[Samba] mount share using kerberos ticket fails

L.P.H. van Belle belle at bazuin.nl
Tue Mar 10 10:16:23 UTC 2020


Because your base setup is just not correct.

Who is allowed to mount in the name of the user?

That's your question.
Add the UPN in the computer object in the AD (of that server).
And you're done.

Use cifs/hostname.fqdn or root/hostname.fqdn


I'll see if I can find some time to write out how I do this with NFS,
because for CIFS the setup is 90% the same.

Greetz, 

Louis


> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Yvan Masson via samba
> Sent: Tuesday 10 March 2020 11:10
> To: samba at lists.samba.org
> Subject: Re: [Samba] mount share using kerberos ticket fails
> 
> On 10/03/2020 at 10:37, Rowland penny via samba wrote:
> > On 10/03/2020 09:18, Yvan Masson via samba wrote:
> >> I think I did not properly explain my setup, sorry for that: Samba
> >> here is not sharing anything. It is just used for joining a Windows
> >> domain, so that users can sit on a chair in front of this Debian
> >> computer, use their domain credentials in LightDM, and then access
> >> their personal and shared data (that are shared by the Windows DC,
> >> mounted locally by pam_mount).
> > Yes, telling us that would have helped.
> I used the word "workstation" in my initial post, thinking it was
> sufficient.
> >>
> >> So, my understanding is that my setup does not require creating a UPN
> >> and a corresponding keytab to put on this Linux client. I am probably
> >> not completely wrong as mounting a Windows share on the Debian
> >> computer using Kerberos now works :-).
> > No, it should work without manually creating any UPNs, SPNs or keytabs
> >>
> >> I permit myself this question again: in this setup, is it useful to
> >> have /etc/krb5.keytab or not?
> >
> > No, you do not need the keytab, you just need the correct setup that
> > uses the user's Kerberos ticket via PAM at login.
> >
> > Rowland
> >
> OK thanks. Any idea why mounting a share worked using one server's
> hostname and not the other? They both resolve to the same IP.
> 
> Yvan
> 