I am running into an issue with mounting shares as all users via nautilus or gio mount. Rocky 8 and 9 machines are joined to a windows active directory domain via sssd. I am able to login with AD users, and I am able to successfully mount using sudo mount and sec=krb5, so it appears the kerberos ticket is present.
When trying to mount via nautilus or gio mount, I get “Failed to mount Windows share: Cannot allocate memory”. Via nautilus I am using smb://servername and it displays the shares; clicking on each share shows this message. If I kdestroy, it will prompt for credentials and I am able to mount. Using gio mount smb://servername/share gives the same error “Failed to mount Windows share: Cannot allocate memory”.
I have two things in my standard configuration that are related to resolving this issue:
1. Install krb5-workstation
2. Edit the default_ccache_name setting in /etc/krb5.conf
Though I think my second step isn’t necessary since it seems to be overridden by /etc/krb5.conf.d/kcm_default_ccache and sssd-kcm.service.
In any case, I’m seeing the same errors when connecting to smb://servername/share, but connecting to smb://servername.domain.tld/share works without errors for some servers. (But the actual samba servers are still giving me a login prompt instead of accepting the ticket.)
@linde Thank you for the info. I do have krb5-workstation installed. I tested what you said (hostname vs FQDN) and found that using the FQDN works with the GUI using kerberos credentials. Same goes for gio mount. If I only use the hostname, I get the error of “cannot allocate memory”. I appreciate you sharing this, I didn’t even try the FQDN before this post.
@hortimech It appears to work fine with SSSD and kerberos via the GUI when I use the FQDN instead of just hostname.
Does anyone know where I could potentially add the domain name to “auto append” or something so when only the hostname is used, it also works?
Try adding a host SPN (Service Principal Name) for the short hostname (without domain) to the machine account in Active Directory, example for a machine named “servername”:
It appears that the solution for this lies in /etc/samba/smb.conf even if you’re not running any samba or winbind services.
Adding the line realm = MY.REALM.TLD in the [global] section fixed short hostnames for me and FQDNs not ending in the realm name.
Prior to this change, the only things that accepted the kerberos ticket and connected without a password prompt were shares accessed by FQDN where the realm name was the suffix.
How I got here:
The following will cause the gio mount command to produce a lot of debug output:
My active directory / kerberos realm is “ad.mydomain.tld”, but many AD-connected servers have canonical hostnames (and SPNs) ending in “other.mydomain.tld”.
In the output following a command like gio mount smb://{server}.other.mydomain.tld/{share}, it seemed to be trying to locate a KDC for a realm “other.mydomain.tld”.
There were also messages about accessing /var/lib/samba/lock/gencache.tdb which pointed me in the samba direction.
Everything works in the few remaining older systems on CentOS 7 connected to the domain with winbind instead of sssd.
Adding the kerberos-related configuration lines to smb.conf seemed to fix it and the realm setting alone appears to be sufficient.
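As an added example (not code from this thread, from Samba or from gvfs), here is a small POSIX shell helper for the fix described above: it reads the realm from the [global] section of an smb.conf, and inserts or replaces a `realm =` line there without touching other sections, so the change can be reviewed before it is installed on a host. The realm value, the file paths and the constructed smb.conf used in the demo are assumptions for the demonstration.

```shell
#!/bin/sh
# Added example (not from the forum thread): inspect and fix the `realm`
# setting in the [global] section of an smb.conf, since the thread found that
# gio/gvfs consults /etc/samba/smb.conf for Kerberos realm lookups even on
# hosts that run no smbd or winbind. Paths and realm values are assumptions.

# Print the value of `realm` from the [global] section of the given smb.conf,
# ignoring comment lines (# or ;), surrounding whitespace and key/section case.
# Exit status 1 if no realm is configured in [global].
smbconf_global_realm() {
    awk '
        /^[ \t]*[#;]/ { next }                             # comment line
        /^[ \t]*\[/   { s = tolower($0); gsub(/[][ \t]/, "", s); next }  # section header
        s == "global" && tolower($0) ~ /^[ \t]*realm[ \t]*=/ {
            sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t]+$/, ""); print; found = 1; exit
        }
        END { exit found ? 0 : 1 }
    ' "$1"
}

# Write a copy of smb.conf ($1) to stdout with `realm = $2` as the first
# setting of [global]; existing realm lines inside [global] are dropped so the
# operation is idempotent, and a [global] section is appended if none exists.
# Other sections (e.g. a per-share realm line) are left untouched.
smbconf_set_global_realm() {
    awk -v realm="$2" '
        /^[ \t]*[#;]/ { print; next }                      # keep comments verbatim
        /^[ \t]*\[/ {
            s = tolower($0); gsub(/[][ \t]/, "", s); print
            if (s == "global" && !done) { print "    realm = " realm; done = 1 }
            next
        }
        s == "global" && tolower($0) ~ /^[ \t]*realm[ \t]*=/ { next }   # drop stale realm
        { print }
        END { if (!done) { print "[global]"; print "    realm = " realm } }
    ' "$1"
}

# Demo on a constructed smb.conf in a temp dir (not a real system file):
# the file mirrors a domain-joined client with no realm set, the fix is applied,
# and the resulting [global] realm is printed.
demo_fix_realm() {
    dir=$(mktemp -d) || return 1
    cat > "$dir/smb.conf" <<'EOF'
[global]
    workgroup = MYDOMAIN
    security = ads
    # realm intentionally missing in this constructed sample
[homes]
    browseable = no
EOF
    smbconf_set_global_realm "$dir/smb.conf" "AD.MYDOMAIN.TLD" > "$dir/smb.conf.new" &&
        mv "$dir/smb.conf.new" "$dir/smb.conf"
    smbconf_global_realm "$dir/smb.conf"
    rc=$?
    rm -rf "$dir"
    return $rc
}

# On a real host (assumed paths) the same two steps would be:
#   smbconf_set_global_realm /etc/samba/smb.conf AD.MYDOMAIN.TLD > /tmp/smb.conf.new
#   diff -u /etc/samba/smb.conf /tmp/smb.conf.new   # review, then install as root
demo_fix_realm
```

The getter only honours a `realm` line that sits under `[global]`, which matches where the thread says the setting must live; a realm line under a share section is ignored so a misplaced entry is not mistaken for the fix.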