[Samba] mount share using kerberos ticket fails

Yvan Masson yvan at masson-informatique.fr
Mon Mar 9 16:51:35 UTC 2020


I will need to take time to understand both of your answers, because it 
is still not very clear (not because of your explanations but because 
Kerberos/AD internals are still complicated for me).

But it works now: I found that the server name "ad" was not the only A 
record for this file server (which is also a DC): I tried the other 
record (shown in the AD MMC with something like "equal to parent 
folder") and I can now mount.

Thanks for your help, you deserve a beer/chocolates/hugs :-)
Yvan

On 09/03/2020 at 16:47, L.P.H. van Belle via samba wrote:
> 
> After re-join
> 
> kinit Administrator
> net ads keytab add cifs/$(hostname -f) -k
> net ads keytab add_update_ads -k
> 
> samba-tool delegation for-any-service COMPUTERNAME$ on
> 
> ( or use : delegation add-service accountname principal [options] )
> 
> Reboot
> 
> Should work now. ;-)
> 
> 
> Greetz,
> 
> Louis
> 
> 
> 
>> -----Original Message-----
>> From: samba [mailto:samba-bounces at lists.samba.org] On Behalf Of Yvan
>> Masson via samba
>> Sent: Monday 9 March 2020 16:18
>> To: samba at lists.samba.org
>> Subject: Re: [Samba] mount share using kerberos ticket fails
>>
>> Thanks for your help!
>>
>> On 09/03/2020 at 15:39, L.P.H. van Belle via samba wrote:
>>> Did you "delegate the computer object" to allow Kerberos services?
>>> And did you add the CIFS/spn to the computer and keytab?
>>>
>> I am sorry, I don't really understand the above: mount requires a keytab
>> AND a user ticket?
>>
>>> https://wiki.samba.org/index.php/Generating_Keytabs
>>>
>>> If it's a member, which I assume.
>> Yes, the workstation is a domain member.
>>
>>> kinit Administrator
>>> net ads keytab add cifs/$(hostname -f) -k
>>> net ads keytab add_update_ads -k
>>>
>>> Add these and it should work.
>>> You might need to restart or reboot, sometimes it's needed.
>>> Don't know why.
>>>
>>> Cifs and NFS (kerberized) work in Debian without changing any files
>>> if you set up correctly.
>>> All you need is above.
>>> If you're not having a "regular" setup, you might need to change/add
>>> things in
>>> /etc/idmap.conf and /etc/krb5.conf
>> I believe I have a regular setup.
> I think also. ;-)
> 
>>
>> I tried your commands but could not get it working (note that I used
>> another AD administrator account, not "Administrator").
> 
> All commands like these, I always use Administrator
> (Just because it avoids possible bugs.)
> 
> 
>>
>> I suppose from what you said that my error was to add the computer to
>> the domain without the following lines in smb.conf:
>>    dedicated keytab file = /etc/krb5.keytab
>>    kerberos method = secrets and keytab
>>
>> So I left the domain, added the above lines, and joined again. But it
>> keeps failing?
>>
>>>
>>>
>>> Greetz,
>>>
>>> Louis
>>>    
>>>
>>>> -----Original Message-----
>>>> From: samba [mailto:samba-bounces at lists.samba.org] On Behalf Of Yvan
>>>> Masson via samba
>>>> Sent: Monday 9 March 2020 15:20
>>>> To: samba at lists.samba.org
>>>> Subject: [Samba] mount share using kerberos ticket fails
>>>>
>>>> Hi list,
>>>>
>>>> I joined a workstation (Debian 10, Samba from distribution) to our AD
>>>> domain (Windows 2012 Server). The domain ends in ".local" (yes I know,
>>>> not my fault).
>>>> However, after a domain user has logged in to the machine, I can't mount a
>>>> share that exists on the AD server using the user's kerberos ticket: it
>>>> fails with error "Required key not available".
>>>> Mounting using password works. The user ticket exists and is valid. DNS
>>>> A record exists, but the AD does not contain a reverse zone (and I can't
>>>> create one).
>>>>
>>>> Here is the daemon.log (sorry for the poor formatting):
>>>>
>>>> Mar  9 15:06:23 testlinux cifs.upcall: key description: cifs.spnego;0;0;39010000;ver=0x2;host=ad.FOO.BAR.LOCAL;ip4=10.73.23.27;sec=krb5;uid=0x0;creduid=0x2c0b;user=yvan.masson;pid=0x121c
>>>> Mar  9 15:06:23 testlinux cifs.upcall: ver=2
>>>> Mar  9 15:06:23 testlinux cifs.upcall: host=ad.FOO.BAR.LOCAL
>>>> Mar  9 15:06:23 testlinux cifs.upcall: ip=10.73.23.27
>>>> Mar  9 15:06:23 testlinux cifs.upcall: sec=1
>>>> Mar  9 15:06:23 testlinux cifs.upcall: uid=0
>>>> Mar  9 15:06:23 testlinux cifs.upcall: creduid=11275
>>>> Mar  9 15:06:23 testlinux cifs.upcall: user=yvan.masson
>>>> Mar  9 15:06:23 testlinux cifs.upcall: pid=4636
>>>> Mar  9 15:06:23 testlinux cifs.upcall: get_cachename_from_process_env: pathname=/proc/4636/environ
>>>> Mar  9 15:06:23 testlinux cifs.upcall: get_existing_cc: default ccache is FILE:/tmp/krb5cc_11275
>>>> Mar  9 15:06:23 testlinux cifs.upcall: handle_krb5_mech: getting service ticket for ad.foo.bar.local
>>>> Mar  9 15:06:23 testlinux cifs.upcall: cifs_krb5_get_req: unable to get credentials for ad.foo.bar.local
>>>> Mar  9 15:06:23 testlinux cifs.upcall: handle_krb5_mech: failed to obtain service ticket (-1765328377)
>>>> Mar  9 15:06:23 testlinux cifs.upcall: Unable to obtain service ticket
>>>> Mar  9 15:06:23 testlinux cifs.upcall: Exit status -1765328377
>>>>
>>>>
>>>> My smb.conf:
>>>>
>>>> [global]
>>>>     workgroup = FOO
>>>>     security = ADS
>>>>     realm = FOO.BAR.LOCAL
>>>>     winbind refresh tickets = Yes
>>>>     winbind use default domain = yes
>>>>     idmap config * : backend = tdb
>>>>     idmap config * : range = 3000-7999
>>>>     idmap config FOO : backend = rid
>>>>     idmap config FOO : range = 10000-19999
>>>>     template shell = /bin/bash
>>>>
>>>> My krb5.conf:
>>>>
>>>> [libdefaults]
>>>> default_realm = FOO.BAR.LOCAL
>>>> dns_lookup_realm = false
>>>> dns_lookup_kdc = true
>>>>
>>>>
>>>> I already tried some suggestions found on the web and on this list:
>>>> - adding the "-t" option to /etc/request-key.d/cifs.spnego.conf and adding
>>>> the AD server to /etc/hosts
>>>> - adding the following lines to /etc/krb5.conf:
>>>> default_tgs_enctypes = aes128-cts-hmac-sha1-96 aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
>>>> default_tkt_enctypes = aes128-cts-hmac-sha1-96 aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
>>>> permitted_enctypes = aes128-cts-hmac-sha1-96 aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
>>>>
>>>> Any suggestion would be very welcome.
>>>>
>>>> Regards,
>>>> Yvan
>>>>
>>>> -- 
>>>> To unsubscribe from this list go to the following URL and read the
>>>> instructions:  https://lists.samba.org/mailman/options/samba
>>>>
>>>>
>>>
>>>
>>
>>
>>
> 
> 
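The thread's daemon.log excerpt ends with cifs.upcall exit status -1765328377, which is libkrb5's KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN ("Server not found in Kerberos database"): the KDC has no cifs/ principal for the host name the mount used, which is exactly what the "other A record" fixed. The following is an added example, not code from the thread, from Samba or from cifs-utils: it parses upcall log lines (a constructed sample modelled on the quoted excerpt), decodes the error number, and prints the checks an admin would make next. The function names, the small error table and the sample lines are all assumptions of this example.

```python
"""Decode a cifs.upcall failure from daemon.log lines.

Added example, not code from the thread or from Samba/cifs-utils. The
sample log below is constructed after the lines quoted in the thread.
"""
import re

# libkrb5 numbers its protocol errors downwards from this base
# (KRB5KDC_ERR_NONE); the RFC 4120 error number is the offset from it.
KRB5KDC_ERR_NONE = -1765328384

# A handful of KDC error numbers, by RFC 4120 offset.
KDC_ERROR_NAMES = {
    6: "KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN (client not found in Kerberos database)",
    7: "KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN (server not found in Kerberos database)",
    14: "KRB5KDC_ERR_ETYPE_NOSUPP (KDC has no support for encryption type)",
    24: "KRB5KDC_ERR_PREAUTH_FAILED (pre-authentication failed)",
    37: "KRB5KRB_AP_ERR_SKEW (clock skew too great)",
    68: "KRB5KDC_ERR_WRONG_REALM (wrong realm)",
}

# Constructed sample, modelled on the thread's daemon.log excerpt.
SAMPLE_LOG = """\
Mar  9 15:06:23 testlinux cifs.upcall: key description: cifs.spnego;0;0;39010000;ver=0x2;host=ad.FOO.BAR.LOCAL;ip4=10.73.23.27;sec=krb5;uid=0x0;creduid=0x2c0b;user=yvan.masson;pid=0x121c
Mar  9 15:06:23 testlinux cifs.upcall: ver=2
Mar  9 15:06:23 testlinux cifs.upcall: host=ad.FOO.BAR.LOCAL
Mar  9 15:06:23 testlinux cifs.upcall: ip=10.73.23.27
Mar  9 15:06:23 testlinux cifs.upcall: sec=1
Mar  9 15:06:23 testlinux cifs.upcall: uid=0
Mar  9 15:06:23 testlinux cifs.upcall: creduid=11275
Mar  9 15:06:23 testlinux cifs.upcall: user=yvan.masson
Mar  9 15:06:23 testlinux cifs.upcall: pid=4636
Mar  9 15:06:23 testlinux cifs.upcall: get_existing_cc: default ccache is FILE:/tmp/krb5cc_11275
Mar  9 15:06:23 testlinux cifs.upcall: handle_krb5_mech: getting service ticket for ad.foo.bar.local
Mar  9 15:06:23 testlinux cifs.upcall: cifs_krb5_get_req: unable to get credentials for ad.foo.bar.local
Mar  9 15:06:23 testlinux cifs.upcall: handle_krb5_mech: failed to obtain service ticket (-1765328377)
Mar  9 15:06:23 testlinux cifs.upcall: Unable to obtain service ticket
Mar  9 15:06:23 testlinux cifs.upcall: Exit status -1765328377
""".splitlines()

UPCALL_RE = re.compile(r"cifs\.upcall: (?P<msg>.*)$")


def krb5_error_name(code):
    """Map a libkrb5 error number to its symbolic name, or say it is unknown."""
    offset = code - KRB5KDC_ERR_NONE
    return KDC_ERROR_NAMES.get(offset, f"unrecognised krb5 error {code}")


def parse_upcall(lines):
    """Pull the fields that matter for a mount.cifs/krb5 diagnosis out of upcall log lines."""
    info = {}
    for line in lines:
        m = UPCALL_RE.search(line)
        if not m:
            continue
        msg = m.group("msg").strip()
        if msg.startswith("key description: "):
            # The request-key description is a ';'-separated list of k=v fields.
            for field in msg[len("key description: "):].split(";"):
                if "=" in field:
                    k, v = field.split("=", 1)
                    info.setdefault("keydesc", {})[k] = v
        elif msg.startswith("host="):
            info["host"] = msg[len("host="):]
        elif msg.startswith("user="):
            info["user"] = msg[len("user="):]
        elif "default ccache is " in msg:
            info["ccache"] = msg.split("default ccache is ", 1)[1]
        elif "getting service ticket for " in msg:
            info["target"] = msg.split("getting service ticket for ", 1)[1]
        elif msg.startswith("Exit status "):
            info["exit_status"] = int(msg[len("Exit status "):])
    return info


def diagnose(info):
    """Turn the parsed fields into plain-language hints for the admin."""
    hints = []
    status = info.get("exit_status")
    if status is None:
        hints.append("no 'Exit status' line found; the upcall may not have run at all")
        return hints
    if status == 0:
        return hints
    hints.append(f"cifs.upcall exited with {status} = {krb5_error_name(status)}; "
                 "mount.cifs reports this to the caller as 'Required key not available'")
    target = info.get("target", "<unknown>")
    if status - KRB5KDC_ERR_NONE == 7:
        # The KDC has no principal cifs/<target>: the name used in the mount
        # must carry a servicePrincipalName on the server's account.
        hints.append(f"the KDC knows no principal cifs/{target}; mount with a host "
                     "name that has that SPN, or add the SPN to the server's account")
    if "ccache" in info:
        hints.append(f"ticket cache consulted: {info['ccache']} "
                     "(run klist on it as the mounting user to confirm a valid TGT)")
    return hints


if __name__ == "__main__":
    for hint in diagnose(parse_upcall(SAMPLE_LOG)):
        print(hint)
```

Run it as `python3 upcall_diag.py` (file name assumed), or feed it real lines with `grep cifs.upcall /var/log/daemon.log`; the diagnosis only uses what the upcall itself logged, so it is safe to run on a production workstation.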
