Manuel Holtgrewe
2025-Jul-07  05:32 UTC
[Samba] Trouble with ticket requests after ticket timeout (Automounter/CIFS/Kerberos)
Dear all,
I want to have a setup on my Linux host such that users can access the
automounted location /mnt/cifs/$FQDN/$SHARE/$FOLDER1/... on the MS Windows
file server at $FQDN and access $FOLDER1 etc. on the exported share
$SHARE. The Windows file server and AD are maintained by the
"upstream" corporate IT department and this is out of my control.
Here is what I have got working so far:
- I have an Ubuntu 24.04 Linux host joined into AD
- I have a working setup on that host as a Kerberos client with
sssd/realmd where users and groups come from corporate Microsoft AD
and things like id/getent return users, users can do kinit and get a
valid Kerberos ticket with klist
- I have a functionally working automounting setup that allows users
to do an "ls /mnt/cifs/...", for example, to get access to files on
the server once they have a valid Kerberos ticket via kinit.
So far, so good. Also see the config I added below for the workings.
Essentially, my automounting script will look for a valid Kerberos
ticket in the parent processes and use it for mounting. This way, I
don't have the need for a service user for mounting and root does not
need to have a Kerberos ticket.
Now, to the problem.
Of course, at some point, the Kerberos tickets time out and the mounts
stop working on the Linux host. That is to be expected. Also, *and
here comes the problem*, the upstream IT department gets records in
their SIEM system.
Once the user's Kerberos ticket times out, they get a message in their
SIEM monitoring with
- root trying to obtain a Ticket Granting Ticket aka "<EventID>4768 (A
Kerberos authentication ticket (TGT) was requested)" and
- status 0x6 aka "Client not found in Kerberos database/Bad user name,
or new computer/user account has not replicated to DC yet"
- with service name "krbtgt/EXAMPLE.COM"
This is troubling them so it is troubling me now ;-).
What options do I have to solve this or work around it?
Best wishes,
Manuel
More info:
I also see the following (to be expected) dmesg output that is not troubling me.
CIFS: VFS: \\fs1.example.com Send error in SessSetup = -126
CIFS: VFS: Verify user has a krb5 ticket and keyutils is installed
- I have vanilla Ubuntu packages installed: cifs-utils
"2:7.0-2build1", krb5-user "1.20.1-6ubuntu2.5", keyutils
"1.6.3-3build1", smbclient "2:4.19.5+dfsg-4ubuntu9", autofs
"5.1.9-1ubuntu4.1".
- Possibly relevant Kerberos and automounter configuration is shown below.
# cat /etc/krb5.conf
[libdefaults]
    default_realm = EXAMPLE.COM
    dns_lookup_realm = true
    dns_lookup_kdc = true
    ticket_lifetime = 24h
    renew_lifetime = 7d
    forwardable = true
    proxiable = true
    default_ccache_name = KEYRING:persistent:%{uid}
[realms]
    EXAMPLE.COM = {
        kdc = dc1.example.com
        kdc = dc2.example.com
        admin_server = dc1.example.com
        default_domain = dc1.example.com
    }
[domain_realm]
    .example.com = EXAMPLE.COM
    example.com = EXAMPLE.COM
[logging]
    default = FILE:/var/log/krb5libs.log
    kdc = FILE:/var/log/krb5kdc.log
    admin_server = FILE:/var/log/kadmind.log
[appdefaults]
    pam = {
        debug = false
        ticket_lifetime = 36000
        renew_lifetime = 36000
        forwardable = true
        krb4_convert = false
    }
# cat /etc/auto.master
# ...
/mnt/cifs /etc/auto.cifs --timeout=60 --ghost
# cat /etc/auto.cifs
#!/bin/bash
# Try to determine the real user who triggered the mount
get_real_user() {
    # Method 1: Check environment variables
    if [ -n "$SUDO_USER" ] && [ "$SUDO_USER" != "root" ]; then
        # Verify the user actually exists and has valid credentials
        if id "$SUDO_USER" >/dev/null 2>&1; then
            local user_uid
            user_uid=$(id -u "$SUDO_USER")
            if klist -s -c "KEYRING:persistent:$user_uid" 2>/dev/null; then
                echo "$SUDO_USER"
                return 0
            fi
        fi
    fi
    # Method 2: Check currently logged in users and try their credentials.
    # A for loop rather than "who | ... | while read" so that "return"
    # leaves the function instead of only the pipeline's subshell.
    local user user_uid
    for user in $(who | awk '{print $1}' | sort -u); do
        if [ "$user" != "root" ]; then
            user_uid=$(id -u "$user" 2>/dev/null)
            if [ -n "$user_uid" ]; then
                # Check if this user has valid kerberos credentials
                if klist -s -c "KEYRING:persistent:$user_uid" 2>/dev/null; then
                    echo "$user"
                    return 0
                fi
            fi
        fi
    done
    # If no valid user found, return failure
    return 1
}
get_krb5_cache() {
    cache=
    uid=${MOUNT_UID}  # Use our custom variable instead of $UID
    keyring_cache="KEYRING:persistent:$uid"
    if klist -s -c "$keyring_cache" 2>/dev/null; then
        cache="$keyring_cache"
        return
    fi
    for x in $(ls -d "/run/user/$uid"/krb5cc_* 2>/dev/null); do
        if [ -d "$x" ] && klist -s DIR:"$x"; then
            cache=DIR:$x
            return
        fi
    done
    if [ -f "/tmp/krb5cc_$uid" ] && klist -s "/tmp/krb5cc_$uid"; then
            cache=/tmp/krb5cc_$uid
            return
    fi
}
key="$1"
opts="-fstype=cifs,ro"
# Get real user instead of using root
REAL_USER=$(get_real_user)
# Check if we should prevent root Kerberos authentication
if [ -n "$REAL_USER" ] && [ "$REAL_USER" != "root" ]; then
    MOUNT_UID=$(id -u "$REAL_USER")
    MOUNT_GID=$(id -g "$REAL_USER")
    >&2 echo "Using UID: $MOUNT_UID, GID: $MOUNT_GID, User: $REAL_USER"
else
    # Prevent root from using Kerberos to avoid SIEM alerts: refuse the mount
    >&2 echo "Warning: Root mount detected, refusing to mount to prevent SIEM alerts"
    exit 1
fi
# Rest of your script...
for P in /bin /sbin /usr/bin /usr/sbin
do
        if [ -x "$P/smbclient" ]
        then
                SMBCLIENT=$P/smbclient
                break
        fi
done
# "[ -x ]" with an empty variable evaluates to true, so check non-empty first
{ [ -n "$SMBCLIENT" ] && [ -x "$SMBCLIENT" ]; } || exit 1
creds=/etc/creds/$key
if [ -f "$creds" ]; then
    opts="$opts,uid=$MOUNT_UID,gid=$MOUNT_GID,credentials=$creds"
    smbopts="-A $creds"
else
    get_krb5_cache
    if [ -n "$cache" ]; then
        opts="$opts,multiuser,cruid=$MOUNT_UID,sec=krb5i"
        smbopts="-k"
        export KRB5CCNAME=$cache
    else
        opts="$opts,guest"
        smbopts="-N"
    fi
fi
$SMBCLIENT $smbopts -gL "$key" 2>/dev/null | awk -v "key=$key" -v "opts=$opts" -F '|' -- '
        BEGIN   { ORS=""; first=1 }
        /Disk/  {
                  if (first)
                        print opts; first=0
                  dir = $2
                  loc = $2
                  # Enclose mount dir and location in quotes
                  print " \\\n\t \"/" dir "\"", "\"://" key "/" loc "\""
                }
        END     { if (!first) print "\n"; else exit 1 }
        '
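An added example, not from this thread and not Samba, sssd or autofs code, for whoever has to triage the records the upstream SIEM is receiving: it reads a constructed set of Event 4768 lines (EventData flattened to key=value pairs, an assumed export format) and separates "client principal unknown" (status 0x6, the root case described above) from real pre-authentication failures (0x18), so the root entries can be attributed to a client-side misconfiguration on the Linux host rather than treated as password guessing. The field names TargetUserName, ServiceName, Status and IpAddress are the event's real EventData fields; all sample values are constructed.

```python
"""Triage Windows Security Event 4768 records: a joined Linux host asking for
a TGT for a principal the KDC does not know (0x6) vs. real logon failures."""
from collections import Counter

# KDC result codes as logged in the Status field of Event 4768.
STATUS_LABEL = {
    "0x0": "ok",
    "0x6": "client-principal-unknown",   # KDC_ERR_C_PRINCIPAL_UNKNOWN
    "0x18": "preauth-failed",            # KDC_ERR_PREAUTH_FAILED (bad password)
}

# Constructed sample (assumed export format: EventData flattened to key=value).
SAMPLE_EVENTS = """\
EventID=4768 TargetUserName=root ServiceName=krbtgt/EXAMPLE.COM Status=0x6 IpAddress=::ffff:10.0.0.5
EventID=4768 TargetUserName=root ServiceName=krbtgt/EXAMPLE.COM Status=0x6 IpAddress=::ffff:10.0.0.5
EventID=4768 TargetUserName=mholtgrewe ServiceName=krbtgt/EXAMPLE.COM Status=0x0 IpAddress=::ffff:10.0.0.5
EventID=4768 TargetUserName=jdoe ServiceName=krbtgt/EXAMPLE.COM Status=0x18 IpAddress=::ffff:10.0.0.9
EventID=4769 TargetUserName=mholtgrewe ServiceName=cifs/fs1.example.com Status=0x0 IpAddress=::ffff:10.0.0.5
"""

def parse_event(line):
    """Split one flattened event line into a dict; None for blank lines."""
    if not line.strip():
        return None
    fields = dict(tok.split("=", 1) for tok in line.split())
    # The KDC logs IPv4 clients as IPv4-mapped IPv6 addresses; normalise them.
    ip = fields.get("IpAddress", "")
    fields["IpAddress"] = ip[7:] if ip.startswith("::ffff:") else ip
    fields["Label"] = STATUS_LABEL.get(fields.get("Status", ""), "other")
    return fields

def tgt_requests(text):
    """Keep only TGT requests (4768); service-ticket requests (4769) are out of scope."""
    events = (parse_event(l) for l in text.splitlines())
    return [e for e in events if e and e["EventID"] == "4768"]

def summarize(text):
    """Count (source ip, requested client principal, label) triples."""
    return Counter((e["IpAddress"], e["TargetUserName"], e["Label"])
                   for e in tgt_requests(text))

def unknown_principals(text):
    """(ip, user) pairs whose TGT requests name a principal the KDC has never seen,
    e.g. a local Unix account such as root on a joined host: fix the client, not a user."""
    return sorted({(e["IpAddress"], e["TargetUserName"])
                   for e in tgt_requests(text) if e["Status"] == "0x6"})

if __name__ == "__main__":
    print(summarize(SAMPLE_EVENTS), unknown_principals(SAMPLE_EVENTS))
```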
Rowland Penny
2025-Jul-07  06:06 UTC
[Samba] Trouble with ticket requests after ticket timeout (Automounter/CIFS/Kerberos)
On Mon, 7 Jul 2025 07:32:09 +0200 Manuel Holtgrewe via samba <samba at lists.samba.org> wrote:
> [...]
It appears that your problem has something to do with sssd and sssd has nothing to do with Samba; your problem also seems to have nothing to do with Samba. I suggest you ask on either the Ubuntu mailing list or the sssd-users mailing list.
Rowland