I am using Quest Authentication Services to integrate my Linux systems with our lab domain. I want to use the cached Kerberos tickets to authenticate without providing a password when mounting an exported SMB share using the command 'mount -t cifs <device> <dir> -o sec=krb5'. My understanding is that when request-key is called by the kernel, cifs.upcall is used to locate the cached Kerberos ticket. The problem I am having is that when I directly call cifs.upcall with the uid of the user, it does not return anything and it has an exit code of 1. If I look at /var/log/messages, I see the following log message related to the call:
Jun 19 09:55:03 merlin cifs.upcall: keyctl_describe_alloc failed: Required key not available
Per the cifs.upcall man page, I added the following two lines to request-key.conf:
create cifs.spnego * * /usr/local/sbin/cifs.upcall %k
create dns_resolver * * /usr/local/sbin/cifs.upcall %k
BK