<div dir="ltr"><div><br></div><div class="gmail_extra"><br><div class="gmail_quote">2015-01-12 10:13 GMT+01:00 Alexander Bokovoy <span dir="ltr"><<a href="mailto:abokovoy@redhat.com" target="_blank">abokovoy@redhat.com</a>></span>:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex"><div class=""><div class="h5">On Mon, 12 Jan 2015, John Obaterspok wrote:<br> <blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex"> 2015-01-11 16:33 GMT+01:00 Jakub Hrozek <<a href="mailto:jhrozek@redhat.com" target="_blank">jhrozek@redhat.com</a>>:<br> <br> <blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex"> On Sun, Jan 11, 2015 at 11:00:16AM +0100, John Obaterspok wrote:<br> > 2015-01-10 13:32 GMT+01:00 Gianluca Cecchi <<a href="mailto:gianluca.cecchi@gmail.com" target="_blank">gianluca.cecchi@gmail.com</a>>:<br> ><br> > > To get the whole root environment you have to run<br> > > su - root<br> > > did you try with it?<br> > ><br> ><br> > ahh... that works fine Gianluca!<br> ><br> > Final question, if I have a file on the share like:<br> > [john@ipaserver mountpoint]$ ll test.txt<br> > -rwxr-----. 1 root admins 12 11 jan 10.42 test.txt<br> ><br> > Should I be able to access it if I aquire an admin ticket? Currently I<br> get<br> > Permission denied<br> ><br> > [john@ipaserver mountpoint]$ id<br> > uid=1434400004(john) gid=1434400004(john) grupper=1434400004(john)<br> > context=unconfined_u:<u></u>unconfined_r:unconfined_t:s0-<u></u>s0:c0.c1023<br> ><br> > [john@ipaserver mountpoint]$ getfacl test.txt<br> > # file: test.txt<br> > # owner: root<br> > # group: admins<br> > user::rwx<br> > group::r--<br> > other::---<br> ><br> > [john@ipaserver mountpoint]$ id admin<br> > uid=1434400000(admin) gid=1434400000(admins) groups=1434400000(admins)<br> ><br> > [john@ipaserver mountpoint]$ klist<br> > Ticket cache: KEYRING:persistent:1434400004:<u></u>krb_ccache_MVjxTqf<br> > Default principal: admin@MY.LAN<br> ><br> > Valid starting Expires Service principal<br> > 2015-01-11 10:43:52 2015-01-12 10:43:50 krbtgt/MY.LAN@MY.LAN<br> ><br> > [john@ipaserver mountpoint]$ cat test.txt<br> > cat: test.txt: Permission denied<br> <br> Looks like your account needs to be in the 'admins' group in order to<br> access the file.<br> <br> Acquiring the admin ticket doesn't switch the user ID nor add you to the<br> group..<br> <br> <br> </blockquote> I thought the krb5 mount option would allow ticked based access to the<br> file.<br> Is the purpose of the krb5 mount option just used during mounting of the<br> share? Otherwise I see no difference compared to not using krb5 mount<br> option!?<br> </blockquote></div></div> Its purpose is authentication. After you have been successfully<br> recognized by the server, both client and server need to map your<br> identity while authorizing your access to actual files.<br> <br> In CIFS there are two types of access control which are applied at the<br> same time:<br> - ACLs per file or directory<br> - POSIX access control based on uid/gid of a process that accesses the<br> file or directory<br> <br> Client-side checks in cifs.ko can be switched off by noperm option. In<br> this case server side will be doing actual access enforcement, using the<br> uid/gid mapped on the server side (based on the Kerberos principal),<br> unless CIFS Unix Extensions were negotiated between cifs.ko and the<br> server. In the latter case client will pass uid/gid of a client to the<br> server and server will do the actual check using them instead of<br> discovering them based on the authentication token.<br> <br> In case where there is a common identity store in use with Kerberos, it<br> is often better to use cifs.ko option multiuser which will imply noperm<br> and server will be doing all the checks.</blockquote><div><br></div><div>Simo also added that "<span style="font-size:13px">You need to pass the 'multiuser' option at mount time for that, the</span></div><span style="font-size:13px">default for cifs.ko is still to just use the mount credentials."