Hi Steve, I guess my system is not behaving as it is supposed to. Here is what I have in /etc/request-key.d/cifs.spnego.conf
create cifs.spnego * * /usr/sbin/cifs.upcall %k However, I definitely must kinit -k and get a tgt in order to connect. It doesn't seem to work automatically as you described. That's not a problem, I can just kinit automatically. But the problem I'm having is that without periodically accessing the share, CIFS stops being able to access the share and I get "Key has been revoked" and "CIFS VFS: cifs_mount failed w/return code = -128". So maybe the issue is related to what you say, CIFS is not doing the kinit/getting the service principal on its own except right when autofs is started. It doesn't seem to renew its service principals. Thanks, Doug On Jul 15, 2013, at 1:21 PM, steve <[email protected]> wrote: > On Mon, 2013-07-15 at 12:38 -0700, Doug Clow wrote: >> After doing some experimentation I found a workaround, but I still don't >> understand the underlying problem. I put in a cron job that touches a file >> on the share every minute and now my other cron jobs run correctly. I have >> to touch the file periodically or else the share will "go bad" until I >> restart autofs. >> > Hi > cifs.upcall should take care of that without the cron. If you have > sec=krb5 it will automatically look for the key of the user specified > for the mount in the keytab so that even if the ticket has expired 'gone > bad', it refreshes it for you when you need to access the mounted share. > > I too thought that I had to keep a root cache alive for cifs until I had > a long conversation about this on the cifs list. I even suggested they > add a switch to cifs.upcall to specify a keytab other > than /etc/krb5.keytab. It's the -d option to cifs.upcall included as of > cifs-utils 6.1 > > Maybe I've not understood your problem but it certainly is not necessary > to use cron to keep tickets alive for cifs as you are doing at present. > Do let me have any details which you don't understand as it really has > made our domain a lot easier to maintain. > Cheers, > Steve > > > -- > To unsubscribe from this list: send the line "unsubscribe linux-cifs" in > the body of a message to [email protected] > More majordomo info at http://vger.kernel.org/majordomo-info.html -- To unsubscribe from this list: send the line "unsubscribe linux-cifs" in the body of a message to [email protected] More majordomo info at http://vger.kernel.org/majordomo-info.html
