Hi Samba community,

Here is a problem I could not solve. I would like to mount a CIFS share on my local Linux machine, which is bound to a Windows domain using winbind. The share needs to be mounted by the Linux machine's computer account. Here is what I do:

# su - DOMAIN\\computer$
[DOMAIN\computercomputer ~]$ <<< I think there is a problem with the bash prompt, skip it for now >>>
[DOMAIN\computercomputer ~]$ whoami
DOMAIN\computer$
[DOMAIN\computercomputer ~]$ sudo mount -o user=DOMAIN\\computer$,sec=krb5 //remotehost/remoteshare /mnt/localmount
mount error(126): Required key not available
Refer to the mount.cifs(8) manual page (e.g. man mount.cifs)
[DOMAIN\computercomputer ~]$ klist -5
klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_16777222)
[DOMAIN\computercomputer ~]$ kinit -5 computer\$@domain.com
Password for computer$@domain.com:

As you know, computer account passwords are not supposed to be entered by users under normal circumstances. How can I obtain a krb5 ticket for the computer account?

Thanks in advance.

Regards,
Mustafa
> [DOMAIN\computercomputer ~]$ klist -5
> klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_16777222)
>
> [DOMAIN\computercomputer ~]$ kinit -5 computer\$@domain.com
> Password for computer$@domain.com:
>
> As you know, computer account passwords are not supposed to be entered by
> users under normal circumstances.
> How can I obtain a krb5 ticket for the computer account?

Hi Mustafa,

To be able to check out a ticket in that way you need to set userPrincipalName on the computer account. I do that when I join with:

# net ads join createupn="host/hostname.domain.tld@DOMAIN.TLD"

I then create a keytab file:

# net ads keytab create

You don't need a userPrincipalName to have a keytab, but you have to have the UPN set if you want to check out a ticket from a keytab to a ccache.

There are some options in smb.conf about the kerberos keytab that I guess you want to use.

Regards,
Andreas Larsson
> > How can I obtain a krb5 ticket for the computer account?
>
> Hi Mustafa,
>
> To be able to check out a ticket in that way you need to set
> userPrincipalName on the computer account. I do that when I join with:
>
> # net ads join createupn="host/hostname.domain.tld@DOMAIN.TLD"
>
> I then create a keytab file:
>
> # net ads keytab create

Andreas, thanks, this helped me get a Kerberos ticket. Specifically, I added

use kerberos keytab = yes

to /etc/smb.conf and restarted winbind. However, "mount" is still not aware of the ticket. Here is the output:

[DOMAIN\computercomputer ~]$ sudo kinit -V -5 -k -t /etc/krb5.keytab COMPUTER\$@DOMAIN.COM
Authenticated to Kerberos v5
[DOMAIN\computercomputer ~]$ sudo klist -5
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: COMPUTER\$@DOMAIN.COM

Valid starting     Expires            Service principal
11/11/10 14:10:42  11/12/10 00:08:44  krbtgt/DOMAIN.COM@DOMAIN.COM
        renew until 11/12/10 14:10:42

[DOMAIN\computercomputer ~]$ sudo mount -t cifs -o user=DOMAIN\\COMPUTER\$,sec=krb5 //remotehost/remoteshare /mnt/localmount
mount error(126): Required key not available
Refer to the mount.cifs(8) manual page (e.g. man mount.cifs)
[DOMAIN\computercomputer ~]$ sudo mount -t cifs -o sec=krb5 //remotehost/remoteshare /mnt/localmount
mount error(126): Required key not available
Refer to the mount.cifs(8) manual page (e.g. man mount.cifs)

Any ideas on how to debug this further?

Regards,
Mustafa
On 11/11/2010 12:18, Mustafa Kuscu wrote:
> [DOMAIN\computercomputer ~]$ sudo mount -t cifs -o sec=krb5
> //remotehost/remoteshare /mnt/localmount
> mount error(126): Required key not available
> Refer to the mount.cifs(8) manual page (e.g. man mount.cifs)
>
> Any ideas on how to debug this further?

I think you need to define KRB5CCNAME to point to your ticket cache file (/tmp/krb5cc_0) or have a /tmp/krb5cc_UUUU file where UUUU is the UID of the sudo user.

-- 
Liam Gretton                                  liam.gretton at le.ac.uk
HPC Architect                                 http://www.le.ac.uk/its
IT Services                                   Tel: +44 (0)116 2522254
University Of Leicester, University Road
Leicestershire LE1 7RH, United Kingdom
> > Any ideas on how to debug this further?
>
> I think you need to define KRB5CCNAME to point to your ticket cache file
> (/tmp/krb5cc_0) or have a /tmp/krb5cc_UUUU file where UUUU is the UID of the
> sudo user.

Did not work. Still getting the message:

mount error(126): Required key not available

Found out that

smbclient -k //remotehost/remoteshare

works with my Kerberos setup. I will go with it for now. Here is the related thread:
http://lists.samba.org/archive/samba/2010-May/155517.html

Regards,
-- 
Mustafa
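The pieces this thread converges on, pulled together as an added shell example that is not code from the thread, from Samba or from cifs-utils: Andreas's point (a ticket for the machine account checked out from the keytab with kinit -k -t, no password typed), Liam's point (the sec=krb5 mount has to find that ticket, which the script addresses with the mount.cifs option cruid=<uid>, pointing at the cache of the uid that ran kinit), and the check nobody in the thread mentions for the error itself: errno 126 is ENOKEY, the kernel's request_key() for the cifs.spnego key failing, which is what happens when no cifs.upcall handler is registered in /etc/request-key.conf. The keytab path, principal, share and mount point are placeholders taken from the thread; the default credential cache path /tmp/krb5cc_<uid> and the cifs.spnego line in request-key.conf are the standard MIT Kerberos and cifs-utils conventions.

```shell
#!/bin/sh
# Added example (not from the thread): get a Kerberos ticket for the machine
# account from the system keytab, confirm it, and mount a CIFS share with
# sec=krb5 so that mount.cifs/cifs.upcall can find that ticket. Also checks
# the usual cause of "mount error(126): Required key not available" (ENOKEY):
# no cifs.spnego handler registered for the kernel's request-key upcall.
# Paths, principal and share are placeholders from the thread.

KEYTAB=${KEYTAB:-/etc/krb5.keytab}
PRINCIPAL=${PRINCIPAL:-'COMPUTER$@DOMAIN.COM'}
SHARE=${SHARE:-//remotehost/remoteshare}
MOUNTPOINT=${MOUNTPOINT:-/mnt/localmount}
REQUEST_KEY_CONF=${REQUEST_KEY_CONF:-/etc/request-key.conf}

# Default credential cache for a numeric uid (MIT convention); this is where
# cifs.upcall looks when nothing else points it at a cache.
default_ccache() {
    printf 'FILE:/tmp/krb5cc_%s\n' "$1"
}

# Return 0 if the request-key configuration file named in $1 has a
# non-comment line for the cifs.spnego key type (the line that wires the
# kernel's key request to /usr/sbin/cifs.upcall). Without it the cifs
# module's request_key() fails and mount reports errno 126 (ENOKEY).
upcall_configured() {
    grep -v '^[[:space:]]*#' "$1" | grep -q 'cifs\.spnego'
}

# Return 0 if the klist output in $1 shows a TGT for the principal in $2.
# grep -F keeps the '$' and '.' in the principal from acting as regex.
klist_has_tgt() {
    printf '%s\n' "$1" | grep -qF -- "Default principal: $2" &&
    printf '%s\n' "$1" | grep -q 'krbtgt/'
}

# Mount options: sec=krb5 plus cruid=<uid> so that mount.cifs/cifs.upcall use
# the credential cache of the uid that ran kinit (0 when kinit ran under
# sudo, as in the thread) instead of deriving it from the mounting user.
mount_opts() {
    printf 'sec=krb5,cruid=%s\n' "$1"
}

get_ticket_and_mount() {
    upcall_configured "$REQUEST_KEY_CONF" || {
        echo "no cifs.spnego line in $REQUEST_KEY_CONF; configure cifs.upcall first" >&2
        return 1
    }
    # Put the ticket in root's default cache, the one cruid=0 refers to.
    KRB5CCNAME=$(default_ccache 0)
    export KRB5CCNAME
    # -k -t: authenticate with the keytab key, no password prompt.
    kinit -k -t "$KEYTAB" "$PRINCIPAL" || return 1
    out=$(klist)
    klist_has_tgt "$out" "$PRINCIPAL" || {
        echo "no TGT for $PRINCIPAL in $KRB5CCNAME" >&2
        return 1
    }
    mount -t cifs -o "$(mount_opts 0)" "$SHARE" "$MOUNTPOINT"
}

# Only perform the real kinit/mount when invoked as: sh thisscript.sh run
case "${1:-}" in
    run) get_ticket_and_mount ;;
esac
```

Run it as root (or under sudo) with `sh thisscript.sh run`; the helper functions can be sourced on their own to test the request-key configuration and a klist dump without touching the network. If upcall_configured fails, fix that before anything else: a missing cifs.spnego handler produces exactly the ENOKEY message in the thread no matter how valid the ticket is.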