[linux-cifs-client] Question on current state of sec=krb5* integration in cifs.ko

Holger Rauch holger.rauch at empic.de
Fri Oct 23 05:12:14 MDT 2009


Hi Robert,

Robert Euhus wrote on Friday, 23 October 2009:

> [...]
> It works here on Lenny, although you might have to install the keyutils
> Package and add the following lines to /etc/request-key.conf :
> 
> create cifs.spnego * * /usr/sbin/cifs.upcall %k %d
> create dns_resolver * * /usr/sbin/cifs.upcall %k

I just tried that. Mount options in /etc/fstab are

noauto,sec=krb5i,iocharset=iso8859-15

When I issue the mount cmd, it asks me for a password. Is there any
way to get more debugging info from the mount.cifs cmd and the CIFS
VFS kernel module? (I was checking /var/log/syslog, /var/log/messages,
/var/log/daemon.log, but found nothing that could be helpful).

Like I mentioned, kerberized smbclient sessions work as expected (i.e.
I'm *not* asked for a password; just as it's supposed to be). I do get
a valid Kerberos ticket for cifs, as shown in this output from "klist
-5f":

==========

Ticket cache: FILE:/tmp/krb5cc_0
Default principal: user at MYREALM

Valid starting     Expires            Service principal
10/23/09 12:31:13  10/24/09 04:31:13  krbtgt/MYREALM at MYREALM
	 renew until 10/24/09 12:30:51, Flags: FRIAT
10/23/09 12:40:42  10/24/09 04:31:13  cifs/sambaserver.mydomain at MYREALM
	 renew until 10/24/09 12:30:51, Flags: FRAT

==========

I should perhaps also mention that my LDAP accounts were created using
Debian Lenny's ldapscripts package before I installed Samba and used
ldapsam:editposix. Samba's LDAP stuff was initialized using "net sam
provision", as described in

http://wiki.samba.org/index.php/Ldapsam_Editposix

So, the Kerberos user named "user" doesn't have the
samba* attributes set in the LDAP database yet. But since that didn't
seem to matter for smbclient sessions, it also shouldn't matter for
mount.cifs, should it? 

In addition, my Kerberos database is stored in the
same OpenLDAP database as the user accounts are, just below a
different ou. (But that shouldn't matter since smbclient works, so the
LDAP lookup itself shouldn't be the problem).

> You might also want to have a look at a small (and not quite finished
> yet) German HOWTO I wrote:
> 
> http://www.rrzn.uni-hannover.de/anl-linclient-ads.html

Thanks for mentioning this, but I have MIT Kerberos installed on a
Debian Lenny machine acting as KDC. Nevertheless, still helpful for AD
integration.

The main difference compared to your setup is that my server is
actually a Samba server running on a Debian Lenny system and I'm
trying to mount a cifs fs on a Linux client (i.e. a Linux machine
pretending to be a Windows client). Do I need the winbindd also on the
client machine in such a scenario (your HOWTO suggests running it on the
client, but you are authenticating against a "real" AD on a Windows
server; I'm authenticating against OpenLDAP+MIT Kerberos+Samba on a Debian
Lenny system)?

(In case you need more info, I will of course try to provide it).

Thanks in advance for any hints & kind regards,

       Holger
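As an added example (not code from the thread, cifs-utils or keyutils), a POSIX shell check of the two prerequisites the mail turns on: the cifs.spnego entry in /etc/request-key.conf pointing at an existing cifs.upcall, and a cifs/<server> service ticket in the credential cache. The sample klist text, realm and host names are constructed, and the function names are this example's own.

```shell
#!/bin/sh
# Added example; not code from the original thread, cifs-utils or keyutils.
# Pre-mount checks for a sec=krb5/krb5i cifs mount on the client: is the
# cifs.spnego key type wired to an upcall helper in request-key.conf, and
# does the credential cache hold a service ticket for cifs/<server>?

# Print the helper registered for cifs.spnego in request-key.conf text read
# from stdin (field 5 of "create cifs.spnego * * /usr/sbin/cifs.upcall %k %d").
upcall_helper() {
    awk '$1 == "create" && $2 == "cifs.spnego" { print $5; exit }'
}

# Exit 0 if klist output on stdin lists a ticket for cifs/<server> in any
# realm. Every field is scanned, so a principal wrapped onto its own line
# (as in output pasted into mail) is still found.
has_cifs_ticket() {
    awk -v want="cifs/$1" '
        { for (i = 1; i <= NF; i++) { p = $i; sub(/@.*/, "", p); if (p == want) ok = 1 } }
        END { exit ok ? 0 : 1 }'
}

# Combined check: $1 = request-key.conf path, $2 = server; klist output on stdin.
check_krb5_mount_prereqs() {
    helper=$(upcall_helper < "$1")
    [ -n "$helper" ] || { echo "no 'create cifs.spnego' entry in $1" >&2; return 1; }
    [ -x "$helper" ] || { echo "upcall helper $helper missing or not executable" >&2; return 1; }
    has_cifs_ticket "$2" || { echo "no cifs/$2 ticket in the credential cache" >&2; return 1; }
}

# Constructed sample "klist -5f" output (realm and host names are placeholders).
SAMPLE_KLIST='Ticket cache: FILE:/tmp/krb5cc_0
Default principal: user@MYREALM

Valid starting     Expires            Service principal
10/23/09 12:31:13  10/24/09 04:31:13  krbtgt/MYREALM@MYREALM
        renew until 10/24/09 12:30:51, Flags: FRIAT
10/23/09 12:40:42  10/24/09 04:31:13  cifs/sambaserver.mydomain@MYREALM
        renew until 10/24/09 12:30:51, Flags: FRAT'

# Stand-alone demo on the sample; real use pipes "klist -5f" into the checks.
if printf '%s\n' "$SAMPLE_KLIST" | has_cifs_ticket sambaserver.mydomain; then
    echo "cifs/sambaserver.mydomain ticket present"
fi
```

Real use is `klist -5f | check_krb5_mount_prereqs /etc/request-key.conf sambaserver.mydomain` before the mount. For kernel-side detail, `echo 1 > /proc/fs/cifs/cifsFYI` (as root) turns on CIFS VFS debug messages in the kernel log.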