[Samba] Using smbclient and mount.cifs with SPN in Keytab
Christian Haase
c.haase at ifu.com
Wed May 10 11:45:53 UTC 2017
Hi,
for a static cifs mount (automount from fstab) I would like to use
kerberos with a SPN. The share is accessed from a http service, so I use
HTTP/www.samdom.example.com with the username
http-www.samdom.example.com. Unfortunately I can not get it to work.
The keytab is generated as described on [1].
# klist -kt /etc/http.keytab
Keytab name: FILE:/etc/http.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   5 04/28/17 10:55:09 HTTP/www.samdom.example.com@SAMDOM.EXAMPLE.COM
   5 04/28/17 10:55:09 HTTP/www.samdom.example.com@SAMDOM.EXAMPLE.COM
   5 04/28/17 10:55:09 HTTP/www.samdom.example.com@SAMDOM.EXAMPLE.COM
I use this keytab with mod_auth_kerb where everything works well.
-%<------
# kinit -kt /etc/http.keytab HTTP/www.samdom.example.com
# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: HTTP/www.samdom.example.com@SAMDOM.EXAMPLE.COM

Valid starting     Expires            Service principal
05/10/17 13:35:59  05/10/17 23:35:59  krbtgt/SAMDOM.EXAMPLE.COM@SAMDOM.EXAMPLE.COM
        renew until 05/11/17 13:35:59
# smbclient -k //ad/netlogon
gss_init_sec_context failed with [ Miscellaneous failure (see text): Client (HTTP/www.samdom.example.com@SAMDOM.EXAMPLE.COM) unknown]
SPNEGO(gse_krb5) creating NEG_TOKEN_INIT failed: NT_STATUS_INTERNAL_ERROR
session setup failed: NT_STATUS_INTERNAL_ERROR
-%<------
When logging in with the username "http-www.samdom.example.com" and the
temporarily assigned user password and with a Keytab including the
principal http-www.samdom.example.com@SAMDOM.EXAMPLE.COM it works.
mount.cifs shows the same behaviour.
Is it not possible to use a SPN in this scenario?
Thanks,
Christian
[1] https://wiki.samba.org/index.php/Generating_Keytabs
--
ifu Hamburg - material flows and software
"We enable sustainable production."
ifu Hamburg GmbH
Max-Brauer-Allee 50 - 22765 Hamburg - Germany
fon: +49 40 480009-0 - fax: +49 40 480009-22 - email: info at ifu.com
Managing Director: Jan Hedemann - Commercial Register: Hamburg, HRB 52629
www.ifu.com - www.umberto.de - www.e-sankey.com