[linux-cifs-client] Re: [PATCH 0/6] Introduction: implement
SPNEGO/Kerberos in CIFS (try #2)
Doug Kelly
dougk at dougk-ff7.net
Thu Nov 1 05:09:49 GMT 2007
Ok, I gave this patch a shot (using the 2.6.24-rc1 kernel), and the
patch applied cleanly, but mounting any CIFS share with Kerberos seems
to give an error:
kernel: CIFS VFS: Send error in SessSetup = -126
CIFS VFS: cifs_mount failed w/return code = -126
And from the command I'm using:
# mount -t cifs -o sec=krb5 //server/share testmount
mount error 126 = Required key not available
Refer to the mount.cifs(8) manual page (e.g.man mount.cifs)
Using krb5i gives a "signing required but server lacks support"
error. If I use plain password auth (remove the sec=krb5), I get the
share mounted without problems. From all the testing I've done, this
seems to be an issue within keyutils, which wouldn't surprise me (the
keyutils package didn't seem to install properly, no matter what I
did). I am using RHEL5, and the keyutils package it provides (I had
to grab the keyutils.h header from another system when building the
userspace program for the upcall, as well as symlink keyutils.so.? to
keyutils.so, I believe)... Unfortunately, I know absolutely nothing
about the way keyutils works. I have ensured klist shows I have a
Kerberos ticket, but if there's something I'm missing (or just don't
know about)... please let me know.
Also, might be worthwhile to point out, Q's userspace program for
handling the Kerberos upcall won't work out of the box with the second
proposed SPNEGO/Kerberos patch--I found writing a wrapper script
(since the data Q's program expects only seems to be an IP) or
altering the output from the cifs module seems to be necessary at this
time.
More information about the linux-cifs-client
mailing list