Operating System - HP-UX

Re: Configuring kerberos for CIFS

 
eric roseme
Respected Contributor


Hi Oscar,

The CIFS Client can only mount the mountpoint that is exported by the CIFS/SMB server (Windows or Samba). So if /home/oscar is exported, then the client can mount it. If /home/oscar/data is exported, then the client can mount it. If /home/oscar is exported and you want to mount /home/oscar/data, the CIFS client does not know that it exists because it is not exported, so you have to mount the share and cd to /data.

Eric

Oscar Garcia
Regular Advisor


Yes Eric, that seems to be the case.
Anyway, now that I have mounted the shares, I want to be able to use the same user names and passwords as a Win server (my KDC). Is that possible with PAM? I've been reading about it, but it is just adding more confusion.
Basically I want to eliminate the manual cifslogin for the users or make it through the login or something like that. Can you recommend me something?

eric roseme
Respected Contributor


Yes - it is possible. But it will take some work.

First, you need to set up your local HP-UX logins to authenticate using krb5 to your Windows KDC. For the CIFS Client, the KDC needs to be W2003R2 or earlier. To find out how to set up that environment, it's in the whitepaper at:

http://docs.hp.com/en/16322/CIFSUnifiedLoginV2.pdf

Second, your CIFS Client has to be configured to use krb5 for logins. That's in the CIFS Client Admin Guide:

http://docs.hp.com/en/B8724-90079/B8724-90079.pdf

Third, you need to follow the guidelines in the CIFS Client Release Notes on page 11:

http://docs.hp.com/en/B8724-90105/B8724-90105.pdf

To test this without doing the script, log in to HP-UX as a normal user (buffy) and make sure that you have a krb5 ticket (klist). Your CIFS Client mountpoint should already be mounted by Administrator or someone. Now go to /tmp and look for the krb5 temp credentials file for buffy - it will be named krb5cc_###_####. Copy that file to krb5_buffy's_UID (do an "id buffy"). Then chown and chgrp the file to buffy. Now on the buffy HP-UX local user logon try to cd to the CIFS Client mountpoint. Remember that the W2003R2 (or whatever) share that the CIFS Client is mounting must have access set up for buffy. You can check that out in the whitepaper listed above.

Once you know that you can access the share by kludging the krb5 credentials file, you can implement the script that is shown in the release notes.

Eric
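
The manual credentials-file test described in the post above, sketched as a shell function. This is an added example, not code from the thread or from HP's release notes; `stage_ccache` is a hypothetical name, and it assumes the CIFS Client reads the cache from `/tmp/krb5cc_<UID>` (the post gives the target only as "krb5_buffy's_UID").

```shell
#!/bin/sh
# Added example, not from the thread or the HP release notes.
# Assumption: the CIFS Client looks for the cache at <dir>/krb5cc_<UID>
# (the post writes the target only as "krb5_buffy's_UID").

# stage_ccache USER [DIR]: copy USER's krb5cc_###_#### file in DIR (default
# /tmp) to DIR/krb5cc_<UID>, owned by USER, mode 600. Prints the new path.
stage_ccache() {
    user=$1
    dir=${2:-/tmp}
    uid=$(id -u "$user") || return 1
    gid=$(id -g "$user") || return 1
    src=
    for f in "$dir"/krb5cc_*_*; do
        # /tmp is world-writable: skip symlinks and anything not a plain file.
        [ -h "$f" ] && continue
        [ -f "$f" ] || continue
        # Accept only caches owned by the user (field 3 of ls -ln is the UID).
        owner=$(ls -ldn "$f" | awk '{print $3}')
        [ "$owner" = "$uid" ] || continue
        # Keep the most recently written candidate.
        if [ -z "$src" ] || [ "$f" -nt "$src" ]; then src=$f; fi
    done
    if [ -z "$src" ]; then
        echo "no ticket cache owned by $user in $dir (run klist)" >&2
        return 1
    fi
    dest=$dir/krb5cc_$uid
    tmp=$dest.$$
    # noclobber makes the shell create $tmp exclusively, so a pre-planted
    # file or symlink at that name aborts the copy; umask keeps it private.
    ( umask 077; set -C; cat "$src" > "$tmp" ) || return 1
    chown "$uid" "$tmp" && chgrp "$gid" "$tmp" && chmod 600 "$tmp" || {
        rm -f "$tmp"; return 1; }
    # rename() replaces the destination name itself, even if it is a symlink.
    mv -f "$tmp" "$dest" || { rm -f "$tmp"; return 1; }
    echo "$dest"
}
```

Run it as root (or as the user) after `klist` shows a ticket, for example `stage_ccache buffy`, then try to cd to the CIFS Client mountpoint as that user.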