[Samba] Mounting Samba shares with Kerberos
Pluess, Tobias
tpluess at ieee.org
Mon Jan 15 13:33:36 UTC 2024
Good day,
I have installed a couple of Linux machines where I want to mount various
Samba shares.
So far, I (and various other users) do this using a credentials file,
because nobody has ever been able to properly configure everything needed
such that the shares can be mounted using the login credentials.
However, from time to time, I try again to set things up properly. So here
it goes:
people login to the computer using their Active Directory credentials and
PAM. This works perfectly. The server where one can log in is joined to the
Active Directory, and therefore, upon login, Kerberos tickets are created:
$ klist
Ticket cache: FILE:/tmp/krb5cc_5486
Default principal: <MY USERNAME>@<THE DOMAIN>
Valid starting Expires Service principal
01/15/24 13:24:20 01/15/24 23:24:20 krbtgt/<THE DOMAIN>@<THE DOMAIN>
renew until 01/22/24 13:24:20
01/15/24 13:24:20 01/15/24 23:24:20 <HOSTNAME>$@<THE DOMAIN>
renew until 01/22/24 13:24:20
So it appears that 2 Kerberos tickets are generated, which looks good to me.
Now. How shall I proceed when I want to use them for mounting a Samba share?
I try to mount manually:
$ sudo mount -t cifs -o sec=krb5 //<servername>/<sharename>/
mount error(126): Required key not available
Refer to the mount.cifs(8) manual page (e.g. man mount.cifs) and kernel log
messages (dmesg)
This does not work. Even though I have authenticated successfully
(otherwise I could not have logged in....) and there are definitely some
Kerberos tickets around.
I do not understand what is missing, but I find throughout the internet
lots of people having the same problem, but no solution. Is it true that
this is not possible, or should it work?
I would highly prefer to get rid of the credentials files, as it is not
very good to have a cleartext file with a password in it.
Thanks
best
Tobias
More information about the samba
mailing list