[Samba] mount share using kerberos ticket fails

Yvan Masson yvan at masson-informatique.fr
Tue Mar 10 10:47:13 UTC 2020

On 10/03/2020 at 11:21, Rowland penny via samba wrote:
> On 10/03/2020 10:10, Yvan Masson via samba wrote:
>> On 10/03/2020 at 10:37, Rowland penny via samba wrote:
>>> On 10/03/2020 09:18, Yvan Masson via samba wrote:
>>>> I think I did not properly explain my setup, sorry for that: Samba 
>>>> here is not sharing anything. It is just used for joining a Windows 
>>>> domain, so that users can sit on a chair in front of this Debian 
>>>> computer, use their domain credentials in LightDM, and then access 
>>>> their personal and shared data (which are shared by the Windows DC and 
>>>> mounted locally by pam_mount).
>>> Yes, telling us that would have helped.
>> I used the word "workstation" in my initial post, thinking it was 
>> sufficient.
>>>> So, my understanding is that my setup does not require creating a 
>>>> UPN and a corresponding keytab to put on this Linux client. I am 
>>>> probably not completely wrong as mounting a Windows share on the 
>>>> Debian computer using Kerberos now works :-).
>>> No, it should work without manually creating any UPNs, SPNs or keytabs.
>>>> I permit myself this question again: in this setup, is it useful to 
>>>> have /etc/krb5.keytab or not?
>>> No, you do not need the keytab, you just need the correct setup that 
>>> uses the user's Kerberos ticket via PAM at login.
>>> Rowland
>> OK, thanks. Any idea why mounting a share worked using one server's 
>> hostname and not the other? They both resolve to the same IP.
> Because if you are using pam-mount, you should be using the user's 
> Kerberos ticket via PAM at login.

That is what I did. But it fails even when mounting manually:
1. Log in on the desktop as domain user "yvan.masson" (either 
graphically, on a TTY or via SSH). The Kerberos ticket is properly created.
2. Running "sudo mount -t cifs //ad.FOO.BAR.LOCAL/Echange /mnt -o 
user=yvan.masson,cruid=yvan.masson,sec=krb5" fails with "Required key 
not available".
3. Running "sudo mount -t cifs //foo-ad.FOO.BAR.LOCAL/Echange /mnt -o 
user=yvan.masson,cruid=yvan.masson,sec=krb5" works.

This seems strange to me since "foo-ad" and "ad" refer to the same IP 
address. But, as I said, I found a workaround so this question is not 
> Rowland
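An added diagnostic for the two mounts described in the message above (example code written for this page, not from the thread, Samba or cifs-utils). It assumes MIT Kerberos client tools (klist, kvno) on the Debian workstation, the names from the post (realm FOO.BAR.LOCAL, hosts ad.FOO.BAR.LOCAL and foo-ad.FOO.BAR.LOCAL, share Echange) and a constructed klist listing that models the situation after the two mount attempts. The text-only helpers derive the service principal that cifs.upcall requests for a UNC path (cifs/<host>, with the host taken as typed on the mount command line, so two names for one IP address are two different principals to the KDC) and check a credential cache listing for it; the live part, run with UNC paths as arguments and as the logged-in domain user, requests that service ticket directly with kvno, which succeeds or fails for the same reason the sec=krb5 mount does and shows the KDC's error text instead of the kernel's "Required key not available".

```shell
#!/bin/sh
# Added diagnostic for a sec=krb5 CIFS mount that fails with "Required key not available".
# Example code written for this page, not from the thread, Samba or cifs-utils.
# Assumptions: MIT Kerberos client tools (klist, kvno) on the Debian workstation and the
# names from the post (realm FOO.BAR.LOCAL, hosts ad.FOO.BAR.LOCAL / foo-ad.FOO.BAR.LOCAL).

# Service principal the cifs.upcall helper asks the KDC for when the kernel mounts
# //host/share with sec=krb5: cifs/<host>, with <host> taken from the UNC path as typed
# (by default no reverse DNS lookup is done). Two names that resolve to one IP are
# therefore two different principals as far as the KDC is concerned.
spn_for_unc() {
    host=$(printf '%s' "$1" | tr '\\' '/' | sed -e 's#^//##' -e 's#/.*$##')
    printf 'cifs/%s\n' "$host"
}

# Report whether a credential cache listing (klist output) already holds a service
# ticket for the given principal. $1 = principal without realm, $2 = klist text.
ticket_state() {
    if printf '%s\n' "$2" | grep -qF -- " $1@"; then
        echo cached
    else
        echo not-cached
    fi
}

# Constructed klist output modelling the situation in the post after the two mount
# attempts: a ticket for cifs/foo-ad.FOO.BAR.LOCAL was issued, none for cifs/ad.FOO.BAR.LOCAL.
SAMPLE_KLIST='Ticket cache: FILE:/tmp/krb5cc_10000
Default principal: yvan.masson@FOO.BAR.LOCAL

Valid starting       Expires              Service principal
03/10/2020 09:18:02  03/10/2020 19:18:02  krbtgt/FOO.BAR.LOCAL@FOO.BAR.LOCAL
03/10/2020 09:20:11  03/10/2020 19:18:02  cifs/foo-ad.FOO.BAR.LOCAL@FOO.BAR.LOCAL'

# Offline walk-through on the constructed cache listing.
for unc in //ad.FOO.BAR.LOCAL/Echange //foo-ad.FOO.BAR.LOCAL/Echange; do
    spn=$(spn_for_unc "$unc")
    echo "$unc -> $spn: $(ticket_state "$spn" "$SAMPLE_KLIST")"
done

# Live check, only when UNC paths are given on the command line. Run it as the
# logged-in domain user (not via sudo) so the same credential cache that cruid=
# points the mount at is consulted. A refusal here reproduces the mount failure
# without touching the mount, and the KDC's error text says why (for example a
# DNS alias that has no matching SPN on the server's computer account, which
# "setspn -L <server>" on the DC would show).
if [ "$#" -ge 1 ] && command -v kvno >/dev/null 2>&1; then
    for unc in "$@"; do
        spn=$(spn_for_unc "$unc")
        if out=$(kvno "$spn" 2>&1); then
            echo "$unc: KDC issued $spn; a sec=krb5 mount of this name should work"
        else
            echo "$unc: KDC refused $spn: $out"
        fi
    done
    klist
fi
```

Usage: save as cifs-krb5-check.sh and, as the domain user who already has a ticket, run "sh cifs-krb5-check.sh //ad.FOO.BAR.LOCAL/Echange //foo-ad.FOO.BAR.LOCAL/Echange". Without arguments it only prints the walk-through on the constructed listing.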