[Samba] mount share using kerberos ticket fails

Yvan Masson yvan at masson-informatique.fr
Tue Mar 10 09:18:11 UTC 2020



On 09/03/2020 at 16:43, Rowland penny via samba wrote:
> On 09/03/2020 15:18, Yvan Masson via samba wrote:
>> Thanks for your help!
>>
>> On 09/03/2020 at 15:39, L.P.H. van Belle via samba wrote:
>>> Did you "deleated the computer object" to allow kerberos services.
>>> And did you add the CIFS/spn to the computer and keytab ?
>>>
>> I am sorry, I don't really understand the above: mount requires a 
>> keytab AND a user ticket?
> 
> No, what he is saying is that the computer object should have a UPN 
> containing cifs/<the computer's FQDN>@<UPPERCASE DOMAIN NAME>
> 
> You also need the keytab
>>
>> I tried your commands but could not get it working (note that I used 
>> another AD administrator account, not "Administrator").
> You need to add the UPN on the DC, then export the keytab, then copy it 
> to the required machines.
> 
> Rowland


I think I did not properly explain my setup, sorry for that: Samba here 
is not sharing anything. It is just used for joining a Windows domain, 
so that users can sit on a chair in front of this Debian computer, use 
their domain credentials in LightDM, and then access their personal and 
shared data (that are shared by the Windows DC, mounted locally by 
pam_mount).

So, my understanding is that my setup does not require creating a UPN 
and a corresponding keytab to put on this Linux client. I am probably 
not completely wrong as mounting a Windows share on the Debian computer 
using Kerberos now works :-).

I permit myself this question again: in this setup, is it useful to have 
/etc/krb5.keytab or not?

Yvan