[Samba] mount share using kerberos ticket fails

Yvan Masson yvan at masson-informatique.fr
Mon Mar 9 14:19:30 UTC 2020


Hi list,

I joined a workstation (Debian 10, Samba from the distribution) to our AD 
domain (Windows 2012 Server). The domain ends with ".local" (yes I know, 
not my fault).
However, after a domain user has logged in to the machine, I can't mount a 
share that exists on the AD server using the user's Kerberos ticket: it 
fails with the error "Required key not available".
Mounting using a password works. The user's ticket exists and is valid. The DNS 
A record exists, but the AD does not contain a reverse zone (and I can't 
create one).

Here is the daemon.log (sorry for the poor formatting):

Mar  9 15:06:23 testlinux cifs.upcall: key description: cifs.spnego;0;0;39010000;ver=0x2;host=ad.FOO.BAR.LOCAL;ip4=10.73.23.27;sec=krb5;uid=0x0;creduid=0x2c0b;user=yvan.masson;pid=0x121c
Mar  9 15:06:23 testlinux cifs.upcall: ver=2
Mar  9 15:06:23 testlinux cifs.upcall: host=ad.FOO.BAR.LOCAL
Mar  9 15:06:23 testlinux cifs.upcall: ip=10.73.23.27
Mar  9 15:06:23 testlinux cifs.upcall: sec=1
Mar  9 15:06:23 testlinux cifs.upcall: uid=0
Mar  9 15:06:23 testlinux cifs.upcall: creduid=11275
Mar  9 15:06:23 testlinux cifs.upcall: user=yvan.masson
Mar  9 15:06:23 testlinux cifs.upcall: pid=4636
Mar  9 15:06:23 testlinux cifs.upcall: get_cachename_from_process_env: pathname=/proc/4636/environ
Mar  9 15:06:23 testlinux cifs.upcall: get_existing_cc: default ccache is FILE:/tmp/krb5cc_11275
Mar  9 15:06:23 testlinux cifs.upcall: handle_krb5_mech: getting service ticket for ad.foo.bar.local
Mar  9 15:06:23 testlinux cifs.upcall: cifs_krb5_get_req: unable to get credentials for ad.foo.bar.local
Mar  9 15:06:23 testlinux cifs.upcall: handle_krb5_mech: failed to obtain service ticket (-1765328377)
Mar  9 15:06:23 testlinux cifs.upcall: Unable to obtain service ticket
Mar  9 15:06:23 testlinux cifs.upcall: Exit status -1765328377


My smb.conf:

[global]
  workgroup = FOO
  security = ADS
  realm = FOO.BAR.LOCAL
  winbind refresh tickets = Yes
  winbind use default domain = yes
  idmap config * : backend = tdb
  idmap config * : range = 3000-7999
  idmap config FOO : backend = rid
  idmap config FOO : range = 10000-19999
  template shell = /bin/bash

My krb5.conf:

[libdefaults]
default_realm = FOO.BAR.LOCAL
dns_lookup_realm = false
dns_lookup_kdc = true


I already tried some suggestions found on the web and on this list:
- adding the "-t" option to /etc/request-key.d/cifs.spnego.conf and adding the AD server to /etc/hosts
- adding the following lines to /etc/krb5.conf:
default_tgs_enctypes = aes128-cts-hmac-sha1-96 aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
default_tkt_enctypes = aes128-cts-hmac-sha1-96 aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
permitted_enctypes = aes128-cts-hmac-sha1-96 aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5

Any suggestion would be very welcome.

Regards,
Yvan
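As an added example that is not part of the post above: a small Python helper that decodes the cifs.upcall daemon.log lines, splitting the cifs.spnego key description into its fields (the hex creduid and pid become the decimal values the later log lines print), deriving the default credential cache and the cifs/<host> service principal the upcall requests, and mapping the libkrb5 exit status to its symbolic name (MIT krb5 places the RFC 4120 KDC/AP error numbers at ERROR_TABLE_BASE_krb5 = -1765328384). The realm comes from the posted smb.conf; that the host part is lowercased in the principal is assumed from the log line "getting service ticket for ad.foo.bar.local".

```python
import re

# MIT libkrb5 numbers its protocol errors as ERROR_TABLE_BASE_krb5 plus the
# RFC 4120 error number, so an upcall exit status maps back to a symbolic name.
KRB5_ERROR_BASE = -1765328384
KRB5_PROTOCOL_ERRORS = {
    6: "KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN",  # client principal not in KDC database
    7: "KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN",  # service principal not in KDC database
    14: "KRB5KDC_ERR_ETYPE_NOSUPP",        # no mutually acceptable encryption type
    37: "KRB5KRB_AP_ERR_SKEW",             # clock skew too great
}

def krb5_error_name(code):
    """Map a libkrb5 error code as logged by cifs.upcall to its symbolic name."""
    offset = code - KRB5_ERROR_BASE
    return KRB5_PROTOCOL_ERRORS.get(offset, "unknown krb5 error (offset %d)" % offset)

def parse_key_description(desc, realm):
    """Split a cifs.spnego key description into the facts cifs.upcall derives from it."""
    kv = dict(f.split("=", 1) for f in desc.split(";") if "=" in f)
    creduid = int(kv["creduid"], 16)  # hex in the key, decimal in the later log lines
    return {
        "host": kv["host"],
        "uid": int(kv["uid"], 16),
        "creduid": creduid,
        "pid": int(kv["pid"], 16),
        # Cache cifs.upcall falls back to when /proc/<pid>/environ has no KRB5CCNAME.
        "ccache": "FILE:/tmp/krb5cc_%d" % creduid,
        # Service principal requested; lowercased host as the log shows (assumed form).
        "service": "cifs/%s@%s" % (kv["host"].lower(), realm),
    }

def decode_upcall_log(lines, realm):
    """Walk daemon.log lines from cifs.upcall, collecting key fields and exit status."""
    result = {}
    for line in lines:
        m = re.search(r"key description: (\S+)", line)
        if m:
            result.update(parse_key_description(m.group(1), realm))
        m = re.search(r"Exit status (-?\d+)", line)
        if m:
            result["exit_status"] = int(m.group(1))
            result["krb5_error"] = krb5_error_name(result["exit_status"])
    return result

# Constructed sample: the two relevant daemon.log lines from the post, unwrapped.
SAMPLE_LOG = [
    "Mar  9 15:06:23 testlinux cifs.upcall: key description: cifs.spnego;0;0;39010000;ver=0x2;"
    "host=ad.FOO.BAR.LOCAL;ip4=10.73.23.27;sec=krb5;uid=0x0;creduid=0x2c0b;user=yvan.masson;pid=0x121c",
    "Mar  9 15:06:23 testlinux cifs.upcall: Exit status -1765328377",
]
```

Running `decode_upcall_log(SAMPLE_LOG, "FOO.BAR.LOCAL")` shows which principal the KDC was asked for and which KDC error it answered with, which is the first thing to compare against the SPNs registered on the server.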
