[linux-cifs-client] Can not mount AD share with Kerberos ticket: mount error 126 = Required key not available

Robert Euhus euhus-liste1 at rrzn.uni-hannover.de
Fri Sep 11 06:49:04 MDT 2009


Hello,

I have added my Linux computer "relogin" to our local AD realm
"WORKGROUP.INTERN".
I'm using Winbind for authentication against AD and user mapping (with
idmap_rid).

At login I get two Kerberos tickets:

-----------------------------------------------------------------
euhus@relogin:~$ klist -5
Ticket cache: FILE:/tmp/krb5cc_101125
Default principal: euhus@WORKGROUP.INTERN

Valid starting     Expires            Service principal
08/28/09 14:54:57  08/29/09 00:54:57  krbtgt/WORKGROUP.INTERN@WORKGROUP.INTERN
        renew until 09/04/09 14:54:57
08/28/09 14:54:57  08/29/09 00:54:57  RELOGIN$@WORKGROUP.INTERN
        renew until 09/04/09 14:54:57
euhus@relogin:~$
-----------------------------------------------------------------

However, when I try to use these tickets for mounting a share, it fails
with "mount error 126 = Required key not available":

-----------------------------------------------------------------
euhus@relogin:~$ /sbin/mount.cifs //dc1.workgroup.site.de/homes .workgroup/homes/ --verbose -o sec=krb5i,guest
parsing options: sec=krb5i,guest

mount.cifs kernel mount options
unc=//dc1.workgroup.site.de\homes,ip=1.2.3.220,user=euhus,ver=1,sec=krb5i,guest,uid=101125,gid=100513

mount error 126 = Required key not available
Refer to the mount.cifs(8) manual page (e.g.man mount.cifs)
-----------------------------------------------------------------

In /etc/request-key.conf I have:

-----------------------------------------------------------------
create        cifs.spnego    * * /usr/sbin/cifs.upcall %k %d
create      dns_resolver   * * /usr/sbin/cifs.upcall %k
-----------------------------------------------------------------

Even with "echo 3 > /proc/fs/cifs/cifsFYI" dmesg does not really help:

