[Samba] Using smbclient and mount.cifs with SPN in Keytab
L.P.H. van Belle
belle at bazuin.nl
Wed May 10 12:12:35 UTC 2017
Does it work if you test like this?
kinit testuser@EXAMPLE.COM
mount -t cifs -o sec=krb5 //server.example.com/export /mnt/cifs
Have a look here:
https://runops.wordpress.com/2015/03/05/setup-linux-cifs-autofs-automount-using-kerberos-authentication/
I can't tell much about automount, I use it but through systemd for my nfsv4 mounts.
Greetz,
Louis
> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
> Christian Haase via samba
> Sent: Wednesday 10 May 2017 13:46
> To: samba at lists.samba.org
> Subject: [Samba] Using smbclient and mount.cifs with SPN in Keytab
>
> Hi,
>
> for a static cifs mount (automount from fstab) I would like
> to use kerberos with a SPN. The share is accessed from a http
> service, so I use HTTP/www.samdom.example.com with the
> username http-www.samdom.example.com. Unfortunately I can not
> get it to work.
>
> The keytab is generated as described on [1].
>
> # klist -kt /etc/http.keytab
> Keytab name: FILE:/etc/http.keytab
> KVNO Timestamp         Principal
> ---- ----------------- --------------------------------------------------------
>    5 04/28/17 10:55:09 HTTP/www.samdom.example.com@SAMDOM.EXAMPLE.COM
>    5 04/28/17 10:55:09 HTTP/www.samdom.example.com@SAMDOM.EXAMPLE.COM
>    5 04/28/17 10:55:09 HTTP/www.samdom.example.com@SAMDOM.EXAMPLE.COM
>
> I use this keytab with mod_auth_kerb where everything works well.
>
> -%<------
> # kinit -kt /etc/http.keytab HTTP/www.samdom.example.com
> # klist
> Ticket cache: FILE:/tmp/krb5cc_0
> Default principal: HTTP/www.samdom.example.com@SAMDOM.EXAMPLE.COM
>
> Valid starting     Expires            Service principal
> 05/10/17 13:35:59  05/10/17 23:35:59  krbtgt/SAMDOM.EXAMPLE.COM@SAMDOM.EXAMPLE.COM
>         renew until 05/11/17 13:35:59
>
> # smbclient -k //ad/netlogon
> gss_init_sec_context failed with [ Miscellaneous failure (see text): Client (HTTP/www.samdom.example.com@SAMDOM.EXAMPLE.COM) unknown]
> SPNEGO(gse_krb5) creating NEG_TOKEN_INIT failed: NT_STATUS_INTERNAL_ERROR
> session setup failed: NT_STATUS_INTERNAL_ERROR
> -%<------
>
> When logging in with the username
> "http-www.samdom.example.com" and the temporarily assigned
> user password and with a Keytab including the principal
> http-www.samdom.example.com@SAMDOM.EXAMPLE.COM it works.
> mount.cifs shows the same behaviour.
>
> Is it not possible to use a SPN in this scenario?
>
> Thanks,
> Christian
>
> [1] https://wiki.samba.org/index.php/Generating_Keytabs
>
> --
> ifu Hamburg - material flows and software "We enable
> sustainable production."
>
> ifu Hamburg GmbH
> Max-Brauer-Allee 50 - 22765 Hamburg - Germany
> fon: +49 40 480009-0 - fax: +49 40 480009-22 - email: info at ifu.com
>
> Managing Director: Jan Hedemann - Commercial Register:
> Hamburg, HRB 52629 www.ifu.com - www.umberto.de - www.e-sankey.com
>