Using smbclient and mount.cifs with SPN in Keytab

Using smbclient and mount.cifs with SPN in Keytab

Samba - General mailing list
Hi,

for a static cifs mount (automount from fstab) I would like to use
Kerberos with an SPN. The share is accessed from an HTTP service, so I use
HTTP/www.samdom.example.com with the username
http-www.samdom.example.com. Unfortunately I cannot get it to work.

The keytab is generated as described on [1].

# klist -kt /etc/http.keytab
Keytab name: FILE:/etc/http.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   5 04/28/17 10:55:09 HTTP/[hidden email]
   5 04/28/17 10:55:09 HTTP/[hidden email]
   5 04/28/17 10:55:09 HTTP/[hidden email]

I use this keytab with mod_auth_kerb where everything works well.

-%<------
# kinit -kt /etc/http.keytab HTTP/www.samdom.example.com
# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: HTTP/[hidden email]

Valid starting     Expires            Service principal
05/10/17 13:35:59  05/10/17 23:35:59  krbtgt/[hidden email]
        renew until 05/11/17 13:35:59

# smbclient -k //ad/netlogon
gss_init_sec_context failed with [ Miscellaneous failure (see text):
Client (HTTP/[hidden email]) unknown]
SPNEGO(gse_krb5) creating NEG_TOKEN_INIT failed: NT_STATUS_INTERNAL_ERROR
session setup failed: NT_STATUS_INTERNAL_ERROR
-%<------

When logging in with the username "http-www.samdom.example.com" and the
temporarily assigned user password and with a Keytab including the
principal [hidden email] it works.
mount.cifs shows the same behaviour.

Is it not possible to use an SPN in this scenario?

Thanks,
Christian

[1] https://wiki.samba.org/index.php/Generating_Keytabs

--
ifu Hamburg - material flows and software
"We enable sustainable production."

ifu Hamburg GmbH
Max-Brauer-Allee 50 - 22765 Hamburg - Germany
fon: +49 40 480009-0 - fax: +49 40 480009-22 - email: [hidden email]

Managing Director: Jan Hedemann - Commercial Register: Hamburg, HRB 52629
www.ifu.com - www.umberto.de - www.e-sankey.com

--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

Re: Using smbclient and mount.cifs with SPN in Keytab

Samba - General mailing list
Does it work if you test like this?

kinit [hidden email]
mount -t cifs -o sec=krb5 //server.example.com/export /mnt/cifs

Have a look here :
https://runops.wordpress.com/2015/03/05/setup-linux-cifs-autofs-automount-using-kerberos-authentication/ 

I can't tell much about automount, I use it but through systemd for my nfsv4 mounts.

Greetz,

Louis


> -----Original message-----
> From: samba [mailto:[hidden email]] On behalf of
> Christian Haase via samba
> Sent: Wednesday, 10 May 2017 13:46
> To: [hidden email]
> Subject: [Samba] Using smbclient and mount.cifs with SPN in Keytab



Re: Using smbclient and mount.cifs with SPN in Keytab

Samba - General mailing list
Hi,

L.P.H. van Belle via samba wrote:
> Does it work if you test like this.
>
> kinit [hidden email]
> mount -t cifs -o sec=krb5 //server.example.com/export /mnt/cifs
Yep, this works. Only when I use an SPN it does not, but this is what I
try to do.

> I cant tell much about automount, i use it but through systemd for my nfsv4 mounts.
The automount-part will be no problem for me, if the mount itself works
(with spn), e.g. mount -t cifs -o krb5 //ad/netlogon /mnt

Cheers,
Christian


Re: Using smbclient and mount.cifs with SPN in Keytab

Samba - General mailing list
Hi again,

after reading [1] I revoke my question, I had a completely wrong
understanding of the SPN.

Cheers,
Christian

[1] http://web.mit.edu/kerberos/www/dialogue.html

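An added example, not code from this thread, from Samba or from MIT Kerberos, that ties Louis's kinit + mount -t cifs -o sec=krb5 sequence to the point Christian arrives at: the HTTP/ SPN names the service being contacted, so the mount has to authenticate as the account's client principal, the one Christian reports works once it is present in the keytab. The script reads a klist -kt listing, separates service principals (HTTP/host) from client principals, refuses a keytab that holds SPNs only instead of attempting the kinit that failed above, and then runs the two commands with the client principal. The realm SAMDOM.EXAMPLE.COM, the mount point /mnt/netlogon, the cruid= option and the klist listing itself are assumptions constructed for the example; commands are only echoed unless DRY_RUN=0 is set.

```shell
#!/bin/sh
# Added example for this thread (not code from the list, Samba or MIT Kerberos):
# pick the client principal for a Kerberos cifs mount out of a keytab that,
# like Christian's, holds an account's HTTP/ SPNs next to its user principal,
# then run Louis's kinit + mount -t cifs -o sec=krb5 sequence with it.
# Realm SAMDOM.EXAMPLE.COM, the share //ad/netlogon and the mount point are
# assumptions; the klist listing below is constructed, not captured.

# Constructed `klist -kt /etc/http.keytab` output: the account carries two
# HTTP/ SPNs plus its own user principal, all sharing key version 5.
SAMPLE_KLIST='Keytab name: FILE:/etc/http.keytab
KVNO Timestamp         Principal
---- ----------------- ---------------------------------------------------
   5 04/28/17 10:55:09 HTTP/www.samdom.example.com@SAMDOM.EXAMPLE.COM
   5 04/28/17 10:55:09 HTTP/www@SAMDOM.EXAMPLE.COM
   5 04/28/17 10:55:09 http-www.samdom.example.com@SAMDOM.EXAMPLE.COM'

# Principal names (4th column of each entry row) from klist -kt text on stdin;
# header lines are skipped because their first field is not a KVNO number.
keytab_principals() {
    awk '$1 ~ /^[0-9]+$/ && NF >= 4 { print $4 }'
}

# "service" for a principal whose primary component carries an instance
# (HTTP/host), "client" for a plain user/account principal.
principal_kind() {
    primary=${1%%@*}
    case $primary in
        */*) echo service ;;
        *)   echo client ;;
    esac
}

# First client principal in klist -kt text on stdin; exit status 1 when the
# keytab holds service principals only, which is the situation in which
# smbclient -k reported "Client (HTTP/...) unknown".
client_principal_from_keytab() {
    keytab_principals | awk -F@ '
        index($1, "/") == 0 { print; found = 1; exit }
        END { exit (found ? 0 : 1) }'
}

# Echo the command instead of executing it unless DRY_RUN=0.
run() {
    if [ "${DRY_RUN:-1}" = 1 ]; then
        printf '+ %s\n' "$*"
    else
        "$@"
    fi
}

# Obtain a TGT for the keytab's client principal and mount the share with it.
# cruid= names the uid whose credential cache mount.cifs should use.
mount_share_with_keytab() {
    keytab=$1 share=$2 mountpoint=$3
    princ=$(klist -kt "$keytab" | client_principal_from_keytab) || {
        echo "no client principal in $keytab, only service principals" >&2
        return 1
    }
    run kinit -kt "$keytab" "$princ" || return 1
    run mount -t cifs -o "sec=krb5,cruid=$(id -u)" "$share" "$mountpoint"
}

# Dry-run walk-through on the constructed listing (no klist/kinit needed).
princ=$(printf '%s\n' "$SAMPLE_KLIST" | client_principal_from_keytab)
printf 'client principal selected: %s\n' "$princ"
run kinit -kt /etc/http.keytab "$princ"
run mount -t cifs -o sec=krb5 //ad/netlogon /mnt/netlogon
```

For a real keytab, call mount_share_with_keytab /etc/http.keytab //ad/netlogon /mnt/netlogon with DRY_RUN=0; the function fails early, with a message, when the keytab was exported with SPNs only, so the kinit as HTTP/... that produced the NT_STATUS_INTERNAL_ERROR above is never attempted.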