Missing domain user tickets with winbind

Shyam Prasad N nspmangalore at gmail.com
Wed Apr 1 11:09:37 UTC 2020


My name is Shyam Prasad. I work at Microsoft in the Azure Files team.
For the past few days, I've been working on getting the Azure Linux VMs to
join the AD domain in Azure, login as domain users, and mount Azure file
shares over SMB3.

Most things work fine. Except that I need perform a few Kerberos related
tasks manually, for the SMB3 mount to work with domain user credentials.
I did some debugging of the issue, and looks like cifs.upcall (the
userspace helper program for cifs.ko) is unable to find the krb5 TGT for
the domain user in the cred-cache. If the cred-cache is missing, it looks
for it in the system krb5.keytab.

Since winbind is configured with kerberos method "secrets and keytab", I
would expect either the secrets.tdb or the krb5.keytab to have an entry for
the domain user lxsmbadmin. Even with the domain user already logged in
through ssh, I'm unable to get those in both those places. cred-cache file
is not created in the first place.

With the domain user already logged in through ssh, I expected that the
kerberos TGT would already have been retrieved and stored locally.
Where does winbind store its Kerberos tickets, so that I can point
cifs.upcall to look there for tickets instead?

The mount only works when I use kinit to populate the cred-cache with the
domain user.

Any help in troubleshooting this issue is appreciated.

Also, I'm interested to know, how can I enable the debug logs in the
libkrb5 shared libraries that are built from the samba source code? I don't
see the debug logs in that code being logged, even if log level is set to
maximum in smb.conf.


Details of my setup:
I'm using an Ubuntu 19.10 server VM.
I'm mounting as the local root user, however, I'm using a domain user
credentials for mounting the using sec=krb5.
Below are my mount options:

The VM is already joined to the AD domain aaddomain.example.com using
This is what my smb.conf looks like for winbind:
localadmin at lxsmb-canvm13:~$ cat /etc/samba/smb.conf
   workgroup = AADDOMAIN
   security = ADS

   winbind refresh tickets = Yes
   vfs objects = acl_xattr
   map acl inherit = Yes
   store dos attributes = Yes

   dedicated keytab file = /etc/krb5.keytab
   kerberos method = secrets and keytab

   winbind use default domain = Yes

   load printers = No
   printing = bsd
   printcap name = /dev/null
   disable spoolss = Yes

   log file = /var/log/samba/log.%m
   log level = 10

   idmap config * : backend = tdb
   idmap config * : range = 3000-7999

   idmap config AADDOMAIN : backend = rid
   idmap config AADDOMAIN : range = 10000-999999

   template shell = /bin/bash
   template homedir = /home/%U

localadmin at lxsmb-canvm13:~$ cat /etc/krb5.conf
        default_realm = AADDOMAIN.EXAMPLE.COM
        dns_lookup_realm = false
        dns_lookup_kdc = true

Initially, I tried to use the ubuntu apt packages to install winbind and
related packages.
After going through a bit of code, I wanted to be able to print the debug
So I decided to install winbind from the latest source:
master branch on git://git.samba.org/samba.git

Here is the configure I used to build it:
./configure --with-systemd --bindir=/usr/bin --sbindir=/usr/sbin
--libdir=/usr/lib/x86_64-linux-gnu/samba --sysconfdir=/etc/samba
--localstatedir=/run/samba --includedir=/usr/include/
--datadir=/usr/share/samba --mandir /usr/share/man --enable-debug
--enable-developer --systemd-install-services
--with-privatedir=/var/lib/samba/private --with-systemd --with-pam

After tweaking a few config files here and there, I've now reached the same
state as when I was running winbind from Ubuntu packages.
I'm now able to ssh/su as the domain user to this system.

However, I do not see the cred-cache populated.
localadmin at lxsmb-canvm13:~/samba$ sudo klist
klist: No ticket file: /tmp/krb5cc_0
localadmin at lxsmb-canvm13:~/samba$ ls /tmp/krb*
ls: cannot access '/tmp/krb*': No such file or directory

After a bit of code reading of cifs.upcall, it looks to me like the
expectation is that cred-cache would be populated for the domain user.
If in case the cred-cache is missing, then it creates a new cred-cache from
the keytab at /etc/krb5.keytab

So clearly, the expectation is that atleast the keytab is already

The kerberos method that I've chosen in smb.conf is "secrets and keytab".
So I expect either the secrets.tdb or the krb5.keytab to have an entry for
the domain user lxsmbadmin.
However, I do not see those entries in either of them:

localadmin at lxsmb-canvm13:~$ sudo tdbdump
/var/lib/samba/private/secrets.tdb|grep -i lxsmbadmin
localadmin at lxsmb-canvm13:~$

localadmin at lxsmb-canvm13:~$ sudo ktutil list|grep -i lxsmbadmin
localadmin at lxsmb-canvm13:~$

With the domain user already logged in through ssh, I expected that the
kerberos TGT would already have been retrieved and stored locally.
Where would I find that?

Do note that if I populate the cred-cache manually with the kinit utility
like so:
localadmin at lxsmb-canvm13:~$ sudo kinit lxsmbadmin at aaddomain.example.com
lxsmbadmin at aaddomain.example.com's Password:
localadmin at lxsmb-canvm13:~$

The cred-cache does get populated and I'm then able to mount the file share

With the log level set to 10 in smb.conf, the logging in /var/log/samba/ is
pretty verbose. I can share those if needed for further debugging.


More information about the samba-technical mailing list