[linux-cifs-client] Using mount.cifs with krb5/SPNEGO Win2k3 share

Jeff Layton jlayton at redhat.com
Tue Feb 5 12:52:10 GMT 2008


On Tue, 05 Feb 2008 12:21:55 +0000
Seb James <seb at esfnet.co.uk> wrote:

> Hi List,
> 
> I'm having a real problem mounting a share on a Windows 2003 server, and
> the problem seems related to the authentication methods available on the
> server.
> 
> Symptoms:
> The call to mount.cifs appears to mount the share, and df -h shows the
> share, but I cannot write any data to the share.
> 
> Server Setup:
> The share has been set up on the Win2k3 server with write access
> allowed for this user - I have been sent a screenshot of the share's
> "Properties" window. I don't have any control over the Win2k3 server
> myself. I don't have any info from the admin about what authentication
> methods they are using.
> 
> Client software versions:
> root at cifsclient:root # mount.cifs --version
> mount.cifs version: 1.10-3.0.24
> Linux kernel version is 2.6.11 (yes, I know it's old).
> 

SPNEGO support is very new. It just went in in 2.6.24 -- you'll also
need the cifs.spnego upcall program to use it.

> Reading the Manual:
> I seem to have discovered (by reading the Linux CIFS Client Guide)
> that this is an authentication/kerberos issue - the site certainly
> uses Active Directory to a fairly great extent and I suspect they are
> using krb5/spnego authentication. Do the attached logs bear this out?
> (Aside: What does spnego stand for?)
> 
> Questions:
> * Should I be able to use NTLMv2 with this site if I (use the) backport
> version 1.47 (or later) of the cifs client into my 2.6.11 kernel?

IIRC, it depends on the server's security policy.

> * Is Kerberos support available in cifs version 1.50 (The latest
> mainline version as I write this)?

I don't believe so -- 1.52, I believe. If you really want kerberos
support for that old kernel, then you'll probably want to use Steve's
backported source tarballs and then backport patches out of the
cifs-2.6 git tree until you have Kerberos support.

> * What should I look for in the cifsFYI (or smbclient debug) output to
> work out what authentication schemes the server provides/requires?
> 

I usually sniff traffic and look for the Negotiate Protocol packets,
but it may show up in debug info too.

> Debug Output:
> I've appended the cifsFYI output from the cifsclient syslog here, for
> the mount/attempt-to-create-file/unmount actions.
> 
> The machine running the mount.cifs command is called "cifsclient".
> The domain is SRVDOM and the share name is LOGSPACE. The username for
> this share is LOGSPACE also and the password is 12345.
> 
> In DebugData, I think I need to understand this:
> Capabilities: 0x1f3fd

I believe that's the bitmask of capabilities for the server (stuff like
posix extensions, etc).

> and also this:
> 1) \\172.20.3.62\logspace Uses: 1 Type: NTFS Characteristics: 0x20 Attributes: 0x700ff
> - in particular the Attributes.
> 

Don't recall, though I don't believe that's the security mask.

> I will go and have a look at the kernel source to figure these out..
> 
> Many thanks for reading,
> 
> Seb James
> 
> First we mount the share:
> 
> root at cifsclient:/tmp # mount.cifs \\\\172.20.3.62\\logspace /tmp/log -o user='SRVDOM\LOGSPACE',pass='12345',ip=172.20.3.62
> root at cifsclient:/tmp # 
> 
> Output in syslog (/proc/fs/cifs/cifsFYI is set to "1"):
> -------------------
> Feb  5 10:50:54 cifsclient kernel:  fs/cifs/cifsfs.c: Devname: //172.20.3.62/logspace flags: 64 
> Feb  5 10:50:54 cifsclient kernel:  fs/cifs/connect.c: CIFS VFS: in cifs_mount as Xid: 79 with uid: 0
> Feb  5 10:50:54 cifsclient kernel:  fs/cifs/connect.c: Domain name set
> Feb  5 10:50:54 cifsclient kernel:  fs/cifs/connect.c: Username: LOGSPACE 
> Feb  5 10:50:54 cifsclient kernel:  fs/cifs/connect.c: UNC: \\172.20.3.62\logspace ip: 172.20.3.62
> Feb  5 10:50:54 cifsclient kernel:  fs/cifs/connect.c: Socket created
> Feb  5 10:50:54 cifsclient kernel:  fs/cifs/connect.c: Existing smb sess not found 
> Feb  5 10:50:54 cifsclient kernel:  fs/cifs/transport.c: For smb_command 114
> Feb  5 10:50:54 cifsclient kernel:  fs/cifs/transport.c: Sending smb of length 47 
> Feb  5 10:50:54 cifsclient kernel:  fs/cifs/connect.c: Demultiplex PID: 716
> Feb  5 10:50:54 cifsclient kernel:  fs/cifs/connect.c: Peek length rcvd: 0x24 beginning 0x77)
> Feb  5 10:50:54 cifsclient kernel:  fs/cifs/connect.c:  Mid 0x70 matched - waking up 
> Feb  5 10:50:54 cifsclient kernel:  fs/cifs/connect.c: Security Mode: 0xf Capabilities: 0x1f3fd Time Zone: 0

I think the Security Mode printk here might be a good place to start.
Note that negotiating security in CIFS is rather tricky since the
server and client have to agree on a set of options. The code to do
that is somewhat less than straightforward.

> Feb  5 10:50:54 cifsclient kernel:  fs/cifs/connect.c: In sesssetup 
> Feb  5 10:50:54 cifsclient kernel:  fs/cifs/transport.c: For smb_command 115
> Feb  5 10:50:54 cifsclient kernel:  fs/cifs/transport.c: Sending smb of length 286 
> Feb  5 10:50:54 cifsclient kernel:  fs/cifs/connect.c: Peek length rcvd: 0x24 beginning 0xcb)
> Feb  5 10:50:54 cifsclient kernel:  fs/cifs/connect.c:  Mid 0x71 matched - waking up 
> Feb  5 10:50:54 cifsclient kernel:  fs/cifs/transport.c: Unexpected signature received from server
> Feb  5 10:50:54 cifsclient kernel:  fs/cifs/connect.c: UID = 34819 
> Feb  5 10:50:54 cifsclient kernel:  fs/cifs/connect.c: CIFS Session Established successfully
> Feb  5 10:50:54 cifsclient kernel:  fs/cifs/connect.c: file mode: 0x7f7  dir mode: 0x1ff
> Feb  5 10:50:54 cifsclient kernel:  fs/cifs/transport.c: For smb_command 117
> Feb  5 10:50:54 cifsclient kernel:  fs/cifs/transport.c: Sending smb of length 94 
> Feb  5 10:50:54 cifsclient kernel:  fs/cifs/connect.c: Peek length rcvd: 0x24 beginning 0x42)
> Feb  5 10:50:54 cifsclient kernel:  fs/cifs/connect.c:  Mid 0x72 matched - waking up 
> Feb  5 10:50:54 cifsclient kernel:  fs/cifs/transport.c: Unexpected signature received from server

^^^
Sounds like you didn't have signing enabled, but the server requires it.

> Feb  5 10:50:54 cifsclient kernel:  fs/cifs/connect.c: Tcon flags: 0x1 
> Feb  5 10:50:54 cifsclient kernel:  fs/cifs/connect.c: CIFS Tcon rc = 0
> Feb  5 10:50:54 cifsclient kernel:  fs/cifs/cifssmb.c: In QFSDeviceInfo
> Feb  5 10:50:54 cifsclient kernel:  fs/cifs/transport.c: For smb_command 50
> Feb  5 10:50:54 cifsclient kernel:  fs/cifs/transport.c: Sending smb of length 68 
> Feb  5 10:50:54 cifsclient kernel:  fs/cifs/connect.c: Peek length rcvd: 0x24 beginning 0x44)
> Feb  5 10:50:54 cifsclient kernel:  fs/cifs/connect.c:  Mid 0x73 matched - waking up 
> Feb  5 10:50:54 cifsclient kernel:  fs/cifs/transport.c: Unexpected signature received from server
> Feb  5 10:50:54 cifsclient kernel:  fs/cifs/cifssmb.c: In QFSAttributeInfo
> Feb  5 10:50:54 cifsclient kernel:  fs/cifs/transport.c: For smb_command 50
> Feb  5 10:50:54 cifsclient kernel:  fs/cifs/transport.c: Sending smb of length 68 
> Feb  5 10:50:54 cifsclient kernel:  fs/cifs/connect.c: Peek length rcvd: 0x24 beginning 0x50)
> Feb  5 10:50:54 cifsclient kernel:  fs/cifs/connect.c:  Mid 0x74 matched - waking up 
> Feb  5 10:50:54 cifsclient kernel:  fs/cifs/transport.c: Unexpected signature received from server
> Feb  5 10:50:54 cifsclient kernel:  fs/cifs/connect.c: CIFS VFS: leaving cifs_mount (xid = 79) rc = 0
> Feb  5 10:50:54 cifsclient kernel:  fs/cifs/inode.c: CIFS VFS: in cifs_read_inode as Xid: 80 with uid: 0
> Feb  5 10:50:54 cifsclient kernel:  fs/cifs/inode.c: Getting info on  
> Feb  5 10:50:54 cifsclient kernel:  fs/cifs/transport.c: For smb_command 50
> Feb  5 10:50:54 cifsclient kernel:  fs/cifs/transport.c: Sending smb of length 74 
> Feb  5 10:50:54 cifsclient kernel:  fs/cifs/connect.c: Peek length rcvd: 0x24 beginning 0x98)
> Feb  5 10:50:54 cifsclient kernel:  fs/cifs/connect.c:  Mid 0x75 matched - waking up 
> Feb  5 10:50:54 cifsclient kernel:  fs/cifs/transport.c: Unexpected signature received from server
> Feb  5 10:50:54 cifsclient kernel:  fs/cifs/inode.c:  Old time 0 
> Feb  5 10:50:54 cifsclient kernel:  fs/cifs/inode.c:  New time 2582816 
> Feb  5 10:50:54 cifsclient kernel:  fs/cifs/inode.c:  Directory inode 
> -------------------
> 
> And the output from DebugData:
> 
> root at cifsclient:/tmp # cat /proc/fs/cifs/DebugData 
> Display Internal CIFS Data Structures for Debugging
> ---------------------------------------------------
> Servers:
> 
> 1) Name: 172.20.3.62  Domain: SRVDOM Mounts: 1 ServerOS: Windows Server 2003 R2 3790 Service Pack 2  
>         ServerNOS: Windows Server 2003 R2 5.2   Capabilities: 0x1f3fd
>         SMB session status: 1   TCP status: 1
>         Local Users To Server: 1 SecMode: 0xf Req Active: 0
> MIDs: 
> 
> 
> Shares:
> 
> 1) \\172.20.3.62\logspace Uses: 1 Type: NTFS Characteristics: 0x20 Attributes: 0x700ff
> PathComponentMax: 255 Status: 1 type: DISK 
> root at cifsclient:/tmp # 
> 
> Second: Now that the share is mounted, let's try to create a test file:
> 
> root at cifsclient:/tmp # touch log/testfile
> touch: log/testfile: Permission denied
> root at cifsclient:/tmp # 
> 
> Output in syslog:
> -----------------------
> Feb  5 10:53:24 cifsclient kernel:  fs/cifs/dir.c: CIFS VFS: in cifs_lookup as Xid: 81 with uid: 0
> Feb  5 10:53:24 cifsclient kernel:  fs/cifs/dir.c:  parent inode = 0xf6c6fdec name is: testfile and dentry = 0xf72de900
> Feb  5 10:53:24 cifsclient kernel:  fs/cifs/dir.c:  NULL inode in lookup
> Feb  5 10:53:24 cifsclient kernel:  fs/cifs/dir.c:  Full path: \testfile inode = 0x00000000
> Feb  5 10:53:24 cifsclient kernel:  fs/cifs/inode.c: Getting info on \testfile 
> Feb  5 10:53:24 cifsclient kernel:  fs/cifs/transport.c: For smb_command 50
> Feb  5 10:53:24 cifsclient kernel:  fs/cifs/transport.c: Sending smb of length 92 
> Feb  5 10:53:24 cifsclient kernel:  fs/cifs/connect.c: Peek length rcvd: 0x24 beginning 0x27)
> Feb  5 10:53:24 cifsclient kernel:  fs/cifs/connect.c:  Mid 0x76 matched - waking up 
> Feb  5 10:53:24 cifsclient kernel:  fs/cifs/transport.c: Unexpected signature received from server
> Feb  5 10:53:24 cifsclient kernel: Status code returned 0xc0000034 NT_STATUS_OBJECT_NAME_NOT_FOUND
> Feb  5 10:53:24 cifsclient kernel:  fs/cifs/netmisc.c:  !!Mapping smb error code 2 to POSIX err -2 !!
> Feb  5 10:53:24 cifsclient kernel:  fs/cifs/cifssmb.c: Send error in QPathInfo = -2
> Feb  5 10:53:24 cifsclient kernel:  fs/cifs/dir.c: CIFS VFS: leaving cifs_lookup (xid = 81) rc = 0
> Feb  5 10:53:24 cifsclient kernel:  fs/cifs/dir.c: CIFS VFS: in cifs_create as Xid: 82 with uid: 0
> Feb  5 10:53:24 cifsclient kernel:  fs/cifs/transport.c: For smb_command 162
> Feb  5 10:53:24 cifsclient kernel:  fs/cifs/transport.c: Sending smb of length 104 
> Feb  5 10:53:24 cifsclient kernel:  fs/cifs/connect.c: Peek length rcvd: 0x24 beginning 0x27)
> Feb  5 10:53:24 cifsclient kernel:  fs/cifs/connect.c:  Mid 0x77 matched - waking up 
> Feb  5 10:53:24 cifsclient kernel:  fs/cifs/transport.c: Unexpected signature received from server
> Feb  5 10:53:24 cifsclient kernel: Status code returned 0xc0000022 NT_STATUS_ACCESS_DENIED
> Feb  5 10:53:24 cifsclient kernel:  fs/cifs/netmisc.c:  !!Mapping smb error code 5 to POSIX err -13 !!
> Feb  5 10:53:24 cifsclient kernel:  fs/cifs/cifssmb.c: Error in Open = -13
> Feb  5 10:53:24 cifsclient kernel:  fs/cifs/dir.c: cifs_create returned 0xfffffff3 
> Feb  5 10:53:24 cifsclient kernel:  fs/cifs/dir.c: CIFS VFS: leaving cifs_create (xid = 82) rc = -13
> -----------------------
> 
> Third: unmount the share again:
> root at cifsclient:/tmp # umount /tmp/log
> root at cifsclient:/tmp # 
> 
> -----------------------
> Feb  5 10:54:38 cifsclient kernel:  fs/cifs/inode.c: CIFS VFS: in cifs_revalidate as Xid: 83 with uid: 0
> Feb  5 10:54:38 cifsclient kernel:  fs/cifs/inode.c: Revalidate:  inode 0xf6c6fdec count 1 dentry: 0xf72debd0 d_time 0 jiffies 2806797
> Feb  5 10:54:38 cifsclient kernel:  fs/cifs/inode.c: Getting info on  
> Feb  5 10:54:38 cifsclient kernel:  fs/cifs/transport.c: For smb_command 50
> Feb  5 10:54:38 cifsclient kernel:  fs/cifs/transport.c: Sending smb of length 74 
> Feb  5 10:54:38 cifsclient kernel:  fs/cifs/connect.c: Peek length rcvd: 0x24 beginning 0x98)
> Feb  5 10:54:38 cifsclient kernel:  fs/cifs/connect.c:  Mid 0x78 matched - waking up 
> Feb  5 10:54:38 cifsclient kernel:  fs/cifs/transport.c: Unexpected signature received from server
> Feb  5 10:54:38 cifsclient kernel:  fs/cifs/inode.c:  Old time 2582816 
> Feb  5 10:54:38 cifsclient kernel:  fs/cifs/inode.c:  New time 2806797 
> Feb  5 10:54:38 cifsclient kernel:  fs/cifs/inode.c:  Directory inode 
> Feb  5 10:54:38 cifsclient kernel:  fs/cifs/inode.c: cifs_revalidate - inode unchanged
> Feb  5 10:54:38 cifsclient kernel:  fs/cifs/inode.c: CIFS VFS: leaving cifs_revalidate (xid = 83) rc = 0
> Feb  5 10:54:38 cifsclient kernel:  fs/cifs/cifsfs.c: In cifs_put_super
> Feb  5 10:54:38 cifsclient kernel:  fs/cifs/connect.c: CIFS VFS: in cifs_umount as Xid: 84 with uid: 0
> Feb  5 10:54:38 cifsclient kernel:  fs/cifs/cifssmb.c: In tree disconnect
> Feb  5 10:54:38 cifsclient kernel:  fs/cifs/transport.c: For smb_command 113
> Feb  5 10:54:38 cifsclient kernel:  fs/cifs/transport.c: Sending smb of length 35 
> Feb  5 10:54:38 cifsclient kernel:  fs/cifs/connect.c: Peek length rcvd: 0x24 beginning 0x27)
> Feb  5 10:54:38 cifsclient kernel:  fs/cifs/connect.c:  Mid 0x79 matched - waking up 
> Feb  5 10:54:38 cifsclient kernel:  fs/cifs/transport.c: Unexpected signature received from server
> Feb  5 10:54:38 cifsclient kernel:  fs/cifs/connect.c: About to do SMBLogoff 
> Feb  5 10:54:38 cifsclient kernel:  fs/cifs/cifssmb.c: In SMBLogoff for session disconnect
> Feb  5 10:54:38 cifsclient kernel:  fs/cifs/transport.c: For smb_command 116
> Feb  5 10:54:38 cifsclient kernel:  fs/cifs/transport.c: Sending smb of length 39 
> Feb  5 10:54:38 cifsclient kernel:  fs/cifs/connect.c: Peek length rcvd: 0x24 beginning 0x2b)
> Feb  5 10:54:38 cifsclient kernel:  fs/cifs/connect.c:  Mid 0x7a matched - waking up 
> Feb  5 10:54:38 cifsclient kernel:  fs/cifs/transport.c: Unexpected signature received from server
> Feb  5 10:54:38 cifsclient kernel:  fs/cifs/connect.c: Waking up socket by sending it signal
> Feb  5 10:54:38 cifsclient kernel:  fs/cifs/connect.c: Wait for exit from demultiplex thread
> Feb  5 10:54:39 cifsclient kernel:  fs/cifs/connect.c: CIFS VFS: leaving cifs_umount (xid = 84) rc = 0
> -----------------------
> 



-- 
Jeff Layton <jlayton at redhat.com>
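
Added example (not part of the original thread and not code from the cifs project): a decoder for the `Security Mode` and `Capabilities` values discussed above, using the SMB1 negotiate-response bit definitions from the kernel's fs/cifs/cifspdu.h. The function names are hypothetical, and the sample lines are copied from the syslog excerpt quoted in the message.

```python
import re

# Bit names as defined for the SMB1 negotiate response (fs/cifs/cifspdu.h).
SECMODE = {0x01: "SECMODE_USER", 0x02: "SECMODE_PW_ENCRYPT",
           0x04: "SECMODE_SIGN_ENABLED", 0x08: "SECMODE_SIGN_REQUIRED"}
CAPS = {0x1: "CAP_RAW_MODE", 0x2: "CAP_MPX_MODE", 0x4: "CAP_UNICODE",
        0x8: "CAP_LARGE_FILES", 0x10: "CAP_NT_SMBS",
        0x20: "CAP_RPC_REMOTE_APIS", 0x40: "CAP_STATUS32",
        0x80: "CAP_LEVEL_II_OPLOCKS", 0x100: "CAP_LOCK_AND_READ",
        0x200: "CAP_NT_FIND", 0x1000: "CAP_DFS",
        0x2000: "CAP_INFOLEVEL_PASSTHRU", 0x4000: "CAP_LARGE_READ_X",
        0x8000: "CAP_LARGE_WRITE_X", 0x10000: "CAP_LWIO",
        0x800000: "CAP_UNIX", 0x80000000: "CAP_EXTENDED_SECURITY"}

NEG_RE = re.compile(
    r"Security Mode: (0x[0-9a-fA-F]+) Capabilities: (0x[0-9a-fA-F]+)")
SIG_WARNING = "Unexpected signature received from server"

def decode(value, table):
    """Return (names of set bits, leftover bits not named in the table)."""
    names = [name for bit, name in sorted(table.items()) if value & bit]
    return names, value & ~sum(table)  # keys are distinct bits, so sum == OR

def summarize(log_text):
    """Pull the negotiate result and signing warnings out of cifsFYI output."""
    report = {"sec_mode": None, "caps": None, "unknown_bits": 0,
              "signing_required": None, "extended_security": None,
              "signature_warnings": log_text.count(SIG_WARNING)}
    m = NEG_RE.search(log_text)
    if m:
        sec, sec_unknown = decode(int(m.group(1), 16), SECMODE)
        caps, cap_unknown = decode(int(m.group(2), 16), CAPS)
        report.update(sec_mode=sec, caps=caps,
                      unknown_bits=sec_unknown | cap_unknown,
                      signing_required="SECMODE_SIGN_REQUIRED" in sec,
                      extended_security="CAP_EXTENDED_SECURITY" in caps)
    return report

# Three lines copied from the syslog excerpt quoted in the message above.
SAMPLE = """\
Feb  5 10:50:54 cifsclient kernel:  fs/cifs/connect.c: Security Mode: 0xf Capabilities: 0x1f3fd Time Zone: 0
Feb  5 10:50:54 cifsclient kernel:  fs/cifs/connect.c: In sesssetup 
Feb  5 10:50:54 cifsclient kernel:  fs/cifs/transport.c: Unexpected signature received from server
"""

if __name__ == "__main__":
    for key, val in summarize(SAMPLE).items():
        print(f"{key}: {val}")
```

For the logged values, `0xf` decodes to all four security-mode bits, including `SECMODE_SIGN_REQUIRED`, and `0x1f3fd` does not include `CAP_EXTENDED_SECURITY`.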

