Christian Haase
2017-May-10 11:45 UTC
[Samba] Using smbclient and mount.cifs with SPN in Keytab
Hi,

for a static cifs mount (automount from fstab) I would like to use kerberos with a SPN. The share is accessed from an http service, so I use HTTP/www.samdom.example.com with the username http-www.samdom.example.com. Unfortunately I cannot get it to work.

The keytab is generated as described on [1].

# klist -kt /etc/http.keytab
Keytab name: FILE:/etc/http.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   5 04/28/17 10:55:09 HTTP/www.samdom.example.com@SAMDOM.EXAMPLE.COM
   5 04/28/17 10:55:09 HTTP/www.samdom.example.com@SAMDOM.EXAMPLE.COM
   5 04/28/17 10:55:09 HTTP/www.samdom.example.com@SAMDOM.EXAMPLE.COM

I use this keytab with mod_auth_kerb where everything works well.

-%<------
# kinit -kt /etc/http.keytab HTTP/www.samdom.example.com
# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: HTTP/www.samdom.example.com@SAMDOM.EXAMPLE.COM

Valid starting     Expires            Service principal
05/10/17 13:35:59  05/10/17 23:35:59  krbtgt/SAMDOM.EXAMPLE.COM@SAMDOM.EXAMPLE.COM
        renew until 05/11/17 13:35:59

# smbclient -k //ad/netlogon
gss_init_sec_context failed with [ Miscellaneous failure (see text): Client (HTTP/www.samdom.example.com@SAMDOM.EXAMPLE.COM) unknown]
SPNEGO(gse_krb5) creating NEG_TOKEN_INIT failed: NT_STATUS_INTERNAL_ERROR
session setup failed: NT_STATUS_INTERNAL_ERROR
-%<------

When logging in with the username "http-www.samdom.example.com" and the temporarily assigned user password and with a Keytab including the principal http-www.samdom.example.com@SAMDOM.EXAMPLE.COM it works. mount.cifs shows the same behaviour.

Is it not possible to use a SPN in this scenario?

Thanks,
Christian

[1] https://wiki.samba.org/index.php/Generating_Keytabs

--
ifu Hamburg - material flows and software
"We enable sustainable production."

ifu Hamburg GmbH
Max-Brauer-Allee 50 - 22765 Hamburg - Germany
fon: +49 40 480009-0 - fax: +49 40 480009-22 - email: info@ifu.com

Managing Director: Jan Hedemann - Commercial Register: Hamburg, HRB 52629
www.ifu.com - www.umberto.de - www.e-sankey.com
L.P.H. van Belle
2017-May-10 12:12 UTC
[Samba] Using smbclient and mount.cifs with SPN in Keytab
Does it work if you test like this?

kinit testuser@EXAMPLE.COM
mount -t cifs -o sec=krb5 //server.example.com/export /mnt/cifs

Have a look here:
https://runops.wordpress.com/2015/03/05/setup-linux-cifs-autofs-automount-using-kerberos-authentication/

I can't tell much about automount, I use it but through systemd for my nfsv4 mounts.

Greetz,

Louis

> -----Original message-----
> From: samba [mailto:samba-bounces@lists.samba.org] On behalf of Christian Haase via samba
> Sent: Wednesday 10 May 2017 13:46
> To: samba@lists.samba.org
> Subject: [Samba] Using smbclient and mount.cifs with SPN in Keytab
>
> Hi,
>
> for a static cifs mount (automount from fstab) I would like to use kerberos with a SPN. The share is accessed from an http service, so I use HTTP/www.samdom.example.com with the username http-www.samdom.example.com. Unfortunately I cannot get it to work.
>
> The keytab is generated as described on [1].
>
> # klist -kt /etc/http.keytab
> Keytab name: FILE:/etc/http.keytab
> KVNO Timestamp         Principal
> ---- ----------------- --------------------------------------------------------
>    5 04/28/17 10:55:09 HTTP/www.samdom.example.com@SAMDOM.EXAMPLE.COM
>    5 04/28/17 10:55:09 HTTP/www.samdom.example.com@SAMDOM.EXAMPLE.COM
>    5 04/28/17 10:55:09 HTTP/www.samdom.example.com@SAMDOM.EXAMPLE.COM
>
> I use this keytab with mod_auth_kerb where everything works well.
>
> -%<------
> # kinit -kt /etc/http.keytab HTTP/www.samdom.example.com
> # klist
> Ticket cache: FILE:/tmp/krb5cc_0
> Default principal: HTTP/www.samdom.example.com@SAMDOM.EXAMPLE.COM
>
> Valid starting     Expires            Service principal
> 05/10/17 13:35:59  05/10/17 23:35:59  krbtgt/SAMDOM.EXAMPLE.COM@SAMDOM.EXAMPLE.COM
>         renew until 05/11/17 13:35:59
>
> # smbclient -k //ad/netlogon
> gss_init_sec_context failed with [ Miscellaneous failure (see text): Client (HTTP/www.samdom.example.com@SAMDOM.EXAMPLE.COM) unknown]
> SPNEGO(gse_krb5) creating NEG_TOKEN_INIT failed: NT_STATUS_INTERNAL_ERROR
> session setup failed: NT_STATUS_INTERNAL_ERROR
> -%<------
>
> When logging in with the username "http-www.samdom.example.com" and the temporarily assigned user password and with a Keytab including the principal http-www.samdom.example.com@SAMDOM.EXAMPLE.COM it works. mount.cifs shows the same behaviour.
>
> Is it not possible to use a SPN in this scenario?
>
> Thanks,
> Christian
>
> [1] https://wiki.samba.org/index.php/Generating_Keytabs
Christian Haase
2017-May-10 12:32 UTC
[Samba] Using smbclient and mount.cifs with SPN in Keytab
Hi,

L.P.H. van Belle via samba wrote:
> Does it work if you test like this?
>
> kinit testuser@EXAMPLE.COM
> mount -t cifs -o sec=krb5 //server.example.com/export /mnt/cifs

yep, this works. Only when I use a SPN it does not, but this is what I try to do.

> I can't tell much about automount, I use it but through systemd for my nfsv4 mounts.

The automount part will be no problem for me, if the mount itself works (with spn), e.g.

mount -t cifs -o krb5 //ad/netlogon /mnt

Cheers,
Christian
Christian Haase
2017-May-10 14:05 UTC
[Samba] Using smbclient and mount.cifs with SPN in Keytab
Hi again,

after reading [1] I revoke my question, I had a completely wrong understanding of the SPN.

Cheers,
Christian

[1] http://web.mit.edu/kerberos/www/dialogue.html
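The point the thread arrives at is that HTTP/www.samdom.example.com names the service, while the identity a CIFS client authenticates as is the account's user principal (http-www.samdom.example.com), which the failing keytab never contained. The following added example (not from the thread or from Samba) parses `klist -kt` output and lists which keytab entries could serve as a client identity; the two listings are constructed from the thread, with the archive's " at " rewrite restored to "@".

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample data: the failing keytab from the thread (SPN only)
# and the same keytab with the account's user principal added, which is
# the combination the poster reported as working.
KLIST_SPN_ONLY = """\
Keytab name: FILE:/etc/http.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   5 04/28/17 10:55:09 HTTP/www.samdom.example.com@SAMDOM.EXAMPLE.COM
   5 04/28/17 10:55:09 HTTP/www.samdom.example.com@SAMDOM.EXAMPLE.COM
"""
KLIST_WITH_UPN = KLIST_SPN_ONLY + \
    "   5 04/28/17 10:55:09 http-www.samdom.example.com@SAMDOM.EXAMPLE.COM\n"


@dataclass(frozen=True)
class Principal:
    primary: str
    instance: Optional[str]
    realm: str

    @property
    def is_service(self) -> bool:
        # An instance component (service/host) marks a service principal;
        # a bare primary is a user principal, i.e. a client identity.
        return self.instance is not None

    def __str__(self) -> str:
        inst = f"/{self.instance}" if self.instance else ""
        return f"{self.primary}{inst}@{self.realm}"


def parse_principal(text: str) -> Principal:
    name, sep, realm = text.rpartition("@")
    if not sep or not name or not realm:
        raise ValueError(f"not a realm-qualified principal: {text!r}")
    primary, _, instance = name.partition("/")
    return Principal(primary, instance or None, realm)


def parse_klist_kt(output: str) -> List[Principal]:
    # Entry lines carry KVNO, date, time and principal; header and ruler skip.
    entry = re.compile(r"^\s*\d+\s+\S+\s+\S+\s+(\S+@\S+)\s*$")
    return [parse_principal(m.group(1))
            for m in map(entry.match, output.splitlines()) if m]


def client_identities(output: str) -> List[str]:
    """Keytab principals a CIFS client could authenticate as (deduplicated)."""
    return sorted({str(p) for p in parse_klist_kt(output) if not p.is_service})
```

Running `client_identities` over the first listing returns an empty list, which is the condition behind the "Client ... unknown" failure in the thread; the second listing yields the user principal the mount can use.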