[Samba] Mounting Samba shares with Kerberos

Pluess, Tobias tpluess at ieee.org
Tue Jan 16 07:25:34 UTC 2024


Hi Rowland

wow. I am impressed. It works! Fantastic :-) Why does it work when the
order is reversed, i.e. first the server/share name and then -o sec=krb5?
I tried for years with the options first, i.e. mount -t cifs -o ..... but
it never worked and I eventually gave up. It never occurred to me to try
with the reversed order of arguments.

Bonus question:
can I make this work with SSH as well?
As we now know, Kerberos is configured correctly on my computer, as I can
access Samba shares. Perfect! Now it would be fantastic if the Kerberos
ticket could also be used for SSH authentication. I have tested this, but
also with no success. I tried to debug, but I lack some Kerberos experience,
so I cannot judge; at first sight it seems to work, but in the
end it asks for a password anyway. Possible to fix?


$ KRB5_TRACE=/dev/stdout ssh tp18v123@dozer.mw.iap.unibe.ch
[42930] 1705389625.599429: ccselect module realm chose cache FILE:/tmp/krb5cc_1000 with client principal tp18v123@CAMPUS.UNIBE.CH for server principal host/dozer@CAMPUS.UNIBE.CH
[42930] 1705389625.599430: Getting credentials tp18v123@CAMPUS.UNIBE.CH -> host/dozer@ using ccache FILE:/tmp/krb5cc_1000
[42930] 1705389625.599431: Retrieving tp18v123@CAMPUS.UNIBE.CH -> krb5_ccache_conf_data/start_realm@X-CACHECONF: from FILE:/tmp/krb5cc_1000 with result: -1765328243/Matching credential not found (filename: /tmp/krb5cc_1000)
[42930] 1705389625.599432: Retrieving tp18v123@CAMPUS.UNIBE.CH -> host/dozer@ from FILE:/tmp/krb5cc_1000 with result: 0/Success
[42930] 1705389625.599433: Creating authenticator for tp18v123@CAMPUS.UNIBE.CH -> host/dozer@, seqnum 192744717, subkey aes256-cts/E1AB, session key aes256-cts/01CD
[42930] 1705389625.599435: ccselect module realm chose cache FILE:/tmp/krb5cc_1000 with client principal tp18v123@CAMPUS.UNIBE.CH for server principal host/dozer@CAMPUS.UNIBE.CH
[42930] 1705389625.599436: Getting credentials tp18v123@CAMPUS.UNIBE.CH -> host/dozer@ using ccache FILE:/tmp/krb5cc_1000
[42930] 1705389625.599437: Retrieving tp18v123@CAMPUS.UNIBE.CH -> krb5_ccache_conf_data/start_realm@X-CACHECONF: from FILE:/tmp/krb5cc_1000 with result: -1765328243/Matching credential not found (filename: /tmp/krb5cc_1000)
[42930] 1705389625.599438: Retrieving tp18v123@CAMPUS.UNIBE.CH -> host/dozer@ from FILE:/tmp/krb5cc_1000 with result: 0/Success
[42930] 1705389625.599439: Getting credentials tp18v123@CAMPUS.UNIBE.CH -> host/dozer@ using ccache FILE:/tmp/krb5cc_1000
[42930] 1705389625.599440: Retrieving tp18v123@CAMPUS.UNIBE.CH -> krb5_ccache_conf_data/start_realm@X-CACHECONF: from FILE:/tmp/krb5cc_1000 with result: -1765328243/Matching credential not found (filename: /tmp/krb5cc_1000)
[42930] 1705389625.599441: Retrieving tp18v123@CAMPUS.UNIBE.CH -> host/dozer@ from FILE:/tmp/krb5cc_1000 with result: 0/Success
[42930] 1705389625.599442: Creating authenticator for tp18v123@CAMPUS.UNIBE.CH -> host/dozer@, seqnum 167509320, subkey aes256-cts/A254, session key aes256-cts/01CD
tp18v123@dozer.mw.iap.unibe.ch's password:



On Mon, Jan 15, 2024 at 4:55 PM Rowland Penny via samba <
samba at lists.samba.org> wrote:

> On Mon, 15 Jan 2024 14:33:36 +0100
> "Pluess, Tobias via samba" <samba at lists.samba.org> wrote:
>
> > Good day,
> >
> > I have installed a couple of Linux machines where I want to mount
> > various Samba shares.
> > So far, I (and various other users) do this using a credentials file,
> > because nobody has ever been able to properly configure everything
> > needed such that the shares can be mounted using the login
> > credentials. However, from time to time, I try again to set things up
> > properly. So here it goes:
> >
> > people log in to the computer using their Active Directory credentials
> > and PAM. This works perfectly. The server where one can log in is
> > joined to the Active Directory, and therefore, upon login, Kerberos
> > tickets are created:
> >
> > I try to mount manually:
> >
> > $ sudo mount -t cifs -o sec=krb5 //<servername>/<sharename>/
>
> Try it like this:
>
> sudo mount -t cifs //<servername>/<sharename>/ /mount/point -o
> sec=krb5,cruid=$USER
>
> Rowland
>


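An added diagnostic, not from the thread or from Samba/MIT Kerberos, that reads a KRB5_TRACE log like the one above and reports whether the client side found a service ticket and built an authenticator. The sample trace is constructed after the post's output (principals and ccache path are assumed), and the entries for krb5_ccache_conf_data/* are ccache configuration lookups whose "not found" result is normal noise, not a missing ticket.

```shell
#!/bin/sh
# Added example: summarise a KRB5_TRACE log from an ssh attempt.
# Constructed sample modelled on the thread's trace (assumed principals).
SAMPLE_TRACE='[42930] 1705389625.599430: Getting credentials tp18v123@CAMPUS.UNIBE.CH -> host/dozer@ using ccache FILE:/tmp/krb5cc_1000
[42930] 1705389625.599431: Retrieving tp18v123@CAMPUS.UNIBE.CH -> krb5_ccache_conf_data/start_realm@X-CACHECONF: from FILE:/tmp/krb5cc_1000 with result: -1765328243/Matching credential not found (filename: /tmp/krb5cc_1000)
[42930] 1705389625.599432: Retrieving tp18v123@CAMPUS.UNIBE.CH -> host/dozer@ from FILE:/tmp/krb5cc_1000 with result: 0/Success
[42930] 1705389625.599433: Creating authenticator for tp18v123@CAMPUS.UNIBE.CH -> host/dozer@, seqnum 192744717, subkey aes256-cts/E1AB, session key aes256-cts/01CD'

# One line per service-ticket lookup: OK/FAIL plus the service principal.
# krb5_ccache_conf_data/* entries are ccache config records, not tickets;
# a "Matching credential not found" for them is expected and is skipped.
summarize_krb5_trace() {
    printf '%s\n' "$1" | awk '
        /: Retrieving / && !/krb5_ccache_conf_data/ {
            # the field after "->" is the service principal looked up
            for (i = 1; i <= NF; i++) if ($i == "->") svc = $(i + 1)
            status = ($0 ~ /with result: 0\/Success/) ? "OK" : "FAIL"
            print status, svc
        }
        /: Creating authenticator for / { print "AUTHENTICATOR_SENT" }
    '
}

# Verdict: "client-ok" means every ticket lookup succeeded and an
# authenticator was built, so the client did its part; a password prompt
# after that is worth checking on the server (sshd GSSAPIAuthentication,
# the host keytab, sshd -d output) rather than in the client's ccache.
krb5_trace_verdict() {
    out=$(summarize_krb5_trace "$1")
    case "$out" in
        *FAIL*) echo "client-missing-ticket" ;;
        *AUTHENTICATOR_SENT*) echo "client-ok" ;;
        *) echo "no-gssapi-attempt" ;;
    esac
}

krb5_trace_verdict "$SAMPLE_TRACE"
```

Run it against a real trace with `KRB5_TRACE=/tmp/krb5.log ssh host` and then `krb5_trace_verdict "$(cat /tmp/krb5.log)"`.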