On 10/03/2020 at 11:21, Rowland penny via samba wrote:
> On 10/03/2020 10:10, Yvan Masson via samba wrote:
>> On 10/03/2020 at 10:37, Rowland penny via samba wrote:
>>> On 10/03/2020 09:18, Yvan Masson via samba wrote:
>>>> I think I did not properly explain my setup, sorry for that: Samba
>>>> here is not sharing anything. It is just used for joining a Windows
>>>> domain, so that users can sit on a chair in front of this Debian
>>>> computer, use their domain credentials in LightDM, and then access
>>>> their personal and shared data (that are shared by the Windows DC,
>>>> mounted locally by pam_mount).
>>> Yes, telling us that would have helped.
>> I used the word "workstation" in my initial post, thinking it was
>> sufficient.
>>>>
>>>> So, my understanding is that my setup does not require creating a
>>>> UPN and a corresponding keytab to put on this Linux client. I am
>>>> probably not completely wrong as mounting a Windows share on the
>>>> Debian computer using Kerberos now works :-).
>>> No, it should work without manually creating any UPNs, SPNs or keytabs.
>>>>
>>>> I permit myself this question again: in this setup, is it useful to
>>>> have /etc/krb5.keytab or not?
>>>
>>> No, you do not need the keytab, you just need the correct setup that
>>> uses the user's Kerberos ticket via PAM at login.
>>>
>>> Rowland
>>>
>> OK thanks. Any idea why mounting a share worked using one server's
>> hostname and not the other? They both resolve to the same IP.
>
> Because if you are using pam-mount, you should be using the user's
> Kerberos ticket via PAM at login.

That is what I did. But it fails even when mounting manually:
1. Connect on the desktop using domain user "yvan.masson" (either
   graphically / TTY / SSH). Kerberos ticket is properly created.
2. Running "sudo mount -t cifs //ad.FOO.BAR.LOCAL/Echange /mnt -o
   user=yvan.masson,cruid=yvan.masson,sec=krb5" fails with "Required key
   not available".
3. Running "sudo mount -t cifs //foo-ad.FOO.BAR.LOCAL/Echange /mnt -o
   user=yvan.masson,cruid=yvan.masson,sec=krb5" works.

This seems strange to me since "foo-ad" and "ad" refer to the same IP
address. But, as I said, I found a workaround so this question is not
important.

>
> Rowland

Yvan
On 10/03/2020 10:47, Yvan Masson via samba wrote:
> On 10/03/2020 at 11:21, Rowland penny via samba wrote:
>> [...]
>> Because if you are using pam-mount, you should be using the user's
>> Kerberos ticket via PAM at login.
>
> That is what I did. But it fails even when mounting manually:
> 1. Connect on the desktop using domain user "yvan.masson" (either
>    graphically / TTY / SSH). Kerberos ticket is properly created.
> 2. Running "sudo mount -t cifs //ad.FOO.BAR.LOCAL/Echange /mnt -o
>    user=yvan.masson,cruid=yvan.masson,sec=krb5" fails with "Required key
>    not available".
> 3. Running "sudo mount -t cifs //foo-ad.FOO.BAR.LOCAL/Echange /mnt -o
>    user=yvan.masson,cruid=yvan.masson,sec=krb5" works.
>
> This seems strange to me since "foo-ad" and "ad" refer to the same IP
> address. But, as I said, I found a workaround so this question is not
> important.

Kerberos does not use IP addresses and if you are using a machine's
ticket, then the machine must have the relevant SPN. Also, a computer
cannot have two hostnames, but it can have a hostname and a CNAME.

You can mount a share with a user's Kerberos ticket at login via PAM, not
sure if you can do this via SSH.

Rowland
On 10/03/2020 at 12:22, Rowland penny via samba wrote:
> On 10/03/2020 10:47, Yvan Masson via samba wrote:
>> [...]
>> This seems strange to me since "foo-ad" and "ad" refer to the same IP
>> address. But, as I said, I found a workaround so this question is not
>> important.
>
> Kerberos does not use IP addresses and if you are using a machine's
> ticket, then the machine must have the relevant SPN. Also, a computer
> cannot have two hostnames, but it can have a hostname and a CNAME.

You are right, the Windows DC/fileserver doesn't have two hostnames, but
in DNS two names are pointing to its IP (both are A records, there is no
CNAME).

>
> You can mount a share with a user's Kerberos ticket at login via PAM,
> not sure if you can do this via SSH.

Indeed, I did not test this.

>
> Rowland
>

Regards,
Yvan
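A worked illustration of Rowland's point and of Yvan's last reply (two A records, no CNAME), added here as an example and not code from the thread, from Samba or from cifs.upcall: a constructed DNS zone and a constructed list of SPNs on the DC's computer account show why a mount by the second A-record name has no matching cifs/ SPN while a CNAME would canonicalise to a name that does. The DNS records, SPN values, realm and helper names are all assumptions.

```python
# Constructed illustration, not Samba/cifs.upcall code: why a Kerberos
# CIFS mount can work for one DNS name and fail for another that resolves
# to the same IP. Every record, SPN and name below is made up.

# Constructed DNS zone: two A records for the same DC plus one CNAME.
DNS = {
    "foo-ad.foo.bar.local": ("A", "192.0.2.10"),
    "ad.foo.bar.local": ("A", "192.0.2.10"),        # second name, same IP
    "files.foo.bar.local": ("CNAME", "foo-ad.foo.bar.local"),
}

# Constructed servicePrincipalName values on the DC's computer account
# (roughly what 'setspn -L' or an LDAP query would list). Nothing was
# ever registered for the second A-record name "ad.foo.bar.local".
DC_SPNS = {
    "cifs/foo-ad.foo.bar.local", "cifs/FOO-AD",
    "HOST/foo-ad.foo.bar.local", "HOST/FOO-AD",
}

REALM = "FOO.BAR.LOCAL"  # assumed realm, taken from the share paths above


def canonical_host(name, dns=DNS, max_hops=8):
    """Follow CNAMEs to the canonical name, as a client does when
    dns_canonicalize_hostname is on. An A record is already canonical,
    so a second A record for the same IP is never rewritten."""
    host = name.lower()
    for _ in range(max_hops):
        rtype, value = dns[host]
        if rtype != "CNAME":
            return host
        host = value.lower()
    raise ValueError("CNAME chain too long for %s" % name)


def cifs_spn(share_host, realm=REALM):
    """SPN the client asks the KDC for: cifs/<canonical host>@REALM."""
    return "cifs/%s@%s" % (canonical_host(share_host), realm)


def mount_diagnosis(share_host, spns=DC_SPNS):
    """Return (spn, registered). registered is False when no SPN on the
    DC's account matches, so the KDC cannot issue a service ticket; that
    is the situation behind the failing mount in the thread."""
    spn = cifs_spn(share_host)
    registered = spn.split("@")[0].lower() in {s.lower() for s in spns}
    return spn, registered


if __name__ == "__main__":
    for h in ("ad.FOO.BAR.LOCAL", "foo-ad.FOO.BAR.LOCAL", "files.foo.bar.local"):
        spn, ok = mount_diagnosis(h)
        print("%-22s %-38s %s" % (h, spn, "OK" if ok else "no matching SPN"))
```

In a real client, whether the name is canonicalised depends on the dns_canonicalize_hostname and rdns settings in krb5.conf's [libdefaults] section, and the remedy for an extra A-record name is either a CNAME or registering the additional cifs/ SPN on the account.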