You noted that you can get "user Kerberos tickets as root" but you have a "key is not available" error.
find_krb5_cc: /tmp/krb5cc_1000 is owned by 1000, not 0
This error means mount.cifs does not have access to the Kerberos ticket because it is not owned by root (userid: 0), which calls mount.cifs. I would assume that the Kerberos tickets root obtained with a user's password were designated for use only by that user.
Now why does mount want the ticket to be owned by root?
This part of the first line:
uid=0x0;creduid=0x0;user=root;
may be the reason. Mount.cifs is being carried out as root. You might want to try changing uid and creduid to the useruid of the user.
I don't know where you're calling mount.cifs from, so I'm sorry if that's a little vague. Could you please give the mount.cifs command you're running and its options?
As for the share being "accessible for all users on the server":
I have pam_mount run after a user logs in and mount a share with their username, password and their Kerberos ticket, so I'm not using a keytab.
This is the mount command I'm calling:
mount -t cifs //<SERVER>/<VOLUME> <MOUNTPOINT> -o username=%(USER),sec=krb5,domain=<DOMAIN>,cruid=%(USERUID),uid=%(USERUID),gid=%(USERGID),rw
Add the authorized users to a single group. Also set file_mode= and dir_mode= to the correct permissions for the group to have read/write access to the file, something like 770.
Cron isn't using the ticket cache, either because it doesn't know to (KRB5CCNAME isn't set or passed to the job) or it can't read the cache (permissions on the cache prevent the user the job is running as from reading it).
Best Answer
Finally I found a workaround for it. I made a script to run as a service and, as root, kinit user machine account using /etc/krb5.keytab. Then I've added a line in FSTAB to use root's cache with the machine account's ticket and also added the multiuser option, and it works. So the main part is to use the CRUID option of CIFS and put in the id of the root user. So cifs will go and check the ticket in root's cache.
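
As an added illustration (not code from this thread or from cifs-utils): a small Python model of the ownership test behind the `find_krb5_cc` message quoted earlier, showing why a cache is skipped when the upcall's creduid does not match its owner and accepted once `cruid` names the owner. The function names, the fallback from creduid to uid, and the temporary directory standing in for /tmp are assumptions.

```python
import os
import tempfile

def parse_upcall_description(desc):
    """Parse 'key=value;' pairs; hex values such as creduid=0x0 become ints."""
    fields = {}
    for part in desc.strip().split(";"):
        key, sep, value = part.partition("=")
        if not sep:
            continue
        try:
            fields[key] = int(value, 16) if value.startswith("0x") else value
        except ValueError:
            fields[key] = value
    return fields

def check_ccaches(ccache_dir, creduid):
    """Sort krb5cc* files into usable / rejected for the requested creduid."""
    usable, rejected = [], []
    for name in sorted(os.listdir(ccache_dir)):
        if not name.startswith("krb5cc"):
            continue
        path = os.path.join(ccache_dir, name)
        owner = os.lstat(path).st_uid
        if owner == creduid:
            usable.append(path)
        else:
            # Same wording as the log line quoted on the page.
            rejected.append(f"{path} is owned by {owner}, not {creduid}")
    return usable, rejected

def diagnose(desc, ccache_dir):
    fields = parse_upcall_description(desc)
    # Assumption: fall back to uid when the description has no creduid.
    creduid = fields.get("creduid", fields.get("uid"))
    return (creduid, *check_ccaches(ccache_dir, creduid))

if __name__ == "__main__":
    me = os.geteuid()
    with tempfile.TemporaryDirectory() as d:   # constructed stand-in for /tmp
        open(os.path.join(d, f"krb5cc_{me}"), "w").close()
        # Fragment quoted on the page: the upcall asks for root's cache.
        print(diagnose("uid=0x0;creduid=0x0;user=root;", d))
        # Constructed: creduid set to the cache owner, as cruid=<uid> does.
        print(diagnose(f"uid=0x0;creduid={hex(me)};user=root;", d))
```

Pointing `diagnose` at the real cache directory with the description string from the debug log lists which caches match the requested creduid and which are skipped for ownership.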