[Samba] mount cifs with sec=krb5

Mon Jan 7 16:34:03 UTC 2019

Hi,

I am trying to mount fileserver (samba, 10.20.30.16) shares on a linux 
domain member server, where I logged on via ssh using AD my credentials.

I am unable to get past the "mount error(126): Required key not 
available" error message. I have read and googled a lot, and could use 
some help.

See this:

> domainuser at memberserver-45:~$ sudo tail -f /var/log/debug &
> [1] 2178
> domainuser at memberserver-45:~$ id -u
> 2028
> domainuser at memberserver-45:~$ id -g
> 513
> domainuser at memberserver-45:~$ klist
> Ticket cache: FILE:/tmp/krb5cc_2028
> Default principal: domainuser at SAMBA.COMPANY.COM
> 
> Valid starting       Expires              Service principal
> 01/07/2019 17:01:12  01/08/2019 03:01:12  krbtgt/SAMBA.COMPANY.COM at SAMBA.COMPANY.COM
>         renew until 01/14/2019 17:01:12
> 01/07/2019 17:01:12  01/08/2019 03:01:12  MEMBERSERVER-45$@SAMBA.COMPANY.COM
> domainuser at memberserver-45:~$ sudo mount -t cifs //sambaserver/domainuser /mnt -osec=krb5,cruid=2028,uid=2028,gid=513
> 
> Jan  7 17:11:36 memberserver-45 cifs.upcall: key description: cifs.spnego;0;0;39010000;ver=0x2;host=sambaserver;ip4=10.20.30.16;sec=krb5;uid=0x3f6;creduid=0x3f6;user=root;pid=0x872
> Jan  7 17:11:36 memberserver-45 cifs.upcall: ver=2
> Jan  7 17:11:36 memberserver-45 cifs.upcall: host=sambaserver
> Jan  7 17:11:36 memberserver-45 cifs.upcall: ip=10.20.30.16
> Jan  7 17:11:36 memberserver-45 cifs.upcall: sec=1
> Jan  7 17:11:36 memberserver-45 cifs.upcall: uid=2028
> Jan  7 17:11:36 memberserver-45 cifs.upcall: creduid=2028
> Jan  7 17:11:36 memberserver-45 cifs.upcall: user=root
> Jan  7 17:11:36 memberserver-45 cifs.upcall: pid=2162
> Jan  7 17:11:36 memberserver-45 cifs.upcall: get_cachename_from_process_env: pathname=/proc/2162/environ
> Jan  7 17:11:36 memberserver-45 cifs.upcall: get_cachename_from_process_env: cachename = FILE:/tmp/krb5cc_2028
> Jan  7 17:11:36 memberserver-45 cifs.upcall: get_existing_cc: default ccache is FILE:/tmp/krb5cc_2028
> Jan  7 17:11:36 memberserver-45 cifs.upcall: handle_krb5_mech: getting service ticket for sambaserver
> Jan  7 17:11:36 memberserver-45 cifs.upcall: cifs_krb5_get_req: unable to get credentials for sambaserver
> Jan  7 17:11:36 memberserver-45 cifs.upcall: handle_krb5_mech: failed to obtain service ticket (-1765328377)
> Jan  7 17:11:36 memberserver-45 cifs.upcall: handle_krb5_mech: getting service ticket for sambaserver.company.com
> Jan  7 17:11:36 memberserver-45 cifs.upcall: cifs_krb5_get_req: unable to get credentials for sambaserver.company.com
> mount error(126): Required key not available
> Refer to the mount.cifs(8) manual page (e.g. man mount.cifs)
> Jan  7 17:11:36 memberserver-45 cifs.upcall: handle_krb5_mech: failed to obtain service ticket (-1765328377)
> Jan  7 17:11:36 memberserver-45 cifs.upcall: Unable to obtain service ticket
> Jan  7 17:11:36 memberserver-45 cifs.upcall: Exit status -1765328377
> domainuser at memberserver-45:~$

This is on debian 9.6, and /etc/krb5.conf is as recommended on the samba 
wiki.

Suggestions would be very much appreciated. :-)

Best regards,
MJ