[systemd-devel] systemd/automount for multiple users using Kerberos

Sebastian Treiber sebastian.treiber at gns-systems.de
Fri Apr 7 08:37:06 UTC 2017


Dear Mantas,

Thank you very much for your reply.
At least on my system (CentOS7) this does not work. The mount process
tries to mount the share as root even when specifying "multiuser":
From /etc/fstab:
//cifs_filer/share /mount_point cifs sec=krb5,multiuser,x-systemd.automount 0 0

From "journalctl -xf":
Apr 07 10:31:03 <hostname> cifs.upcall[78691]: sec=1
Apr 07 10:31:03 <hostname> cifs.upcall[78691]: uid=0
Apr 07 10:31:03 <hostname> cifs.upcall[78691]: creduid=0
Apr 07 10:31:03 <hostname> cifs.upcall[78691]: user=root
Apr 07 10:31:03 <hostname> cifs.upcall[78691]: pid=78686
Apr 07 10:31:03 <hostname> cifs.upcall[78691]: find_krb5_cc: considering /tmp/krb5cc_1861017645
Apr 07 10:31:03 <hostname> cifs.upcall[78691]: find_krb5_cc: /tmp/krb5cc_1861017645 is owned by 1861017645, not 0
Apr 07 10:31:03 <hostname> cifs.upcall[78691]: find_krb5_cc: considering /tmp/krb5cc_1860718904_nEIDDll408
Apr 07 10:31:03 <hostname> cifs.upcall[78691]: find_krb5_cc: /tmp/krb5cc_1860718904_nEIDDll408 is owned by 1860718904, not 0
Apr 07 10:31:03 <hostname> cifs.upcall[78691]: find_krb5_cc: considering /tmp/krb5cc_1860718904
Apr 07 10:31:03 <hostname> cifs.upcall[78691]: find_krb5_cc: /tmp/krb5cc_1860718904 is owned by 1860718904, not 0
Apr 07 10:31:03 <hostname> cifs.upcall[78691]: krb5_get_init_creds_keytab: -1765328203

Is that intended behavior or not?

Best regards,

Sebastian

On 06.04.2017 at 19:58, Mantas Mikulėnas wrote:
> On Wed, Apr 5, 2017 at 5:28 PM, Sebastian Treiber
> <sebastian.treiber at gns-systems.de> wrote:
>
>     Dear members of the Systemd mailing list,
>
>     for a long time I have been struggling with a problem which sounds
>     relatively easy:
>     I have a cifs file server and a Linux (CentOS 7) client. On the
>     client I want to mount a share from the file server using Kerberos.
>     Only the root user can perform the mount but typically it has no
>     Kerberos ticket. A user, on the other hand, has a Kerberos ticket
>     but must not mount anything.
>     That means the mount has to be done by the root user and the uid
>     of a user who has a valid Kerberos ticket has to be used as an
>     option. For example:
>
>
> cifs supports `-o multiuser`, which allows each UID to use a separate
> session. So you can perform the mount as root using the machine
> credentials (keytab) or another dedicated account, and each user will
> automatically use their own credentials when accessing the share.
>
> -- 
> Mantas Mikulėnas <grawity at gmail.com>

-- 

Kind regards
*Dr. Sebastian Treiber* | Systems Analyst


GNS Systems - IT Services for Engineering
<http://www.gns-systems.de>

GNS Systems GmbH
Fronäckerstraße 36/1
71063 Sindelfingen
Tel.: +49 (0)7031/68838-66
Fax: +49 (0)7031/68838-11


Managing Director: Christopher Woll
Registered office: Braunschweig
Court of registration: Amtsgericht Braunschweig
Registration number: HRB 4890
gns-systems.de <http://www.gns-systems.de>
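
A small parser for cifs.upcall journal lines like those quoted in the message above, added here as an illustration and not part of the original e-mail: it groups messages by helper PID, lists the credential caches the helper skipped because of ownership, and names the keytab error. The sample lines are constructed after the excerpt, the function names are hypothetical, and the error table holds only the one MIT krb5 code that appears in the log.

```python
import re

# Constructed sample, modelled on the journal excerpt in the message above.
SAMPLE = """\
Apr 07 10:31:03 host cifs.upcall[78691]: uid=0
Apr 07 10:31:03 host cifs.upcall[78691]: creduid=0
Apr 07 10:31:03 host cifs.upcall[78691]: find_krb5_cc: considering /tmp/krb5cc_1861017645
Apr 07 10:31:03 host cifs.upcall[78691]: find_krb5_cc: /tmp/krb5cc_1861017645 is owned by 1861017645, not 0
Apr 07 10:31:03 host cifs.upcall[78691]: krb5_get_init_creds_keytab: -1765328203
""".splitlines()

# Subset of the MIT krb5 error table (krb5.h); extend as needed.
KRB5_ERRORS = {-1765328203: "KRB5_KT_NOTFOUND (key table entry not found)"}
MSG = re.compile(r"cifs\.upcall\[(\d+)\]:\s*(.*)$")
FIELD = re.compile(r"^(uid|creduid|user|pid)=(\S+)$")
SKIPPED = re.compile(r"^find_krb5_cc: (\S+) is owned by (\d+), not (\d+)$")
KEYTAB = re.compile(r"^krb5_get_init_creds_keytab: (-?\d+)$")

def analyze_upcall(lines):
    """Group cifs.upcall messages by helper PID and summarise each credential search."""
    runs = {}
    for line in lines:
        m = MSG.search(line)
        if not m:
            continue  # not a cifs.upcall message
        run = runs.setdefault(int(m.group(1)), {"fields": {}, "skipped": [], "keytab_error": None})
        msg = m.group(2).strip()
        if f := FIELD.match(msg):
            run["fields"][f.group(1)] = f.group(2)
        elif s := SKIPPED.match(msg):
            run["skipped"].append((s.group(1), int(s.group(2))))
        elif k := KEYTAB.match(msg):
            run["keytab_error"] = KRB5_ERRORS.get(int(k.group(1)), f"krb5 error {k.group(1)}")
    return runs

def diagnose(run):
    """Return a one-line reading of why the helper found no usable credentials."""
    creduid = run["fields"].get("creduid", "?")
    parts = [f"credentials requested for uid {creduid}"]
    if run["skipped"]:
        owners = sorted({owner for _, owner in run["skipped"]})
        parts.append(f"{len(run['skipped'])} ccache(s) skipped, owned by {owners}")
    if run["keytab_error"]:
        parts.append(f"keytab fallback failed: {run['keytab_error']}")
    return "; ".join(parts)

if __name__ == "__main__":
    for pid, run in analyze_upcall(SAMPLE).items():
        print(pid, diagnose(run))
```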


