On 09/03/2020 at 16:43, Rowland penny via samba wrote:
> On 09/03/2020 15:18, Yvan Masson via samba wrote:
>> Thanks for your help!
>>
>> On 09/03/2020 at 15:39, L.P.H. van Belle via samba wrote:
>>> Did you "deleted the computer object" to allow kerberos services.
>>> And did you add the CIFS/spn to the computer and keytab ?
>>>
>> I am sorry, I don't really understand the above: mount requires a
>> keytab AND a user ticket?
>
> No, what he is saying is that the computer object should have a UPN
> containing cifs/<the computer's FQDN>@<UPPERCASE DOMAIN NAME>
>
> You also need the keytab
>
>> I tried your commands but could not get it working (note that I used
>> another AD administrator account, not "Administrator").
> You need to add the UPN on the DC, then export the keytab, then copy it
> to the required machines.
>
> Rowland

I think I did not properly explain my setup, sorry for that: Samba here is not sharing anything. It is just used for joining a Windows domain, so that users can sit on a chair in front of this Debian computer, use their domain credentials in LightDM, and then access their personal and shared data (that are shared by the Windows DC, mounted locally by pam_mount).

So, my understanding is that my setup does not require creating a UPN and a corresponding keytab to put on this Linux client. I am probably not completely wrong, as mounting a Windows share on the Debian computer using Kerberos now works :-).

I permit myself this question again: in this setup, is it useful to have /etc/krb5.keytab or not?

Yvan
On 10/03/2020 09:18, Yvan Masson via samba wrote:
> I think I did not properly explain my setup, sorry for that: Samba
> here is not sharing anything. It is just used for joining a Windows
> domain, so that users can sit on a chair in front of this Debian
> computer, use their domain credentials in LightDM, and then access
> their personal and shared data (that are shared by the Windows DC,
> mounted locally by pam_mount).
Yes, telling us that would have helped.
>
> So, my understanding is that my setup does not require creating a UPN
> and a corresponding keytab to put on this Linux client. I am probably
> not completely wrong, as mounting a Windows share on the Debian
> computer using Kerberos now works :-).
No, it should work without manually creating any UPNs, SPNs or keytabs.
>
> I permit myself this question again: in this setup, is it useful to
> have /etc/krb5.keytab or not?
No, you do not need the keytab, you just need the correct setup that uses the user's Kerberos ticket via PAM at login.

Rowland
On 10/03/2020 at 10:37, Rowland penny via samba wrote:
> On 10/03/2020 09:18, Yvan Masson via samba wrote:
>> I think I did not properly explain my setup, sorry for that: Samba
>> here is not sharing anything. It is just used for joining a Windows
>> domain, so that users can sit on a chair in front of this Debian
>> computer, use their domain credentials in LightDM, and then access
>> their personal and shared data (that are shared by the Windows DC,
>> mounted locally by pam_mount).
> Yes, telling us that would have helped.
I used the word "workstation" in my initial post, thinking it was sufficient.
>>
>> So, my understanding is that my setup does not require creating a UPN
>> and a corresponding keytab to put on this Linux client. I am probably
>> not completely wrong, as mounting a Windows share on the Debian
>> computer using Kerberos now works :-).
> No, it should work without manually creating any UPNs, SPNs or keytabs.
>>
>> I permit myself this question again: in this setup, is it useful to
>> have /etc/krb5.keytab or not?
>
> No, you do not need the keytab, you just need the correct setup that
> uses the user's Kerberos ticket via PAM at login.
>
> Rowland
>
OK thanks. Any idea why mounting a share worked using one server's hostname and not the other? They both resolve to the same IP.

Yvan
Because your base setup is just not correct.
Who is allowed to mount in the name of the user? That's your question.

Add the UPN in the computer object in the AD (of that server) and you're done.
Use cifs/hostname.fqdn or root/hostname.fqdn

I'll see if I can find some time to write out how I do this with NFS, because for CIFS the setup is 90% the same.

Greetz,

Louis

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Yvan Masson via samba
> Sent: Tuesday 10 March 2020 11:10
> To: samba at lists.samba.org
> Subject: Re: [Samba] mount share using kerberos ticket fails
>
> On 10/03/2020 at 10:37, Rowland penny via samba wrote:
> > On 10/03/2020 09:18, Yvan Masson via samba wrote:
> >> I think I did not properly explain my setup, sorry for that: Samba
> >> here is not sharing anything. It is just used for joining a Windows
> >> domain, so that users can sit on a chair in front of this Debian
> >> computer, use their domain credentials in LightDM, and then access
> >> their personal and shared data (that are shared by the Windows DC,
> >> mounted locally by pam_mount).
> > Yes, telling us that would have helped.
> I used the word "workstation" in my initial post, thinking it was
> sufficient.
> >>
> >> So, my understanding is that my setup does not require creating a UPN
> >> and a corresponding keytab to put on this Linux client. I am probably
> >> not completely wrong, as mounting a Windows share on the Debian
> >> computer using Kerberos now works :-).
> > No, it should work without manually creating any UPNs, SPNs or keytabs.
> >>
> >> I permit myself this question again: in this setup, is it useful to
> >> have /etc/krb5.keytab or not?
> >
> > No, you do not need the keytab, you just need the correct setup that
> > uses the user's Kerberos ticket via PAM at login.
> >
> > Rowland
> >
> OK thanks. Any idea why mounting a share worked using one server's
> hostname and not the other? They both resolve to the same IP.
>
> Yvan
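The thread's open question is why a Kerberos mount succeeds with one of two host names that resolve to the same address: the KDC is asked for a service ticket for cifs/<name as written>, so an alias without its own SPN fails even though the IP is identical. The script below is an added example, not code from the thread or from Samba; it derives the principal mount.cifs will request for a target and, when given arguments, asks the KDC for it with kvno from the invoking user's own ticket cache. It assumes MIT Kerberos client tools on the workstation.

```shell
#!/bin/sh
# Added example, not code from the thread. Works out which Kerberos service
# principal mount.cifs will request for a share and, optionally, asks the
# KDC for it with kvno. Assumes MIT Kerberos client tools (kvno) on the
# workstation; only check_spn talks to the KDC.

# Print the principal mount.cifs requests for a target, as "cifs/<host>".
# Accepts //host/share, \\host\share, host:/share or a bare host name.
# The KDC is asked for exactly this name: a second DNS name for the same
# server only works if an SPN has been registered for that name too.
spn_for_target() {
    host=$(printf '%s' "$1" | sed -e 's#^//##' -e 's#^\\\\##' -e 's#[/\\:].*$##' \
                            | tr 'A-Z' 'a-z')
    [ -n "$host" ] || return 1
    printf 'cifs/%s\n' "$host"
}

# 0 when the host part is a dotted IPv4 address: the KDC normally has no
# SPN of the form cifs/<address>, so such a mount cannot use sec=krb5.
looks_like_ipv4() {
    printf '%s' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

# Diagnose one mount target using the caller's ticket cache (the same cache
# pam_mount hands to mount.cifs via the cruid= option when it mounts for the
# user who just logged in). Returns 0 if the KDC issued a service ticket.
check_spn() {
    spn=$(spn_for_target "$1") || { echo "cannot parse target: $1" >&2; return 1; }
    if looks_like_ipv4 "${spn#cifs/}"; then
        echo "$1: target is an IP address, no SPN can match; use the server's DNS name" >&2
        return 1
    fi
    if kvno "$spn" >/dev/null 2>&1; then
        echo "$1: KDC issued a ticket for $spn, this name is usable with sec=krb5"
    else
        echo "$1: no ticket for $spn; register that SPN on the server's computer object" >&2
        return 1
    fi
}

# Usage: ./check-cifs-spn.sh //fileserver.example.com/homes //alias.example.com/homes
if [ $# -gt 0 ]; then
    rc=0
    for t in "$@"; do check_spn "$t" || rc=1; done
    exit $rc
fi
```

Run it as the logged-in domain user after `kinit` or a PAM login, with each host name that pam_mount is configured to use; the name that fails here is the one missing its SPN.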