[Samba] mount share using kerberos ticket fails

Yvan Masson yvan at masson-informatique.fr
Tue Mar 10 11:38:42 UTC 2020


On 10/03/2020 at 12:22, Rowland penny via samba wrote:
> On 10/03/2020 10:47, Yvan Masson via samba wrote:
>> On 10/03/2020 at 11:21, Rowland penny via samba wrote:
>>> On 10/03/2020 10:10, Yvan Masson via samba wrote:
>>>> On 10/03/2020 at 10:37, Rowland penny via samba wrote:
>>>>> On 10/03/2020 09:18, Yvan Masson via samba wrote:
>>>>>> I think I did not properly explain my setup, sorry for that: 
>>>>>> Samba here is not sharing anything. It is just used for joining a 
>>>>>> Windows domain, so that users can sit on a chair in front of this 
>>>>>> Debian computer, use their domain credentials in LightDM, and then 
>>>>>> access their personal and shared data (that are shared by the 
>>>>>> Windows DC, mounted locally by pam_mount).
>>>>> Yes, telling us that would have helped.
>>>> I used the word "workstation" in my initial post, thinking it was 
>>>> sufficient.
>>>>>>
>>>>>> So, my understanding is that my setup does not require creating an 
>>>>>> UPN and a corresponding keytab to put on this Linux client. I am 
>>>>>> probably not completely wrong as mounting a Windows share on the 
>>>>>> Debian computer using Kerberos now works :-).
>>>>> No, it should work without manually creating any UPN's, SPN's or 
>>>>> keytabs
>>>>>>
>>>>>> I permit myself this question again: in this setup, is it useful 
>>>>>> to have /etc/krb5.keytab or not?
>>>>>
>>>>> No, you do not need the keytab, you just need the correct setup 
>>>>> that uses the user's Kerberos ticket via PAM at login.
>>>>>
>>>>> Rowland
>>>>>
>>>> OK thanks. Any idea why mounting a share worked using one server's 
>>>> hostname and not the other? They both resolve to the same IP.
>>>
>>> Because if you are using pam-mount, you should be using the user's 
>>> Kerberos ticket via PAM at login.
>>
>> That is what I did. But it fails even when mounting manually:
>> 1. Connect on the desktop using domain user "yvan.masson" (either 
>> graphically / TTY / SSH). Kerberos ticket is properly created.
>> 2. Running "sudo mount -t cifs //ad.FOO.BAR.LOCAL/Echange /mnt -o 
>> user=yvan.masson,cruid=yvan.masson,sec=krb5" fails with "Required key 
>> not available".
>> 3. Running "sudo mount -t cifs //foo-ad.FOO.BAR.LOCAL/Echange /mnt -o 
>> user=yvan.masson,cruid=yvan.masson,sec=krb5" works.
>>
>> This seems strange to me since "foo-ad" and "ad" refer to the same IP 
>> address. But, as I said, I found a workaround so this question is not 
>> important…
> 
> Kerberos does not use IP addresses and if you are using a machine's ticket, 
> then the machine must have the relevant SPN. Also, a computer cannot 
> have two hostnames, but it can have a hostname and a CNAME.

You are right, the Windows DC/fileserver doesn't have two hostnames, but 
in DNS two names are pointing to its IP (both are A records, there is no 
CNAME).

> 
> You can mount a share with a user's Kerberos ticket at login via PAM, not 
> sure if you can do this via SSH.

Indeed, I did not test this.
> 
> Rowland
> 
Regards,
Yvan
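The two mount attempts above, one failing with "Required key not available" and one succeeding against the same IP, are what a client sees when the Kerberos service ticket is requested for a name the KDC has no SPN for. With sec=krb5 the kernel calls cifs.upcall, which asks for a ticket for cifs/<host as written in the UNC path>; a CNAME is canonicalised to the real hostname by the Kerberos library, but a second A record for the same address is not, so the KDC is asked for cifs/ad.FOO.BAR.LOCAL, which does not exist on the computer account that only has SPNs for foo-ad. The script below is an added diagnostic, not code from the thread or from Samba: it parses the UNC path, reports whether the host is an A or CNAME record, and asks the KDC directly for the cifs/ SPN the mount would need. It assumes MIT Kerberos client tools (klist, kvno) and dig are installed on the Debian workstation and that the user already holds a TGT.

```shell
#!/bin/sh
# Diagnose why a "mount -t cifs ... -o sec=krb5" fails with ENOKEY
# ("Required key not available") for one hostname but not another.
# Assumptions (not from the thread): MIT krb5 user tools and dig available.

# Host part of a UNC path: //ad.FOO.BAR.LOCAL/Echange -> ad.FOO.BAR.LOCAL
unc_host() {
    h=${1#//}      # drop the leading slashes
    h=${h%%/*}     # drop the share name and anything after it
    printf '%s\n' "$h"
}

# The principal cifs.upcall requests: cifs/<host exactly as typed in the mount>.
# cifs.upcall does not rewrite the name (unless run with --trust-dns), and the
# Kerberos library only canonicalises CNAMEs, never a duplicate A record.
cifs_spn() {
    printf 'cifs/%s\n' "$(unc_host "$1")"
}

# Is the name a CNAME (canonicalised, fine) or a bare A record (not)?
dns_kind() {
    if [ -n "$(dig +short CNAME "$1")" ]; then
        echo CNAME
    else
        echo A
    fi
}

diagnose() {
    unc=$1
    host=$(unc_host "$unc")
    spn=$(cifs_spn "$unc")
    echo "UNC path  : $unc"
    echo "host      : $host ($(dns_kind "$host") record)"
    echo "SPN asked : $spn"
    # kvno asks the KDC for a service ticket with the caller's current TGT,
    # which is exactly what cifs.upcall does on behalf of the cruid user.
    if kvno "$spn" >/dev/null 2>&1; then
        echo "result    : KDC issued a ticket for $spn; sec=krb5 mount should work"
    else
        echo "result    : KDC has no principal $spn; the kernel reports ENOKEY"
        echo "fix       : mount by the server's real hostname, make $host a CNAME,"
        echo "            or add the SPN to the computer account on the DC:"
        echo "            setspn -S $spn <computer-account>"
    fi
}

# Live checks only run when UNC paths are given on the command line.
if [ $# -ge 1 ]; then
    klist -s || { echo "no valid Kerberos ticket; run kinit first" >&2; exit 1; }
    for p in "$@"; do
        diagnose "$p"
        echo
    done
fi
```

Run it as the logged-in domain user, not under sudo, so kvno uses the same credential cache the cruid= option points the mount at: `./cifs-krb5-check.sh //ad.FOO.BAR.LOCAL/Echange //foo-ad.FOO.BAR.LOCAL/Echange`. If kvno succeeds for both names but the mount still fails, the problem is on the mount side (wrong cruid, missing cifs.upcall request-key rule) rather than in DNS or the SPN list.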