</span><br style="font-size:13px"><br style="font-size:13px"><div>Well, I were actually using multiuser in the original test where I got "permission denied" but there is something weird going on.</div><div><br></div><div>mount -t cifs //ipaserver.MY.LAN/Share -o sec=krb5,multiuser mountpoint (I also tried -o sec=krb5,multiuser,cache=none)<br></div><div><br></div><div>Anyway, it works if I do the mount as root and then as user john gets the admin ticket *before* going to the share. Then it doesn't matter if I do kdestroy, I can still access a file that would require admin ticket.</div><div>If I remount the share and go to share as john without admin ticket I can't access a file that would require admin ticket. If I get an admin ticket then I'm still not able to access the file.</div><div><br></div><div><div>[john@ipaserver mountpoint]$ ll test.txt</div><div>-rwxr-----. 1 root admins 12 11 jan 10.42 test.txt</div><div><br></div><div>[john@ipaserver mountpoint]$ cat test.txt</div><div>Hello World</div><div><br></div><div>[john@ipaserver mountpoint]$ id john</div><div>uid=1434400004(john) gid=1434400004(john) groups=1434400004(john),1434400010(mediafiles)</div><div><br></div><div>[john@ipaserver mountpoint]$ klist</div><div>Ticket cache: KEYRING:persistent:1434400004:krb_ccache_Ri45Eiw</div><div>Default principal: admin@MY.LAN</div><div><br></div><div>Valid starting Expires Service principal</div><div>2015-01-14 21:54:24 2015-01-15 21:53:57 cifs/ipaserver.MY.LAN@MY.LAN</div><div>2015-01-14 21:53:59 2015-01-15 21:53:57 krbtgt/MY.LAN@MY.LAN</div><div><br></div><div>[john@ipaserver mountpoint]$ kdestroy</div><div>[john@ipaserver mountpoint]$ klist</div><div>klist: Credentials cache keyring 'persistent:1434400004:krb_ccache_Ri45Eiw' not found</div><div><br></div><div>[john@ipaserver mountpoint]$ cat test.txt</div><div>Hello World</div><div><br></div><div>[john@ipaserver mountpoint]$ klist</div><div>klist: Credentials cache keyring 'persistent:1434400004:krb_ccache_Ri45Eiw' not found</div><div><br></div><div>-------------------------------------------------------------</div><div>---------- then remount share. john has non-admin ticket ----</div><div>-------------------------------------------------------------</div><div><br></div><div>[john@ipaserver mountpoint]$ id</div><div>uid=1434400004(john) gid=1434400004(john) groups=1434400004(john),1434400010(mediafiles) kontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023</div><div>[john@ipaserver mountpoint]$ klist</div><div>Ticket cache: KEYRING:persistent:1434400004:krb_ccache_RiwpwLT</div><div>Default principal: john@MY.LAN</div><div><br></div><div>Valid starting Expires Service principal</div><div>2015-01-14 22:16:00 2015-01-15 22:15:55 cifs/ipaserver.MY.LAN@MY.LAN</div><div>2015-01-14 22:15:58 2015-01-15 22:15:55 krbtgt/MY.LAN@MY.LAN</div><div><br></div><div>[john@ipaserver mountpoint]$ ll test.txt</div><div>-rwxr-----. 1 root admins 12 11 jan 10.42 test.txt</div><div><br></div><div>[john@ipaserver mountpoint]$ cat test.txt</div><div>cat: test.txt: Permission denied</div><div><br></div><div>[john@ipaserver mountpoint]$ kinit admin</div><div>Password for admin@MY.LAN:</div><div><br></div><div>[john@ipaserver mountpoint]$ cat test.txt</div><div>cat: test.txt: Permission denied</div><div><br></div><div>[john@ipaserver mountpoint]$ klist</div><div>Ticket cache: KEYRING:persistent:1434400004:krb_ccache_H7RvRpA</div><div>Default principal: admin@MY.LAN</div><div><br></div><div>Valid starting Expires Service principal</div><div>2015-01-14 22:16:24 2015-01-15 22:16:22 krbtgt/MY.LAN@MY.LAN</div><div><br></div><div><br></div><div><br></div><div><br></div></div><div><br></div><div>Any ideas?</div><div><br></div><div>-- john</div><div><br></div><div><br></div><div><br></div></div></div></div>