Hello,

I'm trying to configure a Linux client (Ubuntu 18.04.3) to mount a DFS share from a Windows Server 2019. Both machines are joined to the same Active Directory domain. I joined the Linux client using the "realm" command and it works fine: for example, I can log in with ssh using AD credentials. The package cifs-utils is version 6.8.

I start by saying that I have a little knowledge of the Windows world and in particular of SMB, hence my question could be silly, but I searched for days without finding any solution.

I found the following entries in the krb5.conf file (I suppose added by the "realm" command):

  3 11/11/19 08:54:09 host/LINUXCLIENT@AD.DOMAIN (des-cbc-crc)
  3 11/11/19 08:54:09 host/LINUXCLIENT@AD.DOMAIN (des-cbc-md5)
  3 11/11/19 08:54:09 host/LINUXCLIENT@AD.DOMAIN (arcfour-hmac)
  3 11/11/19 08:54:09 host/LINUXCLIENT@AD.DOMAIN (aes128-cts-hmac-sha1-96)
  3 11/11/19 08:54:09 host/LINUXCLIENT@AD.DOMAIN (aes256-cts-hmac-sha1-96)
  3 11/11/19 08:54:09 host/linuxclient@AD.DOMAIN (des-cbc-crc)
  3 11/11/19 08:54:09 host/linuxclient@AD.DOMAIN (des-cbc-md5)
  3 11/11/19 08:54:09 host/linuxclient@AD.DOMAIN (arcfour-hmac)
  3 11/11/19 08:54:09 host/linuxclient@AD.DOMAIN (aes128-cts-hmac-sha1-96)
  3 11/11/19 08:54:09 host/linuxclient@AD.DOMAIN (aes256-cts-hmac-sha1-96)

I created on the Domain Controller a user principal "linuxclientuser-cifs" and associated to it an SPN "cifs/linuxclient.fqdn@AD.DOMAIN".
I exported the keytab file and added it to krb5.keytab, where I now have the following entries:

  3 11/12/19 12:50:59 cifs/linuxclient.fqdn@AD.DOMAIN (des-cbc-crc)
  3 11/12/19 12:50:59 cifs/linuxclient.fqdn@AD.DOMAIN (des-cbc-md5)
  3 11/12/19 12:50:59 cifs/linuxclient.fqdn@AD.DOMAIN (arcfour-hmac)
  3 11/12/19 12:50:59 cifs/linuxclient.fqdn@AD.DOMAIN (aes256-cts-hmac-sha1-96)
  3 11/12/19 12:50:59 cifs/linuxclient.fqdn@AD.DOMAIN (aes128-cts-hmac-sha1-96)

I use the following command to mount the share:

  sudo mount --verbose --types cifs //winsrv/CifsShare /mnt/cifs --options sec=krb5,multiuser,vers=3,user=cifs/linuxclient.fqdn,domain=AD.DOMAIN

and the response is:

  "mount error(13): Permission denied"

Looking at the logs I find:

  Nov 27 13:07:18 linuxclient cifs.upcall: key description: cifs.spnego;0;0;39010000;ver=0x2;host=winsrv;ip4=XXX.XXX.XXX.XXX;sec=krb5;uid=0x0;creduid=0x0;user=cifs/linuxclient.fqdn;pid=0x6ac
  Nov 27 13:07:18 linuxclient cifs.upcall: ver=2
  Nov 27 13:07:18 linuxclient cifs.upcall: host=winsrv
  Nov 27 13:07:18 linuxclient cifs.upcall: ip=XXX.XXX.XXX.XXX
  Nov 27 13:07:18 linuxclient cifs.upcall: sec=1
  Nov 27 13:07:18 linuxclient cifs.upcall: uid=0
  Nov 27 13:07:18 linuxclient cifs.upcall: creduid=0
  Nov 27 13:07:18 linuxclient cifs.upcall: user=cifs/linuxclient.fqdn
  Nov 27 13:07:18 linuxclient cifs.upcall: pid=1708
  Nov 27 13:07:18 linuxclient cifs.upcall: get_cachename_from_process_env: pid == 0
  Nov 27 13:07:18 linuxclient cifs.upcall: get_existing_cc: default ccache is FILE:/tmp/krb5cc_0
  Nov 27 13:07:18 linuxclient cifs.upcall: get_tgt_time: unable to get principal
  Nov 27 13:07:18 linuxclient cifs.upcall: handle_krb5_mech: getting service ticket for winsrv
  Nov 27 13:07:18 linuxclient cifs.upcall: handle_krb5_mech: obtained service ticket
  Nov 27 13:07:18 linuxclient cifs.upcall: Exit status 0

where it says that it gets the service ticket (I can see it sniffing packets with Wireshark) but it is "unable to get principal". Which principal?
On the server side I have the following error:

  A process has requested access to an object, but has not been granted those access rights. (0xC0000022)
  SPN: session setup failed before the SPN could be queried
  SPN Validation Policy: SPN optional / no validation

What am I doing wrong? Any suggestion is welcome.

Best regards
Alberto
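
An added example, not part of the original post and not code from cifs-utils: a small Python parser for the cifs.upcall "key description" line in the log above, showing which identity and target the kernel handed to the upcall. The function names are hypothetical; the sample line is copied from the post with the line-wrap break in "sec=krb5" repaired.

```python
import re

# Sample line from the post above (IP address masked as in the original).
SAMPLE = ("Nov 27 13:07:18 linuxclient cifs.upcall: key description: "
          "cifs.spnego;0;0;39010000;ver=0x2;host=winsrv;ip4=XXX.XXX.XXX.XXX;"
          "sec=krb5;uid=0x0;creduid=0x0;user=cifs/linuxclient.fqdn;pid=0x6ac")

# Fields the kernel writes in hexadecimal; cifs.upcall logs them again in decimal.
HEX_FIELDS = {"ver", "uid", "creduid", "pid"}


def parse_key_description(line):
    """Return the fields of a cifs.upcall key description as a dict."""
    match = re.search(r"key description:\s*(\S+)", line)
    if not match:
        raise ValueError("no cifs.upcall key description in line")
    parts = match.group(1).split(";")
    if len(parts) < 5:
        raise ValueError("key description is truncated")
    # Leading fields follow the keyring layout: type;uid;gid;perm;description
    info = {"key_type": parts[0], "key_uid": int(parts[1]),
            "key_gid": int(parts[2]), "key_perm": parts[3]}
    for item in parts[4:]:
        name, sep, value = item.partition("=")
        if not sep:
            continue  # skip anything that is not name=value
        info[name] = int(value, 16) if name in HEX_FIELDS else value
    return info


def summarize(info):
    """One-line summary of who asked for which ticket."""
    return ("sec={sec} mount to host={host} requested by uid={uid} "
            "(pid {pid}), credentials of uid={creduid}, user={user}"
            .format(**info))


if __name__ == "__main__":
    print(summarize(parse_key_description(SAMPLE)))
```

For the sample line, pid=0x6ac decodes to 1708 and uid/creduid decode to 0, matching the decimal values cifs.upcall logs on the following lines and the root credential cache FILE:/tmp/krb5cc_0 it reports.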