[Samba] mount share using kerberos ticket fails

L.P.H. van Belle belle at bazuin.nl
Mon Mar 9 14:39:31 UTC 2020


Did you "delegate the computer object" to allow kerberos services?
And did you add the CIFS/spn to the computer and keytab?

https://wiki.samba.org/index.php/Generating_Keytabs

If it's a member, which I assume.
kinit Administrator
net ads keytab add cifs/$(hostname -f) -k 
net ads keytab add_update_ads -k

Add these and it should work.
You might need to restart or reboot; sometimes it's needed.
Don't know why.

CIFS and NFS (kerberized) work in Debian without changing any files if you set up correctly.
All you need is above.
If you're not having a "regular" setup, you might need to change/add things in
/etc/idmap.conf and /etc/krb5.conf


Greetz, 

Louis
 

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Yvan
> Masson via samba
> Sent: Monday 9 March 2020 15:20
> To: samba at lists.samba.org
> Subject: [Samba] mount share using kerberos ticket fails
> 
> Hi list,
> 
> I joined a workstation (Debian 10, Samba from distribution) to our AD
> domain (Windows 2012 Server). The domain ends with ".local" (yes I know,
> not my fault).
> However, after a domain user logged in to the machine, I can't mount a
> share that exists on the AD server using the user's kerberos ticket: it
> fails with error "Required key not available".
> Mounting using password works. The user ticket exists and is valid. DNS
> A record exists, but the AD does not contain a reverse zone (and I can't
> create one).
> 
> Here is the daemon.log (sorry for the poor formatting):
> 
> Mar  9 15:06:23 testlinux cifs.upcall: key description:
> cifs.spnego;0;0;39010000;ver=0x2;host=ad.FOO.BAR.LOCAL;ip4=10.73.23.27;sec=krb5;uid=0x0;creduid=0x2c0b;user=yvan.masson;pid=0x121c
> Mar  9 15:06:23 testlinux cifs.upcall: ver=2
> Mar  9 15:06:23 testlinux cifs.upcall: host=ad.FOO.BAR.LOCAL
> Mar  9 15:06:23 testlinux cifs.upcall: ip=10.73.23.27
> Mar  9 15:06:23 testlinux cifs.upcall: sec=1
> Mar  9 15:06:23 testlinux cifs.upcall: uid=0
> Mar  9 15:06:23 testlinux cifs.upcall: creduid=11275
> Mar  9 15:06:23 testlinux cifs.upcall: user=yvan.masson
> Mar  9 15:06:23 testlinux cifs.upcall: pid=4636
> Mar  9 15:06:23 testlinux cifs.upcall: get_cachename_from_process_env: pathname=/proc/4636/environ
> Mar  9 15:06:23 testlinux cifs.upcall: get_existing_cc: default ccache is FILE:/tmp/krb5cc_11275
> Mar  9 15:06:23 testlinux cifs.upcall: handle_krb5_mech: getting service ticket for ad.foo.bar.local
> Mar  9 15:06:23 testlinux cifs.upcall: cifs_krb5_get_req: unable to get credentials for ad.foo.bar.local
> Mar  9 15:06:23 testlinux cifs.upcall: handle_krb5_mech: failed to 
> obtain service ticket (-1765328377)
> Mar  9 15:06:23 testlinux cifs.upcall: Unable to obtain service ticket
> Mar  9 15:06:23 testlinux cifs.upcall: Exit status -1765328377
> 
> 
> My smb.conf:
> 
> [global]
>   workgroup = FOO
>   security = ADS
>   realm = FOO.BAR.LOCAL
>   winbind refresh tickets = Yes
>   winbind use default domain = yes
>   idmap config * : backend = tdb
>   idmap config * : range = 3000-7999
>   idmap config FOO : backend = rid
>   idmap config FOO : range = 10000-19999
>   template shell = /bin/bash
> 
> My krb5.conf:
> 
> [libdefaults]
> default_realm = FOO.BAR.LOCAL
> dns_lookup_realm = false
> dns_lookup_kdc = true
> 
> 
> I already tried some suggestions found on the web and on this list:
> - adding the "-t" option to /etc/request-key.d/cifs.spnego.conf and adding
> the AD server to /etc/hosts
> - adding the following lines to /etc/krb5.conf:
> default_tgs_enctypes = aes128-cts-hmac-sha1-96 aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
> default_tkt_enctypes = aes128-cts-hmac-sha1-96 aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
> permitted_enctypes = aes128-cts-hmac-sha1-96 aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
> 
> Any suggestion would be very welcome.
> 
> Regards,
> Yvan
> 
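
A small diagnostic parser, added here as an example and not code from either message, that turns the cifs.upcall key description logged above into the service principal cifs.upcall asks the KDC for and the credential cache it reads, and decodes the logged exit status into its krb5 error name. The realm constant is assumed from the quoted krb5.conf, and the error numbering follows the MIT krb5 error table.

```python
from dataclasses import dataclass

# Constructed from the key description in the quoted daemon.log; the realm is
# taken from the poster's krb5.conf.  Added example, not code from the thread.
KEY_DESC = ("cifs.spnego;0;0;39010000;ver=0x2;host=ad.FOO.BAR.LOCAL;ip4=10.73.23.27;"
            "sec=krb5;uid=0x0;creduid=0x2c0b;user=yvan.masson;pid=0x121c")
REALM = "FOO.BAR.LOCAL"
# MIT krb5 reports Kerberos protocol error N as KRB5_ERROR_BASE + N.
KRB5_ERROR_BASE = -1765328384
KRB5_ERRORS = {
    6: "KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN (client principal not in KDC database)",
    7: "KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN (service principal/SPN not in KDC database)",
    14: "KRB5KDC_ERR_ETYPE_NOSUPP (no encryption type in common)",
    37: "KRB5KRB_AP_ERR_SKEW (clock skew too great)",
}

@dataclass
class UpcallRequest:
    host: str      # host= field: the server name the kernel asked for
    uid: int       # uid= field (hex in the description)
    creduid: int   # creduid= field: owner of the credential cache to use
    pid: int       # pid= field: mounting process, used to read its environ

    @property
    def service_principal(self) -> str:
        # The log shows cifs.upcall asking for the ticket with the lower-cased host.
        return f"cifs/{self.host.lower()}@{REALM}"

    @property
    def ccache(self) -> str:
        # Per-user default cache that cifs.upcall fell back to in the log.
        return f"FILE:/tmp/krb5cc_{self.creduid}"

def parse_key_description(desc: str) -> UpcallRequest:
    """Split the keyring description into its ';'-separated key=value fields."""
    fields = desc.split(";")
    if fields[0] != "cifs.spnego":
        raise ValueError(f"not a cifs.spnego key: {fields[0]!r}")
    kv = dict(f.split("=", 1) for f in fields[1:] if "=" in f)
    return UpcallRequest(host=kv["host"], uid=int(kv["uid"], 16),
                         creduid=int(kv["creduid"], 16), pid=int(kv["pid"], 16))

def explain_exit_status(status: int) -> str:
    """Map a cifs.upcall 'Exit status' value back to its krb5 error name."""
    code = status - KRB5_ERROR_BASE
    return KRB5_ERRORS.get(code, f"krb5 error {code} (not in table)")

if __name__ == "__main__":
    req = parse_key_description(KEY_DESC)
    print(f"keytab/AD needs {req.service_principal}; ccache {req.ccache}")
    print(explain_exit_status(-1765328377))
```

For the logged request this yields cifs/ad.foo.bar.local@FOO.BAR.LOCAL and FILE:/tmp/krb5cc_11275, and the exit status decodes to KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN, which is what the missing cifs/ SPN in the keytab and AD object produces.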



