[linux-cifs-client] Problems mounting CIFS resources with Kerberos

Jeff Layton jlayton at redhat.com
Fri Jul 11 13:22:20 GMT 2008


On Fri, 11 Jul 2008 14:34:38 +0200
"Sébastien Canchon" <scanchon at gmail.com> wrote:

>  Hello,
> 
> I have some Linux boxes, which are added to an AD domain by Samba.
> Recently, with the Experimental CIFS support and spnego upcall, it is
> possible to mount CIFS shares with Kerberos support.
> I have compiled my kernel with support, installed the latest version of Samba
> (3.2.0) and configured the spnego file in /etc.
> When I try to mount a W2K3 share, it works perfectly, but when I try to
> mount a share from our NAS (Netapp Filer), I have this result:
> 
> ~$ mount.cifs //vzy-filertest/PartageCIFS/ ~/toto -o sec=krb5,username=vzyinstall,password=fake
> mount error 5 = Input/output error
> 
> Dmesg output:
> [165731.924222] /usr/src/kernel/linux-2.6.24/fs/cifs/cifsfs.c: Devname: //vzy-filertest/PartageCIFS/ flags: 64
> [165731.924233] /usr/src/kernel/linux-2.6.24/fs/cifs/connect.c: CIFS VFS: in cifs_mount as Xid: 38 with uid: 0
> [165731.924245] /usr/src/kernel/linux-2.6.24/fs/cifs/connect.c: Username: vzyinstall
> [165731.924250] /usr/src/kernel/linux-2.6.24/fs/cifs/connect.c: UNC: \\vzy-filertest\PartageCIFS ip: 10.142.65.133
> [165731.924261] /usr/src/kernel/linux-2.6.24/fs/cifs/connect.c: Socket created
> [165731.924883] /usr/src/kernel/linux-2.6.24/fs/cifs/connect.c: sndbuf 16384 rcvbuf 87380 rcvtimeo 0x7fffffff
> [165731.925250] /usr/src/kernel/linux-2.6.24/fs/cifs/connect.c: Demultiplex PID: 10129
> [165731.925386] /usr/src/kernel/linux-2.6.24/fs/cifs/connect.c: Existing smb sess not found
> [165731.925396] /usr/src/kernel/linux-2.6.24/fs/cifs/cifssmb.c: secFlags 0x8
> [165731.925400] /usr/src/kernel/linux-2.6.24/fs/cifs/cifssmb.c: Kerberos only mechanism, enable extended security
> [165731.925406] /usr/src/kernel/linux-2.6.24/fs/cifs/transport.c: For smb_command 114
> [165731.925410] /usr/src/kernel/linux-2.6.24/fs/cifs/transport.c: Sending smb of length 69
> [165731.933580] /usr/src/kernel/linux-2.6.24/fs/cifs/connect.c: rfc1002 length 0xa8
> [165731.933599] /usr/src/kernel/linux-2.6.24/fs/cifs/cifssmb.c: Dialect: 2
> [165731.933604] /usr/src/kernel/linux-2.6.24/fs/cifs/cifssmb.c: negprot rc -5
> [165732.062832] /usr/src/kernel/linux-2.6.24/fs/cifs/connect.c: No session or bad tcon
> [165732.062841] /usr/src/kernel/linux-2.6.24/fs/cifs/connect.c: CIFS VFS: leaving cifs_mount (xid = 38) rc = -5
> 
> Another thing is that when I try to connect to this share from an XP box, it works
> perfectly with Kerberos (I see the KRBREQ/KRBREP and NEGOTIATE transactions
> in Wireshark).
> 
> I use a 2.6.24-19-generic (under i386 platform) kernel with
> CONFIG_CIFS_UPCALL, CONFIG_CIFS_EXPERIMENTAL, CONFIG_CIFS_STATS and
> CONFIG_CIFS_WEAK_PW_HASH activated.
> Cifs Module version is 1.52 and Samba version is 3.2.0.
> 
> Has anyone already tried to do that?
> Another question: what needs to appear in the SMB packet to get
> Kerberos working with the module?
> Thanks,
> Sebastien CANCHON.

We'll probably need to see a binary network capture of the negotiate
protocol exchange. There are several possibilities of things that can
cause CIFSSMBNegotiate to return -EIO but we'll need to inspect the
packet being sent from the server.

Here's what I suggest. Before attempting the mount, on the client do:

# tcpdump -i ifname -s0 -w /tmp/cifs-krb5-mount.pcap host ip_address_of_server

...then do the mount attempt. Once it fails, ^c the tcpdump. Then bzip2
the cifs-krb5-mount.pcap file and send it to me. I can have a look and
see what's going on.

If you'd prefer, you can open a bug against the linux cifs client at
samba.org's bugzilla and we can work on this there (that might be
better if we need to manage several captures or involve other people).

Thanks,
-- 
Jeff Layton <jlayton at redhat.com>
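
As an added illustration (not part of the original thread and not code from the cifs module), the sketch below decodes the server's SMB1 NEGOTIATE response, the packet the capture above is meant to show, and reports whether it sets the extended-security capability and which SPNEGO mechanism OIDs its security blob lists. The field layout follows the published SMB1 NT LM 0.12 negotiate response; the names `parse_negotiate_response` and `build_sample` and the sample bytes are constructed for this example.

```python
import struct

SMB_COM_NEGOTIATE = 0x72            # 114, the smb_command in the dmesg output
CAP_EXTENDED_SECURITY = 0x80000000  # Capabilities bit for SPNEGO-based auth
# DER-encoded mechanism OIDs a server can list in its SPNEGO negTokenInit
MECH_OIDS = {
    "krb5":    bytes.fromhex("06092a864886f712010202"),    # 1.2.840.113554.1.2.2
    "ms-krb5": bytes.fromhex("06092a864882f712010202"),    # 1.2.840.48018.1.2.2
    "ntlmssp": bytes.fromhex("060a2b06010401823702020a"),  # 1.3.6.1.4.1.311.2.2.10
}
PARAMS = struct.Struct("<HBHHIIIIQhB")  # the 17 parameter words (34 bytes)

def parse_negotiate_response(smb: bytes) -> dict:
    """Decode an SMB1 NEGOTIATE response, RFC1002 length prefix already removed."""
    if len(smb) < 35 or smb[:4] != b"\xffSMB" or smb[4] != SMB_COM_NEGOTIATE:
        raise ValueError("not an SMB1 NEGOTIATE message")
    info = {"status": struct.unpack_from("<I", smb, 5)[0], "word_count": smb[32],
            "dialect_index": None, "extended_security": False, "mechs": []}
    if info["word_count"] != 17:  # only the 17-word layout carries Capabilities
        return info
    if len(smb) < 33 + PARAMS.size + 2:
        raise ValueError("truncated parameter block")
    fields = PARAMS.unpack_from(smb, 33)
    info["dialect_index"], caps = fields[0], fields[7]
    (byte_count,) = struct.unpack_from("<H", smb, 33 + PARAMS.size)
    data = smb[35 + PARAMS.size:35 + PARAMS.size + byte_count]
    if len(data) != byte_count:
        raise ValueError("truncated data block")
    if caps & CAP_EXTENDED_SECURITY:
        info["extended_security"] = True
        blob = data[16:]  # 16-byte server GUID, then the SPNEGO blob
        # Simplification: byte search for the OIDs instead of a full ASN.1 walk.
        info["mechs"] = [n for n, oid in MECH_OIDS.items() if oid in blob]
    return info

def build_sample(caps: int, data: bytes) -> bytes:
    """Constructed test message: zeroed header fields, dialect index 2."""
    header = b"\xffSMB" + bytes([SMB_COM_NEGOTIATE]) + bytes(27)
    params = PARAMS.pack(2, 0x03, 50, 1, 16644, 65536, 0, caps, 0, 0, 0)
    return header + b"\x11" + params + struct.pack("<H", len(data)) + data

if __name__ == "__main__":
    blob = bytes(16) + MECH_OIDS["ms-krb5"] + MECH_OIDS["krb5"]  # GUID + bare OIDs
    print(parse_negotiate_response(build_sample(CAP_EXTENDED_SECURITY, blob)))
    print(parse_negotiate_response(build_sample(0, bytes(8))))
```

To use it on a real capture, pass the SMB payload of the server's reply with the 4-byte RFC1002 length stripped.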

