[Samba] krb ticket for the computer account
Mustafa Kuscu
mustafakuscu at gmail.com
Thu Nov 11 05:18:36 MST 2010
> > How can I obtain a krb5 ticket for the computer account?
> >
>
> Hi Mustafa,
>
> To be able to check out a ticket in that way you need to set
> userPrincipalName on the computer account. I do that when I join with:
>
> # net ads join createupn="host/hostname.domain.tld@DOMAIN.TLD"
>
> I then create a keytab file:
>
> # net ads keytab create
>
>
Andreas, thanks, this helped me get a Kerberos ticket. Specifically, I added

    use kerberos keytab = yes

to /etc/smb.conf and restarted winbind.

However, "mount" is still not aware of the ticket. Here is the output:

[DOMAIN\computercomputer ~]$ sudo kinit -V -5 -k -t /etc/krb5.keytab COMPUTER\$@DOMAIN.COM
Authenticated to Kerberos v5
[DOMAIN\computercomputer ~]$ sudo klist -5
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: COMPUTER\$@DOMAIN.COM

Valid starting     Expires            Service principal
11/11/10 14:10:42  11/12/10 00:08:44  krbtgt/DOMAIN.COM@DOMAIN.COM
        renew until 11/12/10 14:10:42
[DOMAIN\computercomputer ~]$ sudo mount -t cifs -o user=DOMAIN\\COMPUTER\$,sec=krb5 //remotehost/remoteshare /mnt/localmount
mount error(126): Required key not available
Refer to the mount.cifs(8) manual page (e.g. man mount.cifs)
[DOMAIN\computercomputer ~]$ sudo mount -t cifs -o sec=krb5 //remotehost/remoteshare /mnt/localmount
mount error(126): Required key not available
Refer to the mount.cifs(8) manual page (e.g. man mount.cifs)

Any ideas on how to debug this further?
Regards,
Mustafa