Rowland Penny
2024-Feb-28 15:01 UTC
[Samba] Samba, Kerberos, Autofs: Shares get disconnected
On Wed, 28 Feb 2024 14:22:49 +0100
"Pluess, Tobias via samba" <samba at lists.samba.org> wrote:

> Hi Rowland
>
> yes sure I know who user '0' is ;-)
> so where should the ticket be then?
> I just rebooted the PC and logged in via SSH as root. There is no
> ticket for the machine :-(

There is, you just cannot see it, mainly because it is in memory.

>
> even though, the Active Directory join seems to be OK, as "net ads
> testjoin" says so.

If you start a computer that is joined to AD, then you get a kerberos
ticket for the computer in memory, you do not get a physical ticket.

>
> I am still a bit lost on how I should proceed.
> To have this all working more or less, I just mounted the shares with
> the credentials file, this is fine as it works reliably but has the
> drawback that the access permissions are not per-user.
> But maybe I will stick to that anyways as it seems I am not able to
> get the other option to work, obviously something is missing but I
> have absolutely no idea which part I missed.

Try running this on one of your Samba AD DCs, it should dump your
entire AD:

sudo ldbsearch -H "ldap://$(hostname -f)" -P

Make sure that you do not have a ticket for root or the user running
the command in /tmp

I hope this shows that you do not need a physical kerberos ticket in
/tmp to use the machine's ticket.

If you want, I could post how I set up the two machines for testing.

Rowland
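As an added example (not from the thread and not Samba's own code), a small POSIX shell script that turns the two points above into repeatable checks: first confirm that no user ticket cache in /tmp (or one named by KRB5CCNAME) would be picked up instead of the machine account, then run the ldbsearch test with the machine account (-P). The cache naming, the KRB5CCNAME handling and the function names are my assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Pre-checks for the test Rowland
# describes: confirm no user ticket cache would be picked up instead of
# the machine account, then run ldbsearch with the machine account (-P).
# Assumptions: file caches named /tmp/krb5cc_<uid> (MIT default; KEYRING
# and KCM caches are not covered) and ldbsearch/net available on PATH.

# Return 0 when no credential cache exists for uid $1 in directory $2
# (default /tmp); otherwise print the cache path and return 1. A cache
# found here would be used instead of the machine account, which is
# exactly what this test is meant to rule out.
ccache_clear_for_uid() {
    uid="$1"
    dir="${2:-/tmp}"
    # KRB5CCNAME overrides the default location, so check it first
    if [ -n "${KRB5CCNAME:-}" ]; then
        case "$KRB5CCNAME" in
            FILE:*) f="${KRB5CCNAME#FILE:}" ;;
            *)      f="$KRB5CCNAME" ;;
        esac
        if [ -e "$f" ]; then
            echo "ticket cache present: $f"
            return 1
        fi
    fi
    # default cache plus the per-session krb5cc_<uid>_XXXXXX variant
    for f in "$dir/krb5cc_$uid" "$dir/krb5cc_${uid}"_*; do
        if [ -e "$f" ]; then
            echo "ticket cache present: $f"
            return 1
        fi
    done
    return 0
}

# The command from the thread: query the host's own LDAP service using
# the stored machine account password (-P). $1 overrides the host name.
ldbsearch_cmd() {
    host="${1:-$(hostname -f)}"
    printf 'ldbsearch -H "ldap://%s" -P\n' "$host"
}

# Full check, as root on a Samba AD DC: no cache, join valid, dump AD.
check_machine_account() {
    ccache_clear_for_uid "$(id -u)" /tmp || return 1
    net ads testjoin || return 1
    ldbsearch -H "ldap://$(hostname -f)" -P
}
```

Run check_machine_account on a Samba AD DC; a non-zero exit with a "ticket cache present" line means a user ticket, not the machine account, would have been used.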
Pluess, Tobias
2024-Feb-28 15:32 UTC
[Samba] Samba, Kerberos, Autofs: Shares get disconnected
Hi Rowland,

unfortunately, the DCs in use are Windows Servers, and furthermore, I don't have access rights. I just have the right to join computers. So therefore, I cannot run code on them, unfortunately! :-(
Maybe this is the reason why it does not work properly for me? Because the Windows AD DC is not working as expected?

Thanks, best
Tobias

On Wed, Feb 28, 2024 at 4:02 PM Rowland Penny via samba <samba at lists.samba.org> wrote:

> On Wed, 28 Feb 2024 14:22:49 +0100
> "Pluess, Tobias via samba" <samba at lists.samba.org> wrote:
>
> > Hi Rowland
> >
> > yes sure I know who user '0' is ;-)
> > so where should the ticket be then?
> > I just rebooted the PC and logged in via SSH as root. There is no
> > ticket for the machine :-(
>
> There is, you just cannot see it, mainly because it is in memory.
>
> >
> > even though, the Active Directory join seems to be OK, as "net ads
> > testjoin" says so.
>
> If you start a computer that is joined to AD, then you get a kerberos
> ticket for the computer in memory, you do not get a physical ticket.
>
> >
> > I am still a bit lost on how I should proceed.
> > To have this all working more or less, I just mounted the shares with
> > the credentials file, this is fine as it works reliably but has the
> > drawback that the access permissions are not per-user.
> > But maybe I will stick to that anyways as it seems I am not able to
> > get the other option to work, obviously something is missing but I
> > have absolutely no idea which part I missed.
>
> Try running this on one of your Samba AD DCs, it should dump your
> entire AD:
>
> sudo ldbsearch -H "ldap://$(hostname -f)" -P
>
> Make sure that you do not have a ticket for root or the user running
> the command in /tmp
>
> I hope this shows that you do not need a physical kerberos ticket in
> /tmp to use the machine's ticket.
>
> If you want, I could post how I set up the two machines for testing.
>
> Rowland