[linux-cifs-client] Problems mounting CIFS resources with Kerberos

Sébastien Canchon scanchon at gmail.com
Tue Jul 15 12:18:51 GMT 2008


2008/7/12, Jeff Layton <jlayton at redhat.com>:

> On Fri, 11 Jul 2008 09:22:20 -0400
> Jeff Layton <jlayton at redhat.com> wrote:
>
> > On Fri, 11 Jul 2008 14:34:38 +0200
> > "Sébastien Canchon" <scanchon at gmail.com> wrote:
> >
> > >  Hello,
> > >
> > > I have some Linux boxes, which are added to an AD domain by Samba.
> > > Recently, with the Experimental CIFS support and spnego upcall, it is
> > > possible to mount CIFS shares with kerberos support.
> > > I have compiled my kernel with support, installed the last version of
> > > Samba (3.2.0) and configured the spnego file in /etc.
> > > When I try to mount a W2K3 Share, it works perfectly, but when I try to
> > > mount a share from our NAS (Netapp Filer), I have this result:
> > >
> > > ~$ mount.cifs //vzy-filertest/PartageCIFS/ ~/toto -o sec=krb5,username=vzyinstall,password=fake
> > > mount error 5 = Input/output error
> > >
> > > Dmesg output:
> > > [165731.924222] /usr/src/kernel/linux-2.6.24/fs/cifs/cifsfs.c: Devname: //vzy-filertest/PartageCIFS/ flags: 64
> > > [165731.924233] /usr/src/kernel/linux-2.6.24/fs/cifs/connect.c: CIFS VFS: in cifs_mount as Xid: 38 with uid: 0
> > > [165731.924245] /usr/src/kernel/linux-2.6.24/fs/cifs/connect.c: Username: vzyinstall
> > > [165731.924250] /usr/src/kernel/linux-2.6.24/fs/cifs/connect.c: UNC: \\vzy-filertest\PartageCIFS ip: 10.142.65.133
> > > [165731.924261] /usr/src/kernel/linux-2.6.24/fs/cifs/connect.c: Socket created
> > > [165731.924883] /usr/src/kernel/linux-2.6.24/fs/cifs/connect.c: sndbuf 16384 rcvbuf 87380 rcvtimeo 0x7fffffff
> > > [165731.925250] /usr/src/kernel/linux-2.6.24/fs/cifs/connect.c: Demultiplex PID: 10129
> > > [165731.925386] /usr/src/kernel/linux-2.6.24/fs/cifs/connect.c: Existing smb sess not found
> > > [165731.925396] /usr/src/kernel/linux-2.6.24/fs/cifs/cifssmb.c: secFlags 0x8
> > > [165731.925400] /usr/src/kernel/linux-2.6.24/fs/cifs/cifssmb.c: Kerberos only mechanism, enable extended security
> > > [165731.925406] /usr/src/kernel/linux-2.6.24/fs/cifs/transport.c: For smb_command 114
> > > [165731.925410] /usr/src/kernel/linux-2.6.24/fs/cifs/transport.c: Sending smb of length 69
> > > [165731.933580] /usr/src/kernel/linux-2.6.24/fs/cifs/connect.c: rfc1002 length 0xa8
> > > [165731.933599] /usr/src/kernel/linux-2.6.24/fs/cifs/cifssmb.c: Dialect: 2
> > > [165731.933604] /usr/src/kernel/linux-2.6.24/fs/cifs/cifssmb.c: negprot rc -5
> > > [165732.062832] /usr/src/kernel/linux-2.6.24/fs/cifs/connect.c: No session or bad tcon
> > > [165732.062841] /usr/src/kernel/linux-2.6.24/fs/cifs/connect.c: CIFS VFS: leaving cifs_mount (xid = 38) rc = -5
> > >
> > > Another thing is when I try to connect to this share from an XP box, it
> > > works perfectly with Kerberos (I see the KRBREQ/KRBREP and NEGOTIATE
> > > transactions in wireshark)
> > >
> > > I use a 2.6.24-19-generic (under i386 platform) kernel with
> > > CONFIG_CIFS_UPCALL, CONFIG_CIFS_EXPERIMENTAL, CONFIG_CIFS_STATS and
> > > CONFIG_CIFS_WEAK_PW_HASH activated.
> > > Cifs Module version is 1.52 and Samba version is 3.2.0
> > >
> > > Has anyone already tried to do that?
> > > Another question: what needs to appear in the SMB packet to get
> > > kerberos working with the module?
> > > Thanks,
> > > Sebastien CANCHON.
> >
> > We'll probably need to see a binary network capture of the negotiate
> > protocol exchange. There are several possibilities of things that can
> > cause CIFSSMBNegotiate to return -EIO but we'll need to inspect the
> > packet being sent from the server.
> >
> > Here's what I suggest. Before attempting the mount, on the client do:
> >
> > # tcpdump -i ifname -s0 -w /tmp/cifs-krb5-mount.pcap host ip_address_of_server
> >
> > ...then do the mount attempt. Once it fails, ^c the tcpdump. Then bzip2
> > the cifs-krb5-mount.pcap file and send it to me. I can have a look and
> > see what's going on.
> >
> > If you'd prefer, you can open a bug against the linux cifs client at
> > samba.org's bugzilla and we can work on this there (that might be
> > better if we need to manage several captures or involve other people).
> >
>
> PS: if you do open a samba BZ, please email me the BZ number (or add me to
> the CC list)
>
> Thanks,
> --
> Jeff Layton <jlayton at redhat.com>

Thanks for the replies, and sorry for the delay.
I have submitted a bug in Samba's bugzilla, number 5614. A network capture
and some information are included.

Sébastien CANCHON.
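
The negotiate response that the requested capture is meant to expose carries an SPNEGO token listing the authentication mechanisms the server offers. As an added example (not from this thread and not the CIFS module's code), the Python below decodes that mechanism list from a security blob so you can see whether a Kerberos mechanism is offered at all. The function names are hypothetical and the sample bytes are constructed, not taken from the reporter's capture.

```python
SPNEGO_OID = "1.3.6.1.5.5.2"
KRB5_OIDS = {"1.2.840.113554.1.2.2", "1.2.840.48018.1.2.2"}  # Kerberos 5, MS Kerberos 5
# Constructed sample, not from the reporter's capture: offers Kerberos 5, then NTLMSSP.
SAMPLE = bytes.fromhex("602706062b0601050502a01d301ba0193017"
                       "06092a864886f712010202060a2b06010401823702020a")
def read_tlv(buf, pos):  # -> (tag, value, next_pos) for the DER element at pos
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: the next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def decode_oid(body):  # DER OID content bytes -> dotted string
    arcs, value = [], 0
    for byte in body:
        value = (value << 7) | (byte & 0x7F)
        if not byte & 0x80:  # high bit clear ends this sub-identifier
            arcs.append(value)
            value = 0
    if not arcs:
        raise ValueError("empty OID")
    first = min(arcs[0] // 40, 2)  # first sub-identifier packs two arcs
    return ".".join(map(str, [first, arcs[0] - 40 * first] + arcs[1:]))

def spnego_mechs(blob):
    """Return the mechType OIDs in the order the token lists them."""
    tag, token, _ = read_tlv(blob, 0)
    oid_tag, oid, pos = read_tlv(token, 0)
    if (tag, oid_tag) != (0x60, 0x06) or decode_oid(oid) != SPNEGO_OID:
        raise ValueError("not a GSS-API token wrapping SPNEGO")
    body = token[pos:]
    # Descend: [0] NegTokenInit -> SEQUENCE -> [0] mechTypes -> SEQUENCE OF OID
    for expected in (0xA0, 0x30, 0xA0, 0x30):
        tag, body, _ = read_tlv(body, 0)
        if tag != expected:
            raise ValueError(f"unexpected tag 0x{tag:02x}")
    mechs, pos = [], 0
    while pos < len(body):
        tag, oid, pos = read_tlv(body, pos)
        if tag == 0x06:
            mechs.append(decode_oid(oid))
    return mechs

def offers_kerberos(blob):
    return bool(KRB5_OIDS & set(spnego_mechs(blob)))
```

To use it on a real capture, export the security blob bytes from the Negotiate Protocol Response in Wireshark and pass them to `spnego_mechs`.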