[linux-cifs-client] Re: [PATCH 0/6] Introduction: implement SPNEGO/Kerberos in CIFS (try #2)

[Doug Kelly]

Ok, I gave this patch a shot (using the 2.6.24-rc1 kernel), and the  
patch applied cleanly, but mounting any CIFS share with Kerberos seems  
to give an error:
kernel:  CIFS VFS: Send error in SessSetup = -126
CIFS VFS: cifs_mount failed w/return code = -126

And from the command I'm using:
# mount -t cifs -o sec=krb5 //server/share testmount
mount error 126 = Required key not available
Refer to the mount.cifs(8) manual page (e.g.man mount.cifs)

Using krb5i gives a "signing required but server lacks support"  
error.  If I use plain password auth (remove the sec=krb5), I get the  
share mounted without problems.  From all the testing I've done, this  
seems to be an issue within keyutils, which wouldn't surprise me (the  
keyutils package didn't seem to install properly, no matter what I  
did).  I am using RHEL5, and the keyutils package it provides (I had  
to grab the keyutils.h header from another system when building the  
userspace program for the upcall, as well as symlink keyutils.so.? to  
keyutils.so, I believe)...  Unfortunately, I know absolutely nothing  
about the way keyutils works.  I have ensured klist shows I have a  
Kerberos ticket, but if there's something I'm missing (or just don't  
know about)... please let me know.

Also, might be worthwhile to point out, Q's userspace program for  
handling the Kerberos upcall won't work out of the box with the second  
proposed SPNEGO/Kerberos patch--I found writing a wrapper script  
(since the data Q's program expects only seems to be an IP) or  
altering the output from the cifs module seems to be necessary at this  
time.