
I'm using Ubuntu 22.04 to mount a remote SMB share:

$ kinit [email protected]
Password for [email protected]:
$ sudo mount.cifs "//x.y.z.t1/Extension_2" /mnt/remoteShare/ --verbose -r -o [email protected],vers=3,sec=krb5i
mount.cifs kernel mount options: ip=x.y.z.t1,unc=\\x.y.z.t1\Extension_2,vers=3,sec=krb5i,[email protected],pass=********
mount.cifs kernel mount options: ip=x.y.z.t1,unc=\\x.y.z.t1\Extension_2,vers=3,sec=krb5i,cruid=1000,[email protected],pass=********
mount error(126): Required key not available
Refer to the mount.cifs(8) manual page (e.g. man mount.cifs) and kernel log messages (dmesg)
$ echo $?
32

dmesg says:

$ dmesg | tail
[10715718.454076] CIFS: VFS: \\x.y.z.t1 Send error in SessSetup = -126
[10715718.454446] CIFS: VFS: cifs_mount failed w/return code = -126
[10715928.839157] CIFS: Attempting to mount \\x.y.z.t1\Extension_2
[10715928.897209] CIFS: VFS: Verify user has a krb5 ticket and keyutils is installed
[10715928.897613] CIFS: VFS: \\x.y.z.t1 Send error in SessSetup = -126
[10715928.897992] CIFS: VFS: cifs_mount failed w/return code = -126
[10715928.898812] CIFS: Attempting to mount \\x.y.z.t1\Extension_2
[10715928.988054] CIFS: VFS: Verify user has a krb5 ticket and keyutils is installed
[10715928.988433] CIFS: VFS: \\x.y.z.t1 Send error in SessSetup = -126
[10715928.988872] CIFS: VFS: cifs_mount failed w/return code = -126
$

My user has a krb5 ticket and keyutils is indeed installed:

$ klist -fea
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: [email protected]

Valid starting       Expires              Service principal
04/09/2024 11:40:35  04/09/2024 15:40:35  krbtgt/[email protected]
        renew until 04/09/2024 15:40:35, Flags: RIA
        Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96
        Addresses: (none)
$ dpkg -l keyutils
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name           Version        Architecture Description
+++-==============-==============-============-=================================
ii  keyutils       1.6.1-2ubuntu3 amd64        Linux Key Management Utilities
$

EDIT0: Listed the SPNs of the SMB server myRemoteServer from a Windows AD member:

PS C:\> (Get-ADComputer myRemoteServer -Properties ServicePrincipalNames).ServicePrincipalNames | sort
HOST/myRemoteServer
HOST/myRemoteServer.myDOMAIN.lan
RestrictedKrbHost/myRemoteServer
RestrictedKrbHost/myRemoteServer.myDOMAIN.lan
PS C:\> 

EDIT1: Tried smbclient:

$ smbclient -U [email protected] //x.y.z.t1/Extension_2
session setup failed: NT_STATUS_ACCOUNT_RESTRICTION
$ echo $?
1
$

EDIT2: If I use the hostname instead of the IP address, I get a mount error(13): Permission denied error:

$ sudo mount.cifs "//myRemoteServer.myDOMAIN.lan/Extension_2" /mnt/remoteShare/ --verbose -r -o [email protected],vers=3,sec=krb5i
mount.cifs kernel mount options: ip=x.y.z.t1,unc=\\myRemoteServer.myDOMAIN.lan\Extension_2,vers=3,sec=krb5i,[email protected],pass=********
mount.cifs kernel mount options: ip=x.y.z.t1,unc=\\myRemoteServer.myDOMAIN.lan\Extension_2,vers=3,sec=krb5i,cruid=1000,[email protected],pass=********
mount error(13): Permission denied
Refer to the mount.cifs(8) manual page (e.g. man mount.cifs) and kernel log messages (dmesg)
$ echo $?
32
$ dmesg -T | tail
[Tue Apr  9 19:10:02 2024] CIFS: VFS: \\myRemoteServer.myDOMAIN.lan Send error in SessSetup = -13
[Tue Apr  9 19:10:02 2024] CIFS: VFS: cifs_mount failed w/return code = -13
[Tue Apr  9 19:10:20 2024] CIFS: Attempting to mount \\myRemoteServer.myDOMAIN.lan\Extension_2
[Tue Apr  9 19:10:20 2024] CIFS: VFS: Verify user has a krb5 ticket and keyutils is installed
[Tue Apr  9 19:10:20 2024] CIFS: VFS: \\myRemoteServer.myDOMAIN.lan Send error in SessSetup = -126
[Tue Apr  9 19:10:20 2024] CIFS: VFS: cifs_mount failed w/return code = -126
[Tue Apr  9 19:10:20 2024] CIFS: Attempting to mount \\myRemoteServer.myDOMAIN.lan\Extension_2
[Tue Apr  9 19:10:20 2024] CIFS: Status code returned 0xc000006d STATUS_LOGON_FAILURE
[Tue Apr  9 19:10:20 2024] CIFS: VFS: \\myRemoteServer.myDOMAIN.lan Send error in SessSetup = -13
[Tue Apr  9 19:10:20 2024] CIFS: VFS: cifs_mount failed w/return code = -13
$

EDIT3: Tried with smbclient -k:

$ smbclient -k -U [email protected] //myRemoteServer.myDOMAIN.lan/Extension_2
WARNING: The option -k|--kerberos is deprecated!
session setup failed: NT_STATUS_ACCESS_DENIED
$

EDIT4: Tried in debug mode with smbclient -k -d 15:

$ smbclient -k -d 15 -U [email protected] //myRemoteServer.myDOMAIN.lan/Extension_2
INFO: Current debug levels:
  all: 15
  tdb: 15
  printdrivers: 15
  lanman: 15
  smb: 15
  rpc_parse: 15
  rpc_srv: 15
  rpc_cli: 15
  passdb: 15
  sam: 15
  auth: 15
  winbind: 15
  vfs: 15
  idmap: 15
  quota: 15
  acls: 15
  locking: 15
  msdfs: 15
  dmapi: 15
  registry: 15
  scavenger: 15
  dns: 15
  ldb: 15
  tevent: 15
  auth_audit: 15
  auth_json_audit: 15
  kerberos: 15
  drs_repl: 15
  smb2: 15
  smb2_credits: 15
  dsdb_audit: 15
  dsdb_json_audit: 15
  dsdb_password_audit: 15
  dsdb_password_json_audit: 15
  dsdb_transaction_audit: 15
  dsdb_transaction_json_audit: 15
  dsdb_group_audit: 15
  dsdb_group_json_audit: 15
WARNING: The option -k|--kerberos is deprecated!
lp_load_ex: refreshing parameters
Initialising global parameters
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
INFO: Current debug levels:
  all: 15
  tdb: 15
  printdrivers: 15
  lanman: 15
  smb: 15
  rpc_parse: 15
  rpc_srv: 15
  rpc_cli: 15
  passdb: 15
  sam: 15
  auth: 15
  winbind: 15
  vfs: 15
  idmap: 15
  quota: 15
  acls: 15
  locking: 15
  msdfs: 15
  dmapi: 15
  registry: 15
  scavenger: 15
  dns: 15
  ldb: 15
  tevent: 15
  auth_audit: 15
  auth_json_audit: 15
  kerberos: 15
  drs_repl: 15
  smb2: 15
  smb2_credits: 15
  dsdb_audit: 15
  dsdb_json_audit: 15
  dsdb_password_audit: 15
  dsdb_password_json_audit: 15
  dsdb_transaction_audit: 15
  dsdb_transaction_json_audit: 15
  dsdb_group_audit: 15
  dsdb_group_json_audit: 15
Processing section "[global]"
doing parameter workgroup = WORKGROUP
doing parameter server string = %h server (Samba, Ubuntu)
doing parameter log file = /var/log/samba/log.%m
doing parameter max log size = 1000
doing parameter logging = file
doing parameter panic action = /usr/share/samba/panic-action %d
doing parameter server role = standalone server
doing parameter obey pam restrictions = yes
doing parameter unix password sync = yes
doing parameter passwd program = /usr/bin/passwd %u
doing parameter passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
doing parameter pam password change = yes
doing parameter map to guest = bad user
doing parameter usershare allow guests = yes
pm_process() returned Yes
lp_servicenumber: couldn't find homes
added interface ens160 ip=x.y.z.t bcast=x.y.z.255 netmask=255.255.255.0
Client started (version 4.15.13-Ubuntu).
Opening cache file at /run/samba/gencache.tdb
tdb(/run/samba/gencache.tdb): tdb_open_ex: could not open file /run/samba/gencache.tdb: Permission denied
gencache_init: Opening user cache file /home/administrateur/.cache/samba/gencache.tdb.
sitename_fetch: No stored sitename for realm ''
internal_resolve_name: looking up myRemoteServer.myDOMAIN.lan#20 (sitename (null))
namecache_fetch: name myRemoteServer.myDOMAIN.lan#20 found.
remove_duplicate_addrs2: looking for duplicate address/port pairs
Connecting to x.y.z.138 at port 445
socket options: SO_KEEPALIVE=0, SO_REUSEADDR=0, SO_BROADCAST=0, TCP_NODELAY=1, TCP_KEEPCNT=9, TCP_KEEPIDLE=7200, TCP_KEEPINTVL=75, IPTOS_LOWDELAY=0, IPTOS_THROUGHPUT=0, SO_REUSEPORT=0, SO_SNDBUF=87040, SO_RCVBUF=131072, SO_SNDLOWAT=1, SO_RCVLOWAT=1, SO_SNDTIMEO=0, SO_RCVTIMEO=0, TCP_QUICKACK=1, TCP_DEFER_ACCEPT=0, TCP_USER_TIMEOUT=0
 session request ok
 negotiated dialect[SMB3_11] against server[myRemoteServer.myDOMAIN.lan]
cli_session_setup_spnego_send: Connect to myRemoteServer.myDOMAIN.lan as [email protected] using SPNEGO
GENSEC backend 'gssapi_spnego' registered
GENSEC backend 'gssapi_krb5' registered
GENSEC backend 'gssapi_krb5_sasl' registered
GENSEC backend 'spnego' registered
GENSEC backend 'schannel' registered
GENSEC backend 'naclrpc_as_system' registered
GENSEC backend 'sasl-EXTERNAL' registered
GENSEC backend 'ntlmssp' registered
GENSEC backend 'ntlmssp_resume_ccache' registered
GENSEC backend 'http_basic' registered
GENSEC backend 'http_ntlm' registered
GENSEC backend 'http_negotiate' registered
GENSEC backend 'krb5' registered
GENSEC backend 'fake_gssapi_krb5' registered
Starting GENSEC mechanism spnego
Starting GENSEC submechanism gse_krb5
gensec_update_send: gse_krb5[0x5618cd09cc80]: subreq: 0x5618cd07fe30
gensec_update_send: spnego[0x5618cd0966d0]: subreq: 0x5618cd09afa0
gensec_update_done: gse_krb5[0x5618cd09cc80]: NT_STATUS_MORE_PROCESSING_REQUIRED tevent_req[0x5618cd07fe30/../../source3/librpc/crypto/gse.c:848]: state[2] error[0 (0x0)]  state[struct gensec_gse_update_state (0x5618cd07fff0)] timer[(nil)] finish[../../source3/librpc/crypto/gse.c:859]
gensec_update_done: spnego[0x5618cd0966d0]: NT_STATUS_MORE_PROCESSING_REQUIRED tevent_req[0x5618cd09afa0/../../auth/gensec/spnego.c:1631]: state[2] error[0 (0x0)]  state[struct gensec_spnego_update_state (0x5618cd09b160)] timer[(nil)] finish[../../auth/gensec/spnego.c:2116]
SPNEGO login failed: The attempted logon is invalid. This is either due to a bad username or authentication information.
session setup failed: NT_STATUS_LOGON_FAILURE
$

And without the -U ...:

$ smbclient -k -d 15 //myRemoteServer.myDOMAIN.lan/Extension_2
INFO: Current debug levels:
  all: 15
  tdb: 15
  printdrivers: 15
  lanman: 15
  smb: 15
  rpc_parse: 15
  rpc_srv: 15
  rpc_cli: 15
  passdb: 15
  sam: 15
  auth: 15
  winbind: 15
  vfs: 15
  idmap: 15
  quota: 15
  acls: 15
  locking: 15
  msdfs: 15
  dmapi: 15
  registry: 15
  scavenger: 15
  dns: 15
  ldb: 15
  tevent: 15
  auth_audit: 15
  auth_json_audit: 15
  kerberos: 15
  drs_repl: 15
  smb2: 15
  smb2_credits: 15
  dsdb_audit: 15
  dsdb_json_audit: 15
  dsdb_password_audit: 15
  dsdb_password_json_audit: 15
  dsdb_transaction_audit: 15
  dsdb_transaction_json_audit: 15
  dsdb_group_audit: 15
  dsdb_group_json_audit: 15
WARNING: The option -k|--kerberos is deprecated!
lp_load_ex: refreshing parameters
Initialising global parameters
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
INFO: Current debug levels:
  all: 15
  tdb: 15
  printdrivers: 15
  lanman: 15
  smb: 15
  rpc_parse: 15
  rpc_srv: 15
  rpc_cli: 15
  passdb: 15
  sam: 15
  auth: 15
  winbind: 15
  vfs: 15
  idmap: 15
  quota: 15
  acls: 15
  locking: 15
  msdfs: 15
  dmapi: 15
  registry: 15
  scavenger: 15
  dns: 15
  ldb: 15
  tevent: 15
  auth_audit: 15
  auth_json_audit: 15
  kerberos: 15
  drs_repl: 15
  smb2: 15
  smb2_credits: 15
  dsdb_audit: 15
  dsdb_json_audit: 15
  dsdb_password_audit: 15
  dsdb_password_json_audit: 15
  dsdb_transaction_audit: 15
  dsdb_transaction_json_audit: 15
  dsdb_group_audit: 15
  dsdb_group_json_audit: 15
Processing section "[global]"
doing parameter workgroup = WORKGROUP
doing parameter server string = %h server (Samba, Ubuntu)
doing parameter log file = /var/log/samba/log.%m
doing parameter max log size = 1000
doing parameter logging = file
doing parameter panic action = /usr/share/samba/panic-action %d
doing parameter server role = standalone server
doing parameter obey pam restrictions = yes
doing parameter unix password sync = yes
doing parameter passwd program = /usr/bin/passwd %u
doing parameter passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
doing parameter pam password change = yes
doing parameter map to guest = bad user
doing parameter usershare allow guests = yes
pm_process() returned Yes
lp_servicenumber: couldn't find homes
added interface ens160 ip=x.y.z.246 bcast=x.y.z.255 netmask=255.255.255.0
Client started (version 4.15.13-Ubuntu).
Opening cache file at /run/samba/gencache.tdb
tdb(/run/samba/gencache.tdb): tdb_open_ex: could not open file /run/samba/gencache.tdb: Permission denied
gencache_init: Opening user cache file /home/administrateur/.cache/samba/gencache.tdb.
sitename_fetch: No stored sitename for realm ''
internal_resolve_name: looking up myRemoteServer.myDOMAIN.lan#20 (sitename (null))
namecache_fetch: name myRemoteServer.myDOMAIN.lan#20 found.
remove_duplicate_addrs2: looking for duplicate address/port pairs
Connecting to x.y.z.t at port 445
socket options: SO_KEEPALIVE=0, SO_REUSEADDR=0, SO_BROADCAST=0, TCP_NODELAY=1, TCP_KEEPCNT=9, TCP_KEEPIDLE=7200, TCP_KEEPINTVL=75, IPTOS_LOWDELAY=0, IPTOS_THROUGHPUT=0, SO_REUSEPORT=0, SO_SNDBUF=87040, SO_RCVBUF=131072, SO_SNDLOWAT=1, SO_RCVLOWAT=1, SO_SNDTIMEO=0, SO_RCVTIMEO=0, TCP_QUICKACK=1, TCP_DEFER_ACCEPT=0, TCP_USER_TIMEOUT=0
 session request ok
 negotiated dialect[SMB3_11] against server[myRemoteServer.myDOMAIN.lan]
cli_session_setup_spnego_send: Connect to myRemoteServer.myDOMAIN.lan as [email protected] using SPNEGO
GENSEC backend 'gssapi_spnego' registered
GENSEC backend 'gssapi_krb5' registered
GENSEC backend 'gssapi_krb5_sasl' registered
GENSEC backend 'spnego' registered
GENSEC backend 'schannel' registered
GENSEC backend 'naclrpc_as_system' registered
GENSEC backend 'sasl-EXTERNAL' registered
GENSEC backend 'ntlmssp' registered
GENSEC backend 'ntlmssp_resume_ccache' registered
GENSEC backend 'http_basic' registered
GENSEC backend 'http_ntlm' registered
GENSEC backend 'http_negotiate' registered
GENSEC backend 'krb5' registered
GENSEC backend 'fake_gssapi_krb5' registered
Starting GENSEC mechanism spnego
Starting GENSEC submechanism gse_krb5
gensec_update_send: gse_krb5[0x55920886daf0]: subreq: 0x559208850e30
gensec_update_send: spnego[0x55920886a4f0]: subreq: 0x55920886be10
gensec_update_done: gse_krb5[0x55920886daf0]: NT_STATUS_MORE_PROCESSING_REQUIRED tevent_req[0x559208850e30/../../source3/librpc/crypto/gse.c:848]: state[2] error[0 (0x0)]  state[struct gensec_gse_update_state (0x559208850ff0)] timer[(nil)] finish[../../source3/librpc/crypto/gse.c:859]
gensec_update_done: spnego[0x55920886a4f0]: NT_STATUS_MORE_PROCESSING_REQUIRED tevent_req[0x55920886be10/../../auth/gensec/spnego.c:1631]: state[2] error[0 (0x0)]  state[struct gensec_spnego_update_state (0x55920886bfd0)] timer[(nil)] finish[../../auth/gensec/spnego.c:2116]
SPNEGO login failed: The attempted logon is invalid. This is either due to a bad username or authentication information.
session setup failed: NT_STATUS_LOGON_FAILURE
$
  • Does that IP address have a Kerberos service principal? Does it have a corresponding domain name? Is reverse DNS set up for it? Commented Apr 9 at 10:03
  • @u1686_grawity I don't know what a Kerberos service principal is. I know that the remote SMB server is a Synology DSM 7.0
    – SebMa
    Commented Apr 9 at 12:51
  • @u1686_grawity The domain is myDOMAIN.LAN; there are 4 IPs behind this DNS entry.
    – SebMa
    Commented Apr 9 at 13:00
  • I didn't mean the AD domain in general; I meant a (sub)domain name that specifically points to this server's IP address. Commented Apr 9 at 15:06
  • @Giacomo1968 No, it is not. I'm using different configurations here.
    – SebMa
    Commented Apr 9 at 16:59

1 Answer


Kerberos, much like TLS, requires you to connect to a hostname that matches the server's configuration – an IP address will generally not work.
It doesn't end at "getting a ticket" in general – you also need to get a ticket for the specific service that you're authenticating to. Each service has its own key shared with the Kerberos KDC, identified by "service principal name" such as cifs/nas.example.com for an SMB file server or HTTP/blog for a webapp (or indeed krbtgt/EXAMPLE.COM for the "ticket issuance" service). When things go right, the 'mount' command will get the service ticket automatically and it'll show up in klist:

$ klist
Valid starting       Expires              Service principal
04/09/2024 17:52:46  04/10/2024 03:39:06  krbtgt/[email protected]
04/09/2024 18:00:02  04/10/2024 03:39:06  HTTP/[email protected]
04/09/2024 18:00:02  04/10/2024 03:39:06  nfs/[email protected]
04/09/2024 18:00:05  04/10/2024 03:39:06  imap/[email protected]
04/09/2024 18:00:05  04/10/2024 03:39:06  host/[email protected]
04/09/2024 18:00:06  04/10/2024 03:39:06  nfs/[email protected]

This means that, in order for the client to successfully get tickets for the correct Kerberos service, it needs to be given the correct hostname or subdomain name that the KDC knows for that service – any random address will not work.

The generic "Required key not available" error code comes from the 'cifs.upcall' program failing to get a ticket; you can see the more detailed error messages in your syslog or system journal (journalctl).

(Linux Kerberos sometimes makes it work by using 'reverse DNS' to look up the hostname from IP address via PTR records, but most networks do not have rDNS available for their internal IPs.)

When servers are joined to AD, their computer accounts automatically get SPNs for their full domain name cifs/nas02.example.com and their short computer name cifs/nas02, but not for their IP address (and also not for any manually-created DNS CNAME aliases). So you need to find out what the "real" AD hostname of the Synology NAS is, and then use that in your 'mount' command.

You can usually look up computer SPNs in Active Directory through LDAP with ldapsearch (unless the AD admins have deliberately hidden them), or you can manually guess at possible SPNs using the kvno tool (e.g. kvno cifs/[email protected]).

  1. Look up a DC name:

    host -t srv _ldap._tcp.example.com    => dc01.example.com
    
  2. Search for SPNs of non-Windows servers:

    ldapsearch -H ldap://dc01.example.com -Y GSS-SPNEGO -Q \
               '(&(objectCategory=computer)(!(operatingSystem=Windows*)))' \
               servicePrincipalName \
               | grep -i '\bhost/' | sort -f
    
  • Listed the SPNs of myRemoteServer from a Windows AD member in EDIT0. Hope this helps.
    – SebMa
    Commented Apr 9 at 16:38
  • @SebMa: That doesn't change the answer. If you already know that the server is named myRemoteServer and it has SPNs for */myRemoteServer, then that's what you must specify as the server name for mount.cifs. Commented Apr 9 at 16:48
  • If I use myRemoteServer.myDOMAIN.lan, then I get a mount error(13): Permission denied error. See my EDIT2.
    – SebMa
    Commented Apr 9 at 17:02
  • That's a different problem now – do you have access using smbclient -k to the same share? Does the Kerberos ticket for cifs/server now show up in klist? Commented Apr 9 at 17:20
  • I just added EDIT3.
    – SebMa
    Commented Apr 10 at 8:21
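The answer's diagnosis (an IP literal has no SPN, so the CIFS client must request cifs/&lt;AD hostname&gt;, and a successful mount leaves that service ticket in klist) can be turned into a small pre-flight check. The script below is an added example, not code from the question or the answer; the mount targets, realm EXAMPLE.COM and the klist output it parses are constructed.

```python
"""Pre-flight check for Kerberos SMB mounts: derive the SPN the CIFS client
will request for a mount target and confirm the ticket cache holds it."""
import ipaddress
import re
from typing import Optional

# One klist ticket line looks like:
#   "04/09/2024 18:00:02  04/10/2024 03:39:06  cifs/nas02.example.com@EXAMPLE.COM"
# Continuation lines ("renew until ...", "Flags: ...") do not match.
_TICKET_RE = re.compile(
    r"^\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}\s+"
    r"\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}\s+(\S+)$"
)

def target_host(unc: str) -> str:
    """Return the server part of a //server/share or UNC-style path."""
    stripped = unc.replace("\\", "/").lstrip("/")
    return stripped.split("/", 1)[0].strip("[]")

def expected_spn(unc: str, realm: str) -> Optional[str]:
    """SPN the client asks the KDC for, or None for an IP literal: AD registers
    SPNs for the computer name, never for addresses (see the answer above)."""
    host = target_host(unc)
    try:
        ipaddress.ip_address(host)
        return None
    except ValueError:
        return f"cifs/{host.lower()}@{realm}"

def service_principals(klist_output: str) -> list[str]:
    """All service principals listed in klist output, in order."""
    return [m.group(1) for line in klist_output.splitlines()
            if (m := _TICKET_RE.match(line.strip()))]

def has_service_ticket(klist_output: str, spn: str) -> bool:
    return any(p.lower() == spn.lower() for p in service_principals(klist_output))

def diagnose(unc: str, realm: str, klist_output: str) -> str:
    """Map the mount target plus the current ticket cache to a next step."""
    spn = expected_spn(unc, realm)
    if spn is None:
        return (f"target {target_host(unc)} is an IP literal; no SPN can be "
                "derived (expect mount error 126), use the AD hostname instead")
    if not any(p.lower().startswith("krbtgt/") for p in service_principals(klist_output)):
        return "no TGT in cache; run kinit first"
    if has_service_ticket(klist_output, spn):
        return f"service ticket for {spn} present"
    return f"no ticket for {spn} in cache; confirm the SPN exists in AD (kvno {spn})"

# Constructed sample klist output (not the question's), taken after a working mount.
SAMPLE_KLIST = """Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: alice@EXAMPLE.COM

Valid starting       Expires              Service principal
04/09/2024 17:52:46  04/10/2024 03:39:06  krbtgt/EXAMPLE.COM@EXAMPLE.COM
        renew until 04/16/2024 17:52:46, Flags: FRIA
04/09/2024 18:00:02  04/10/2024 03:39:06  cifs/nas02.example.com@EXAMPLE.COM
"""

if __name__ == "__main__":
    for target in ("//nas02.example.com/share", "//192.0.2.10/share",
                   "//nas03.example.com/share"):
        print(target, "->", diagnose(target, "EXAMPLE.COM", SAMPLE_KLIST))
```

On a real client, feed it the output of `klist` and the exact path given to mount.cifs; a "no ticket" result after a failed mount points at the SPN lookup steps in the answer rather than at the share permissions.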
