Re: Kerberized CIFS client?



On Tue, 03 Jun 2008, Harti Brandt wrote:
On Tue, 3 Jun 2008, Derek Taylor wrote:

DT>On Thu, 22 May 2008, Hartmut Brandt wrote:
DT>>Derek Taylor wrote:
DT>>> This question was previously posed of the freebsd-questions list, but
DT>>> with no response for a week, I'd like to try my luck here. If there's
DT>>> any more information I should include, please speak up: I would be glad
DT>>> to oblige.
DT>>>
DT>>> I would like to use smb/cifs with kerberos auth, but mount_smbfs doesn't
DT>>> seem to support this.
DT>>>
DT>>> Is anyone aware of an alternate means of performing a mount via smb/cifs
DT>>> or any patches to provide such functionality?
DT>>>
DT>>> I already have smbclient working with -k, but I am also interested in a
DT>>> mount.
DT>>
DT>>Try smbnetfs from ports. It's fuse based and seems to work very nicely. If
DT>>you have a large amount of shares floating in your network you want to
DT>>restrict it to mount only the needed shares via the config file.
DT>>Otherwise it will mount what it can find...
DT>>
DT>>It plays nicely with kerberos. When your ticket expires you immediately
DT>>lose access; when you renew it you gain access again. All without the
DT>>need to unmount/mount. Just call smbnetfs once you have your ticket. You
DT>>may even do this from your .profile.
DT>>
DT>>harti
DT>
DT>Sorry for not replying sooner.
DT>
DT>Initial tests here are promising (I can see some mount paths being
DT>exported from the server), but it's not fully working (I don't see all
DT>of the mount paths that *should* be exported and I get permission denied
DT>errors). My thoughts are leaning towards an issue in negotiating auth
DT>with the server -- perhaps my krb creds aren't being used?

You can test this easily: if your ticket expires you get permission denied
errors when you try to look into the mounted directories. As soon as you
renew the ticket you get access again. All without restarting smbnetfs.

harti

I replaced all server names below with "example.com" (and derivatives)
where appropriate:

From my FreeBSD machine, using smbnetfs:

$ klist
klist: No ticket file: /tmp/krb5cc_1001
$ kinit det135
det135@xxxxxxxxxxxxxxxxx's Password:
kinit: NOTICE: ticket renewable lifetime is 1 week
$ klist
Credentials cache: FILE:/tmp/krb5cc_1001
Principal: det135@xxxxxxxxxxxxxxxxx

Issued Expires Principal
Jun 3 11:51:20 Jun 3 21:51:04 krbtgt/realm.example.com@xxxxxxxxxxxxxxxxx
$ cd ~/mount/cifs.example.com/dir1
$ ls
ls: .: Permission denied
$ cd ..
$ ls
dir1 dir2
$ klist
Credentials cache: FILE:/tmp/krb5cc_1001
Principal: det135@xxxxxxxxxxxxxxxxx

Issued Expires Principal
Jun 3 11:51:20 Jun 3 21:51:04 krbtgt/realm.example.com@xxxxxxxxxxxxxxxxx


From my Mac, using (from Finder)
Go -> Connect to Server -> cifs://cifs.example.com/dir1

$ klist
klist: No Kerberos 5 tickets in credentials cache
$ kinit det135
Please enter the password for det135@xxxxxxxxxxxxxxxxx:
$ klist
Kerberos 5 ticket cache: 'API:Initial default ccache'
Default principal: det135@xxxxxxxxxxxxxxxxx

Valid Starting Expires Service Principal
06/03/08 11:59:41 06/03/08 21:59:41 krbtgt/realm.example.com@xxxxxxxxxxxxxxxxx
renew until 06/10/08 11:59:41

#### Here I mount via Finder before continuing with the commands below

$ cd /Volumes/dir1/
$ ls
subdir1 subdir2 file1 file2
$ klist
Kerberos 5 ticket cache: 'API:Initial default ccache'
Default principal: det135@xxxxxxxxxxxxxxxxx

Valid Starting Expires Service Principal
06/03/08 11:59:41 06/03/08 21:59:41 krbtgt/realm.example.com@xxxxxxxxxxxxxxxxx
renew until 06/10/08 11:59:41
06/03/08 12:00:31 06/03/08 21:59:41 cifs/cifs.example.com@xxxxxxxxxxxxxxxxx
renew until 06/10/08 11:59:41


It looks like my creds aren't being used on the FreeBSD machine.

-Derek.
_______________________________________________
freebsd-hackers@xxxxxxxxxxx mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-hackers
To unsubscribe, send any mail to "freebsd-hackers-unsubscribe@xxxxxxxxxxx"
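The two klist listings above differ in one telling line: after the Finder mount, the Mac's cache holds a cifs/cifs.example.com service ticket, while the FreeBSD cache never gains one. A service ticket is only issued when a client actually performs a Kerberos exchange with that server, so its absence after a mount is a direct sign that the cached credentials were not used. The script below is an added example, not code from the thread or from smbnetfs: it reads klist output (live, or the two constructed samples embedded here, modelled on the listings above with REALM.EXAMPLE.COM standing in for the redacted realm) and reports whether a CIFS service ticket for a given server is present. It is independent of which klist (Heimdal on FreeBSD, MIT on the Mac) produced the text, since both print the service principal on the ticket line.

```shell
#!/bin/sh
# Added example, not code from the thread: decide from a klist listing
# whether a CIFS service ticket for a given server was ever obtained.

# Exit 0 if the klist text on stdin contains a cifs/HOST@REALM principal.
# grep -F treats the dots in the host name literally.
has_cifs_ticket() {
    host="$1"
    grep -qF "cifs/$host@"
}

# Print a one-line verdict for HOST from the klist text on stdin.
# Returns 0 when the service ticket is present, 1 when it is not.
ticket_verdict() {
    host="$1"
    if has_cifs_ticket "$host"; then
        echo "$host: cifs service ticket present, Kerberos credentials were used"
        return 0
    fi
    echo "$host: no cifs service ticket, the mount did not use the Kerberos cache"
    return 1
}

# Run against the live credential cache after accessing the mount.
# klist exits non-zero and prints "No ticket file" / "No Kerberos 5 tickets"
# when there is no cache at all; that is reported as "no ticket", not as a
# script error.
check_live() {
    host="$1"
    klist 2>/dev/null | ticket_verdict "$host"
}

# Constructed sample listings (assumed layout, modelled on the thread's two
# listings; REALM.EXAMPLE.COM is a placeholder for the redacted realm).
sample_freebsd() {
    cat <<'EOF'
Credentials cache: FILE:/tmp/krb5cc_1001
Principal: det135@REALM.EXAMPLE.COM

  Issued           Expires          Principal
Jun  3 11:51:20  Jun  3 21:51:04  krbtgt/realm.example.com@REALM.EXAMPLE.COM
EOF
}

sample_mac() {
    cat <<'EOF'
Kerberos 5 ticket cache: 'API:Initial default ccache'
Default principal: det135@REALM.EXAMPLE.COM

Valid Starting     Expires            Service Principal
06/03/08 11:59:41  06/03/08 21:59:41  krbtgt/realm.example.com@REALM.EXAMPLE.COM
        renew until 06/10/08 11:59:41
06/03/08 12:00:31  06/03/08 21:59:41  cifs/cifs.example.com@REALM.EXAMPLE.COM
        renew until 06/10/08 11:59:41
EOF
}

# Stand-alone demonstration on both samples. The FreeBSD sample yields a
# non-zero status by design, so it is guarded to keep the script going.
for src in sample_freebsd sample_mac; do
    "$src" | ticket_verdict cifs.example.com || :
done
```

On a real host, run `check_live cifs.example.com` once before and once after listing the mounted directory: a cache that shows only the krbtgt entry both times reproduces the FreeBSD symptom in the thread, while a new cifs/ entry after the listing shows the mount negotiated Kerberos.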


