Thanks for the bug report, Alexander!
I have a local setup here with an Active Directory running on Windows Server 2019, and I fired up a Focal VM and tried to reproduce the steps you mentioned above. In a nutshell, here's what I did:
- realm join mydomain --membership-software=adcli
- Installed krb5-user and made sure everything was working correctly
- Installed smbclient et al and made sure everything was also working correctly
- Installed keyutils
Then, I acquired a krb5 ticket (using "kinit user", but without resorting to a separate keytab, as you did above):
# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: <email address hidden>
Valid starting       Expires              Service principal
10/27/2020 22:23:04  10/28/2020 08:23:04  <email address hidden>
        renew until 10/28/2020 22:23:01
Finally, I tried mounting a SMB share from the Windows Server machine:
# mount //ad1.ad1.example.com/windows /mnt/ -o sec=krb5,multiuser,file_mode=0660,dir_mode=0770,nounix,noserverino
And everything worked correctly. I'm able to list the contents of the share, and if I switch to another user I see that the multiuser option kicks in and I see the files' owner/group is changed accordingly.
Here's the version of everything I'm using:
cifs-utils:
Installed: 2:6.9-1ubuntu0.1
sssd:
Installed: 2.2.3-3
smbclient:
Installed: 2:4.11.6+dfsg-0ubuntu1.5
Unless I'm missing some step from your configuration, it seems I can't reproduce the bug. The only way I can reproduce the same error you had is when I kdestroy my credentials and try to mount the share again.
I will try setting up a samba share on another machine in the realm and then try to reproduce the issue, but initially I don't see how this could make a difference. I'll get back when I have something.