAIL PROTECTED]> wrote:
>>>> On Tue, 03 Jun 2008, Harti Brandt wrote:
>>>>> On Tue, 3 Jun 2008, Derek Taylor wrote:
>>>>>
>>>>> DT>On Thu, 22 May 2008, Hartmut Brandt wrote:
>>>>> DT>>Derek Taylor wrote:
>>>>> DT>>> This question was previously posed of the freebsd-questions list, but
>>>>> DT>>> with no response for a week, I'd like to try my luck here. If there's
>>>>> DT>>> any more information I should include, please speak up: I would be glad
>>>>> DT>>> to oblige.
>>>>> DT>>>
>>>>> DT>>> I would like to use smb/cifs with kerberos auth, but mount_smbfs doesn't
>>>>> DT>>> seem to support this.
>>>>> DT>>>
>>>>> DT>>> Is anyone aware of an alternate means of performing a mount via smb/cifs
>>>>> DT>>> or any patches to provide such functionality?
>>>>> DT>>>
>>>>> DT>>> I already have smbclient working with -k, but I am also interested in a
>>>>> DT>>> mount.
>>>>> DT>>
>>>>> DT>>Try smbnetfs from ports. It's fuse based and seems to work very nicely. If
>>>>> DT>>you have a large amount of shares floating in your network you want to
>>>>> DT>>restrict it to mount only the needed shares via the config file.
>>>>> DT>>Otherwise it will mount what it can find...
>>>>> DT>>
>>>>> DT>>It plays nicely with kerberos. When your ticket expires you immediately
>>>>> DT>>lose access; when you renew it you gain access again. All without the
>>>>> DT>>need to unmount/mount. Just call smbnetfs once you have your ticket. You
>>>>> DT>>may even do this from your .profile.
>>>>> DT>>
>>>>> DT>>harti
>>>>> DT>
>>>>> DT>Sorry for not replying sooner.
>>>>> DT>
>>>>> DT>Initial tests here are promising (I can see some mount paths being
>>>>> DT>exported from the server), but it's not fully working (I don't see all
>>>>> DT>of the mount paths that *should* be exported and I get permission denied
>>>>> DT>errors). My thoughts are leaning towards an issue in negotiating auth
>>>>> DT>with the server -- perhaps my krb creds aren't being used?
>>>>>
>>>>> You can test this easily: if your ticket expires you get permission denied
>>>>> errors when you try to look into the mounted directories. As soon as you
>>>>> renew the ticket you get access again. All without restarting smbnetfs.
>>>>>
>>>>> harti
>>>>
>>>> I replaced all server names below with "example.com" (and derivatives)
>>>> where appropriate:
>>>>
>>>> From my FreeBSD machine, using smbnetfs:
>>>>
>>>> $ klist
>>>> klist: No ticket file: /tmp/krb5cc_1001
>>>> $ kinit det135
>>>> [EMAIL PROTECTED]'s Password:
>>>> kinit: NOTICE: ticket renewable lifetime is 1 week
>>>> $ klist
>>>> Credentials cache: FILE:/tmp/krb5cc_1001
>>>>         Principal: [EMAIL PROTECTED]
>>>>
>>>>   Issued           Expires          Principal
>>>> Jun  3 11:51:20  Jun  3 21:51:04  krbtgt/[EMAIL PROTECTED]
>>>> $ cd ~/mount/cifs.example.com/dir1
>>>> $ ls
>>>> ls: .: Permission denied
>>>> $ cd ..
>>>> $ ls
>>>> dir1    dir2
>>>> $ klist
>>>> Credentials cache: FILE:/tmp/krb5cc_1001
>>>>         Principal: [EMAIL PROTECTED]
>>>>
>>>>   Issued           Expires          Principal
>>>> Jun  3 11:51:20  Jun  3 21:51:04  krbtgt/[EMAIL PROTECTED]
>>>>
>>>>
>>>> From my Mac, using (from Finder)
>>>> Go -> Connect to Server -> cifs://cifs.example.com/dir1
>>>>
>>>> $ klist
>>>> klist: No Kerberos 5 tickets in credentials cache
>>>> $ kinit det135
>>>> Please enter the password for [EMAIL PROTECTED]:
>>>> $ klist
>>>> Kerberos 5 ticket cache: 'API:Initial default ccache'
>>>> Default principal: [EMAIL PROTECTED]
>>>>
>>>> Valid Starting     Expires            Service Principal
>>>> 06/03/08 11:59:41  06/03/08 21:59:41  krbtgt/[EMAIL PROTECTED]
>>>>         renew until 06/10/08 11:59:41
>>>>
>>>> #### Here I mount via Finder before continuing with the commands below
>>>>
>>>> $ cd /Volumes/dir1/
>>>> $ ls
>>>> subdir1    subdir2    file1    file2
>>>> $ klist
>>>> Kerberos 5 ticket cache: 'API:Initial default ccache'
>>>> Default principal: [EMAIL PROTECTED]
>>>>
>>>> Valid Starting     Expires            Service Principal
>>>> 06/03/08 11:59:41  06/03/08 21:59:41  krbtgt/[EMAIL PROTECTED]
>>>>         renew until 06/10/08 11:59:41
>>>> 06/03/08 12:00:31  06/03/08 21:59:41  cifs/[EMAIL PROTECTED]
>>>>         renew until 06/10/08 11:59:41
>>>>
>>>>
>>>> It looks like my creds aren't being used on the FreeBSD machine.
>>>>
>>>> -Derek.
>>>> _______________________________________________
>>>> freebsd-hackers@freebsd.org mailing list
>>>> http://lists.freebsd.org/mailman/listinfo/freebsd-hackers
>>>> To unsubscribe, send any mail to "[EMAIL PROTECTED]"
>>>>
>>>
>>
>
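The thread turns on whether the client's krb5.conf maps the CIFS server's hostname to the right Kerberos realm; if it does not, the library falls back to default_realm (or a realm guessed from the DNS domain) and the client never obtains a cifs/ service ticket, which is consistent with seeing only NTLM on the wire. The following is an added example, not code from the thread, from smbnetfs or from Samba: a POSIX sh function that emulates the [domain_realm] lookup order that both MIT krb5 and Heimdal apply to a config file (exact hostname first, then each parent domain written with a leading dot, then default_realm), so you can check what realm a given server name resolves to before reaching for tcpdump. Note that the section name in krb5.conf is [domain_realm], singular. DNS-based realm discovery (_kerberos TXT records) and KDC referrals are not emulated. The krb5.conf text and the realm names in it are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the thread): emulate the krb5.conf [domain_realm]
# lookup that libkrb5 performs for a server hostname. Lookup order follows
# MIT krb5 / Heimdal for the config-file part only: exact host, then parent
# domains with a leading dot, then [libdefaults] default_realm.
# The config below is constructed for this example; realm names are assumed.

KRB5_CONF_EXAMPLE=$(cat <<'EOF'
[libdefaults]
    default_realm = REALM.EXAMPLE.COM

[domain_realm]
    cifs.example.com = REALM.EXAMPLE.COM
    .example.com = EXAMPLE.COM
    .lab.example.net = LAB.EXAMPLE.NET
EOF
)

# krb5_realm_for_host CONF_TEXT HOSTNAME
# Prints the realm that [domain_realm] maps HOSTNAME to, or default_realm
# when no entry matches (the realm smbclient/smbnetfs would then request a
# cifs/HOSTNAME ticket from). Hostnames are compared case-insensitively.
krb5_realm_for_host() {
    conf=$1
    host=$(printf '%s' "$2" | tr 'A-Z' 'a-z')

    # Pull "key value" pairs out of the [domain_realm] section only; other
    # sections also contain "=" lines and must be ignored.
    mappings=$(printf '%s\n' "$conf" | awk '
        /^[[:space:]]*\[/ { insect = ($0 ~ /^[[:space:]]*\[domain_realm\]/); next }
        insect && /=/ {
            sub(/^[[:space:]]+/, "")
            sub(/[[:space:]]*=[[:space:]]*/, " ")
            print tolower($1), $2
        }')

    # 1. exact hostname match
    realm=$(printf '%s\n' "$mappings" | awk -v h="$host" '$1 == h { print $2; exit }')
    [ -n "$realm" ] && { printf '%s\n' "$realm"; return 0; }

    # 2. walk up the parent domains, each tried with a leading dot
    d=$host
    while [ "${d#*.}" != "$d" ]; do
        d=${d#*.}
        realm=$(printf '%s\n' "$mappings" | awk -v k=".$d" '$1 == k { print $2; exit }')
        [ -n "$realm" ] && { printf '%s\n' "$realm"; return 0; }
    done

    # 3. no mapping applies: fall back to [libdefaults] default_realm
    printf '%s\n' "$conf" | awk '/^[[:space:]]*default_realm/ { sub(/.*=[[:space:]]*/, ""); print; exit }'
}

# Sample lookups against the constructed config.
krb5_realm_for_host "$KRB5_CONF_EXAMPLE" cifs.example.com       # REALM.EXAMPLE.COM (exact)
krb5_realm_for_host "$KRB5_CONF_EXAMPLE" files.example.com      # EXAMPLE.COM (.example.com)
krb5_realm_for_host "$KRB5_CONF_EXAMPLE" host.lab.example.net   # LAB.EXAMPLE.NET
krb5_realm_for_host "$KRB5_CONF_EXAMPLE" other.example.org      # REALM.EXAMPLE.COM (default)
```

To use it against a real client, pass the contents of /etc/krb5.conf and the exact hostname you hand to smbclient or put in the smbnetfs config; if the printed realm is not the one that issued your krbtgt, the cifs/ ticket request will go to the wrong KDC (or nowhere), which matches the symptom of a credential cache that only ever holds the TGT. The function deliberately reads only the config file, so a client that obtains its realm from DNS TXT records can still differ from what it prints.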