similar to: mount cifs with sec=krb5

Hai Mourik-Jan, Beste wensen he ;-) Lets start here.. A and PTR record exists for both servers? Does CIFS/spn and root/spn exist in the AD? In krb5.conf, set these : ; not used for nfs4 but cifs might need it. ; for Windows 2003 ; default_tgs_enctypes = rc4-hmac des-cbc-crc des-cbc-md5 ; default_tkt_enctypes = rc4-hmac des-cbc-crc des-cbc-md5 ; permitted_enctypes = rc4-hmac

Hi list, I joined a workstation (Debian 10, Samba from distribution) to our AD domain (Windows 2012 Server). The domain ends by ".local" (yes I know, not my fault). However, after a domain user logged to the machine, I can't mount a share that exists on the AD server using user's kerberos ticket: it fails with error "Required key not available". Mounting using

After re-join kinit Administrator net ads keytab add cifs/$(hostname -f) -k net ads keytab add_update_ads -k samba-tool delegation for-any-service COMPUTERNAME$ on ( or use : delegation add-service accountname principal [options] ) Reboot Should work now. ;-) Greetz, Louis > -----Oorspronkelijk bericht----- > Van: samba [mailto:samba-bounces at lists.samba.org] Namens Yvan

Hi samba --version Version 4.0.6-GIT-4bebda4 smb.conf: [users] path = /home/users read only = No Working on the DC which is also the fileserver user steve2 can write to his folder at /home/users/steve2 But if we now mount the share: sudo mount -t cifs //doloresdc/users /mnt -osec=krb5,multiuser he can't write to the mounted share at /mnt/users/steve2 He gets 'Permission denied'.

Hello, On Debian 9 (stretch prerelease) I am able to mount with the following command with root using the following command: mount -t cifs //smb.physics.wisc.edu/smb /smb -osec=krb5,multiuser,username=smbadmin at PHYSICS.WISC.EDU --verbose root can also access files as expected However, when cifs-utils 6.6-5 is installed, a different user cannot access as expected: ls /smb ls: cannot

On Thu, 25 Jan 2024 18:45:52 -0800 Peter Carlson via samba <samba at lists.samba.org> wrote: > I am getting a permission denied when trying to ls as a domain user a > samba mount with windows ACLs (sigh I thought I had this figured > out). I tried to include self descriptive server names and include > them in the info below (fs1: file server, nc: addc, u2gui: ubuntu >

Did you "deleated the computer object" to allow kerberos services. And did you add the CIFS/spn to the computer and keytab ? https://wiki.samba.org/index.php/Generating_Keytabs If its a member, which i assume. kinit Administrator net ads keytab add cifs/$(hostname -f) -k net ads keytab add_update_ads -k Add these and it should work. You might need to restart or reboot., sometimes

Thanks for your help! Le 09/03/2020 ? 15:39, L.P.H. van Belle via samba a ?crit?: > Did you "deleated the computer object" to allow kerberos services. > And did you add the CIFS/spn to the computer and keytab ? > I am sorry, I don't really understand the above: mount requires a keytab AND a user ticket? > https://wiki.samba.org/index.php/Generating_Keytabs > >

On 1/26/24 02:35, Rowland Penny via samba wrote: > On Thu, 25 Jan 2024 18:45:52 -0800 Peter Carlson via samba > <samba at lists.samba.org> wrote: >> The share mounts and I am a member of the correct groups >> CARLSON\peter at u2gui:~$ cat /etc/fstab //fs.carlson.lab/test /mnt/test >> cifs credentials=/root/smbcreds,multiuser,sec=ntlmssp,_netdev 0 0 > I think

Chad William Seys via samba <samba at lists.samba.org> writes: > But when cifs-utils 6.4-1 is installed (from jessie) the different > user can access as expect. AFAIK there are no other differences besides > the cifs-utils version. Not counting any distro-specific patches it seems cifs.upcall only had 5 commits affecting it between these 2 releases: $ git log

Hi I have a s3 fileserver joined to a s4 DC Here is smb.conf on the fileserver: [global] workgroup = HH3 realm = HH3.SITE security = ADS kerberos method = system keytab winbind enum users = Yes winbind enum groups = Yes idmap config *:backend = tdb idmap config *:range = 3000-4000 idmap config HH3:backend = ad idmap config HH3:range = 20000-40000000 idmap config HH3:schema_mode = rfc2307 winbind

On 1/29/24 13:08, Rowland Penny via samba wrote: > On Mon, 29 Jan 2024 12:51:37 -0800 > Peter Carlson via samba<samba at lists.samba.org> wrote: > > >> Just did a quick test, the big T comes after setting permissions in >> windows >> >> root at fs1:/var/log# cd /data >> root at fs1:/data# mkdir -m 1777 test2 > No it doesn't, you are setting

Chad reported that he was seeing a regression in cifs-utils-6.6. Prior to that, cifs.upcall was able to find credcaches in non-default FILE: locations, but with the rework of that code, that ability was lost. Unfortunately, the krb5 library design doesn't really take into account the fact that we might need to find a credcache in a process that isn't descended from the session. When the

Apologies for v3 series, I had some extra patches in there. This is the one that should have been sent. Relabeled as v4 for clarity. Third respin of this series. Reordered for better safety for bisecting. The environment scraping is now on by default, but can be disabled with "-E" in environments where it's not needed. Also, I've added a patch to make cifs.upcall drop

Third respin of this series. Reordered for better safety for bisecting. The environment scraping is now on by default, but can be disabled with "-E" in environments where it's not needed. Also, I've added a patch to make cifs.upcall drop capabilities before doing most of its work. This may help reduce the attack surface of the program. Jeff Layton (4): cifs.upcall: convert

Hello, Trying to compile Samba 3.2.15 on a RHEL AS 4u2 (i686) and I'm getting the following result from 'sh makerpms.sh': > Provides: samba-doc = 3.2.15-1 > Requires(rpmlib): rpmlib(CompressedFileNames) <= 3.0.4-1 rpmlib(PayloadFilesHavePrefix) <= 4.0-1 rpmlib(VersionedDependencies) <= 3.0.3-1 > > > RPM build errors: > File not found:

On Thu, 2017-02-09 at 14:45 -0600, Chad William Seys wrote: > Hi Jeff, > Could you look at the following mailing list posting? > > https://lists.samba.org/archive/samba/2017-February/206468.html > > It looks like cifs.upcall has changed its behavior. As described in > that post, I can mount with root / kerberos, but then cannot access with > another user who has

Small respin of the patches that I posted a few days ago. The main difference is the reordering of the series to make it do the group and grouplist manipulation first, and then the patch that makes it grab the KRB5CCNAME from the initiating process. I think the code is sound, my main question is whether we really need the command-line switch for this. Should this just be the default mode of

On Fri, 2017-02-10 at 11:15 -0600, Chad William Seys wrote: > Hi Jeff, > > > So we have a default credcache for the user for whom we are operating > > as, but we can't get the default principal name from it. My guess is > > that it's not finding the > > This mount is run by root UID=0 and seems to be find that credential > cache without problem (earlier

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 =============================================================== "Minds are like parachutes. They only function when they are open." Sir James Dewar =============================================================== Release Announcements ===================== This is a bug fix release of the Samba 3.0 series.