[Samba] mount share using kerberos ticket fails
yvan at masson-informatique.fr
Tue Mar 10 09:18:11 UTC 2020
On 09/03/2020 at 16:43, Rowland penny via samba wrote:
> On 09/03/2020 15:18, Yvan Masson via samba wrote:
>> Thanks for your help!
>> On 09/03/2020 at 15:39, L.P.H. van Belle via samba wrote:
>>> Did you "deleated the computer object" to allow kerberos services.
>>> And did you add the CIFS/spn to the computer and keytab ?
>> I am sorry, I don't really understand the above: mount requires a
>> keytab AND a user ticket?
> No, what he is saying is that the computer object should have a UPN
> containing cifs/<the computer's FQDN>@<UPPERCASE DOMAIN NAME>
> You also need the keytab
>> I tried your commands but could not get it working (note that I used
>> another AD administrator account, not "Administrator").
> You need to add the UPN on the DC, then export the keytab, then copy it
> to the required machines.
I think I did not properly explain my setup, sorry for that: Samba here
is not sharing anything. It is just used for joining a Windows domain,
so that users can sit on a chair in front of this Debian computer, use
their domain credentials in LightDM, and then access their personal and
shared data (that are shared by the Windows DC, mounted locally by
So, my understanding is that my setup does not require creating a UPN
and a corresponding keytab to put on this Linux client. I am probably
not completely wrong as mounting a Windows share on the Debian computer
using Kerberos now works :-).
I permit myself this question again: in this setup, is it useful to have
/etc/krb5.keytab or not?