[Samba] krb ticket for the computer account
Hi Samba community,

Here is a problem I could not solve. I would like to mount a CIFS share to my local Linux machine, which is bound to a Windows domain using winbind. The share needs to be mounted by the Linux machine's computer account. Here is what I do:

    # su - DOMAIN\\computer$
    [DOMAIN\computercomputer ~]$

I think there is a problem with the bash prompt, skip it for now.

    [DOMAIN\computercomputer ~]$ whoami
    DOMAIN\computer$
    [DOMAIN\computercomputer ~]$ sudo mount -o user=DOMAIN\\computer$,sec=krb5 //remotehost/remoteshare /mnt/localmount
    mount error(126): Required key not available
    Refer to the mount.cifs(8) manual page (e.g. man mount.cifs)
    [DOMAIN\computercomputer ~]$ klist -5
    klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_16777222)
    [DOMAIN\computercomputer ~]$ kinit -5 compute...@domain.com
    Password for comput...@domain.com:

As you know, computer account passwords are not supposed to be entered by users under normal circumstances. How can I obtain a krb5 ticket for the computer account?

Thanks in advance.

Regards,
Mustafa

--
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Re: [Samba] krb ticket for the computer account
>> How can I obtain a krb5 ticket for the computer account?
>
> Hi Mustafa,
>
> To be able to check out a ticket in that way you need to set userPrincipalName on the computer account. I do that when I join with:
>
>     # net ads join createupn=host/hostname.domain@domain.tld
>
> I then create a keytab file:
>
>     # net ads keytab create

Andreas, thanks, this helped me get a Kerberos ticket. Specifically, I added "use kerberos keytab = yes" to /etc/smb.conf and restarted winbind. However, mount is still not aware of the ticket. Here is the output:

    [DOMAIN\computercomputer ~]$ sudo kinit -V -5 -k -t /etc/krb5.keytab compute...@domain.com
    Authenticated to Kerberos v5
    [DOMAIN\computercomputer ~]$ sudo klist -5
    Ticket cache: FILE:/tmp/krb5cc_0
    Default principal: compute...@domain.com

    Valid starting     Expires            Service principal
    11/11/10 14:10:42  11/12/10 00:08:44  krbtgt/domain@domain.com
            renew until 11/12/10 14:10:42
    [DOMAIN\computercomputer ~]$ sudo mount -t cifs -o user=DOMAIN\\COMPUTER\$,sec=krb5 //remotehost/remoteshare /mnt/localmount
    mount error(126): Required key not available
    Refer to the mount.cifs(8) manual page (e.g. man mount.cifs)
    [DOMAIN\computercomputer ~]$ sudo mount -t cifs -o sec=krb5 //remotehost/remoteshare /mnt/localmount
    mount error(126): Required key not available
    Refer to the mount.cifs(8) manual page (e.g. man mount.cifs)

Any ideas on how to debug this further?

Regards,
Mustafa
Re: [Samba] krb ticket for the computer account
>> Any ideas on how to debug this further?
>
> I think you need to define KRB5CCNAME to point to your ticket cache file (/tmp/krb5cc_0) or have a /tmp/krb5cc_ file where is the UID of the sudo user.

Did not work. Still getting the message:

    mount error(126): Required key not available

Found out that smbclient -k //remotehost/remoteshare works with my Kerberos setup. I will go with it for now. Here is the related thread:

http://lists.samba.org/archive/samba/2010-May/155517.html

Regards,
--
Mustafa
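
An added example, not part of the thread or of Samba: a pre-flight check for the cache suggestion in the last reply, confirming which credential cache a given UID uses by default and that it holds a krbtgt for the expected principal before mount is attempted. The function names, the sample klist output and the example.com principal are constructed, and the /tmp/krb5cc_<uid> path assumes the MIT Kerberos default cache name is in effect.

```sh
#!/bin/sh
# Added example (not from the thread): pre-flight check before a sec=krb5 mount.

# Default MIT Kerberos FILE cache for a UID (assumes the default cache name is
# in effect), e.g. /tmp/krb5cc_0 for root as in the klist output in the thread.
cache_for_uid() {
    printf 'FILE:/tmp/krb5cc_%s\n' "$1"
}

# Read `klist -5` output on stdin. $1 = expected cache, $2 = expected principal.
# Returns 0 if both match and a krbtgt entry is listed; 2, 3 or 4 otherwise.
check_klist() {
    awk -v cache="$1" -v princ="$2" '
        /^Ticket cache: /      { c = $3 }
        /^Default principal: / { p = $3 }
        $NF ~ /^krbtgt\//      { tgt = 1 }
        END {
            if (c != cache) { print "cache is " c ", expected " cache; exit 2 }
            if (p != princ) { print "principal is " p ", expected " princ; exit 3 }
            if (!tgt)       { print "no krbtgt entry in cache"; exit 4 }
            print "ok"
        }'
}

# Check the live cache of the invoking UID; run it as the user that runs mount.
# klist -s sets a non-zero status when the cache is unreadable or expired.
preflight() {
    klist -s || { echo "cache missing or expired"; return 1; }
    klist -5 | check_klist "$(cache_for_uid "$(id -u)")" "$1"
}

# Constructed sample output (principal and realm are placeholders).
SAMPLE_KLIST='Ticket cache: FILE:/tmp/krb5cc_0
Default principal: host/client.example.com@EXAMPLE.COM

Valid starting     Expires            Service principal
11/11/10 14:10:42  11/12/10 00:08:44  krbtgt/EXAMPLE.COM@EXAMPLE.COM
        renew until 11/12/10 14:10:42'

# The cache written by "sudo kinit" is root's, not the computer user's.
printf '%s\n' "$SAMPLE_KLIST" | check_klist "$(cache_for_uid 0)" \
    host/client.example.com@EXAMPLE.COM
```

Calling `preflight <principal>` under the same sudo context as the mount command reports a cache or principal mismatch before mount.cifs is invoked.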