[linux-cifs-client] Unable to mount CIFS with kerberos security
Jeff Layton
jlayton at redhat.com
Tue Jan 27 16:57:26 GMT 2009
On Tue, 27 Jan 2009 18:29:00 +0530
Suresh Jayaraman <sjayaraman at suse.de> wrote:
> Hi all,
>
> While mounting with kerberos, I'm getting -126 (Key not found) error
> only if I use IP addresses instead of hostname.
>
> For e.g.
> (using hostname)
> #kinit Administrator
> #mount -t cifs -o //novell-owa/Winshare /mnt/cifs -o
> user=Administrator,sec=krb5i
>
> succeeds
>
> (using IP)
> #kinit Administrator
> #mount -t cifs -o //164.99.99.182/Winshare /mnt/cifs -o
> user=Administrator,sec=krb5i
>
> fails.
>
> I enabled CifsFYI o/p and the only difference I see is:
>
> (with hostname)
> fs/cifs/cifs_spnego.c: key description =
> ver=0x2;host=myserver;ip4=164.99.99.182;sec=mskrb5;uid=0x0;user=Administrator
> (with IP)
> fs/cifs/cifs_spnego.c: key description =
> ver=0x2;host=164.99.99.182;ip4=164.99.99.182;sec=mskrb5;uid=0x0;user=Administrator
>
> * note "host=" parameter ^^^ it contains value of IP, when we use IP to
> mount. May be this is the problem, passing down ip as "host=" down to
> request_key() ?
>
> In CIFS_SessSetup
> spnego_key = cifs_get_spnego_key(ses);
>
> fails and returns error -126
>
> The setup remains unaltered while mounting using hostname and IP and the
> only difference in CifsFYI o/p is the hostname being considered as IP.
> And this is reproducible _always_.
>
> Any clues? Am I missing something obvious?
>
The upcall program needs some way to know what cifs or host principal to look
for. When it just has an IP address to go on, then it often doesn't have a
way to know. To fix this, we'll need to fix cifs.upcall to be able to make
better guesses as to the hostname when we try to get the SPNEGO key.
Patches welcome.
--
Jeff Layton <jlayton at redhat.com>
More information about the linux-cifs-client
mailing list