On Wed, Apr 10, 2019 at 04:13:07PM +0200, rey-coyrehourcq wrote:
> Hi sssd users,
>
> Currently I have a working installation of SSSD with Ubuntu 18.10 using sssd,
> pam-sssd and Kerberos authentication on the AD directory of my university.
>
> Now, before I try to install the automount/autofs plugin for sssd, I'm
> trying to manually mount a cifs, and the problems begin.
>
> After opening a domain session and verifying using klist that the Kerberos
> ticket is ok, I'm running this command:
>
> sudo mount -v -t cifs -o user=${USER},cruid=${USER},sec=krb5,uid=${UID}
> //mydomain/myshare /home/mydomain/myshare
>
> This command returns:
> Mount error(126) : Required Key not available.
>
> When I check journalctl -xe, I see that cifs.upcall:
>
> - get_existing_cc:default ccache FILE:/tmp/krb5cc_1735128554
> - handle_krb5_mech:getting service ticket for mydomain
> - cifs_krb5_get_req : unable to get credentials for mydomain ...
>
> Verifying with klist -kte, I have 3 types of key:
> - myhostname@mydomain
> - host/myhostname@mydomain
> - restrictedKrbHost@mydomain
>
> But if I use this session, this is because the key exists ... so I'm starting
> to strace the cifs.upcall binary to see what happens in detail:
>
> - The /var/lib/sss/pubconf/kdcinfo.mydomain is correctly found and read by
>   cifs
> - The /var/lib/sss/pubconf/kpasswdinfo.mydomain returns a no such file or
>   directory
>
> Program ends with unable to get credential for mydomain...
>
> What is this problem with kpasswdinfo which does not exist? Any idea?
> I'm using Ubuntu 18.10 with sssd 1.16.3

Hi,

it's ok that kpasswdinfo is missing; in this case the IP address from
the kdcinfo is used. The kpasswdinfo will only be created if there are
e.g. different servers for "normal" Kerberos operation like kinit and
other servers for password changes. Since AD DCs typically can do all of
this, the kpasswdinfo is not created if the AD provider is used.

> sudo mount -v -t cifs -o user=${USER},cruid=${USER},sec=krb5,uid=${UID}
> //mydomain/myshare /home/mydomain/myshare

Please do not use the domain name 'mydomain' here but a dedicated server
name, otherwise Kerberos authentication won't work.

HTH

bye,
Sumit

>
> Best regards,
> SR
>
> --
>
>
> Sébastien Rey-Coyrehourcq
> Research Engineer UMR IDEES
> 02.35.14.69.30
>
> {Stronger security for your email, follow EFF tutorial : https://ssd.eff.org/}
>
>
> _______________________________________________
> sssd-users mailing list -- [email protected]
> To unsubscribe send an email to [email protected]
> Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives:
> https://lists.fedorahosted.org/archives/list/[email protected]