I'm trying to mount a CIFS folder on an Ubuntu server with multiuser support from a Windows DC.
I can get user Kerberos tickets as root on the server and mount the directory with Kerberos without any problems. But I don't want to mount the directory as a user; it should be mounted multiuser and accessible for all users on the server.
Maybe this is just a general question of understanding, maybe you can correct me on what's wrong here.
- The multiuser mounting server needs a keytab from the DC (ktpass export for cifs/samba.domain)
- Samba uses this keytab to mount the DC share multiuser
- Winbind / kerberos authenticates the users against the DC and issues a ticket
- The user can access the share with his ticket
I exported a keytab file on the DC and installed it as the global keytab file /etc/krb5.keytab:
```
root@remote:/etc# klist -ke
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
3 cifs/[email protected] (des-cbc-md5)
```
But I still cannot mount the directory because the key is not available:
```
mount error(126): Required key not available
```
syslog shows me this:
```
May 17 11:37:22 remote cifs.upcall: key description: cifs.spnego;0;0;3f000000;ver=0x2;host=nina.mbeya.domain.org;ip4=10.10.10.17;sec=krb5;uid=0x0;creduid=0x0;user=root;pid=0x599b
May 17 11:37:22 remote cifs.upcall: ver=2
May 17 11:37:22 remote cifs.upcall: host=nina.mbeya.domain.org
May 17 11:37:22 remote cifs.upcall: ip=10.10.10.17
May 17 11:37:22 remote cifs.upcall: sec=1
May 17 11:37:22 remote cifs.upcall: uid=0
May 17 11:37:22 remote cifs.upcall: creduid=0
May 17 11:37:22 remote cifs.upcall: user=root
May 17 11:37:22 remote cifs.upcall: pid=22939
May 17 11:37:22 remote cifs.upcall: find_krb5_cc: considering /tmp/krb5cc_1000
May 17 11:37:22 remote cifs.upcall: find_krb5_cc: /tmp/krb5cc_1000 is owned by 1000, not 0
May 17 11:37:22 remote cifs.upcall: krb5_get_init_creds_keytab: -1765328378
May 17 11:37:22 remote cifs.upcall: handle_krb5_mech: getting service ticket for cifs/nina.mbeya.domain.org
May 17 11:37:22 remote cifs.upcall: cifs_krb5_get_req: unable to resolve (null) to ccache
May 17 11:37:22 remote cifs.upcall: handle_krb5_mech: failed to obtain service ticket (-1765328245)
May 17 11:37:22 remote cifs.upcall: handle_krb5_mech: getting service ticket for host/nina.mbeya.domain.org
May 17 11:37:22 remote cifs.upcall: cifs_krb5_get_req: unable to resolve (null) to ccache
May 17 11:37:22 remote cifs.upcall: handle_krb5_mech: failed to obtain service ticket (-1765328245)
```
I appreciate any input on this.
Thanks
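The cifs.upcall lines above carry two raw Kerberos error numbers and one ownership check that explain the failure. As an added example (not part of the question or the answer), this small parser reads such syslog lines and turns them into findings, decoding the numbers against MIT krb5's com_err table (base -1765328384; only a few indices are mapped here). The sample input is copied from the question's own log.

```python
import re

# Sample input copied from the cifs.upcall lines posted in the question.
SAMPLE_LOG = """\
May 17 11:37:22 remote cifs.upcall: find_krb5_cc: considering /tmp/krb5cc_1000
May 17 11:37:22 remote cifs.upcall: find_krb5_cc: /tmp/krb5cc_1000 is owned by 1000, not 0
May 17 11:37:22 remote cifs.upcall: krb5_get_init_creds_keytab: -1765328378
May 17 11:37:22 remote cifs.upcall: handle_krb5_mech: getting service ticket for cifs/nina.mbeya.domain.org
May 17 11:37:22 remote cifs.upcall: cifs_krb5_get_req: unable to resolve (null) to ccache
May 17 11:37:22 remote cifs.upcall: handle_krb5_mech: failed to obtain service ticket (-1765328245)
"""

# Base of the MIT Kerberos "krb5" com_err table; a code is base + table index.
KRB5_ERR_BASE = -1765328384
KRB5_ERR_NAMES = {  # partial mapping, enough for the codes seen in cifs.upcall logs
    6: "KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN",   # KDC does not know the client principal
    7: "KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN",   # KDC does not know the service principal
    24: "KRB5KDC_ERR_PREAUTH_FAILED",
    139: "KRB5_CC_BADNAME",                 # bad (here: null) credential cache name
    141: "KRB5_CC_NOTFOUND",
}

def krb5_error_name(code):
    """Map a raw krb5 error number to its symbolic name, or report the table index."""
    index = code - KRB5_ERR_BASE
    return KRB5_ERR_NAMES.get(index, "krb5 error index %d" % index)

def diagnose_upcall(log_text):
    """Return human-readable findings for the cifs.upcall lines of one failed mount."""
    findings = []
    for line in log_text.splitlines():
        # A ccache that belongs to another uid is skipped by cifs.upcall.
        m = re.search(r"find_krb5_cc: (\S+) is owned by (\d+), not (\d+)", line)
        if m:
            findings.append("ccache %s belongs to uid %s; the mount runs as uid %s, "
                            "so it is ignored" % m.groups())
            continue
        # Initial credentials from /etc/krb5.keytab could not be obtained.
        m = re.search(r"krb5_get_init_creds_keytab: (-?\d+)", line)
        if m:
            findings.append("keytab TGT request failed: %s"
                            % krb5_error_name(int(m.group(1))))
            continue
        # Service ticket request failed (no usable ccache was found).
        m = re.search(r"failed to obtain service ticket \((-?\d+)\)", line)
        if m:
            findings.append("service ticket request failed: %s"
                            % krb5_error_name(int(m.group(1))))
    return findings

if __name__ == "__main__":
    for finding in diagnose_upcall(SAMPLE_LOG):
        print(finding)
```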
You noted that you can get "user Kerberos tickets as root" but you have a "key is not available" error.
This error means mount.cifs does not have access to the Kerberos ticket because it is not owned by root (userid: 0), which calls mount.cifs. I would assume that the Kerberos tickets root obtained with a user's password were designated for use only by that user.
Now why does mount want the ticket to be owned by root? This part of the first line:
may be the reason. mount.cifs is being carried out as root. You might want to try changing uid and creduid to the uid of the user.
I don't know where you're calling mount.cifs from, so I'm sorry if that's a little vague. Could you please give the mount.cifs command you're running and its options?
As for the share being "accessible for all users on the server": I have pam_mount run after a user logs in and mount a share with their username, password and their Kerberos ticket, so I'm not using a keytab. This is the mount command I'm calling:
Add the authorized users to a single group. Also set file_mode= and dir_mode= to the correct permissions for the group to have read/write access to the file, something like 770.