Good day,

I have installed a couple of Linux machines where I want to mount various Samba shares.
So far, I (and various other users) do this using a credentials file, because nobody has ever been able to properly configure everything needed such that the shares can be mounted using the login credentials.
However, from time to time, I try again to set things up properly. So here it goes:

people login to the computer using their Active Directory credentials and PAM. This works perfectly. The server where one can log in is joined to the Active Directory, and therefore, upon login, Kerberos tickets are created:

$ klist
Ticket cache: FILE:/tmp/krb5cc_5486
Default principal: <MY USERNAME>@<THE DOMAIN>

Valid starting     Expires            Service principal
01/15/24 13:24:20  01/15/24 23:24:20  krbtgt/<THE DOMAIN>@<THE DOMAIN>
        renew until 01/22/24 13:24:20
01/15/24 13:24:20  01/15/24 23:24:20  <HOSTNAME>$@<THE DOMAIN>
        renew until 01/22/24 13:24:20

So it appears that 2 Kerberos tickets are generated, which looks good to me.
Now. How shall I proceed when I want to use them for mounting a Samba share?

I try to mount manually:

$ sudo mount -t cifs -o sec=krb5 //<servername>/<sharename>/
mount error(126): Required key not available
Refer to the mount.cifs(8) manual page (e.g. man mount.cifs) and kernel log messages (dmesg)

This does not work. Even though I have authenticated successfully (otherwise I could not have logged in....) and there are definitely some Kerberos tickets around.
I do not understand what is missing, but I find throughout the internet lots of people having the same problem, but no solution. Is it true that this is not possible, or should it work?

I would highly prefer to get rid of the credentials files, as it is not very good to have a cleartext file with a password in it.

Thanks
best
Tobias

On Mon, 15 Jan 2024 14:33:36 +0100
"Pluess, Tobias via samba" <samba at lists.samba.org> wrote:

> Good day,
>
> I have installed a couple of Linux machines where I want to mount
> various Samba shares.
> So far, I (and various other users) do this using a credentials file,
> because nobody has ever been able to properly configure everything
> needed such that the shares can be mounted using the login
> credentials. However, from time to time, I try again to set things up
> properly. So here it goes:
>
> people login to the computer using their Active Directory credentials
> and PAM. This works perfectly. The server where one can log in is
> joined to the Active Directory, and therefore, upon login, Kerberos
> tickets are created:
>
> I try to mount manually:
>
> $ sudo mount -t cifs -o sec=krb5 //<servername>/<sharename>/

Try it like this:

sudo mount -t cifs //<servername>/<sharename>/ /mount/point -o sec=krb5,cruid=$USER

Rowland
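
Added example, not part of any message in this thread: a shell wrapper around the mount command above that first checks for a valid ticket and a cifs.spnego request-key rule, then passes the invoking user as cruid. The function names, the extra uid=/gid= options and the request-key paths (the usual cifs-utils defaults) are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Run as the logged-in user (not via sudo).
# Function names are hypothetical; file paths are the usual cifs-utils defaults.

# Mount options for account $1. cruid names the owner of the credential cache
# that cifs.upcall should read; by default that is the real uid of the
# mounting process, which is root under sudo rather than the ticket holder.
# uid=/gid= (an addition to the command in the thread) set the local owner
# shown for files on the mount.
krb5_cifs_opts() {
    uid=$(id -u "$1") || return 1
    gid=$(id -g "$1") || return 1
    printf 'sec=krb5,cruid=%s,uid=%s,gid=%s\n' "$uid" "$uid" "$gid"
}

# True if any of the given request-key config files routes cifs.spnego key
# requests to a helper (normally cifs.upcall). Commented-out rules are ignored.
upcall_registered() {
    grep -Eqs '^[[:space:]]*create[[:space:]]+cifs\.spnego[[:space:]]' "$@"
}

krb5_mount() {
    unc=$1
    mnt=$2
    user=$(id -un) || return 1
    # MIT klist -s prints nothing; its exit status says whether the
    # credential cache is readable and not expired.
    klist -s || { echo "no valid Kerberos ticket for $user" >&2; return 1; }
    upcall_registered /etc/request-key.conf /etc/request-key.d/*.conf ||
        { echo "no cifs.spnego rule for request-key" >&2; return 1; }
    opts=$(krb5_cifs_opts "$user") || return 1
    sudo mount -t cifs "$unc" "$mnt" -o "$opts"
}

# Usage: script //server/share /mount/point
[ "$#" -ne 2 ] || krb5_mount "$1" "$2"
```
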

If you want to get the shares mounted during login, try libpam-mount.

On 15.01.24 at 14:33, Pluess, Tobias via samba wrote:
> Good day,
>
> I have installed a couple of Linux machines where I want to mount various
> Samba shares.
> So far, I (and various other users) do this using a credentials file,
> because nobody has ever been able to properly configure everything needed
> such that the shares can be mounted using the login credentials.
> However, from time to time, I try again to set things up properly. So here
> it goes:
>
> people login to the computer using their Active Directory credentials and
> PAM. This works perfectly. The server where one can log in is joined to the
> Active Directory, and therefore, upon login, Kerberos tickets are created:
>
> $ klist
> Ticket cache: FILE:/tmp/krb5cc_5486
> Default principal: <MY USERNAME>@<THE DOMAIN>
>
> Valid starting     Expires            Service principal
> 01/15/24 13:24:20  01/15/24 23:24:20  krbtgt/<THE DOMAIN>@<THE DOMAIN>
>         renew until 01/22/24 13:24:20
> 01/15/24 13:24:20  01/15/24 23:24:20  <HOSTNAME>$@<THE DOMAIN>
>         renew until 01/22/24 13:24:20
>
> So it appears that 2 Kerberos tickets are generated, which looks good to me.
> Now. How shall I proceed when I want to use them for mounting a Samba share?
>
> I try to mount manually:
>
> $ sudo mount -t cifs -o sec=krb5 //<servername>/<sharename>/
> mount error(126): Required key not available
> Refer to the mount.cifs(8) manual page (e.g. man mount.cifs) and kernel log
> messages (dmesg)
>
> This does not work. Even though I have authenticated successfully
> (otherwise I could not have logged in....) and there are definitely some
> Kerberos tickets around.
> I do not understand what is missing, but I find throughout the internet
> lots of people having the same problem, but no solution. Is it true that
> this is not possible, or should it work?
>
> I would highly prefer to get rid of the credentials files, as it is not
> very good to have a cleartext file with a password in it.
>
> Thanks
> best
> Tobias