AD-joined Rocky 8 & 9 cannot mount SMB shares via Kerberos

I am running into an issue with mounting shares as all users via Nautilus or gio mount. Rocky 8 and 9 machines are joined to a Windows Active Directory domain via sssd. I am able to log in with AD users, and I am able to successfully mount using sudo mount and sec=krb5, so it appears the Kerberos ticket is present.

When trying to mount via Nautilus or gio mount, I get “Failed to mount Windows share: Cannot allocate memory”. Via Nautilus I am using smb://servername and it displays the shares; clicking on each share shows this message. If I kdestroy, it will prompt for credentials and I am able to mount. Using gio mount smb://servername/share gives the same error “Failed to mount Windows share: Cannot allocate memory”.

Any assistance would be greatly appreciated.

I have two things in my standard configuration that are related to resolving this issue:

  1. Install krb5-workstation
  2. Edit the default_ccache_name setting in /etc/krb5.conf

Though I think my second step isn’t necessary since it seems to be overridden by /etc/krb5.conf.d/kcm_default_ccache and sssd-kcm.service.

In any case, I’m seeing the same errors when connecting to smb://servername/share, but connecting to smb://servername.domain.tld/share works without errors for some servers. (But the actual samba servers are still giving me a login prompt instead of accepting the ticket.)

The GUIs use NTLM, not Kerberos; if you want to use a GUI, remove sssd and set up Samba with winbind.

@linde Thank you for the info. I do have krb5-workstation installed. I tested what you said (hostname vs FQDN) and found that using the FQDN works with the GUI using Kerberos credentials. Same goes for gio mount. If I only use the hostname, I get the error of “cannot allocate memory”. I appreciate you sharing this, I didn’t even try the FQDN before this post.

@hortimech It appears to work fine with SSSD and Kerberos via the GUI when I use the FQDN instead of just the hostname.

Does anyone know where I could potentially add the domain name to “auto append” or something so when only the hostname is used, it also works?

Try adding a host SPN (Service Principal Name) for the short hostname (without domain) to the machine account in Active Directory, example for a machine named “servername”:

setspn -s host/servername servername

@dali It appears to already have a spn for HOST/NAME and HOST/NAME.DOMAIN

It appears that the solution for this lies in /etc/samba/smb.conf even if you’re not running any samba or winbind services.

Adding the line realm = MY.REALM.TLD in the [global] section fixed short hostnames for me and FQDNs not ending in the realm name.

Prior to this change, the only things that accepted the kerberos ticket and connected without a password prompt were shares accessed by FQDN where the realm name was the suffix.

How I got here:

The following will cause the gio mount command to produce a lot of debug output:

GVFS_DEBUG=1 GVFS_SMB_DEBUG=99 /usr/libexec/gvfsd -r &

My active directory / kerberos realm is “ad.mydomain.tld”, but many AD-connected servers have canonical hostnames (and SPNs) ending in “other.mydomain.tld”.

In the output following a command like gio mount smb://{server}.other.mydomain.tld/{share}, it seemed to be trying to locate a KDC for a realm “other.mydomain.tld”.

There were also messages about accessing /var/lib/samba/lock/gencache.tdb which pointed me in the samba direction.

Everything works in the few remaining older systems on CentOS 7 connected to the domain with winbind instead of sssd.

Adding the kerberos-related configuration lines to smb.conf seemed to fix it and the realm setting alone appears to be sufficient.
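The realm-to-hostname relationship described in this post, as an added example that is not part of the thread or of any Samba/Kerberos project code. The realm ad.mydomain.tld, the second DNS domain other.mydomain.tld, the host names and both config fragments are constructed from the placeholders used above. The script writes a minimal smb.conf (before and after the realm fix) and a krb5.conf, checks that smb.conf [global] carries a realm equal to the Kerberos default_realm, and shows which realm a [domain_realm] section would map each host to. The [domain_realm] mapping is the Kerberos-side way to express "hosts under other.mydomain.tld belong to AD.MYDOMAIN.TLD"; it is included to illustrate the KDC lookup for other.mydomain.tld seen in the debug output, and whether libsmbclient honours it on a given system is an assumption the thread does not confirm (the thread's confirmed fix is the realm line in smb.conf).

```bash
#!/bin/bash
# Added example, not from the thread. Checks that libsmbclient (smb.conf) and
# Kerberos (krb5.conf) agree on the realm for the share hosts in the post.
# Realm and host names are constructed placeholders from the thread.
set -u
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# smb.conf before the fix: no realm, even though sssd joined the machine.
cat > "$WORK/smb.conf.before" <<'EOF'
[global]
    workgroup = AD
EOF

# smb.conf after the fix from the thread: realm set in [global], no smbd/winbind needed.
cat > "$WORK/smb.conf" <<'EOF'
[global]
    workgroup = AD
    realm = AD.MYDOMAIN.TLD
EOF

# krb5.conf with the KCM cache from the thread and a [domain_realm] section
# mapping both DNS domains onto the single AD realm (assumed layout).
cat > "$WORK/krb5.conf" <<'EOF'
[libdefaults]
    default_realm = AD.MYDOMAIN.TLD
    default_ccache_name = KCM:

[domain_realm]
    .ad.mydomain.tld = AD.MYDOMAIN.TLD
    ad.mydomain.tld = AD.MYDOMAIN.TLD
    .other.mydomain.tld = AD.MYDOMAIN.TLD
EOF

# ini_get FILE SECTION KEY: print the first value of KEY inside [SECTION]
# (key match is case-insensitive; lines starting with # or ; are comments).
ini_get() {
    awk -v want="$2" -v key="$3" '
        /^[ \t]*[#;]/ { next }
        /^[ \t]*\[/ { sec = $0; sub(/^[ \t]*\[/, "", sec); sub(/\].*$/, "", sec); next }
        sec == want {
            eq = index($0, "=")
            if (eq == 0) next
            k = substr($0, 1, eq - 1); v = substr($0, eq + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k)
            gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (tolower(k) == tolower(key)) { print v; exit }
        }' "$1"
}

# smb_realm_ok SMBCONF KRB5CONF: succeed only if smb.conf [global] has a realm
# and it equals the Kerberos default_realm (realm names are case-sensitive).
smb_realm_ok() {
    local smb krb
    smb=$(ini_get "$1" global realm)
    krb=$(ini_get "$2" libdefaults default_realm)
    [ -n "$smb" ] && [ "$smb" = "$krb" ]
}

# host_realm KRB5CONF HOST: the realm [domain_realm] maps HOST to, trying the
# exact host first, then each parent domain (".suffix" entries). With no
# mapping it falls back to the upper-cased DNS domain, which is the realm the
# thread saw gvfs looking up a KDC for; a bare short name yields nothing.
# Exit status 0 = configured mapping, 1 = fallback guess or no realm at all.
host_realm() {
    local h r d
    h=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    r=$(ini_get "$1" domain_realm "$h")
    [ -n "$r" ] && { printf '%s\n' "$r"; return 0; }
    d=$h
    while [ "${d#*.}" != "$d" ]; do
        d=${d#*.}
        r=$(ini_get "$1" domain_realm ".$d")
        [ -n "$r" ] && { printf '%s\n' "$r"; return 0; }
    done
    case $h in
        *.*) printf '%s\n' "${h#*.}" | tr 'a-z' 'A-Z' ;;
        *)   printf '\n' ;;
    esac
    return 1
}

if smb_realm_ok "$WORK/smb.conf.before" "$WORK/krb5.conf"; then
    echo "before: ok"
else
    echo "before: smb.conf [global] has no realm matching krb5.conf default_realm"
fi
if smb_realm_ok "$WORK/smb.conf" "$WORK/krb5.conf"; then
    echo "after:  realm = $(ini_get "$WORK/smb.conf" global realm)"
fi

for host in servername servername.ad.mydomain.tld fileserver.other.mydomain.tld nas.unmapped.example; do
    r=$(host_realm "$WORK/krb5.conf" "$host")
    printf '%-32s -> %s\n' "$host" "${r:-(none)}"
done
```

The short name servername carries no domain suffix to map, so Kerberos alone has nothing to derive a realm from, which is consistent with the thread's finding that the realm line in smb.conf is what made short names work; nas.unmapped.example shows the guessed upper-cased domain that produced the stray KDC lookup in the debug output.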

Thank you @linde ! That worked perfectly!