Bug#1023609: [Pkg-samba-maint] Bug#1023609: smbclient does not work with kerberos ccache of KEYRING: type
08.11.2022 14:19, Vincent Danjean wrote:
[building samba with mit kerberos]
>> Actually, I had a thought like this for quite some time, to try the MIT kerberos samba build. Myself, I don't know much about the two kerberos implementations and less so about their usage in samba. What I do know is that redhat/fedora uses mit-kerberos builds of samba for quite some time, their build instructions remove the whole third_party/heimdal directory as the very first step to ensure this stuff is never used by the samba build. So it might be interesting to take a look there. For now I have other stuff to do but this is definitely in my todo list.
>>
>> An additional data point: with samba, you have to rely on yourself basically, since for many things, there's no one to assist you.
>
> Thank you for your feedback. Perhaps, the first thing I will do will be to get the fedora smbclient binary (with its libraries) just to check that my use case would be successful. In any case, I will report here the progress I do if any.

I just gave it a try, and it went rather smoothly actually: one needs to add the libkrb5-dev package to build-depends, specify 3 extra configure options, and adjust file lists for a few packages (exclude heimdal libs and include a few new files).

But now I've a big question, actually two:

1. how does one set up the samba AD DC --with-experimental-mit-ad-dc,
2. how does one "upgrade" an existing samba AD DC controller created with samba which was built with the embedded heimdal, to samba built --with-experimental-mit-ad-dc ?

I guess this is a question for samba-users@ ?

Thanks,

/mjt
Bug#1023609: [Pkg-samba-maint] Bug#1023609: smbclient does not work with kerberos ccache of KEYRING: type
On 08/11/2022 at 10:51, Michael Tokarev wrote:
> 07.11.2022 23:54, Vincent Danjean wrote:
>> .. As I'm only using the client part (the AD is managed by Microsoft products in my case), do you have some advice about how to modify debian/rules,control to (locally) build the samba package with MIT?
>
> Are you really so serious about using the in-kernel ccache?

I did not find another way to make cifs automount with kerberos work. Using FILE: ccache does not work because credentials are required for the initial mount (done by autofs), and not only for the later accesses (that are done in the user context with its kerberos ticket, as I'm using multiuser,sec=krb5). For the initial mount by autofs, I'm using cruid=${UID} to do it on behalf of the initiating user with its kerberos credentials. But with FILE: ccache, the exact filename is not known. Another workaround would be to have a fixed (by user) FILE:filename, but I did not test if that would work with multiple parallel sessions of the same user on the same machine (and some long, non-interactive sessions started with k5start).

So, for cifs automount, I need
1) that the cifs mount with the cruid=${UID} be able to find the kerberos ticket of the user with the ${UID} uid. I'm currently using KEYRING: for that
2) that smbclient be able to list the available shares with the credentials of the user with the ${UID} uid ("smbclient -gL server") => I'm trying to solve that by recompiling smbclient with MIT in order to also use the KEYRING: ccache

Changing the AD or the CIFS server (allowing the machine to do the "smbclient -gL server" without auth or with the host keytab) is not really an option. The people in charge of the AD won't want to change such things in the AD for the small group doing HPC on linux in the big structure using mainly windows (it is already very difficult to just get some groups we need...)

>> I suppose there will be :
>> - a few build dependencies to change (quickly looking, I see nothing about heimdal?)
>> - a few configure options to tweak
>> I should be able to find the options to add such as --with-system-mitkrb5 (and --with-experimental-mit-ad-dc just to pass the compilation?) but what should be disabled? Or which binary packages should I disable/remove ? I would be very pleased if you can give me a few hints.
>
> I'd have to take a look at this. So far I've no idea how large this project would be and what'll be needed.
>
> Actually, I had a thought like this for quite some time, to try the MIT kerberos samba build. Myself, I don't know much about the two kerberos implementations and less so about their usage in samba. What I do know is that redhat/fedora uses mit-kerberos builds of samba for quite some time, their build instructions remove the whole third_party/heimdal directory as the very first step to ensure this stuff is never used by the samba build. So it might be interesting to take a look there. For now I have other stuff to do but this is definitely in my todo list.
>
> An additional data point: with samba, you have to rely on yourself basically, since for many things, there's no one to assist you.

Thank you for your feedback. Perhaps, the first thing I will do will be to get the fedora smbclient binary (with its libraries) just to check that my use case would be successful. In any case, I will report here the progress I do if any.

Regards,
Vincent
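The automount flow Vincent describes above, as an added shell example that is not part of the bug thread and not code from either poster: share discovery is done with `smbclient -gL server` under the user's own Kerberos credentials, and each discovered share is mounted with `sec=krb5,multiuser,cruid=<uid>` so the kernel cifs client looks up that user's ticket. The function below parses the grepable `type|name|comment` records that `smbclient -g` prints into autofs indirect-map entries (`key options location`), keeping only Disk shares and dropping hidden/administrative ones. The server name, share listing and uid are constructed sample data; the script does not call smbclient itself, and the real invocation is shown only in a comment.

```shell
#!/bin/sh
# Added example, not from the bug thread: turn `smbclient -gL SERVER` output into
# autofs indirect-map entries that mount with Kerberos, multiuser and cruid=<uid>.
# Everything below (server name, shares, uid) is constructed sample data.

# smbclient -g prints one record per line as  type|name|comment.
# Keep only "Disk" shares and skip hidden/administrative ones (name ends in "$").
shares_to_map() {
    # $1 = server, $2 = uid passed as cruid=, stdin = smbclient -g output
    server=$1 uid=$2
    while IFS='|' read -r type name comment; do
        [ "$type" = "Disk" ] || continue
        case $name in *'$') continue ;; esac
        # Indirect-map line: key, mount options, location
        printf '%s -fstype=cifs,sec=krb5,multiuser,cruid=%s ://%s/%s\n' \
            "$name" "$uid" "$server" "$name"
    done
}

# Constructed sample output in the shape smbclient -gL emits (not a real listing).
SAMPLE_LISTING='Disk|data|Project data
Disk|home|User homes
Disk|ADMIN$|Remote Admin
IPC|IPC$|IPC Service
Printer|lp|Lab printer'

# In a real map generator run as the requesting user, the listing would come from
#   smbclient -gL "$server" 2>/dev/null | shares_to_map "$server" "$(id -u)"
# so that both the share listing and the later cifs mount use that user's ticket.
demo() {
    printf '%s\n' "$SAMPLE_LISTING" | shares_to_map fileserver.example.net 1000
}

demo
```

Only the two ordinary Disk shares survive; `ADMIN$`, `IPC$` and the printer are filtered out, and every surviving entry carries the same `cruid` so the kernel resolves the ticket of the user who triggered the mount rather than root's.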
Bug#1023609: [Pkg-samba-maint] Bug#1023609: smbclient does not work with kerberos ccache of KEYRING: type
07.11.2022 23:54, Vincent Danjean wrote:
> .. As I'm only using the client part (the AD is managed by Microsoft products in my case), do you have some advice about how to modify debian/rules,control to (locally) build the samba package with MIT?

Are you really so serious about using the in-kernel ccache?

> I suppose there will be :
> - a few build dependencies to change (quickly looking, I see nothing about heimdal?)
> - a few configure options to tweak
> I should be able to find the options to add such as --with-system-mitkrb5 (and --with-experimental-mit-ad-dc just to pass the compilation?) but what should be disabled? Or which binary packages should I disable/remove ? I would be very pleased if you can give me a few hints.

I'd have to take a look at this. So far I've no idea how large this project would be and what'll be needed.

Actually, I had a thought like this for quite some time, to try the MIT kerberos samba build. Myself, I don't know much about the two kerberos implementations and less so about their usage in samba. What I do know is that redhat/fedora uses mit-kerberos builds of samba for quite some time, their build instructions remove the whole third_party/heimdal directory as the very first step to ensure this stuff is never used by the samba build. So it might be interesting to take a look there. For now I have other stuff to do but this is definitely in my todo list.

An additional data point: with samba, you have to rely on yourself basically, since for many things, there's no one to assist you.

/mjt