Hi list,

I joined a workstation (Debian 10, Samba from distribution) to our AD domain (Windows 2012 Server). The domain ends in ".local" (yes I know, not my fault).
However, after a domain user has logged in to the machine, I can't mount a share that exists on the AD server using the user's Kerberos ticket: it fails with the error "Required key not available".
Mounting using a password works. The user ticket exists and is valid. A DNS A record exists, but the AD does not contain a reverse zone (and I can't create one).

Here is the daemon.log (sorry for the poor formatting):

Mar 9 15:06:23 testlinux cifs.upcall: key description: cifs.spnego;0;0;39010000;ver=0x2;host=ad.FOO.BAR.LOCAL;ip4=10.73.23.27;sec=krb5;uid=0x0;creduid=0x2c0b;user=yvan.masson;pid=0x121c
Mar 9 15:06:23 testlinux cifs.upcall: ver=2
Mar 9 15:06:23 testlinux cifs.upcall: host=ad.FOO.BAR.LOCAL
Mar 9 15:06:23 testlinux cifs.upcall: ip=10.73.23.27
Mar 9 15:06:23 testlinux cifs.upcall: sec=1
Mar 9 15:06:23 testlinux cifs.upcall: uid=0
Mar 9 15:06:23 testlinux cifs.upcall: creduid=11275
Mar 9 15:06:23 testlinux cifs.upcall: user=yvan.masson
Mar 9 15:06:23 testlinux cifs.upcall: pid=4636
Mar 9 15:06:23 testlinux cifs.upcall: get_cachename_from_process_env: pathname=/proc/4636/environ
Mar 9 15:06:23 testlinux cifs.upcall: get_existing_cc: default ccache is FILE:/tmp/krb5cc_11275
Mar 9 15:06:23 testlinux cifs.upcall: handle_krb5_mech: getting service ticket for ad.foo.bar.local
Mar 9 15:06:23 testlinux cifs.upcall: cifs_krb5_get_req: unable to get credentials for ad.foo.bar.local
Mar 9 15:06:23 testlinux cifs.upcall: handle_krb5_mech: failed to obtain service ticket (-1765328377)
Mar 9 15:06:23 testlinux cifs.upcall: Unable to obtain service ticket
Mar 9 15:06:23 testlinux cifs.upcall: Exit status -1765328377

My smb.conf:

[global]
workgroup = FOO
security = ADS
realm = FOO.BAR.LOCAL
winbind refresh tickets = Yes
winbind use default domain = yes
idmap config * : backend = tdb
idmap config * : range = 3000-7999
idmap config FOO : backend = rid
idmap config FOO : range = 10000-19999
template shell = /bin/bash

My krb5.conf:

[libdefaults]
default_realm = FOO.BAR.LOCAL
dns_lookup_realm = false
dns_lookup_kdc = true

I already tried some suggestions found on the web and on this list:
- adding the "-t" option to /etc/request-key.d/cifs.spnego.conf and adding the AD server to /etc/hosts
- adding the following lines to /etc/krb5.conf:
default_tgs_enctypes = aes128-cts-hmac-sha1-96 aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
default_tkt_enctypes = aes128-cts-hmac-sha1-96 aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
permitted_enctypes = aes128-cts-hmac-sha1-96 aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5

Any suggestion would be very welcome.

Regards,
Yvan
Did you "delegate the computer object" to allow Kerberos services?
And did you add the CIFS/ SPN to the computer and keytab?

https://wiki.samba.org/index.php/Generating_Keytabs

If it's a member, which I assume:

kinit Administrator
net ads keytab add cifs/$(hostname -f) -k
net ads keytab add_update_ads -k

Add these and it should work.
You might need to restart or reboot; sometimes it's needed. Don't know why.

CIFS and NFS (kerberized) work in Debian without changing any files if you set it up correctly.
All you need is above.
If you don't have a "regular" setup, you might need to change/add things in /etc/idmap.conf and /etc/krb5.conf

Greetz,

Louis

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Yvan Masson via samba
> Sent: Monday 9 March 2020 15:20
> To: samba at lists.samba.org
> Subject: [Samba] mount share using kerberos ticket fails
Thanks for your help!

On 09/03/2020 at 15:39, L.P.H. van Belle via samba wrote:
> Did you "delegate the computer object" to allow Kerberos services?
> And did you add the CIFS/ SPN to the computer and keytab?
>
I am sorry, I don't really understand the above: mount requires a keytab AND a user ticket?

> https://wiki.samba.org/index.php/Generating_Keytabs
>
> If it's a member, which I assume.
Yes, the workstation is a domain member.

> kinit Administrator
> net ads keytab add cifs/$(hostname -f) -k
> net ads keytab add_update_ads -k
>
> Add these and it should work.
> You might need to restart or reboot; sometimes it's needed.
> Don't know why.
>
> CIFS and NFS (kerberized) work in Debian without changing any files if you set it up correctly.
> All you need is above.
> If you don't have a "regular" setup, you might need to change/add things in
> /etc/idmap.conf and /etc/krb5.conf
I believe I have a regular setup.

I tried your commands but could not get it working (note that I used another AD administrator account, not "Administrator").

I suppose from what you said that my error was to add the computer to the domain without the following lines in smb.conf:
dedicated keytab file = /etc/krb5.keytab
kerberos method = secrets and keytab

So I left the domain, added the above lines, and joined again. But it keeps failing...

>
> Greetz,
>
> Louis
After re-join:

kinit Administrator
net ads keytab add cifs/$(hostname -f) -k
net ads keytab add_update_ads -k
samba-tool delegation for-any-service COMPUTERNAME$ on
(or use: delegation add-service accountname principal [options])

Reboot

Should work now. ;-)

Greetz,

Louis

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Yvan Masson via samba
> Sent: Monday 9 March 2020 16:18
> To: samba at lists.samba.org
> Subject: Re: [Samba] mount share using kerberos ticket fails
>
> Thanks for your help!
>
> On 09/03/2020 at 15:39, L.P.H. van Belle via samba wrote:
> > Did you "delegate the computer object" to allow Kerberos services?
> > And did you add the CIFS/ SPN to the computer and keytab?
> >
> I am sorry, I don't really understand the above: mount requires a keytab AND a user ticket?
>
> > https://wiki.samba.org/index.php/Generating_Keytabs
> >
> > If it's a member, which I assume.
> Yes, the workstation is a domain member.
>
> > kinit Administrator
> > net ads keytab add cifs/$(hostname -f) -k
> > net ads keytab add_update_ads -k
> >
> > Add these and it should work.
> > You might need to restart or reboot; sometimes it's needed.
> > Don't know why.
> >
> > CIFS and NFS (kerberized) work in Debian without changing any files if you set it up correctly.
> > All you need is above.
> > If you don't have a "regular" setup, you might need to change/add things in
> > /etc/idmap.conf and /etc/krb5.conf
> I believe I have a regular setup.
I think also. ;-)

> I tried your commands but could not get it working (note that I used
> another AD administrator account, not "Administrator").
All commands like these, I always use Administrator (just because it avoids possible bugs).

> I suppose from what you said that my error was to add the computer to
> the domain without the following lines in smb.conf:
> dedicated keytab file = /etc/krb5.keytab
> kerberos method = secrets and keytab
>
> So I left the domain, added the above lines, and joined again. But it
> keeps failing...
>
> > Greetz,
> >
> > Louis