[Samba] krb ticket for the computer account

Mustafa Kuscu mustafakuscu at gmail.com
Thu Nov 11 05:18:36 MST 2010


> > How can I obtain a krb5 ticket for the computer account?
> >
>
> Hi Mustafa,
>
> To be able to check out a ticket in that way you need to set
> userPrincipalName on the computer account. I do that when I join with:
>
> # net ads join createupn="host/hostname.domain.tld@DOMAIN.TLD"
>
> I then create a keytab file:
>
> # net ads keytab create
>
>
Andreas, thanks, this helped me get a Kerberos ticket. Specifically, I added
   use kerberos keytab = yes
into /etc/smb.conf and restarted winbind.

However, "mount" is still not aware of the ticket. Here is the output:

[DOMAIN\computercomputer ~]$ sudo kinit -V -5  -k -t /etc/krb5.keytab COMPUTER\$@DOMAIN.COM
Authenticated to Kerberos v5

[DOMAIN\computercomputer ~]$ sudo klist -5
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: COMPUTER\$@DOMAIN.COM

Valid starting     Expires            Service principal
11/11/10 14:10:42  11/12/10 00:08:44  krbtgt/DOMAIN.COM@DOMAIN.COM
        renew until 11/12/10 14:10:42

[DOMAIN\computercomputer ~]$ sudo mount -t cifs -o user=DOMAIN\\COMPUTER\$,sec=krb5  //remotehost/remoteshare /mnt/localmount
mount error(126): Required key not available
Refer to the mount.cifs(8) manual page (e.g. man mount.cifs)

[DOMAIN\computercomputer ~]$ sudo mount -t cifs -o sec=krb5 //remotehost/remoteshare /mnt/localmount
mount error(126): Required key not available
Refer to the mount.cifs(8) manual page (e.g. man mount.cifs)

Any ideas on how to debug this further?

Regards,
Mustafa

