Thanks for your help!
On 09/03/2020 at 15:39, L.P.H. van Belle via samba wrote:
> Did you "deleted the computer object" to allow kerberos services.
> And did you add the CIFS/spn to the computer and keytab ?
>
I am sorry, I don't really understand the above: mount requires a keytab
AND a user ticket?
> https://wiki.samba.org/index.php/Generating_Keytabs
>
> If it's a member, which i assume.
Yes, the workstation is a domain member.
> kinit Administrator
> net ads keytab add cifs/$(hostname -f) -k
> net ads keytab add_update_ads -k
>
> Add these and it should work.
> You might need to restart or reboot; sometimes it's needed.
> Don't know why.
>
> Cifs and NFS (kerberized) work in debian without changing any files if you set it up correctly.
> All you need is above.
> If you do not have a "regular" setup, you might need to change/add things in
> /etc/idmap.conf and /etc/krb5.conf
I believe I have a regular setup.
I tried your commands but could not get it working (note that I used
another AD administrator account, not "Administrator").
I suppose from what you said that my error was to add the computer to
the domain without the following lines in smb.conf:
dedicated keytab file = /etc/krb5.keytab
kerberos method = secrets and keytab
So I left the domain, added the above lines, and joined again. But it
keeps failing...
>
>
> Greetz,
>
> Louis
>
>
>> -----Original message-----
>> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Yvan
>> Masson via samba
>> Sent: Monday 9 March 2020 15:20
>> To: samba at lists.samba.org
>> Subject: [Samba] mount share using kerberos ticket fails
>>
>> Hi list,
>>
>> I joined a workstation (Debian 10, Samba from distribution) to our AD
>> domain (Windows 2012 Server). The domain ends in ".local" (yes I know,
>> not my fault).
>> However, after a domain user logged in to the machine, I can't mount a
>> share that exists on the AD server using the user's kerberos ticket: it
>> fails with the error "Required key not available".
>> Mounting using a password works. The user ticket exists and is valid. A
>> DNS A record exists, but the AD does not contain a reverse zone (and I
>> can't create one).
>>
>> Here is the daemon.log (sorry for the poor formatting):
>>
>> Mar 9 15:06:23 testlinux cifs.upcall: key description: cifs.spnego;0;0;39010000;ver=0x2;host=ad.FOO.BAR.LOCAL;ip4=10.73.23.27;sec=krb5;uid=0x0;creduid=0x2c0b;user=yvan.masson;pid=0x121c
>> Mar 9 15:06:23 testlinux cifs.upcall: ver=2
>> Mar 9 15:06:23 testlinux cifs.upcall: host=ad.FOO.BAR.LOCAL
>> Mar 9 15:06:23 testlinux cifs.upcall: ip=10.73.23.27
>> Mar 9 15:06:23 testlinux cifs.upcall: sec=1
>> Mar 9 15:06:23 testlinux cifs.upcall: uid=0
>> Mar 9 15:06:23 testlinux cifs.upcall: creduid=11275
>> Mar 9 15:06:23 testlinux cifs.upcall: user=yvan.masson
>> Mar 9 15:06:23 testlinux cifs.upcall: pid=4636
>> Mar 9 15:06:23 testlinux cifs.upcall: get_cachename_from_process_env: pathname=/proc/4636/environ
>> Mar 9 15:06:23 testlinux cifs.upcall: get_existing_cc: default ccache is FILE:/tmp/krb5cc_11275
>> Mar 9 15:06:23 testlinux cifs.upcall: handle_krb5_mech: getting service ticket for ad.foo.bar.local
>> Mar 9 15:06:23 testlinux cifs.upcall: cifs_krb5_get_req: unable to get credentials for ad.foo.bar.local
>> Mar 9 15:06:23 testlinux cifs.upcall: handle_krb5_mech: failed to obtain service ticket (-1765328377)
>> Mar 9 15:06:23 testlinux cifs.upcall: Unable to obtain service ticket
>> Mar 9 15:06:23 testlinux cifs.upcall: Exit status -1765328377
>>
>>
>> My smb.conf:
>>
>> [global]
>> workgroup = FOO
>> security = ADS
>> realm = FOO.BAR.LOCAL
>> winbind refresh tickets = Yes
>> winbind use default domain = yes
>> idmap config * : backend = tdb
>> idmap config * : range = 3000-7999
>> idmap config FOO : backend = rid
>> idmap config FOO : range = 10000-19999
>> template shell = /bin/bash
>>
>> My krb5.conf:
>>
>> [libdefaults]
>> default_realm = FOO.BAR.LOCAL
>> dns_lookup_realm = false
>> dns_lookup_kdc = true
>>
>>
>> I already tried some suggestions found on the web and on this list:
>> - adding the "-t" option to /etc/request-key.d/cifs.spnego.conf and
>> adding the AD server to /etc/hosts
>> - adding the following lines to /etc/krb5.conf:
>> default_tgs_enctypes = aes128-cts-hmac-sha1-96 aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
>> default_tkt_enctypes = aes128-cts-hmac-sha1-96 aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
>> permitted_enctypes = aes128-cts-hmac-sha1-96 aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
>>
>> Any suggestion would be very welcome.
>>
>> Regards,
>> Yvan
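An added example, not from this thread and not code from Samba or cifs-utils: it parses the cifs.upcall key description quoted in the log above, works out which credential cache and which service principal the upcall will go looking for, and decodes the numeric exit status into its Kerberos protocol error (-1765328377 is KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN, i.e. the KDC has no key for the requested service principal). The realm, the FILE:/tmp/krb5cc_<uid> cache layout and the lowercasing of the host are assumptions taken from the log, not from cifs.upcall's source.

```python
import re
# cifs.upcall logs krb5 failures as com_err values; the RFC 4120 error code is the offset from KRB5KDC_ERR_NONE.
KRB5_ERR_BASE = -1765328384
KRB5KDC_ERRORS = {
    6: "KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN (client not found in Kerberos database)",
    7: "KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN (server not found in Kerberos database)",
    14: "KRB5KDC_ERR_ETYPE_NOSUPP (KDC has no support for encryption type)",
}
def parse_key_description(desc):
    """'cifs.spnego;0;0;39010000;ver=0x2;host=...;pid=0x121c' -> dict: fields 0-3
    are key type, uid, gid, permissions; the rest are key=value (numbers in hex)."""
    parts = desc.strip().split(";")
    if parts[0] != "cifs.spnego":
        raise ValueError("not a cifs.spnego key description: %r" % parts[0])
    fields = dict(item.partition("=")[::2] for item in parts[4:])
    for key in ("ver", "uid", "creduid", "pid"):
        if key in fields:
            fields[key] = int(fields[key], 16)
    return fields

def expected_request(fields, realm):
    """Credential cache (assumed FILE:/tmp/krb5cc_<creduid>, as in the log
    above) and service principal (host lowercased, as the log shows)."""
    return {"ccache": "FILE:/tmp/krb5cc_%d" % fields["creduid"],
            "service_principal": "cifs/%s@%s" % (fields["host"].lower(), realm)}

def describe_krb5_error(code):
    """Translate the logged 'Exit status' into the Kerberos protocol error."""
    offset = code - KRB5_ERR_BASE
    if 0 <= offset < 128:
        return KRB5KDC_ERRORS.get(offset, "Kerberos protocol error %d" % offset)
    return "not a Kerberos protocol error code: %d" % code

def analyze_upcall_log(lines, realm):
    """Correlate key description and exit status across daemon.log lines."""
    result = {}
    for line in lines:
        m = re.search(r"key description: (\S+)", line)
        if m:
            result.update(expected_request(parse_key_description(m.group(1)), realm))
        m = re.search(r"Exit status (-?\d+)", line)
        if m:
            result["error"] = describe_krb5_error(int(m.group(1)))
    return result
# Constructed sample, copied from the log lines quoted in the thread.
SAMPLE_LOG = [
    "Mar 9 15:06:23 testlinux cifs.upcall: key description: cifs.spnego;0;0;39010000;ver=0x2;"
    "host=ad.FOO.BAR.LOCAL;ip4=10.73.23.27;sec=krb5;uid=0x0;creduid=0x2c0b;user=yvan.masson;pid=0x121c",
    "Mar 9 15:06:23 testlinux cifs.upcall: Exit status -1765328377",
]
```

Running analyze_upcall_log(SAMPLE_LOG, "FOO.BAR.LOCAL") ties the three facts in the log together: cache /tmp/krb5cc_11275 for creduid 0x2c0b, principal cifs/ad.foo.bar.local@FOO.BAR.LOCAL, and a KDC answer of "server not found", which is what to compare against the output of klist and klist -k on the workstation.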