[Samba] Mounting Samba shares with Kerberos

Stefan Kania stefan at kania-online.de
Tue Jan 16 12:51:43 UTC 2024


If you want to get the shares mounted during login, try libpam-mount.

On 15.01.24 at 14:33, Pluess, Tobias via samba wrote:
> Good day,
> 
> I have installed a couple of Linux machines where I want to mount various
> Samba shares.
> So far, I (and various other users) do this using a credentials file,
> because nobody has ever been able to properly configure everything needed
> such that the shares can be mounted using the login credentials.
> However, from time to time, I try again to set things up properly. So here
> it goes:
> 
> People log in to the computer using their Active Directory credentials and
> PAM. This works perfectly. The server where one can log in is joined to the
> Active Directory, and therefore, upon login, Kerberos tickets are created:
> 
> $ klist
> Ticket cache: FILE:/tmp/krb5cc_5486
> Default principal: <MY USERNAME>@<THE DOMAIN>
> 
> Valid starting     Expires            Service principal
> 01/15/24 13:24:20  01/15/24 23:24:20  krbtgt/<THE DOMAIN>@<THE DOMAIN>
> renew until 01/22/24 13:24:20
> 01/15/24 13:24:20  01/15/24 23:24:20  <HOSTNAME>$@<THE DOMAIN>
> renew until 01/22/24 13:24:20
> 
> So it appears that 2 Kerberos tickets are generated, which looks good to me.
> Now. How shall I proceed when I want to use them for mounting a Samba share?
> 
> I try to mount manually:
> 
> $ sudo mount -t cifs -o sec=krb5 //<servername>/<sharename>/
> mount error(126): Required key not available
> Refer to the mount.cifs(8) manual page (e.g. man mount.cifs) and kernel log
> messages (dmesg)
> 
> This does not work. Even though I have authenticated successfully
> (otherwise I could not have logged in....) and there are definitely some
> Kerberos tickets around.
> I do not understand what is missing, but I find throughout the internet
> lots of people having the same problem, but no solution. Is it true that
> this is not possible, or should it work?
> 
> I would highly prefer to get rid of the credentials files, as it is not
> very good to have a cleartext file with a password in it.
> 
> Thanks
> best
> Tobias
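
A minimal pam_mount volume definition for the libpam-mount suggestion above, as an added example that is not part of the original thread. The server name, share name and mountpoint are placeholders, and it assumes pam_mount.so is already enabled in the PAM auth and session stacks and that login produces a per-user ticket cache like the one shown by klist.

```xml
<?xml version="1.0" encoding="utf-8" ?>
<!-- /etc/security/pam_mount.conf.xml (added example; names are placeholders) -->
<pam_mount>
  <!-- Mount the share at login using the Kerberos ticket obtained during
       PAM authentication, so no cleartext credentials file is needed.
       sec=krb5 selects Kerberos authentication. The mount itself runs as
       root, so cruid=%(USERUID) tells cifs.upcall to use the credential
       cache owned by the user who is logging in. -->
  <volume user="*"
          fstype="cifs"
          server="fileserver.example.com"
          path="sharename"
          mountpoint="~/sharename"
          options="sec=krb5,cruid=%(USERUID),nosuid,nodev" />

  <!-- Create the mountpoint on first login and remove it on logout. -->
  <mkmountpoint enable="1" remove="true" />
</pam_mount>
```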


