On 10/03/2020 10:37, Rowland penny via samba wrote:
> On 10/03/2020 09:18, Yvan Masson via samba wrote:
>> I think I did not properly explain my setup, sorry for that: Samba
>> here is not sharing anything. It is just used for joining a Windows
>> domain, so that users can sit on a chair in front of this Debian
>> computer, use their domain credentials in LightDM, and then access
>> their personal and shared data (that are shared by the Windows DC,
>> mounted locally by pam_mount).
> Yes, telling us that would have helped.

I used the word "workstation" in my initial post, thinking it was sufficient.

>>
>> So, my understanding is that my setup does not require creating a UPN
>> and a corresponding keytab to put on this Linux client. I am probably
>> not completely wrong as mounting a Windows share on the Debian
>> computer using Kerberos now works :-).
> No, it should work without manually creating any UPNs, SPNs or keytabs
>>
>> I permit myself this question again: in this setup, is it useful to
>> have /etc/krb5.keytab or not?
>
> No, you do not need the keytab, you just need the correct setup that
> uses the user's Kerberos ticket via PAM at login.
>
> Rowland
>

OK thanks. Any idea why mounting a share worked using one server's
hostname and not the other? They both resolve to the same IP.

Yvan
On 10/03/2020 10:10, Yvan Masson via samba wrote:
> On 10/03/2020 10:37, Rowland penny via samba wrote:
>> On 10/03/2020 09:18, Yvan Masson via samba wrote:
>>> I think I did not properly explain my setup, sorry for that: Samba
>>> here is not sharing anything. It is just used for joining a Windows
>>> domain, so that users can sit on a chair in front of this Debian
>>> computer, use their domain credentials in LightDM, and then access
>>> their personal and shared data (that are shared by the Windows DC,
>>> mounted locally by pam_mount).
>> Yes, telling us that would have helped.
> I used the word "workstation" in my initial post, thinking it was
> sufficient.
>>>
>>> So, my understanding is that my setup does not require creating a
>>> UPN and a corresponding keytab to put on this Linux client. I am
>>> probably not completely wrong as mounting a Windows share on the
>>> Debian computer using Kerberos now works :-).
>> No, it should work without manually creating any UPNs, SPNs or keytabs
>>>
>>> I permit myself this question again: in this setup, is it useful to
>>> have /etc/krb5.keytab or not?
>>
>> No, you do not need the keytab, you just need the correct setup that
>> uses the user's Kerberos ticket via PAM at login.
>>
>> Rowland
>>
> OK thanks. Any idea why mounting a share worked using one server's
> hostname and not the other? They both resolve to the same IP.

Because if you are using pam-mount, you should be using the user's
Kerberos ticket via PAM at login.

Rowland
On 10/03/2020 11:21, Rowland penny via samba wrote:
> On 10/03/2020 10:10, Yvan Masson via samba wrote:
>> On 10/03/2020 10:37, Rowland penny via samba wrote:
>>> On 10/03/2020 09:18, Yvan Masson via samba wrote:
>>>> I think I did not properly explain my setup, sorry for that: Samba
>>>> here is not sharing anything. It is just used for joining a Windows
>>>> domain, so that users can sit on a chair in front of this Debian
>>>> computer, use their domain credentials in LightDM, and then access
>>>> their personal and shared data (that are shared by the Windows DC,
>>>> mounted locally by pam_mount).
>>> Yes, telling us that would have helped.
>> I used the word "workstation" in my initial post, thinking it was
>> sufficient.
>>>>
>>>> So, my understanding is that my setup does not require creating a
>>>> UPN and a corresponding keytab to put on this Linux client. I am
>>>> probably not completely wrong as mounting a Windows share on the
>>>> Debian computer using Kerberos now works :-).
>>> No, it should work without manually creating any UPNs, SPNs or keytabs
>>>>
>>>> I permit myself this question again: in this setup, is it useful to
>>>> have /etc/krb5.keytab or not?
>>>
>>> No, you do not need the keytab, you just need the correct setup that
>>> uses the user's Kerberos ticket via PAM at login.
>>>
>>> Rowland
>>>
>> OK thanks. Any idea why mounting a share worked using one server's
>> hostname and not the other? They both resolve to the same IP.
>
> Because if you are using pam-mount, you should be using the user's
> Kerberos ticket via PAM at login.

That is what I did. But it fails even when mounting manually:

1. Connect on the desktop using domain user "yvan.masson" (either
   graphically / TTY / SSH). Kerberos ticket is properly created.
2. Running "sudo mount -t cifs //ad.FOO.BAR.LOCAL/Echange /mnt -o
   user=yvan.masson,cruid=yvan.masson,sec=krb5" fails with "Required key
   not available".
3. Running "sudo mount -t cifs //foo-ad.FOO.BAR.LOCAL/Echange /mnt -o
   user=yvan.masson,cruid=yvan.masson,sec=krb5" works.

This seems strange to me since "foo-ad" and "ad" refer to the same IP
address. But, as I said, I found a workaround so this question is not
important...

>
> Rowland

Yvan
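The three steps above are the kind of check a practitioner would script before reaching for a workaround. The helper below is an added example, not code from the thread or from Samba: it derives the Kerberos service principal that a `sec=krb5` cifs mount asks the KDC for (`cifs/<host>@<REALM>`, with the host taken literally from the UNC path, which is why two names for the same IP are two different principals as far as the KDC is concerned), and runs name resolution, ticket-cache and service-ticket checks in order before printing the mount command with `cruid` set to the numeric uid. The realm `FOO.BAR.LOCAL` is inferred from the hostnames in the post; the uid, mountpoint and the `diag` subcommand are assumptions for the example.

```shell
#!/bin/sh
# Constructed troubleshooting helper (added example, not from the thread).
# Usage: sh cifs-krb5-check.sh diag //ad.FOO.BAR.LOCAL/Echange FOO.BAR.LOCAL /mnt

# Host part of a UNC path: //ad.FOO.BAR.LOCAL/Echange -> ad.FOO.BAR.LOCAL
unc_host() {
    rest=${1#//}
    printf '%s\n' "${rest%%/*}"
}

# Service principal the client asks for on a sec=krb5 mount: cifs/<host>@<REALM>.
# The host is used as written in the UNC, so an alias and the real name are
# distinct principals even when both resolve to the same address.
cifs_spn() {
    printf 'cifs/%s@%s\n' "$(unc_host "$1")" "$2"
}

# mount command using the user's own credential cache: sec=krb5 plus
# cruid=<uid> so the kernel upcall looks in that user's ccache, not root's.
# $1 = UNC, $2 = user name, $3 = numeric uid, $4 = mountpoint
mount_cmd() {
    printf 'mount -t cifs %s %s -o user=%s,cruid=%s,sec=krb5\n' "$1" "$4" "$2" "$3"
}

# Run the checks in the order the failure would surface, stopping at the
# first one that fails so the cause is visible before mount(8) is tried.
# $1 = UNC, $2 = realm, $3 = mountpoint (default /mnt)
krb5_cifs_diag() {
    unc=$1; realm=$2; mnt=${3:-/mnt}
    host=$(unc_host "$unc")
    spn=$(cifs_spn "$unc" "$realm")
    user=$(id -un); uid=$(id -u)

    echo "1. name resolution for $host:"
    getent hosts "$host" || { echo "   cannot resolve $host"; return 1; }

    echo "2. valid Kerberos ticket cache for $user:"
    klist -s || { echo "   no valid ticket; log in via PAM or run kinit"; return 1; }

    echo "3. service ticket for $spn:"
    kvno "$spn" || { echo "   the KDC has no principal $spn; a name with a registered SPN is needed"; return 1; }

    echo "4. mount as root, resolving the ticket from $user's cache via cruid:"
    echo "   sudo $(mount_cmd "$unc" "$user" "$uid" "$mnt")"
}

case "${1:-}" in
    diag) shift; krb5_cifs_diag "$@" ;;
esac
```

Step 3 is the one that separates the two hostnames in the post: `kvno` asks the KDC for exactly the principal the mount will ask for, so it fails or succeeds for the same reason the mount does, without needing root.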
> That is what I did. But it fails even when mounting manually:
> 1. Connect on the desktop using domain user "yvan.masson" (either
> graphically / TTY / SSH). Kerberos ticket is properly created.
> 2. Running "sudo mount -t cifs //ad.FOO.BAR.LOCAL/Echange /mnt -o
> user=yvan.masson,cruid=yvan.masson,sec=krb5" fails with "Required key
> not available".

Of course, the user is not allowed to mount it.

user=yvan.masson << You need to delegate the computer to do it for the user.

> 3. Running "sudo mount -t cifs //foo-ad.FOO.BAR.LOCAL/Echange /mnt -o
> user=yvan.masson,cruid=yvan.masson,sec=krb5" works.

Of course, here root is allowed to mount it.

You know what to do and how to fix it properly.

Greetz,

Louis