[linux-cifs-client] Problems mounting CIFS resources with Kerberos

Jeff Layton jlayton at redhat.com
Sat Jul 12 02:20:52 GMT 2008


On Fri, 11 Jul 2008 09:22:20 -0400
Jeff Layton <jlayton at redhat.com> wrote:

> On Fri, 11 Jul 2008 14:34:38 +0200
> "Sébastien Canchon" <scanchon at gmail.com> wrote:
> 
> >  Hello,
> > 
> > I have some Linux boxes, which are added to an AD domain by Samba.
> > Recently, with the Experimental CIFS support and spnego upcall, it is
> > possible to mount CIFS shares with Kerberos support.
> > I have compiled my kernel with support, installed the last version of Samba
> > (3.2.0) and configured the spnego file in /etc.
> > When I try to mount a W2K3 share, it works perfectly, but when I try to
> > mount a share from our NAS (Netapp Filer), I get this result:
> > 
> > ~$ mount.cifs //vzy-filertest/PartageCIFS/ ~/toto -o sec=krb5,username=vzyinstall,password=fake
> > mount error 5 = Input/output error
> > 
> > Dmesg output:
> > [165731.924222] /usr/src/kernel/linux-2.6.24/fs/cifs/cifsfs.c: Devname: //vzy-filertest/PartageCIFS/ flags: 64
> > [165731.924233] /usr/src/kernel/linux-2.6.24/fs/cifs/connect.c: CIFS VFS: in cifs_mount as Xid: 38 with uid: 0
> > [165731.924245] /usr/src/kernel/linux-2.6.24/fs/cifs/connect.c: Username: vzyinstall
> > [165731.924250] /usr/src/kernel/linux-2.6.24/fs/cifs/connect.c: UNC: \\vzy-filertest\PartageCIFS ip: 10.142.65.133
> > [165731.924261] /usr/src/kernel/linux-2.6.24/fs/cifs/connect.c: Socket created
> > [165731.924883] /usr/src/kernel/linux-2.6.24/fs/cifs/connect.c: sndbuf 16384 rcvbuf 87380 rcvtimeo 0x7fffffff
> > [165731.925250] /usr/src/kernel/linux-2.6.24/fs/cifs/connect.c: Demultiplex PID: 10129
> > [165731.925386] /usr/src/kernel/linux-2.6.24/fs/cifs/connect.c: Existing smb sess not found
> > [165731.925396] /usr/src/kernel/linux-2.6.24/fs/cifs/cifssmb.c: secFlags 0x8
> > [165731.925400] /usr/src/kernel/linux-2.6.24/fs/cifs/cifssmb.c: Kerberos only mechanism, enable extended security
> > [165731.925406] /usr/src/kernel/linux-2.6.24/fs/cifs/transport.c: For smb_command 114
> > [165731.925410] /usr/src/kernel/linux-2.6.24/fs/cifs/transport.c: Sending smb of length 69
> > [165731.933580] /usr/src/kernel/linux-2.6.24/fs/cifs/connect.c: rfc1002 length 0xa8
> > [165731.933599] /usr/src/kernel/linux-2.6.24/fs/cifs/cifssmb.c: Dialect: 2
> > [165731.933604] /usr/src/kernel/linux-2.6.24/fs/cifs/cifssmb.c: negprot rc -5
> > [165732.062832] /usr/src/kernel/linux-2.6.24/fs/cifs/connect.c: No session or bad tcon
> > [165732.062841] /usr/src/kernel/linux-2.6.24/fs/cifs/connect.c: CIFS VFS: leaving cifs_mount (xid = 38) rc = -5
> > 
> > Another thing is that when I try to connect to this share from an XP box, it works
> > perfectly with Kerberos (I see the KRBREQ/KRBREP and NEGOTIATE transactions
> > in wireshark).
> > 
> > I use a 2.6.24-19-generic (under i386 platform) kernel with
> > CONFIG_CIFS_UPCALL, CONFIG_CIFS_EXPERIMENTAL, CONFIG_CIFS_STATS and
> > CONFIG_CIFS_WEAK_PW_HASH activated.
> > The CIFS module version is 1.52 and the Samba version is 3.2.0.
> > 
> > Has anyone already tried to do that?
> > Another question: what needs to appear in the SMB packet to get
> > Kerberos working with the module?
> > Thanks,
> > Sebastien CANCHON.
> 
> We'll probably need to see a binary network capture of the negotiate
> protocol exchange. There are several possibilities of things that can
> cause CIFSSMBNegotiate to return -EIO but we'll need to inspect the
> packet being sent from the server.
> 
> Here's what I suggest. Before attempting the mount, on the client do:
> 
> # tcpdump -i ifname -s0 -w /tmp/cifs-krb5-mount.pcap host ip_address_of_server
> 
> ...then do the mount attempt. Once it fails, ^c the tcpdump. Then bzip2
> the cifs-krb5-mount.pcap file and send it to me. I can have a look and
> see what's going on.
> 
> If you'd prefer, you can open a bug against the linux cifs client at
> samba.org's bugzilla and we can work on this there (that might be
> better if we need to manage several captures or involve other people).
> 

PS: if you do open a samba BZ, please email me the BZ number (or add me to
the CC list)

Thanks,
-- 
Jeff Layton <jlayton at redhat.com>
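
An added example, not part of the original message and not code from the Linux CIFS client or Samba: once a capture like the one requested above exists, the server's SMB1 negotiate response is the frame to inspect, and this Python code extracts the fields relevant to a `sec=krb5` mount (the extended-security capability bit, the security blob, and the Kerberos mechanism OIDs in it). The function names and the sample bytes are constructed for illustration, and the input is assumed to be the SMB message with the 4-byte RFC1002 header already removed.

```python
import struct

SMB_COM_NEGOTIATE = 0x72            # decimal 114, the "smb_command 114" in the dmesg output
CAP_EXTENDED_SECURITY = 0x80000000
NTLM012_WORDS = struct.Struct("<HBHHIIIIQhB")   # 17 parameter words = 34 bytes
KRB5_OIDS = {                       # DER-encoded mechanism OIDs
    "MS-KRB5": bytes.fromhex("06092a864882f712010202"),   # 1.2.840.48018.1.2.2
    "KRB5": bytes.fromhex("06092a864886f712010202"),      # 1.2.840.113554.1.2.2
}

def parse_negotiate_response(smb: bytes) -> dict:
    """Parse an SMB1 NT LM 0.12 negotiate response (4-byte RFC1002 header removed)."""
    if len(smb) < 33 or smb[:4] != b"\xffSMB":
        raise ValueError("not an SMB1 message")
    if smb[4] != SMB_COM_NEGOTIATE:
        raise ValueError("not a negotiate response")
    if smb[32] != 17 or len(smb) < 69:
        raise ValueError(f"WordCount {smb[32]}: not a complete NT LM 0.12 response")
    dialect, _mode, _, _, _, _, _, caps, _, _, chal_len = NTLM012_WORDS.unpack_from(smb, 33)
    (byte_count,) = struct.unpack_from("<H", smb, 67)
    data = smb[69:69 + byte_count]
    if len(data) != byte_count:
        raise ValueError("truncated data block")
    ext = bool(caps & CAP_EXTENDED_SECURITY)
    blob = data[16:] if ext else b""    # a 16-byte server GUID precedes the security blob
    return {
        "dialect_index": dialect,
        "extended_security": ext,
        "challenge_length": chal_len,
        "blob_len": len(blob),
        "gss_token": blob[:1] == b"\x60",   # GSS-API InitialContextToken tag
        # Substring search, not a full ASN.1 parse: enough for a first look.
        "kerberos_mechs": [n for n, oid in KRB5_OIDS.items() if oid in blob],
    }

def build_sample(caps: int, data: bytes) -> bytes:
    """Constructed response for demonstration; not a capture from this thread."""
    header = b"\xffSMB" + bytes([SMB_COM_NEGOTIATE]) + bytes(27)
    words = NTLM012_WORDS.pack(2, 0x03, 50, 1, 16644, 65536, 0, caps, 0, 0, 0)
    return header + b"\x11" + words + struct.pack("<H", len(data)) + data

# Constructed SPNEGO negTokenInit offering both Kerberos mechanism OIDs.
SPNEGO = (bytes.fromhex("602606062b0601050502a01c301aa0183016")
          + KRB5_OIDS["MS-KRB5"] + KRB5_OIDS["KRB5"])

if __name__ == "__main__":
    print(parse_negotiate_response(build_sample(0x8000F3FD, bytes(16) + SPNEGO)))
    print(parse_negotiate_response(build_sample(0x0000F3FD, bytes(8))))
```

A response with `extended_security` false, or with an empty `kerberos_mechs` list, means the server did not offer Kerberos in the negotiate exchange.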

