[Freeipa-users] Mount cifs share using kerberos

John Obaterspok john.obaterspok at gmail.com
Mon Jan 12 08:46:37 UTC 2015


2015-01-11 16:33 GMT+01:00 Jakub Hrozek <jhrozek at redhat.com>:

> On Sun, Jan 11, 2015 at 11:00:16AM +0100, John Obaterspok wrote:
> > 2015-01-10 13:32 GMT+01:00 Gianluca Cecchi <gianluca.cecchi at gmail.com>:
> >
> > > To get the whole root environment you have to run
> > > su - root
> > > did you try with it?
> > >
> >
> > ahh... that works fine Gianluca!
> >
> > Final question, if I have a file on the share like:
> >      [john at ipaserver mountpoint]$ ll test.txt
> >      -rwxr-----. 1 root admins 12 11 jan 10.42 test.txt
> >
> > Should I be able to access it if I acquire an admin ticket? Currently I get
> > Permission denied
> >
> > [john at ipaserver mountpoint]$ id
> > uid=1434400004(john) gid=1434400004(john) grupper=1434400004(john)
> > context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
> >
> > [john at ipaserver mountpoint]$ getfacl test.txt
> > # file: test.txt
> > # owner: root
> > # group: admins
> > user::rwx
> > group::r--
> > other::---
> >
> > [john at ipaserver mountpoint]$ id admin
> > uid=1434400000(admin) gid=1434400000(admins) groups=1434400000(admins)
> >
> > [john at ipaserver mountpoint]$ klist
> > Ticket cache: KEYRING:persistent:1434400004:krb_ccache_MVjxTqf
> > Default principal: admin at MY.LAN
> >
> > Valid starting       Expires              Service principal
> > 2015-01-11 10:43:52  2015-01-12 10:43:50  krbtgt/MY.LAN at MY.LAN
> >
> > [john at ipaserver mountpoint]$ cat test.txt
> > cat: test.txt: Permission denied
>
> Looks like your account needs to be in the 'admins' group in order to
> access the file.
>
> Acquiring the admin ticket doesn't switch the user ID nor add you to the
> group.
>
>
I thought the krb5 mount option would allow ticket-based access to the
file.
Is the krb5 mount option just used during mounting of the share?
Otherwise I see no difference compared to not using the krb5 mount
option!?

-- john
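
Added illustration, not part of the original thread: a sketch of the owner/group/other check that the quoted reply refers to, run over the `id` and `getfacl` output posted above. It assumes the client enforces the mode bits that `getfacl` shows and matches users and groups by name; the function names are hypothetical.

```python
import re

# Output copied from the thread (the localized `id` label "grupper" included).
ID_JOHN = "uid=1434400004(john) gid=1434400004(john) grupper=1434400004(john)"
ID_ADMIN = "uid=1434400000(admin) gid=1434400000(admins) groups=1434400000(admins)"
GETFACL = """\
# file: test.txt
# owner: root
# group: admins
user::rwx
group::r--
other::---
"""

def parse_id(line):
    """Return (user, groups) from `id` output, whatever the locale's label is."""
    fields = [f.split("=", 1)[1] for f in line.split() if "=" in f]
    names = [re.findall(r"\((.*?)\)", f) for f in fields]
    user = names[0][0]                      # first field is always uid
    groups = set(names[1])                  # second field is the primary gid
    if len(names) > 2:                      # third field: supplementary groups
        groups |= set(names[2])
    return user, groups

def parse_getfacl(text):
    """Return owner, group and the three base entries of a minimal ACL."""
    acl = {"perms": {}}
    for line in text.splitlines():
        if m := re.match(r"# (owner|group): (\S+)", line):
            acl[m.group(1)] = m.group(2)
        elif m := re.match(r"(user|group|other)::([rwx-]{3})$", line):
            acl["perms"][m.group(1)] = m.group(2)
    return acl

def may_access(id_line, acl_text, want="r"):
    """Pick exactly one class (owner, else group, else other) and test it.

    Note what is absent from the inputs: the Kerberos principal in the
    ticket cache. Only the process's user and group list are consulted.
    """
    user, groups = parse_id(id_line)
    acl = parse_getfacl(acl_text)
    if user == acl["owner"]:
        cls = "user"
    elif acl["group"] in groups:
        cls = "group"
    else:
        cls = "other"
    return want in acl["perms"][cls]

if __name__ == "__main__":
    print("john reads test.txt: ", may_access(ID_JOHN, GETFACL))
    print("admin reads test.txt:", may_access(ID_ADMIN, GETFACL))
```
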