[Samba] mount share using kerberos ticket fails
Rowland penny
rpenny at samba.org
Tue Mar 10 11:22:57 UTC 2020
On 10/03/2020 10:47, Yvan Masson via samba wrote:
> On 10/03/2020 11:21, Rowland penny via samba wrote:
>> On 10/03/2020 10:10, Yvan Masson via samba wrote:
>>> On 10/03/2020 10:37, Rowland penny via samba wrote:
>>>> On 10/03/2020 09:18, Yvan Masson via samba wrote:
>>>>> I think I did not properly explain my setup, sorry for that:
>>>>> Samba here is not sharing anything. It is just used for joining a
>>>>> Windows domain, so that users can sit on a chair in front of this
>>>>> Debian computer, use their domain credentials in LightDM, and then
>>>>> access their personal and shared data (which are shared by the
>>>>> Windows DC and mounted locally by pam_mount).
>>>> Yes, telling us that would have helped.
>>> I used the word "workstation" in my initial post, thinking it was
>>> sufficient.
>>>>>
>>>>> So, my understanding is that my setup does not require creating a
>>>>> UPN and a corresponding keytab to put on this Linux client. I am
>>>>> probably not completely wrong as mounting a Windows share on the
>>>>> Debian computer using Kerberos now works :-).
>>>> No, it should work without manually creating any UPNs, SPNs or
>>>> keytabs.
>>>>>
>>>>> I permit myself this question again: in this setup, is it useful
>>>>> to have /etc/krb5.keytab or not?
>>>>
>>>> No, you do not need the keytab, you just need the correct setup
>>>> that uses the user's Kerberos ticket via PAM at login.
>>>>
>>>> Rowland
>>>>
>>> OK, thanks. Any idea why mounting a share worked using one server's
>>> hostname and not the other? They both resolve to the same IP.
>>
>> Because if you are using pam_mount, you should be using the user's
>> Kerberos ticket via PAM at login.
>
> That is what I did. But it fails even when mounting manually:
> 1. Connect on the desktop using domain user "yvan.masson" (either
> graphically / TTY / SSH). Kerberos ticket is properly created.
> 2. Running "sudo mount -t cifs //ad.FOO.BAR.LOCAL/Echange /mnt -o
> user=yvan.masson,cruid=yvan.masson,sec=krb5" fails with "Required key
> not available".
> 3. Running "sudo mount -t cifs //foo-ad.FOO.BAR.LOCAL/Echange /mnt -o
> user=yvan.masson,cruid=yvan.masson,sec=krb5" works.
>
> This seems strange to me since "foo-ad" and "ad" refer to the same IP
> address. But, as I said, I found a workaround so this question is not
> important…
Kerberos does not use IP addresses, and if you are using a machine's ticket,
then the machine must have the relevant SPN. Also, a computer cannot
have two hostnames, but it can have a hostname and a CNAME.
You can mount a share with a user's Kerberos ticket at login via PAM; not
sure if you can do this via SSH.
Rowland
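Added by the editor, not part of the thread or of the Samba project: a small diagnostic that makes the point in Rowland's reply concrete. cifs.upcall asks the KDC for a service ticket named after the host given on the mount command line (cifs/<host>), so an alias that only exists as a DNS CNAME is a different principal from the DC's real hostname, and a ticket request for it can fail even though both names resolve to the same IP. The script resolves the alias to its canonical name, works out which SPN will be requested, and tries to obtain that ticket with kvno before attempting the mount with the logged-in user's credential cache (cruid). It assumes the alias is a DNS CNAME, that dig (bind9-dnsutils) and MIT Kerberos kvno are installed, and that it is run as the domain user who already holds a TGT; the hostnames and the DNS answer it replays offline are constructed from the names in the thread.

```shell
#!/bin/sh
# Check which Kerberos service principal a CIFS mount will request for a
# share host, and whether the KDC will issue a ticket for it, before mounting.
# Assumptions (not from the thread): dig and kvno are available, the alias is
# a DNS CNAME, and the script runs as the logged-in domain user.

# Constructed stand-in for `dig +noall +answer ad.FOO.BAR.LOCAL`: the alias
# is a CNAME to the DC's real hostname, which owns the A record.
sample_answer() {
    printf '%s\n' \
        'ad.FOO.BAR.LOCAL.      3600 IN CNAME foo-ad.FOO.BAR.LOCAL.' \
        'foo-ad.FOO.BAR.LOCAL.  3600 IN A     192.0.2.10'
}

# canonical_name <queried-name>: reads dig answer lines on stdin and prints the
# name that actually owns the address record (last CNAME target), or the
# queried name itself when no CNAME is involved.
canonical_name() {
    awk -v q="$1" '
        $4 == "CNAME" { target = $5 }
        END { print (target == "" ? q : target) }'
}

# expected_spn <host>: the service principal cifs.upcall will ask the KDC for
# when the mount command names <host>; the trailing DNS dot is dropped.
expected_spn() {
    printf 'cifs/%s\n' "${1%.}"
}

# diagnose_share_host <host> <share> [mountpoint]: explain the CNAME situation,
# verify a service ticket can be obtained for the requested SPN, then mount
# using the calling user's credential cache.
diagnose_share_host() {
    host=$1; share=$2; mountpoint=${3:-/mnt}
    canon=$(dig +noall +answer "$host" | canonical_name "$host")
    canon=${canon%.}
    if [ "$canon" != "${host%.}" ]; then
        echo "note: $host is a CNAME for $canon; the KDC will be asked for" \
             "$(expected_spn "$host"), which the DC account may not carry" >&2
    fi
    spn=$(expected_spn "$host")
    if kvno "$spn" >/dev/null 2>&1; then
        echo "service ticket for $spn obtained; mounting with cruid=$(id -u)"
        sudo mount -t cifs "//$host/$share" "$mountpoint" \
            -o "sec=krb5,cruid=$(id -u)"
    else
        echo "no ticket for $spn: mount with //$canon/$share instead," \
             "or have cifs/${host%.} registered as an extra SPN on the DC" >&2
        return 1
    fi
}

# With arguments, run the live check; without, replay the constructed answer.
if [ "$#" -ge 2 ]; then
    diagnose_share_host "$@"
else
    canon=$(sample_answer | canonical_name ad.FOO.BAR.LOCAL)
    echo "ad.FOO.BAR.LOCAL is a CNAME for ${canon%.}:" \
         "expect $(expected_spn ad.FOO.BAR.LOCAL) to fail and" \
         "$(expected_spn "$canon") to succeed"
fi
```

Run it as the logged-in domain user (`sh cifs-spn-check.sh ad.FOO.BAR.LOCAL Echange /mnt`), not under sudo, so that kvno sees that user's ticket cache; only the mount itself is elevated, and cruid tells cifs.upcall which user's cache to use. If kvno fails for the alias but succeeds for the canonical name, the fix is either to mount by the canonical name, as the original poster ended up doing, or for a domain admin to add the alias as an additional SPN on the DC's computer account.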