[Samba] mount share using kerberos ticket fails

L.P.H. van Belle belle at bazuin.nl
Mon Mar 9 15:47:02 UTC 2020


After re-join 

kinit Administrator
net ads keytab add cifs/$(hostname -f) -k
net ads keytab add_update_ads -k

samba-tool delegation for-any-service COMPUTERNAME$ on

(or use: delegation add-service accountname principal [options])

Reboot

Should work now. ;-) 


Greetz, 

Louis



> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Yvan
> Masson via samba
> Sent: Monday 9 March 2020 16:18
> To: samba at lists.samba.org
> Subject: Re: [Samba] mount share using kerberos ticket fails
> 
> Thanks for your help!
> 
> On 09/03/2020 at 15:39, L.P.H. van Belle via samba wrote:
> > Did you "delegate the computer object" to allow kerberos services?
> > And did you add the CIFS/ SPN to the computer and keytab?
> > 
> I am sorry, I don't really understand the above: mount requires a keytab
> AND a user ticket?
> 
> > https://wiki.samba.org/index.php/Generating_Keytabs
> > 
> > If it's a member, which I assume.
> Yes, the workstation is a domain member.
> 
> > kinit Administrator
> > net ads keytab add cifs/$(hostname -f) -k
> > net ads keytab add_update_ads -k
> > 
> > Add these and it should work.
> > You might need to restart or reboot; sometimes it's needed.
> > Don't know why.
> > 
> > Cifs and NFS (kerberized) work in debian without changing any files
> > if you set it up correctly.
> > All you need is above.
> > If you don't have a "regular" setup, you might need to change/add things in
> > /etc/idmap.conf and /etc/krb5.conf
> I believe I have a regular setup.
I think so too. ;-) 

> 
> I tried your commands but could not get it working (note that I used 
> another AD administrator account, not "Administrator").

For all commands like these, I always use Administrator
(just because it avoids possible bugs).


> 
> I suppose from what you said that my error was to add the computer to 
> the domain without the following lines in smb.conf:
>   dedicated keytab file = /etc/krb5.keytab
>   kerberos method = secrets and keytab
> 
> So I left the domain, added the above lines, and joined again. But it 
> keeps failing?
> 
> > 
> > 
> > Greetz,
> > 
> > Louis
> >   
> > 
> >> -----Original message-----
> >> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Yvan
> >> Masson via samba
> >> Sent: Monday 9 March 2020 15:20
> >> To: samba at lists.samba.org
> >> Subject: [Samba] mount share using kerberos ticket fails
> >>
> >> Hi list,
> >>
> >> I joined a workstation (Debian 10, Samba from distribution) to our AD
> >> domain (Windows 2012 Server). The domain ends in ".local" (yes I know,
> >> not my fault).
> >> However, after a domain user logged in to the machine, I can't mount a
> >> share that exists on the AD server using the user's kerberos ticket: it
> >> fails with error "Required key not available".
> >> Mounting using a password works. The user ticket exists and is valid. A DNS
> >> A record exists, but the AD does not contain a reverse zone (and I can't
> >> create one).
> >>
> >> Here is the daemon.log (sorry for the poor formatting):
> >>
> >> Mar  9 15:06:23 testlinux cifs.upcall: key description:
> >> cifs.spnego;0;0;39010000;ver=0x2;host=ad.FOO.BAR.LOCAL;ip4=10.73.23.27;sec=krb5;uid=0x0;creduid=0x2c0b;user=yvan.masson;pid=0x121c
> >> Mar  9 15:06:23 testlinux cifs.upcall: ver=2
> >> Mar  9 15:06:23 testlinux cifs.upcall: host=ad.FOO.BAR.LOCAL
> >> Mar  9 15:06:23 testlinux cifs.upcall: ip=10.73.23.27
> >> Mar  9 15:06:23 testlinux cifs.upcall: sec=1
> >> Mar  9 15:06:23 testlinux cifs.upcall: uid=0
> >> Mar  9 15:06:23 testlinux cifs.upcall: creduid=11275
> >> Mar  9 15:06:23 testlinux cifs.upcall: user=yvan.masson
> >> Mar  9 15:06:23 testlinux cifs.upcall: pid=4636
> >> Mar  9 15:06:23 testlinux cifs.upcall: get_cachename_from_process_env: pathname=/proc/4636/environ
> >> Mar  9 15:06:23 testlinux cifs.upcall: get_existing_cc: default ccache is FILE:/tmp/krb5cc_11275
> >> Mar  9 15:06:23 testlinux cifs.upcall: handle_krb5_mech: getting service ticket for ad.foo.bar.local
> >> Mar  9 15:06:23 testlinux cifs.upcall: cifs_krb5_get_req: unable to get credentials for ad.foo.bar.local
> >> Mar  9 15:06:23 testlinux cifs.upcall: handle_krb5_mech: failed to obtain service ticket (-1765328377)
> >> Mar  9 15:06:23 testlinux cifs.upcall: Unable to obtain service ticket
> >> Mar  9 15:06:23 testlinux cifs.upcall: Exit status -1765328377
> >>
> >>
> >> My smb.conf:
> >>
> >> [global]
> >>    workgroup = FOO
> >>    security = ADS
> >>    realm = FOO.BAR.LOCAL
> >>    winbind refresh tickets = Yes
> >>    winbind use default domain = yes
> >>    idmap config * : backend = tdb
> >>    idmap config * : range = 3000-7999
> >>    idmap config FOO : backend = rid
> >>    idmap config FOO : range = 10000-19999
> >>    template shell = /bin/bash
> >>
> >> My krb5.conf:
> >>
> >> [libdefaults]
> >> default_realm = FOO.BAR.LOCAL
> >> dns_lookup_realm = false
> >> dns_lookup_kdc = true
> >>
> >>
> >> I already tried some suggestions found on the web and on this list:
> >> - adding the "-t" option to /etc/request-key.d/cifs.spnego.conf and adding
> >>   the AD server to /etc/hosts
> >> - adding the following lines to /etc/krb5.conf:
> >>   default_tgs_enctypes = aes128-cts-hmac-sha1-96 aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
> >>   default_tkt_enctypes = aes128-cts-hmac-sha1-96 aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
> >>   permitted_enctypes = aes128-cts-hmac-sha1-96 aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
> >>
> >> Any suggestion would be very welcome.
> >>
> >> Regards,
> >> Yvan
> >>
> >> -- 
> >> To unsubscribe from this list go to the following URL and read the
> >> instructions:  https://lists.samba.org/mailman/options/samba
> >>
> >>

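As an added example (not from the thread and not Samba project code), a small Python helper that pulls the host, user and credential cache out of cifs.upcall log lines like the ones quoted above and decodes the numeric exit status into its MIT krb5 symbol. The sample log lines are constructed to mirror the daemon.log in the thread, and the remediation hints are my own.

```python
import re

KRB5KDC_ERR_NONE = -1765328384  # MIT krb5 table base; RFC 4120 codes are offsets from it
KRB5_ERRORS = {
    7: ("KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN",
        "KDC has no entry for cifs/<host> (server not found): register the SPN, update keytab"),
    14: ("KRB5KDC_ERR_ETYPE_NOSUPP", "no enctype shared by client, KDC and service"),
    32: ("KRB5KRB_AP_ERR_TKT_EXPIRED", "the user's ticket has expired: kinit again"),
}
KEYDESC_RE = re.compile(r"cifs\.upcall: key description: (\S+)")
CCACHE_RE = re.compile(r"default ccache is (\S+)")
EXIT_RE = re.compile(r"cifs\.upcall: Exit status (-?\d+)")

def parse_key_description(desc):
    """Split a cifs.spnego key description into its key=value fields."""
    return dict(p.split("=", 1) for p in desc.split(";") if "=" in p)

def decode_krb5_error(code):
    """Map a numeric krb5 status to (symbolic name, remediation hint)."""
    unknown = ("UNKNOWN", "not in the local table; consult the krb5 error table")
    return KRB5_ERRORS.get(code - KRB5KDC_ERR_NONE, unknown)

def diagnose(log_lines):
    """Extract host, user, ccache and decoded exit status from cifs.upcall log lines."""
    info = {"host": None, "user": None, "ccache": None, "error": None, "hint": None}
    for line in log_lines:
        if m := KEYDESC_RE.search(line):
            fields = parse_key_description(m.group(1))
            info["host"] = fields.get("host", "").lower() or None  # upcall lowercases it
            info["user"] = fields.get("user")
        elif m := CCACHE_RE.search(line):
            info["ccache"] = m.group(1)
        elif m := EXIT_RE.search(line):
            info["error"], hint = decode_krb5_error(int(m.group(1)))
            info["hint"] = hint.replace("<host>", info["host"] or "<host>")
    return info

# Constructed sample mirroring the thread's daemon.log (not the original lines).
SAMPLE_LOG = [
    "Mar  9 15:06:23 testlinux cifs.upcall: key description: cifs.spnego;0;0;39010000;"
    "ver=0x2;host=ad.FOO.BAR.LOCAL;ip4=10.73.23.27;sec=krb5;uid=0x0;creduid=0x2c0b;"
    "user=yvan.masson;pid=0x121c",
    "Mar  9 15:06:23 testlinux cifs.upcall: get_existing_cc: default ccache is FILE:/tmp/krb5cc_11275",
    "Mar  9 15:06:23 testlinux cifs.upcall: Exit status -1765328377",
]

if __name__ == "__main__":
    for key, value in diagnose(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```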