Thanks, it was exactly that: a problem with the fileserver URL.
Kerberos only works with the fileserver URL and not the domain URL.
On Wednesday, 10 April 2019 at 17:07 +0200, Sumit Bose wrote:
> On Wed, Apr 10, 2019 at 04:13:07PM +0200, rey-coyrehourcq wrote:
>> Hi sssd users,
>> Currently I have a working installation of SSSD with Ubuntu 18.10 using
>> sssd, pam-sssd and Kerberos authentication on the AD directory of my university.
>> Now, before I try to install the automount/autofs plugin for sssd,
>> I'm trying to mount a CIFS share manually, and the problem begins.
>> After opening a domain session and verifying using klist that the Kerberos ticket
>> is OK, I'm running this command:
>> sudo mount -v -t cifs -o user=${USER},cruid=${USER},sec=krb5,uid=${UID} //mydomain/myshare /home/mydomain/myshare
>> This command returns: Mount error(126): Required Key not available.
>> When I check journalctl -xe, I see that cifs.upcall:
>> - get_existing_cc:default ccache FILE:/tmp/krb5cc_1735128554
>> - handle_krb5_mech:getting service ticket for mydomain
>> - cifs_krb5_get_req : unable to get credentials for mydomain ...
>> Verifying with klist -kte, I have 3 types of key:
>> - myhostname@mydomain
>> - host/myhostname@mydomain
>> - restrictedKrbHost@mydomain
>> But if I use this session, this is because the key exists ... so I'm starting
>> to strace the cifs.upcall binary to see what happens in detail:
>> - The /var/lib/sss/pubconf/kdcinfo.mydomain is correctly found and read by cifs
>> - The /var/lib/sss/pubconf/kpasswdinfo.mydomain returns a no such file or directory
>> The program ends with unable to get credential for mydomain...
>> What is this problem with kpasswdinfo, which does not exist? Any idea?
>> I'm using Ubuntu 18.10 with sssd 1.16.3
> Hi,
> it's ok that kpasswdinfo is missing, in this case the IP address from the
> kdcinfo is used. The kpasswdinfo will only be created if there are e.g.
> different servers for "normal" Kerberos operation like kinit and other servers
> for password changes. Since AD DCs typically can do all of this the kpasswdinfo
> is not created if the AD provider is used.
>> sudo mount -v -t cifs -o user=${USER},cruid=${USER},sec=krb5,uid=${UID} //mydomain/myshare /home/mydomain/myshare
> Please do not use the domain name 'mydomain' here but a dedicated server name,
> otherwise Kerberos authentication won't work.
> HTH
> bye,
> Sumit
>
>> Best regards,
>> SR
>>
>> --
>> Sébastien Rey-Coyrehourcq
>> Research Engineer UMR IDEES
>> 02.35.14.69.30
>> {Stronger security for your email, follow EFF tutorial : https://ssd.eff.org/}
_______________________________________________ sssd-users mailing list -- [email protected] To unsubscribe send an email to [email protected] Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
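
A pre-flight check for the advice in this thread, as an added example that is not part of the original messages: it derives the service principal from the mount source, rejects a source that names the domain itself, and, where MIT Kerberos `kvno` is installed, confirms that a service ticket can be obtained before `mount` is attempted. The function names and the `cifs/<host>` principal form are assumptions of this example.

```shell
#!/bin/sh
# Added example; host, domain and share names passed in are placeholders.

# Print the lower-cased host part of a //host/share[/path] mount source.
unc_host() {
    case $1 in
        //*/*) ;;
        *) return 1 ;;
    esac
    _rest=${1#//}
    _host=${_rest%%/*}
    [ -n "$_host" ] || return 1
    printf '%s\n' "$_host" | tr '[:upper:]' '[:lower:]'
}

# Service principal this check asks the KDC for (assumed cifs/<host> form).
unc_to_spn() {
    _h=$(unc_host "$1") || return 1
    printf 'cifs/%s\n' "$_h"
}

# Succeeds when the mount source names the domain itself, the mistake
# corrected in this thread.
names_domain() {
    _h=$(unc_host "$1") || return 2
    _d=$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')
    [ "$_h" = "$_d" ]
}

# Run as the logged-in user, i.e. the owner of the ccache named by cruid=.
# Usage: preflight //server/share domain
preflight() {
    _spn=$(unc_to_spn "$1") || { echo "not a //host/share source: $1" >&2; return 2; }
    if names_domain "$1" "$2"; then
        echo "$1 names the domain; use the file server's host name" >&2
        return 1
    fi
    # kvno (MIT Kerberos) requests a service ticket using the current ccache.
    if command -v kvno >/dev/null 2>&1; then
        kvno "$_spn" >/dev/null || { echo "no service ticket for $_spn" >&2; return 1; }
    fi
    echo "$_spn"
}
```

A failing `kvno` step here reproduces the "unable to get credentials" condition from the journal without involving `mount` or `cifs.upcall`.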
