[Samba] mount share using kerberos ticket fails

Yvan Masson yvan at masson-informatique.fr
Mon Mar 9 15:18:03 UTC 2020


Thanks for your help!

Le 09/03/2020 à 15:39, L.P.H. van Belle via samba a écrit :
> Did you "deleated the computer object" to allow Kerberos services?
> And did you add the cifs/ SPN to the computer and keytab?
> 
I am sorry, I don't really understand the above: mount requires a keytab 
AND a user ticket?

> https://wiki.samba.org/index.php/Generating_Keytabs
> 
> If it's a member, which I assume.
Yes, the workstation is a domain member.

> kinit Administrator
> net ads keytab add cifs/$(hostname -f) -k
> net ads keytab add_update_ads -k
> 
> Add these and it should work.
> You might need to restart or reboot; sometimes it's needed.
> Don't know why.
> 
> CIFS and NFS (kerberized) work in Debian without changing any files if you set up correctly.
> All you need is above.
> If you don't have a "regular" setup, you might need to change/add things in
> /etc/idmap.conf and /etc/krb5.conf
I believe I have a regular setup.

I tried your commands but could not get it working (note that I used 
another AD administrator account, not "Administrator").

I suppose from what you said that my error was to add the computer to 
the domain without the following lines in smb.conf:
  dedicated keytab file = /etc/krb5.keytab
  kerberos method = secrets and keytab

So I left the domain, added the above lines, and joined again. But it 
keeps failing…

> 
> 
> Greetz,
> 
> Louis
>   
> 
>> -----Original message-----
>> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Yvan
>> Masson via samba
>> Sent: Monday 9 March 2020 15:20
>> To: samba at lists.samba.org
>> Subject: [Samba] mount share using kerberos ticket fails
>>
>> Hi list,
>>
>> I joined a workstation (Debian 10, Samba from distribution) to our AD
>> domain (Windows 2012 Server). The domain ends in ".local" (yes I know,
>> not my fault).
>> However, after a domain user logged in to the machine, I can't mount a
>> share that exists on the AD server using the user's Kerberos ticket: it
>> fails with the error "Required key not available".
>> Mounting using a password works. The user ticket exists and is valid. A
>> DNS A record exists, but the AD does not contain a reverse zone (and I
>> can't create one).
>>
>> Here is the daemon.log (sorry for the poor formatting):
>>
>> Mar  9 15:06:23 testlinux cifs.upcall: key description: cifs.spnego;0;0;39010000;ver=0x2;host=ad.FOO.BAR.LOCAL;ip4=10.73.23.27;sec=krb5;uid=0x0;creduid=0x2c0b;user=yvan.masson;pid=0x121c
>> Mar  9 15:06:23 testlinux cifs.upcall: ver=2
>> Mar  9 15:06:23 testlinux cifs.upcall: host=ad.FOO.BAR.LOCAL
>> Mar  9 15:06:23 testlinux cifs.upcall: ip=10.73.23.27
>> Mar  9 15:06:23 testlinux cifs.upcall: sec=1
>> Mar  9 15:06:23 testlinux cifs.upcall: uid=0
>> Mar  9 15:06:23 testlinux cifs.upcall: creduid=11275
>> Mar  9 15:06:23 testlinux cifs.upcall: user=yvan.masson
>> Mar  9 15:06:23 testlinux cifs.upcall: pid=4636
>> Mar  9 15:06:23 testlinux cifs.upcall: get_cachename_from_process_env: pathname=/proc/4636/environ
>> Mar  9 15:06:23 testlinux cifs.upcall: get_existing_cc: default ccache is FILE:/tmp/krb5cc_11275
>> Mar  9 15:06:23 testlinux cifs.upcall: handle_krb5_mech: getting service ticket for ad.foo.bar.local
>> Mar  9 15:06:23 testlinux cifs.upcall: cifs_krb5_get_req: unable to get credentials for ad.foo.bar.local
>> Mar  9 15:06:23 testlinux cifs.upcall: handle_krb5_mech: failed to obtain service ticket (-1765328377)
>> Mar  9 15:06:23 testlinux cifs.upcall: Unable to obtain service ticket
>> Mar  9 15:06:23 testlinux cifs.upcall: Exit status -1765328377
>>
>>
>> My smb.conf:
>>
>> [global]
>>    workgroup = FOO
>>    security = ADS
>>    realm = FOO.BAR.LOCAL
>>    winbind refresh tickets = Yes
>>    winbind use default domain = yes
>>    idmap config * : backend = tdb
>>    idmap config * : range = 3000-7999
>>    idmap config FOO : backend = rid
>>    idmap config FOO : range = 10000-19999
>>    template shell = /bin/bash
>>
>> My krb5.conf:
>>
>> [libdefaults]
>> default_realm = FOO.BAR.LOCAL
>> dns_lookup_realm = false
>> dns_lookup_kdc = true
>>
>>
>> I already tried some suggestions found on the web and on this list:
>> - adding the "-t" option to /etc/request-key.d/cifs.spnego.conf and
>> adding the AD server to /etc/hosts
>> - adding the following lines to /etc/krb5.conf:
>> default_tgs_enctypes = aes128-cts-hmac-sha1-96 aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
>> default_tkt_enctypes = aes128-cts-hmac-sha1-96 aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
>> permitted_enctypes = aes128-cts-hmac-sha1-96 aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
>>
>> Any suggestion would be very welcome.
>>
>> Regards,
>> Yvan
>>
>> -- 
>> To unsubscribe from this list go to the following URL and read the
>> instructions:  https://lists.samba.org/mailman/options/samba
>>
>>
> 
> 

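A small POSIX shell helper, added here as an example and not code from the thread, from Samba or from cifs-utils, that decodes the cifs.upcall exit status quoted in the daemon.log above and checks a workstation keytab for the cifs/ SPN that the suggested `net ads keytab add cifs/$(hostname -f) -k` step is meant to create. The exit status -1765328377 is MIT Kerberos's KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN ("Server not found in Kerberos database"): the KDC answered that it does not know the service principal cifs.upcall requested for ad.foo.bar.local. The decoder goes beyond that one code and covers a handful of other KDC errors that turn up in the same log line. The sample log lines and the sample `klist -k` listing are constructed from values on this page; the hostname testlinux.foo.bar.local, the daemon.log and keytab paths in live_check, and the function names are assumptions.

```shell
#!/bin/sh
# Added diagnostic helper for the cifs.upcall failure discussed in the thread.
# Not code from the thread, Samba or cifs-utils; it only parses the kinds of
# output quoted above. Sample data and paths below are constructed/assumed.

# MIT Kerberos numbers KDC errors as KRB5KDC_ERR_NONE (-1765328384) plus the
# RFC 4120 error code, so a cifs.upcall exit status can be decoded by offset.
# krb5_errname STATUS -> prints the MIT error name, or "unknown".
krb5_errname() {
    n=$(( $1 + 1765328384 ))
    case $n in
        6)  echo KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN ;;  # client principal unknown
        7)  echo KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN ;;  # "Server not found in Kerberos database"
        14) echo KRB5KDC_ERR_ETYPE_NOSUPP ;;         # no common encryption type
        23) echo KRB5KDC_ERR_KEY_EXP ;;              # password expired
        24) echo KRB5KDC_ERR_PREAUTH_FAILED ;;       # bad password / pre-auth data
        37) echo KRB5KRB_AP_ERR_SKEW ;;              # clock skew too great
        68) echo KRB5KDC_ERR_WRONG_REALM ;;          # realm mismatch
        *)  echo unknown ;;
    esac
}

# upcall_exit_status < daemon.log -> last "Exit status" value logged by
# cifs.upcall (empty if none).
upcall_exit_status() {
    awk '/cifs.upcall: Exit status/ { code = $NF } END { print code }'
}

# upcall_service_principal < daemon.log -> the cifs/ SPN cifs.upcall asked the
# KDC for, derived from its "getting service ticket for <host>" line.
upcall_service_principal() {
    awk '/handle_krb5_mech: getting service ticket for/ { host = $NF }
         END { if (host != "") print "cifs/" host }'
}

# keytab_has_spn FQDN REALM < klist-k-output -> succeeds if the listing holds
# an entry cifs/FQDN@REALM (compared case-insensitively).
keytab_has_spn() {
    want=$(printf 'cifs/%s@%s' "$1" "$2" | tr 'A-Z' 'a-z')
    awk -v want="$want" '
        $1 ~ /^[0-9]+$/ && tolower($2) == want { found = 1 }
        END { exit (found ? 0 : 1) }'
}

# Constructed sample: the failing daemon.log lines from the thread.
SAMPLE_LOG='Mar  9 15:06:23 testlinux cifs.upcall: handle_krb5_mech: getting service ticket for ad.foo.bar.local
Mar  9 15:06:23 testlinux cifs.upcall: cifs_krb5_get_req: unable to get credentials for ad.foo.bar.local
Mar  9 15:06:23 testlinux cifs.upcall: handle_krb5_mech: failed to obtain service ticket (-1765328377)
Mar  9 15:06:23 testlinux cifs.upcall: Exit status -1765328377'

# Constructed sample: `klist -k /etc/krb5.keytab` on the workstation after the
# `net ads keytab add cifs/...` step (hostname testlinux.foo.bar.local assumed).
SAMPLE_KEYTAB='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/testlinux.foo.bar.local@FOO.BAR.LOCAL
   2 TESTLINUX$@FOO.BAR.LOCAL
   2 cifs/testlinux.foo.bar.local@FOO.BAR.LOCAL'

# diagnose_sample -> "<error name> <requested SPN>" for the sample log.
diagnose_sample() {
    status=$(printf '%s\n' "$SAMPLE_LOG" | upcall_exit_status)
    spn=$(printf '%s\n' "$SAMPLE_LOG" | upcall_service_principal)
    printf '%s %s\n' "$(krb5_errname "$status")" "$spn"
}

# live_check FQDN REALM -> on a real Debian host (paths assumed), decodes the
# last cifs.upcall exit status and checks the keytab for cifs/FQDN@REALM.
live_check() {
    if [ -r /var/log/daemon.log ]; then
        code=$(upcall_exit_status < /var/log/daemon.log)
        [ -n "$code" ] && echo "last cifs.upcall exit status: $code ($(krb5_errname "$code"))"
    fi
    if command -v klist >/dev/null 2>&1; then
        if klist -k /etc/krb5.keytab | keytab_has_spn "$1" "$2"; then
            echo "keytab has cifs/$1@$2"
        else
            echo "keytab lacks cifs/$1@$2"
        fi
    fi
}

# Usage: sh cifs_krb5_check.sh testlinux.foo.bar.local FOO.BAR.LOCAL
if [ "$#" -eq 2 ]; then live_check "$1" "$2"; fi
```

Run with no arguments it defines the functions only; `diagnose_sample` reproduces the thread's case as `KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN cifs/ad.foo.bar.local`, which tells a reader that the KDC, not the local ccache, rejected the request, so the next thing to compare is the SPN the server actually holds against the name the mount used.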