[Freeipa-users] Mount cifs share using kerberos

Simo Sorce simo at redhat.com
Tue Jan 13 18:15:42 UTC 2015


On Mon, 12 Jan 2015 09:46:37 +0100
John Obaterspok <john.obaterspok at gmail.com> wrote:

> 2015-01-11 16:33 GMT+01:00 Jakub Hrozek <jhrozek at redhat.com>:
> 
> > On Sun, Jan 11, 2015 at 11:00:16AM +0100, John Obaterspok wrote:
> > > 2015-01-10 13:32 GMT+01:00 Gianluca Cecchi
> > > <gianluca.cecchi at gmail.com>:
> > >
> > > > To get the whole root environment you have to run
> > > > su - root
> > > > did you try with it?
> > > >
> > >
> > > ahh... that works fine Gianluca!
> > >
> > > Final question, if I have a file on the share like:
> > >      [john at ipaserver mountpoint]$ ll test.txt
> > >      -rwxr-----. 1 root admins 12 11 jan 10.42 test.txt
> > >
> > > Should I be able to access it if I acquire an admin ticket?
> > > Currently I get
> > > Permission denied
> > >
> > > [john at ipaserver mountpoint]$ id
> > > uid=1434400004(john) gid=1434400004(john) grupper=1434400004(john)
> > > context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
> > >
> > > [john at ipaserver mountpoint]$ getfacl test.txt
> > > # file: test.txt
> > > # owner: root
> > > # group: admins
> > > user::rwx
> > > group::r--
> > > other::---
> > >
> > > [john at ipaserver mountpoint]$ id admin
> > > uid=1434400000(admin) gid=1434400000(admins)
> > > groups=1434400000(admins)
> > >
> > > [john at ipaserver mountpoint]$ klist
> > > Ticket cache: KEYRING:persistent:1434400004:krb_ccache_MVjxTqf
> > > Default principal: admin at MY.LAN
> > >
> > > Valid starting       Expires              Service principal
> > > 2015-01-11 10:43:52  2015-01-12 10:43:50  krbtgt/MY.LAN at MY.LAN
> > >
> > > [john at ipaserver mountpoint]$ cat test.txt
> > > cat: test.txt: Permission denied
> >
> > Looks like your account needs to be in the 'admins' group in order
> > to access the file.
> >
> > Acquiring the admin ticket doesn't switch the user ID nor add you
> > to the group.
> >
> >
> I thought the krb5 mount option would allow ticket-based access to the
> file.
> Is the purpose of the krb5 mount option just used during mounting of
> the share? Otherwise I see no difference compared to not using krb5
> mount option!?

You need to pass the 'multiuser' option at mount time for that, the
default for cifs.ko is still to just use the mount credentials.

See mount.cifs manpage, search for 'multiuser'

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
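The distinction Simo draws above (mount credentials versus per-user Kerberos credentials) is visible in the mount table: a cifs mount made with `-o sec=krb5,multiuser` lists `multiuser` among its options, while one mounted without it does not, and every process then shares the credentials used at mount time. The following is an added example, not code from the thread or from the cifs-utils project; it parses constructed `/proc/mounts`-style lines (the server and mountpoint names are made up) and reports, for a given mountpoint, which mode the mount is in and which `sec=` value it uses, so an administrator can check this without guessing from a "Permission denied".

```shell
#!/bin/sh
# Added example (not from the thread): classify CIFS mounts from /proc/mounts-style
# lines. A mount created with   mount -t cifs //server/share /mnt/share -o sec=krb5,multiuser
# shows 'multiuser' in its option list; without it, cifs.ko uses the mount
# credentials for every user, which is the behaviour observed in the thread.
#
# Constructed sample of /proc/mounts lines (hostnames and paths are made up).
SAMPLE_MOUNTS='//fileserver.example.test/share /mnt/share cifs rw,relatime,vers=3.0,sec=krb5,multiuser,cache=strict 0 0
//fileserver.example.test/other /mnt/other cifs rw,relatime,vers=3.0,sec=krb5,cache=strict 0 0
//fileserver.example.test/legacy /mnt/legacy cifs rw,relatime,vers=3.0,sec=ntlmssp,cache=strict 0 0
/dev/sda1 / ext4 rw,relatime 0 0'

# has_opt OPTIONS NAME : succeed if NAME appears as a whole option (NAME or NAME=value)
has_opt() {
    printf '%s\n' "$1" | tr ',' '\n' | grep -q -E "^$2(=.*)?\$"
}

# cifs_opts MOUNTS MOUNTPOINT : print the option field of the cifs mount at
# MOUNTPOINT, or nothing if that mountpoint is not a cifs mount
cifs_opts() {
    printf '%s\n' "$1" | awk -v mp="$2" '$2 == mp && $3 == "cifs" { print $4; exit }'
}

# cifs_mount_mode MOUNTS MOUNTPOINT : print one of
#   multiuser          - per-user credentials looked up from each caller's ccache
#   mount-credentials  - everyone accesses the share as the mounting identity
#   not-cifs           - mountpoint absent or not a cifs mount
cifs_mount_mode() {
    opts=$(cifs_opts "$1" "$2")
    if [ -z "$opts" ]; then
        echo "not-cifs"
    elif has_opt "$opts" multiuser; then
        echo "multiuser"
    else
        echo "mount-credentials"
    fi
}

# cifs_sec_mode MOUNTS MOUNTPOINT : print the sec= value (e.g. krb5, ntlmssp),
# "default" if no sec= option is present, or "not-cifs"
cifs_sec_mode() {
    opts=$(cifs_opts "$1" "$2")
    if [ -z "$opts" ]; then
        echo "not-cifs"
        return 0
    fi
    sec=$(printf '%s\n' "$opts" | tr ',' '\n' | sed -n 's/^sec=//p' | head -n 1)
    if [ -n "$sec" ]; then
        echo "$sec"
    else
        echo "default"
    fi
}

# Report on every cifs mount in the sample table; on a live system replace
# SAMPLE_MOUNTS with "$(cat /proc/mounts)".
report_cifs_mounts() {
    printf '%s\n' "$1" | awk '$3 == "cifs" { print $2 }' | while read -r mp; do
        printf '%s sec=%s mode=%s\n' "$mp" \
            "$(cifs_sec_mode "$1" "$mp")" "$(cifs_mount_mode "$1" "$mp")"
    done
}

report_cifs_mounts "$SAMPLE_MOUNTS"
```

Run against the real table with `report_cifs_mounts "$(cat /proc/mounts)"`: a share that reports `mode=mount-credentials` is the situation in the thread, where holding an admin ticket changes nothing because the kernel never consults the caller's credential cache.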