[linux-cifs-client] mount.cifs with sec=krb5 where kerberos principal is not the same as file server

Andrew Baumann andrewb at inf.ethz.ch
Wed Oct 28 03:20:26 MDT 2009


Hi all,

I'm trying to get mount.cifs to work with kerberos authentication (sec=krb5).
smbclient -k works, however mount.cifs reports:

$ /sbin/mount.cifs //fs.systems.inf.ethz.ch/sharename ./mnt -o sec=krb5
mount error(126): Required key not available
Refer to the mount.cifs(8) manual page (e.g.man mount.cifs)

The dmesg output is as follows:
[3460893.349868]  /build/buildd/linux-2.6.28/fs/cifs/cifsfs.c: Devname: //fs.systems.inf.ethz.ch/sharename flags: 64
[3460893.349874]  /build/buildd/linux-2.6.28/fs/cifs/connect.c: CIFS VFS: in cifs_mount as Xid: 147 with uid: 0
[3460893.349882]  /build/buildd/linux-2.6.28/fs/cifs/connect.c: Username: username
[3460893.349885]  /build/buildd/linux-2.6.28/fs/cifs/connect.c: UNC: \\fs.systems.inf.ethz.ch\sharename ip: 129.132.19.42
[3460893.349894]  /build/buildd/linux-2.6.28/fs/cifs/connect.c: Socket created
[3460893.350930]  /build/buildd/linux-2.6.28/fs/cifs/connect.c: sndbuf 16384 rcvbuf 87380 rcvtimeo 0x7fffffffffffffff
[3460893.350973]  /build/buildd/linux-2.6.28/fs/cifs/connect.c: Existing smb sess not found
[3460893.350979]  /build/buildd/linux-2.6.28/fs/cifs/cifssmb.c: secFlags 0x8
[3460893.350981]  /build/buildd/linux-2.6.28/fs/cifs/cifssmb.c: Kerberos only mechanism, enable extended security
[3460893.350985]  /build/buildd/linux-2.6.28/fs/cifs/transport.c: For smb_command 114
[3460893.350988]  /build/buildd/linux-2.6.28/fs/cifs/transport.c: Sending smb of length 78
[3460893.351004]  /build/buildd/linux-2.6.28/fs/cifs/connect.c: Demultiplex PID: 28499
[3460893.354098]  /build/buildd/linux-2.6.28/fs/cifs/connect.c: rfc1002 length 0xb7
[3460893.355167]  /build/buildd/linux-2.6.28/fs/cifs/cifssmb.c: Dialect: 2
[3460893.355173]  /build/buildd/linux-2.6.28/fs/cifs/asn1.c: OID len = 7 oid = 0x1 0x2 0x348 0x1bb92
[3460893.355176]  /build/buildd/linux-2.6.28/fs/cifs/asn1.c: OID len = 7 oid = 0x1 0x2 0x348 0xbb92
[3460893.355179]  /build/buildd/linux-2.6.28/fs/cifs/asn1.c: OID len = 10 oid = 0x1 0x3 0x6 0x1
[3460893.355182]  /build/buildd/linux-2.6.28/fs/cifs/asn1.c: Need to call asn1_octets_decode() function for cifs/fs-srv1.inf.ethz.ch@D.ETHZ.CH
[3460893.355185]  /build/buildd/linux-2.6.28/fs/cifs/cifssmb.c: Signing disabled
[3460893.355190]  /build/buildd/linux-2.6.28/fs/cifs/cifssmb.c: negprot rc 0
[3460893.355192]  /build/buildd/linux-2.6.28/fs/cifs/connect.c: Security Mode: 0x3 Capabilities: 0x8000f3fd TimeAdjust: -3600
[3460893.355196]  /build/buildd/linux-2.6.28/fs/cifs/sess.c: sess setup type 6
[3460893.355202]  /build/buildd/linux-2.6.28/fs/cifs/cifs_spnego.c: key description = ver=0x2;host=fs.systems.inf.ethz.ch;ip4=129.132.19.42;sec=krb5;uid=0xc926;user=username
[3460893.410781]  /build/buildd/linux-2.6.28/fs/cifs/sess.c: ssetup freeing small buf ffff880114155dc0
[3460893.410786]  CIFS VFS: Send error in SessSetup = -126
[3460893.410796]  /build/buildd/linux-2.6.28/fs/cifs/connect.c: CIFS VFS: leaving cifs_mount (xid = 147) rc = -126
[3460893.410799]  CIFS VFS: cifs_mount failed w/return code = -126

... from this, and looking at packet capture logs, it seems that the negotiate
response from the server specifies a principal of cifs/fs-srv1.inf.ethz.ch@D.ETHZ.CH;
however, the cifs code persists in trying to get a kerberos ticket for the file
server host (fs.systems.inf.ethz.ch), which fails. smbclient gets this right and
presents the cached ticket for cifs/fs-srv1.inf.ethz.ch@D.ETHZ.CH.

Note that fs-srv1 is really a different host from the file server, so I cannot
work around this problem by simply mounting with a different host name.

Here is the full negotiate response from the server (and I can send other
packet logs if useful):

NetBIOS Session Service
    Message Type: Session message
    Length: 179
SMB (Server Message Block Protocol)
    SMB Header
        Server Component: SMB
        [Response to: 4]
        [Time from request: 0.001272000 seconds]
        SMB Command: Negotiate Protocol (0x72)
        NT Status: STATUS_SUCCESS (0x00000000)
        Flags: 0x88
            1... .... = Request/Response: Message is a response to the client/redirector
            .0.. .... = Notify: Notify client only on open
            ..0. .... = Oplocks: OpLock not requested/granted
            ...0 .... = Canonicalized Pathnames: Pathnames are not canonicalized
            .... 1... = Case Sensitivity: Path names are caseless
            .... ..0. = Receive Buffer Posted: Receive buffer has not been posted
            .... ...0 = Lock and Read: Lock&Read, Write&Unlock are not supported
        Flags2: 0xc801
            1... .... .... .... = Unicode Strings: Strings are Unicode
            .1.. .... .... .... = Error Code Type: Error codes are NT error codes
            ..0. .... .... .... = Execute-only Reads: Don't permit reads if execute-only
            ...0 .... .... .... = Dfs: Don't resolve pathnames with Dfs
            .... 1... .... .... = Extended Security Negotiation: Extended security negotiation is supported
            .... .... .0.. .... = Long Names Used: Path names in request are not long file names
            .... .... .... .0.. = Security Signatures: Security signatures are not supported
            .... .... .... ..0. = Extended Attributes: Extended attributes are not supported
            .... .... .... ...1 = Long Names Allowed: Long file names are allowed in the response
        Process ID High: 0
        Signature: 0000000000000000
        Reserved: 0000
        Tree ID: 0
        Process ID: 28048
        User ID: 0
        Multiplex ID: 1
    Negotiate Protocol Response (0x72)
        Word Count (WCT): 17
        Dialect Index: 8, greater than LANMAN2.1
        Security Mode: 0x03
            .... ...1 = Mode: USER security mode
            .... ..1. = Password: ENCRYPTED password. Use challenge/response
            .... .0.. = Signatures: Security signatures NOT enabled
            .... 0... = Sig Req: Security signatures NOT required
        Max Mpx Count: 50
        Max VCs: 1
        Max Buffer Size: 16644
        Max Raw Buffer: 65536
        Session Key: 0x00001ed9
        Capabilities: 0x8000f3fd
            .... .... .... .... .... .... .... ...1 = Raw Mode: Read Raw and Write Raw are supported
            .... .... .... .... .... .... .... ..0. = MPX Mode: Read Mpx and Write Mpx are not supported
            .... .... .... .... .... .... .... .1.. = Unicode: Unicode strings are supported
            .... .... .... .... .... .... .... 1... = Large Files: Large files are supported
            .... .... .... .... .... .... ...1 .... = NT SMBs: NT SMBs are supported
            .... .... .... .... .... .... ..1. .... = RPC Remote APIs: RPC remote APIs are supported
            .... .... .... .... .... .... .1.. .... = NT Status Codes: NT status codes are supported
            .... .... .... .... .... .... 1... .... = Level 2 Oplocks: Level 2 oplocks are supported
            .... .... .... .... .... ...1 .... .... = Lock and Read: Lock and Read is supported
            .... .... .... .... .... ..1. .... .... = NT Find: NT Find is supported
            .... .... .... .... ...1 .... .... .... = Dfs: Dfs is supported
            .... .... .... .... ..1. .... .... .... = Infolevel Passthru: NT information level request passthrough is supported
            .... .... .... .... .1.. .... .... .... = Large ReadX: Large Read andX is supported
            .... .... .... .... 1... .... .... .... = Large WriteX: Large Write andX is supported
            .... .... 0... .... .... .... .... .... = UNIX: UNIX extensions are not supported
            .... ..0. .... .... .... .... .... .... = Reserved: Reserved
            ..0. .... .... .... .... .... .... .... = Bulk Transfer: Bulk Read and Bulk Write are not supported
            .0.. .... .... .... .... .... .... .... = Compressed Data: Compressed data transfer is not supported
            1... .... .... .... .... .... .... .... = Extended Security: Extended security exchanges are supported
        System Time: Oct 28, 2009 09:42:32.000000000
        Server Time Zone: -60 min from UTC
        Key Length: 0
        Byte Count (BCC): 110
        Server GUID: 66732D73727631000000000000000000
        Security Blob: 605C06062B0601050502A0523050A024302206092A864886...
            GSS-API Generic Security Service Application Program Interface
                OID: 1.3.6.1.5.5.2 (SPNEGO - Simple Protected Negotiation)
                SPNEGO
                    negTokenInit
                        mechTypes: 3 items
                            Item: 1.2.840.113554.1.2.2 (KRB5 - Kerberos 5)
                            Item: 1.2.840.48018.1.2.2 (MS KRB5 - Microsoft Kerberos 5)
                            Item: 1.3.6.1.4.1.311.2.2.10 (NTLMSSP - Microsoft NTLM Security Support Provider)
                        mechListMIC: 3026A0241B22636966732F66732D737276312E696E662E65...
                            principal: cifs/fs-srv1.inf.ethz.ch@D.ETHZ.CH


$ uname -a
Linux prak 2.6.28-15-generic #49-Ubuntu SMP Tue Aug 18 19:25:34 UTC 2009 x86_64 GNU/Linux
$ /sbin/mount.cifs -V
mount.cifs version: 1.12-3.3.2
$ smbclient -V
Version 3.3.2
$ /usr/sbin/cifs.upcall -v
version: 1.2
$ grep cifs /etc/request-key.conf
create  cifs.spnego     *       *               /usr/sbin/cifs.upcall -c %k %d
create  dns_resolver    *       *               /usr/sbin/cifs.upcall -c %k

Cheers,
Andrew
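The mismatch described in this report, as an added example (not code from the original post, from the Linux cifs client or from cifs.upcall): a small DER walker that takes the SPNEGO negTokenInit from the Negotiate Protocol response, lists the mechTypes the server offers, pulls the service principal out of the slot the capture labels mechListMIC (Microsoft's NegTokenInit2 defines it as negHints/hintName), and compares it with the cifs/<host> name a client would derive from the `host=` field of the cifs.spnego key description. SECURITY_BLOB is constructed: its leading bytes and the mechListMIC prefix are the ones the capture prints, and the truncated tail is filled in from the three mechTypes and the principal the capture decodes, which also gives the 94-byte blob length implied by BCC 110 minus the 16-byte GUID. KEY_DESCRIPTION is the line from the dmesg trace.

```python
"""Parse an SMB Negotiate Protocol SPNEGO blob and compare the server's
principal hint with the service name derived from the mount host.

Added example; not from the original post, the cifs kernel code or cifs.upcall.
"""

SPNEGO_OID = "1.3.6.1.5.5.2"
KNOWN_MECHS = {
    "1.2.840.113554.1.2.2": "KRB5",
    "1.2.840.48018.1.2.2": "MS KRB5",
    "1.3.6.1.4.1.311.2.2.10": "NTLMSSP",
}

# Constructed 94-byte security blob: GSS-API InitialContextToken wrapping SPNEGO.
SECURITY_BLOB = bytes.fromhex(
    "605C"                         # [APPLICATION 0], length 92
    "06062B0601050502"             # OID 1.3.6.1.5.5.2 (SPNEGO)
    "A052" "3050"                  # [0] negTokenInit { SEQUENCE (80 bytes)
    "A024" "3022"                  #   [0] mechTypes: SEQUENCE OF OID
    "06092A864886F712010202"       #     1.2.840.113554.1.2.2 (KRB5)
    "06092A864882F712010202"       #     1.2.840.48018.1.2.2 (MS KRB5)
    "060A2B06010401823702020A"     #     1.3.6.1.4.1.311.2.2.10 (NTLMSSP)
    "A328" "3026" "A024" "1B22"    #   [3] "mechListMIC": SEQUENCE { [0] GeneralString }
    + "cifs/fs-srv1.inf.ethz.ch@D.ETHZ.CH".encode().hex()
)

# Key description the kernel handed to request-key (copied from the dmesg trace).
KEY_DESCRIPTION = ("ver=0x2;host=fs.systems.inf.ethz.ch;ip4=129.132.19.42;"
                   "sec=krb5;uid=0xc926;user=username")


def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def decode_oid(raw):
    """Decode DER OID contents into dotted form (first byte packs two arcs)."""
    arcs = [raw[0] // 40, raw[0] % 40]
    value = 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))


def principal_from_hint(hint):
    """SEQUENCE { [0] GeneralString } -> principal, or None if shaped differently."""
    tag, seq, _ = read_tlv(hint, 0)
    if tag != 0x30:
        return None
    tag, ctx, _ = read_tlv(seq, 0)
    if tag != 0xA0:
        return None
    tag, text, _ = read_tlv(ctx, 0)
    return text.decode("ascii") if tag == 0x1B else None


def parse_neg_token_init(blob):
    """Return {'mechTypes': [dotted OIDs], 'principal': str|None} from the blob."""
    tag, body, _ = read_tlv(blob, 0)
    if tag != 0x60:
        raise ValueError("not a GSS-API InitialContextToken")
    tag, oid, pos = read_tlv(body, 0)
    if tag != 0x06 or decode_oid(oid) != SPNEGO_OID:
        raise ValueError("not SPNEGO")
    tag, nti, _ = read_tlv(body, pos)
    if tag != 0xA0:
        raise ValueError("expected negTokenInit [0]")
    tag, seq, _ = read_tlv(nti, 0)
    if tag != 0x30:
        raise ValueError("negTokenInit is not a SEQUENCE")
    result = {"mechTypes": [], "principal": None}
    pos = 0
    while pos < len(seq):
        tag, val, pos = read_tlv(seq, pos)
        if tag == 0xA0:                     # [0] mechTypes: SEQUENCE OF OID
            _, lst, _ = read_tlv(val, 0)
            p = 0
            while p < len(lst):
                t, o, p = read_tlv(lst, p)
                if t == 0x06:
                    result["mechTypes"].append(decode_oid(o))
        elif tag == 0xA3:                   # [3] negHints / "mechListMIC"
            result["principal"] = principal_from_hint(val)
    return result


def parse_key_description(desc):
    """Split the 'k=v;k=v' description cifs.upcall receives via request-key."""
    return dict(field.split("=", 1) for field in desc.split(";"))


def requested_service(desc):
    """Service name (realm omitted) a client derives from the mount host."""
    return "cifs/" + parse_key_description(desc)["host"]


def compare(blob, desc):
    """Report what the server hinted versus what the client would request."""
    info = parse_neg_token_init(blob)
    hinted = info["principal"]
    derived = requested_service(desc)
    hinted_service = hinted.split("@", 1)[0] if hinted else None
    return {
        "mechs": [KNOWN_MECHS.get(m, m) for m in info["mechTypes"]],
        "server_hint": hinted,
        "client_derived": derived,
        "match": hinted_service == derived,
    }


if __name__ == "__main__":
    r = compare(SECURITY_BLOB, KEY_DESCRIPTION)
    print("server offers :", ", ".join(r["mechs"]))
    print("server hint   :", r["server_hint"])
    print("client derives:", r["client_derived"])
    print("match         :", r["match"])
```

Run as-is it reports the server hint cifs/fs-srv1.inf.ethz.ch@D.ETHZ.CH against the client-derived cifs/fs.systems.inf.ethz.ch and match False, which is the state the trace ends in before the -126 (ENOKEY) from SessSetup. One caveat worth keeping in mind when deciding whether a client should follow the hint: it arrives in the Negotiate response, before any authentication and (per "Signing disabled" in the trace) unsigned, so a client that honours it is letting the peer choose which principal in the realm it requests a ticket for and authenticates to.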