[Samba] mount cifs with sec=krb5

L.P.H. van Belle belle at bazuin.nl
Tue Jan 8 08:27:46 UTC 2019


Hi Mourik-Jan,

Best wishes, eh ;-)

Let's start here.

A and PTR records exist for both servers?
Do CIFS/spn and root/spn exist in the AD?

In krb5.conf, set these:
; not used for nfs4 but cifs might need it. 
; for Windows 2003
;    default_tgs_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
;    default_tkt_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
;    permitted_enctypes = rc4-hmac des-cbc-crc des-cbc-md5

; for Windows 2008 with AES, (cifs and nfs4)
    default_tgs_enctypes = aes128-cts-hmac-sha1-96 aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
    default_tkt_enctypes = aes128-cts-hmac-sha1-96 aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
    permitted_enctypes = aes128-cts-hmac-sha1-96 aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5

This makes sure the correct encryption types are used (needed on server and client).

Need Google search help? My first Google search:
https://www.google.nl/search?ei=J140XNfPF6eQlwTx6bKABg&q=handle_krb5_mech%3A+failed+to+obtain+service+ticket+1765328377&oq=handle_krb5_mech%3A+failed+to+obtain+service+ticket+1765328377&gs_l=psy-ab.3...2999.7364..7693...0.0..0.73.246.4......0....1..gws-wiz.pig_Dh_EF9I 

Check the first 3 result links ;-)


Greetz, 

Louis


> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of lists via samba
> Sent: Monday 7 January 2019 17:34
> To: samba at lists.samba.org
> Subject: [Samba] mount cifs with sec=krb5
> 
> Hi,
> 
> I am trying to mount fileserver (samba, 10.20.30.16) shares on a linux
> domain member server, where I logged on via ssh using my AD credentials.
> 
> I am unable to get past the "mount error(126): Required key not
> available" error message. I have read and googled a lot, and could use
> some help.
> 
> See this:
> 
> > domainuser at memberserver-45:~$ sudo tail -f /var/log/debug &
> > [1] 2178
> > domainuser at memberserver-45:~$ id -u
> > 2028
> > domainuser at memberserver-45:~$ id -g
> > 513
> > domainuser at memberserver-45:~$ klist
> > Ticket cache: FILE:/tmp/krb5cc_2028
> > Default principal: domainuser at SAMBA.COMPANY.COM
> > 
> > Valid starting       Expires              Service principal
> > 01/07/2019 17:01:12  01/08/2019 03:01:12  krbtgt/SAMBA.COMPANY.COM at SAMBA.COMPANY.COM
> >         renew until 01/14/2019 17:01:12
> > 01/07/2019 17:01:12  01/08/2019 03:01:12  MEMBERSERVER-45$@SAMBA.COMPANY.COM
> > domainuser at memberserver-45:~$ sudo mount -t cifs //sambaserver/domainuser /mnt -osec=krb5,cruid=2028,uid=2028,gid=513
> > 
> > Jan  7 17:11:36 memberserver-45 cifs.upcall: key description: cifs.spnego;0;0;39010000;ver=0x2;host=sambaserver;ip4=10.20.30.16;sec=krb5;uid=0x3f6;creduid=0x3f6;user=root;pid=0x872
> > Jan  7 17:11:36 memberserver-45 cifs.upcall: ver=2
> > Jan  7 17:11:36 memberserver-45 cifs.upcall: host=sambaserver
> > Jan  7 17:11:36 memberserver-45 cifs.upcall: ip=10.20.30.16
> > Jan  7 17:11:36 memberserver-45 cifs.upcall: sec=1
> > Jan  7 17:11:36 memberserver-45 cifs.upcall: uid=2028
> > Jan  7 17:11:36 memberserver-45 cifs.upcall: creduid=2028
> > Jan  7 17:11:36 memberserver-45 cifs.upcall: user=root
> > Jan  7 17:11:36 memberserver-45 cifs.upcall: pid=2162
> > Jan  7 17:11:36 memberserver-45 cifs.upcall: get_cachename_from_process_env: pathname=/proc/2162/environ
> > Jan  7 17:11:36 memberserver-45 cifs.upcall: get_cachename_from_process_env: cachename = FILE:/tmp/krb5cc_2028
> > Jan  7 17:11:36 memberserver-45 cifs.upcall: get_existing_cc: default ccache is FILE:/tmp/krb5cc_2028
> > Jan  7 17:11:36 memberserver-45 cifs.upcall: handle_krb5_mech: getting service ticket for sambaserver
> > Jan  7 17:11:36 memberserver-45 cifs.upcall: cifs_krb5_get_req: unable to get credentials for sambaserver
> > Jan  7 17:11:36 memberserver-45 cifs.upcall: handle_krb5_mech: failed to obtain service ticket (-1765328377)
> > Jan  7 17:11:36 memberserver-45 cifs.upcall: handle_krb5_mech: getting service ticket for sambaserver.company.com
> > Jan  7 17:11:36 memberserver-45 cifs.upcall: cifs_krb5_get_req: unable to get credentials for sambaserver.company.com
> > mount error(126): Required key not available
> > Refer to the mount.cifs(8) manual page (e.g. man mount.cifs)
> > Jan  7 17:11:36 memberserver-45 cifs.upcall: handle_krb5_mech: failed to obtain service ticket (-1765328377)
> > Jan  7 17:11:36 memberserver-45 cifs.upcall: Unable to obtain service ticket
> > Jan  7 17:11:36 memberserver-45 cifs.upcall: Exit status -1765328377
> > domainuser at memberserver-45:~$
> 
> This is on debian 9.6, and /etc/krb5.conf is as recommended on the samba
> wiki.
> 
> Suggestions would be very much appreciated. :-)
> 
> Best regards,
> MJ
> 
> 
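Added example, not part of the original mail and not code from Samba or cifs-utils: a small shell filter that decodes the krb5 status cifs.upcall logs (here -1765328377) and lists the hosts it requested a service ticket for, so the DNS, SPN and enctype checks from the reply can be aimed at the right item. The function names are hypothetical, the sample log is constructed from the lines quoted above, and the `cifs/<host>` SPN form is an assumption based on the "CIFS/spn" question in the reply.

```shell
# Added example: decode the krb5 status logged by cifs.upcall and list the
# hosts it requested a service ticket for. Function names are hypothetical.
KRB5_BASE=-1765328384   # first code of the MIT krb5 error table

# Map a raw status such as -1765328377 to its MIT krb5 name and message.
krb5_err_name() {
    case $(( $1 - KRB5_BASE )) in
        6)  echo "KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN (Client not found in Kerberos database)" ;;
        7)  echo "KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN (Server not found in Kerberos database)" ;;
        14) echo "KRB5KDC_ERR_ETYPE_NOSUPP (KDC has no support for encryption type)" ;;
        37) echo "KRB5KRB_AP_ERR_SKEW (Clock skew too great)" ;;
        *)  echo "offset $(( $1 - KRB5_BASE )) (not in this short table)" ;;
    esac
}

# Hosts from "getting service ticket for <host>" lines, in log order.
upcall_hosts() {
    sed -n 's/.*handle_krb5_mech: getting service ticket for \([^ ]*\).*/\1/p'
}

# Distinct status codes from "failed to obtain service ticket (<code>)" lines.
upcall_codes() {
    sed -n 's/.*failed to obtain service ticket (\(-\{0,1\}[0-9][0-9]*\)).*/\1/p' | sort -u
}

# Read a cifs.upcall debug log on stdin and say what to verify.
diagnose() {
    log=$(cat)
    printf '%s\n' "$log" | upcall_codes | while read -r code; do
        echo "status $code = $(krb5_err_name "$code")"
    done
    # Assumption: the SPN is cifs/<host>, as in the reply's "CIFS/spn" question.
    printf '%s\n' "$log" | upcall_hosts | while read -r host; do
        echo "verify SPN cifs/$host and the A/PTR records for $host"
    done
}

# Constructed sample: lines taken from the log quoted in this mail, rejoined.
sample_log() {
    cat <<'EOF'
Jan  7 17:11:36 memberserver-45 cifs.upcall: handle_krb5_mech: getting service ticket for sambaserver
Jan  7 17:11:36 memberserver-45 cifs.upcall: handle_krb5_mech: failed to obtain service ticket (-1765328377)
Jan  7 17:11:36 memberserver-45 cifs.upcall: handle_krb5_mech: getting service ticket for sambaserver.company.com
Jan  7 17:11:36 memberserver-45 cifs.upcall: handle_krb5_mech: failed to obtain service ticket (-1765328377)
EOF
}
sample_log | diagnose
```

On a live system the same filter can be fed from the debug log, for example `grep cifs.upcall /var/log/debug | diagnose`.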



