smbclient (and other samba utilities) do not refer to krb5.conf when figuring out the kerberos realm.
You will have to put this in your krb5.conf on both client and server:

[domain_realm]
cifs.example.com = realm.example.com

Otherwise it will just try to use example.com as the realm.

On 6/6/08, Derek Taylor <[EMAIL PROTECTED]> wrote:
> On Tue, 03 Jun 2008, Atte Peltomki wrote:
>>You will have to adjust your krb5.conf to map a given domain or hostname
>>to a kerberos realm, if you are doing cross-realm authentication. See MIT
>>kerberos admin guide for details.
>
> I'm pretty sure it's set up ok. I can use smbclient -k just fine:
> $ kinit
> [EMAIL PROTECTED]'s Password:
> kinit: NOTICE: ticket renewable lifetime is 1 week
> $ klist
> Credentials cache: FILE:/tmp/krb5cc_1001
> Principal: [EMAIL PROTECTED]
>
> Issued Expires Principal
> Jun 6 15:08:47 Jun 7 01:08:47 krbtgt/[EMAIL PROTECTED]
> $ smbclient -k -U det135 //cifs.example.com/dir1
> OS=[Unix] Server=[Samba 3.0.30]
> smb: \> ls
> . D 0 Thu Feb 14 14:46:42 2008
> .. D 0 Fri Jun 6 10:16:29 2008
> [ other files/directories here ]
>
> smb: \> quit
> $ cd ~/mount/smbbeta.pass.psu.edu/pass
> $ ls
> ls: .: Permission denied
> $ klist
> Credentials cache: FILE:/tmp/krb5cc_1001
> Principal: [EMAIL PROTECTED]
>
> Issued Expires Principal
> Jun 6 15:08:47 Jun 7 01:08:47 krbtgt/[EMAIL PROTECTED]
> Jun 6 15:09:17 Jun 7 01:08:47 cifs/[EMAIL PROTECTED]
> $
>
> -Derek.
>
>>On 6/3/08, Derek Taylor <[EMAIL PROTECTED]> wrote:
>>> On Tue, 03 Jun 2008, Harti Brandt wrote:
>>>>On Tue, 3 Jun 2008, Derek Taylor wrote:
>>>>
>>>>DT>On Thu, 22 May 2008, Hartmut Brandt wrote:
>>>>DT>>Derek Taylor wrote:
>>>>DT>>> This question was previously posed of the freebsd-questions list, but
>>>>DT>>> with no response for a week, I'd like to try my luck here. If there's
>>>>DT>>> any more information I should include, please speak up: I would be glad
>>>>DT>>> to oblige.
>>>>DT>>>
>>>>DT>>> I would like to use smb/cifs with kerberos auth, but mount_smbfs doesn't
>>>>DT>>> seem to support this.
>>>>DT>>>
>>>>DT>>> Is anyone aware of an alternate means of performing a mount via smb/cifs
>>>>DT>>> or any patches to provide such functionality?
>>>>DT>>>
>>>>DT>>> I already have smbclient working with -k, but I am also interested in a
>>>>DT>>> mount.
>>>>DT>>
>>>>DT>>Try smbnetfs from ports. It's fuse based and seems to work very nice. If
>>>>DT>>you have a large amount of shares floating in your network you want to
>>>>DT>>restrict it to mount only the needed shares via the config file.
>>>>DT>>Otherwise it will mount what it can find...
>>>>DT>>
>>>>DT>>It plays nicely with kerberos. When your ticket expires you immediately
>>>>DT>>lose access; when you renew it you gain access again. All without the
>>>>DT>>need to unmount/mount. Just call smbnetfs once you have your ticket. You
>>>>DT>>may even do this from your .profile.
>>>>DT>>
>>>>DT>>harti
>>>>DT>
>>>>DT>Sorry for not replying sooner.
>>>>DT>
>>>>DT>Initial tests here are promising (I can see some mount paths being
>>>>DT>exported from the server), but it's not fully working (I don't see all
>>>>DT>of the mount paths that *should* be exported and I get permission denied
>>>>DT>errors). My thoughts are leaning towards an issue in negotiating auth
>>>>DT>with the server -- perhaps my krb creds aren't being used?
>>>>
>>>>You can test this easily: if your ticket expires you get permission denied
>>>>errors when you try to look into the mounted directories. As soon as you
>>>>renew the ticket you get access again. All without restarting smbnetfs.
>>>>
>>>>harti
>>>
>>> I replaced all server names below with "example.com" (and derivatives)
>>> where appropriate:
>>>
>>> From my FreeBSD machine, using smbnetfs:
>>>
>>> $ klist
>>> klist: No ticket file: /tmp/krb5cc_1001
>>> $ kinit det135
>>> [EMAIL PROTECTED]'s Password:
>>> kinit: NOTICE: ticket renewable lifetime is 1 week
>>> $ klist
>>> Credentials cache: FILE:/tmp/krb5cc_1001
>>> Principal: [EMAIL PROTECTED]
>>>
>>> Issued Expires Principal
>>> Jun 3 11:51:20 Jun 3 21:51:04 krbtgt/[EMAIL PROTECTED]
>>> $ cd ~/mount/cifs.example.com/dir1
>>> $ ls
>>> ls: .: Permission denied
>>> $ cd ..
>>> $ ls
>>> dir1 dir2
>>> $ klist
>>> Credentials cache: FILE:/tmp/krb5cc_1001
>>> Principal: [EMAIL PROTECTED]
>>>
>>> Issued Expires Principal
>>> Jun 3 11:51:20 Jun 3 21:51:04 krbtgt/[EMAIL PROTECTED]
>>>
>>>
>>> From my Mac, using (from Finder)
>>> Go -> Connect to Server -> cifs://cifs.example.com/dir1
>>>
>>> $ klist
>>> klist: No Kerberos 5 tickets in credentials cache
>>> $ kinit det135
>>> Please enter the password for [EMAIL PROTECTED]:
>>> $ klist
>>> Kerberos 5 ticket cache: 'API:Initial default ccache'
>>> Default principal: [EMAIL PROTECTED]
>>>
>>> Valid Starting Expires Service Principal
>>> 06/03/08 11:59:41 06/03/08 21:59:41 krbtgt/[EMAIL PROTECTED]
>>> renew until 06/10/08 11:59:41
>>>
>>> #### Here I mount via Finder before continuing with the commands below
>>>
>>> $ cd /Volumes/dir1/
>>> $ ls
>>> subdir1 subdir2 file1 file2
>>> $ klist
>>> Kerberos 5 ticket cache: 'API:Initial default ccache'
>>> Default principal: [EMAIL PROTECTED]
>>>
>>> Valid Starting Expires Service Principal
>>> 06/03/08 11:59:41 06/03/08 21:59:41 krbtgt/[EMAIL PROTECTED]
>>> renew until 06/10/08 11:59:41
>>> 06/03/08 12:00:31 06/03/08 21:59:41 cifs/[EMAIL PROTECTED]
>>> renew until 06/10/08 11:59:41
>>>
>>>
>>> It looks like my creds aren't being used on the FreeBSD machine.
>>>
>>> -Derek.
>>> _______________________________________________
>>> freebsd-hackers@freebsd.org mailing list
>>> http://lists.freebsd.org/mailman/listinfo/freebsd-hackers
>>> To unsubscribe, send any mail to "[EMAIL PROTECTED]"
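
The host-to-realm mapping discussed in the top reply, as an added example that is not part of the original thread: a simplified Python model of how a Kerberos library picks a realm for a service host from krb5.conf (exact host entry, then dot-prefixed domain entries, then the host's parent domain in upper case). It leaves out KDC referrals and DNS lookups; the sample configs and the names parse_domain_realm and realm_for_host are constructed for illustration.

```python
# Added example: simplified [domain_realm] resolution (no KDC referral, no DNS).
# Sample configs are constructed; only the cifs.example.com line is from the thread.
GOOD = """
[libdefaults]
    default_realm = EXAMPLE.COM
[domain_realm]
    cifs.example.com = realm.example.com
    .lab.example.com = LAB.EXAMPLE.COM
"""
# Same mappings under a misspelled section name: the entries are never read.
MISSPELLED = GOOD.replace("[domain_realm]", "[domain_realms]")


def parse_domain_realm(conf_text):
    """Return the [domain_realm] entries of a krb5.conf as {name: realm}."""
    mappings, section = {}, None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip()
            continue
        if section == "domain_realm" and "=" in line:
            key, _, value = line.partition("=")
            mappings[key.strip().lower()] = value.strip()
    return mappings


def realm_for_host(conf_text, host):
    """Return (realm, how_it_was_chosen) for a service host name."""
    mappings = parse_domain_realm(conf_text)
    host = host.lower().rstrip(".")
    if host in mappings:                          # exact host entry wins
        return mappings[host], "host entry"
    labels = host.split(".")
    for i in range(1, len(labels)):               # longest domain suffix first
        suffix = "." + ".".join(labels[i:])
        if suffix in mappings:
            return mappings[suffix], "domain entry " + suffix
    if len(labels) < 2:
        return None, "unmapped"
    # No entry applies: the parent domain, upper-cased, is taken as the realm.
    return ".".join(labels[1:]).upper(), "fallback"


if __name__ == "__main__":
    for name, conf in (("good", GOOD), ("misspelled", MISSPELLED)):
        print(name, realm_for_host(conf, "cifs.example.com"))
```

Running the same lookup against the krb5.conf on both the client and the server shows whether the two sides agree on the realm for the service host.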