[Samba] mount cifs with sec=krb5
L.P.H. van Belle
belle at bazuin.nl
Tue Jan 8 08:27:46 UTC 2019
Hi Mourik-Jan,
Best wishes, eh ;-)
Let's start here..
Do A and PTR records exist for both servers?
Do CIFS/spn and root/spn exist in the AD?
In krb5.conf, set these:
; not used for nfs4 but cifs might need it.
; for Windows 2003
; default_tgs_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
; default_tkt_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
; permitted_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
; for Windows 2008 with AES, (cifs and nfs4)
default_tgs_enctypes = aes128-cts-hmac-sha1-96 aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
default_tkt_enctypes = aes128-cts-hmac-sha1-96 aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
permitted_enctypes = aes128-cts-hmac-sha1-96 aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
This makes sure the correct encryption types are used. (Needed on server and client.)
Need Google search help? My first Google search:
https://www.google.nl/search?ei=J140XNfPF6eQlwTx6bKABg&q=handle_krb5_mech%3A+failed+to+obtain+service+ticket+1765328377&oq=handle_krb5_mech%3A+failed+to+obtain+service+ticket+1765328377&gs_l=psy-ab.3...2999.7364..7693...0.0..0.73.246.4......0....1..gws-wiz.pig_Dh_EF9I
Check the first 3 result links ;-)
Greetz,
Louis
> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of lists via samba
> Sent: Monday 7 January 2019 17:34
> To: samba at lists.samba.org
> Subject: [Samba] mount cifs with sec=krb5
>
> Hi,
>
> I am trying to mount fileserver (samba, 10.20.30.16) shares on a linux
> domain member server, where I logged on via ssh using my AD credentials.
>
> I am unable to get past the "mount error(126): Required key not
> available" error message. I have read and googled a lot, and could use
> some help.
>
> See this:
>
> > domainuser at memberserver-45:~$ sudo tail -f /var/log/debug &
> > [1] 2178
> > domainuser at memberserver-45:~$ id -u
> > 2028
> > domainuser at memberserver-45:~$ id -g
> > 513
> > domainuser at memberserver-45:~$ klist
> > Ticket cache: FILE:/tmp/krb5cc_2028
> > Default principal: domainuser at SAMBA.COMPANY.COM
> >
> > Valid starting Expires Service principal
> > 01/07/2019 17:01:12 01/08/2019 03:01:12 krbtgt/SAMBA.COMPANY.COM at SAMBA.COMPANY.COM
> > renew until 01/14/2019 17:01:12
> > 01/07/2019 17:01:12 01/08/2019 03:01:12 MEMBERSERVER-45$@SAMBA.COMPANY.COM
> > domainuser at memberserver-45:~$ sudo mount -t cifs //sambaserver/domainuser /mnt -osec=krb5,cruid=2028,uid=2028,gid=513
> >
> > Jan 7 17:11:36 memberserver-45 cifs.upcall: key description: cifs.spnego;0;0;39010000;ver=0x2;host=sambaserver;ip4=10.20.30.16;sec=krb5;uid=0x3f6;creduid=0x3f6;user=root;pid=0x872
> > Jan 7 17:11:36 memberserver-45 cifs.upcall: ver=2
> > Jan 7 17:11:36 memberserver-45 cifs.upcall: host=sambaserver
> > Jan 7 17:11:36 memberserver-45 cifs.upcall: ip=10.20.30.16
> > Jan 7 17:11:36 memberserver-45 cifs.upcall: sec=1
> > Jan 7 17:11:36 memberserver-45 cifs.upcall: uid=2028
> > Jan 7 17:11:36 memberserver-45 cifs.upcall: creduid=2028
> > Jan 7 17:11:36 memberserver-45 cifs.upcall: user=root
> > Jan 7 17:11:36 memberserver-45 cifs.upcall: pid=2162
> > Jan 7 17:11:36 memberserver-45 cifs.upcall: get_cachename_from_process_env: pathname=/proc/2162/environ
> > Jan 7 17:11:36 memberserver-45 cifs.upcall: get_cachename_from_process_env: cachename = FILE:/tmp/krb5cc_2028
> > Jan 7 17:11:36 memberserver-45 cifs.upcall: get_existing_cc: default ccache is FILE:/tmp/krb5cc_2028
> > Jan 7 17:11:36 memberserver-45 cifs.upcall: handle_krb5_mech: getting service ticket for sambaserver
> > Jan 7 17:11:36 memberserver-45 cifs.upcall: cifs_krb5_get_req: unable to get credentials for sambaserver
> > Jan 7 17:11:36 memberserver-45 cifs.upcall: handle_krb5_mech: failed to obtain service ticket (-1765328377)
> > Jan 7 17:11:36 memberserver-45 cifs.upcall: handle_krb5_mech: getting service ticket for sambaserver.company.com
> > Jan 7 17:11:36 memberserver-45 cifs.upcall: cifs_krb5_get_req: unable to get credentials for sambaserver.company.com
> > mount error(126): Required key not available
> > Refer to the mount.cifs(8) manual page (e.g. man mount.cifs)
> > Jan 7 17:11:36 memberserver-45 cifs.upcall: handle_krb5_mech: failed to obtain service ticket (-1765328377)
> > Jan 7 17:11:36 memberserver-45 cifs.upcall: Unable to obtain service ticket
> > Jan 7 17:11:36 memberserver-45 cifs.upcall: Exit status -1765328377
> > domainuser at memberserver-45:~$
>
> This is on Debian 9.6, and /etc/krb5.conf is as recommended on the
> Samba wiki.
>
> Suggestions would be very much appreciated. :-)
>
> Best regards,
> MJ
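Added example, not part of the original thread: a small parser that pairs each host cifs.upcall tried in the quoted log with the decoded Kerberos error that followed. It assumes MIT krb5's error-table base (-1765328384) and that the requested SPN has the form cifs/<host>; the function names and the error subset are illustrative.

```python
import re

# MIT krb5 reports protocol errors as this table base plus the RFC 4120 number.
KRB5_ERROR_TABLE_BASE = -1765328384

# Subset of RFC 4120 error numbers that commonly break a ticket request.
KDC_ERRORS = {
    7: ("KDC_ERR_S_PRINCIPAL_UNKNOWN", "server not found in Kerberos database"),
    14: ("KDC_ERR_ETYPE_NOSUPP", "KDC has no support for encryption type"),
    37: ("KRB_AP_ERR_SKEW", "clock skew too great"),
}

ATTEMPT = re.compile(r"handle_krb5_mech: getting service ticket for (\S+)")
FAILURE = re.compile(r"handle_krb5_mech: failed to obtain service ticket \((-?\d+)\)")

# Lines from the quoted log above, with the mail client's wrapping undone.
SAMPLE_LOG = """\
Jan 7 17:11:36 memberserver-45 cifs.upcall: handle_krb5_mech: getting service ticket for sambaserver
Jan 7 17:11:36 memberserver-45 cifs.upcall: cifs_krb5_get_req: unable to get credentials for sambaserver
Jan 7 17:11:36 memberserver-45 cifs.upcall: handle_krb5_mech: failed to obtain service ticket (-1765328377)
Jan 7 17:11:36 memberserver-45 cifs.upcall: handle_krb5_mech: getting service ticket for sambaserver.company.com
Jan 7 17:11:36 memberserver-45 cifs.upcall: cifs_krb5_get_req: unable to get credentials for sambaserver.company.com
Jan 7 17:11:36 memberserver-45 cifs.upcall: handle_krb5_mech: failed to obtain service ticket (-1765328377)
"""

def decode(code):
    """Map a negative krb5 library code to (RFC 4120 name, meaning)."""
    number = code - KRB5_ERROR_TABLE_BASE
    return KDC_ERRORS.get(number, (f"UNLISTED_{number}", "not in this subset"))

def diagnose(log_text):
    """Pair every host cifs.upcall tried with the error that followed it."""
    results, host = [], None
    for line in log_text.splitlines():
        attempt = ATTEMPT.search(line)
        if attempt:
            host = attempt.group(1)
            continue
        failure = FAILURE.search(line)
        if failure and host:
            name, meaning = decode(int(failure.group(1)))
            # Assumption: the SPN requested is cifs/<host>, per the reply's check.
            results.append((f"cifs/{host}", name, meaning))
            host = None
    return results

if __name__ == "__main__":
    for spn, name, meaning in diagnose(SAMPLE_LOG):
        print(f"{spn}: {name} ({meaning})")
```

A result of KDC_ERR_S_PRINCIPAL_UNKNOWN means the KDC found no account holding that service principal, which is what the DNS and SPN questions in the reply check.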