Has anyone successfully enabled Kerberos authentication to a Samba share on an 
SL7 server? This works fine when the Samba share is on an SL6 server, but on 
SL7 Samba looks for a KEYRING cache that doesn’t exist (even if the system is 
configured to use a FILE cache).

sec=ntlmv2 and sec=ntlmssp both work, but we’d like to also support sec=krb5

Here’s what the server logs:
———
[2018/09/15 09:47:01.942550,  1] ../source3/librpc/crypto/gse.c:226(gse_context_init)
 Failed to resolve credential cache 'KEYRING:session:0_16696'! (Key has been revoked)
[2018/09/15 09:47:01.942660,  1] ../auth/gensec/gensec_start.c:756(gensec_start_mech)
 Failed to start GENSEC server mech gse_krb5: NT_STATUS_NO_MEMORY
———

And here’s a mount attempt from the client:
———
mount -t cifs -o sec=krb5 //server/test /mnt/tmp
mount error(95): Operation not supported
Refer to the mount.cifs(8) manual page (e.g. man mount.cifs)
———

Here’s the smb.conf:

———
workgroup = WORKGROUP
server string = server
netbios name = server
log file = /hac/services/server/var/log/samba/%m.log
max log size = 50000
security = ads
realm = REALM 
private dir = /mnt/test/var/lib/samba/private
username map = /hac/services/server/etc/samba/users.map
preferred master = no
domain master = no
log level = 1
kernel oplocks = no
oplocks = False
level2 oplocks = False
max protocol = SMB2
raw NTLMv2 auth = yes
ntlm auth = No
pid directory = /hac/services/server/var/run
dedicated keytab file = FILE:/hac/services/server/etc/keytab
kerberos method = dedicated keytab

[test]
   comment = Draft
   path = /mnt/test
   writable = yes
   printable = no
   fake oplocks = yes
   strict locking = no
   directory mask = 775
   create mask = 775
———

And finally, the dedicated keytab works fine, and contains cifs/server.

Any suggestions would be greatly appreciated.

Thanks!
Devin
