we want to mount shares through autofs. Nothing special we thought. But: this must be done in some complex active directory circumstances. What we have: integrated Ubuntu 14.04 workstations on which users can login with their windows credentials. The most work is done using sssd, which also creates an kerberos-ticket at login-time.
Now: we want to use this ticket to authenticate for network shares.
The complex circumstances are: the AD is based on many location nameconventions. Following configs are anonymized. THE PROBLEM:
The mounting attempt fails with:
cifs.upcall: find_krb5_cc: considering /tmp/krb5cc_594111_644IQv
cifs.upcall: find_krb5_cc: FILE:/tmp/krb5cc_594111_644IQv is valid ccache
cifs.upcall: handle_krb5_mech: getting service ticket for shareserver.sub.example.org
cifs.upcall: cifs_krb5_get_req: unable to get credentials for shareserver.sub.example.org
cifs.upcall: handle_krb5_mech: failed to obtain service ticket (-1765328377)
cifs.upcall: Unable to obtain service ticket
So the kerberos-ticket is for USERNAME@EXAMPLE.COM generated. But we want to connect to SHARESERVER.SUB.EXAMPLE.ORG
Is our kerberos ticket not valid to connect to the server or is this a misconfigured kerberos-system, which doesnt link from sub.example.com to example.com.
Krb5.conf:
[libdefaults]
default_realm = EXAMPLE.COM
# The following krb5.conf variables are only for MIT Kerberos.
krb4_config = /etc/krb.conf
krb4_realms = /etc/krb.realms
kdc_timesync = 1
ccache_type = 4
forwardable = true
proxiable = true
# The following libdefaults parameters are only for Heimdal Kerberos.
v4_instance_resolve = false
v4_name_convert = {
host = {
rcmd = host
ftp = ftp
}
plain = {
something = something-else
}
}
fcc-mit-ticketflags = true
[realms]
[domain_realm]
.example.com = EXAMPLE.COM
example.com = EXAMPLE.COM
[login]
krb4_convert = true
krb4_get_tickets = false
