On Wed, 06 Aug 2014 11:45:30 -0400 Craig Huckabee <[email protected]> wrote:
> A little research turned up a suggestion of doing something like this
> in the smb.conf for AFS shares:
>
> ...
> root preexec = /usr/bin/aklog -setpag -cell mycell.mil -keytab
> /usr/afs/etc/rxkad.keytab -principal %u
> ...

I haven't used a setup like this myself, but I can try to offer some more information. Are you getting this specific configuration from somewhere, or adapting some old instructions to newer openafs? I'm just wondering because all of the things I remember talking about this are relatively old (at least older than rxkad.keytab). Things may have changed since then.

I would expect that the most likely reasons this is behaving oddly are either that 'aklog -setpag' is not working, or that the architecture of samba may have changed.

'aklog -setpag' support has been a bit shaky, but it does appear to work on an RHEL6 vm here. It is possible that it can break on different kernel versions, though, or just problems when building your binary. I would first try running 'aklog -setpag' manually to see if it works. Ideally, I would run it from a session without a pag, and then acquire tokens with -setpag, and see if you gain a pag:

    $ keyctl show | grep pag
    $ kinit [...]
    $ aklog -setpag
    $ keyctl show | grep pag
    932129517 ----s--v      0     0   \_ afs_pag: _pag
    $

If that second 'keyctl show' invocation shows an afs_pag entry, you gained a pag and 'aklog -setpag' appears to be working. If that's not working, then we can provide some more information on finding out why.

However, even if that is working, I would think that setup would only work if samba uses separate processes for connections for different users; I don't know if that's true. You could ask samba for more info (or maybe someone on this list knows), but you can also debug it by setting 'root preexec' to some script where you put the output of 'keyctl show', 'tokens', 'aklog -setpag -d [...]', and maybe also a process list in some log file somewhere. That would help give you a better picture of what's happening with the pag and credentials and such when the 'root preexec' is running. (I'd run keyctl/tokens/etc before and after the actual aklog.)

> This almost works but I think I'm running into either PAG issues or
> some other weirdness. Testing the connection it appears that sometimes
> I get tokens, sometimes I don't. Not sure if I need to force the smbd
> into a new PAG on startup.

No, I don't think you should need to have a pag for the parent smbd process itself. The 'parent' pag shouldn't matter, since credentials for users should be contained to just that session/connection.

-- 
Andrew Deason
[email protected]

_______________________________________________
OpenAFS-info mailing list
[email protected]
https://lists.openafs.org/mailman/listinfo/openafs-info
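The logging 'root preexec' script Andrew describes, written out as an added example that is not from this thread or from the OpenAFS or Samba projects. It assumes smb.conf invokes it with %u as its first argument; the cell name, keytab path and log file location are placeholders taken from the quoted configuration.

```shell
#!/bin/sh
# Debugging wrapper for the smb.conf 'root preexec' hook (added example).
# Assumed smb.conf line:  root preexec = /usr/local/sbin/afs-preexec-debug.sh %u
# CELL and KEYTAB are placeholders copied from the quoted config; adjust LOGFILE.
LOGFILE="${AFS_PREEXEC_LOG:-/var/log/samba/afs-preexec.log}"
CELL="mycell.mil"
KEYTAB="/usr/afs/etc/rxkad.keytab"
# Return 0 when 'keyctl show' output (passed as $1) contains an afs_pag key,
# i.e. the calling process is inside a PAG.
has_pag() {
    printf '%s\n' "$1" | grep -q 'afs_pag'
}
# Print the key id of the afs_pag entry (first field of its line), or nothing.
pag_id() {
    printf '%s\n' "$1" | awk '/afs_pag/ { print $1; exit }'
}
# Append one snapshot of the credential state ($1 = label, $2 = user) to the
# log. A missing command is logged rather than aborting, so the share still connects.
snapshot() {
    {
        echo "=== $1 pid=$$ ppid=$PPID uid=$(id -u) user=$2 $(date '+%F %T') ==="
        for cmd in "keyctl show" "tokens" "ps -o pid,ppid,user,comm -p $$,$PPID"; do
            echo "--- $cmd"
            if command -v "${cmd%% *}" >/dev/null 2>&1; then $cmd 2>&1
            else echo "(not found)"; fi
        done
    } >>"$LOGFILE"
}
main() {
    user="$1"
    before="$(keyctl show 2>/dev/null)"
    snapshot before "$user"
    aklog -setpag -d -cell "$CELL" -keytab "$KEYTAB" -principal "$user" >>"$LOGFILE" 2>&1
    echo "--- aklog exit status: $?" >>"$LOGFILE"
    after="$(keyctl show 2>/dev/null)"
    snapshot after "$user"
    # Compare the two keyctl snapshots: did -setpag actually put us in a new PAG?
    if has_pag "$after" && ! has_pag "$before"; then
        echo "--- result: gained PAG $(pag_id "$after")" >>"$LOGFILE"
    else
        echo "--- result: no new PAG after aklog -setpag" >>"$LOGFILE"
    fi
}
# Run only when smbd invokes the hook with a user name; sourcing the file does nothing.
if [ $# -gt 0 ]; then main "$1"; fi
```

Each connection then leaves a before/after pair in the log, so a session with tokens and one without can be compared on pid, uid and PAG id.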