-----------------------------------------------------------------
[442597.829966]  fs/cifs/connect.c: No session or bad tcon
[442597.829966]  fs/cifs/connect.c: CIFS VFS: leaving cifs_mount (xid =
25) rc = -95
[442597.829966]  CIFS VFS: cifs_mount failed w/return code = -95
[442602.280555]  fs/cifs/cifsfs.c: Devname:
//dc1.workgroup.site.de/homes flags: 64
[442602.280555]  fs/cifs/connect.c: CIFS VFS: in cifs_mount as Xid: 26
with uid: 0
[442602.280555]  fs/cifs/connect.c: Username: euhus
[442602.280555]  fs/cifs/connect.c: UNC: \\dc1.workgroup.site.de\homes
ip: 1.2.3.220
[442602.280555]  fs/cifs/connect.c: Socket created
[442602.280555]  fs/cifs/connect.c: sndbuf 16384 rcvbuf 87380 rcvtimeo
0x7fffffff
[442602.281556]  fs/cifs/connect.c: Existing smb sess not found
[442602.280555]  fs/cifs/connect.c: Demultiplex PID: 20596
[442602.281556]  fs/cifs/cifssmb.c: secFlags 0x1009
[442602.281556]  fs/cifs/cifssmb.c: Kerberos only mechanism, enable
extended security
[442602.281556]  fs/cifs/transport.c: For smb_command 114
[442602.281556]  fs/cifs/transport.c: Sending smb of length 78
[442602.280555]  fs/cifs/connect.c: rfc1002 length 0xc5
[442602.281556]  fs/cifs/cifssmb.c: Dialect: 2
[442602.281556]  fs/cifs/asn1.c: OID len = 7 oid = 0x1 0x2 0x348 0xbb92
[442602.281556]  fs/cifs/asn1.c: OID len = 7 oid = 0x1 0x2 0x348 0x1bb92
[442602.281556]  fs/cifs/asn1.c: OID len = 8 oid = 0x1 0x2 0x348 0x1bb92
[442602.281556]  fs/cifs/asn1.c: OID len = 10 oid = 0x1 0x3 0x6 0x1
[442602.281556]  fs/cifs/asn1.c: Need to call asn1_octets_decode()
function for not_defined_in_RFC4178@please_ignore
[442602.281556]  fs/cifs/cifssmb.c: Must sign - secFlags 0x1009
[442602.281556]  fs/cifs/cifssmb.c: negprot rc 0
[442602.281556]  fs/cifs/connect.c: Security Mode: 0xf Capabilities:
0x8001f3fd TimeAdjust: -7200
[442602.281556]  fs/cifs/sess.c: sess setup type 6
[442602.281556]  fs/cifs/cifs_spnego.c: key description =
ver=0x1;host=dc1.workgroup.site.de;ip4=1.2.3.220;sec=krb5;uid=0x18b05;user=euhus
[442602.328182]  fs/cifs/sess.c: ssetup freeing small buf f699dc80
[442602.328182]  CIFS VFS: Send error in SessSetup = -126
[442602.460181]  fs/cifs/connect.c: No session or bad tcon
[442602.460181]  fs/cifs/connect.c: CIFS VFS: leaving cifs_mount (xid =
26) rc = -126
[442602.460181]  CIFS VFS: cifs_mount failed w/return code = -126
-----------------------------------------------------------------
I guess that cifs.upcall is trying to get the key for
"host/relogin.workgroup.site.de@WORKGROUP.INTERN" which I don't have as
user. I don't really have an idea why. But Kerberos tickets for my host
are in fact available in /etc/krb5.keytab:

-----------------------------------------------------------------
relogin:~# klist -k /etc/krb5.keytab
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   4 host/relogin.workgroup.site.de@WORKGROUP.INTERN
   4 host/relogin.workgroup.site.de@WORKGROUP.INTERN
   4 host/relogin.workgroup.site.de@WORKGROUP.INTERN
   4 host/relogin@WORKGROUP.INTERN
   4 host/relogin@WORKGROUP.INTERN
   4 host/relogin@WORKGROUP.INTERN
   4 RELOGIN$@WORKGROUP.INTERN
   4 RELOGIN$@WORKGROUP.INTERN
   4 RELOGIN$@WORKGROUP.INTERN
-----------------------------------------------------------------

Using smbclient, Konqueror and Nautilus works with the ticket.

I have tried the same on an Ubuntu 9.04 system without success.
Sadly I haven't found any hints on the web. So maybe someone could at
least give me a hint what to look out for, e.g. I would really like to see
what key it is trying to find. But I could not find an option for seeing
this in the logs.

Some more information on my system:
Standard Debian Lenny with kernel 2.6.28-15-generic which has CIFS
Version 1.55

One more thing that might be connected to this (although I don't think
so): in /var/log/samba/log.winbindd I found:

-----------------------------------------------------------------
[2009/08/24 10:12:52,  0]
winbindd/winbindd_cache.c:initialize_winbindd_cache(2374)
  initialize_winbindd_cache: clearing cache and re-creating with version
number 1
[2009/08/24 10:12:52,  2] winbindd/winbindd_util.c:add_trusted_domain(192)
  Added domain BUILTIN  S-1-5-32
[2009/08/24 10:12:52,  2] winbindd/winbindd_util.c:add_trusted_domain(192)
  Added domain RELOGIN  S-1-5-21-1796453317-37119528-1882467029
[2009/08/24 10:12:52,  2] winbindd/winbindd_util.c:add_trusted_domain(192)
  Added domain WORKGROUP WORKGROUP.INTERN
S-1-5-21-3432792198-3694902127-1061648754
[2009/08/24 10:12:52,  2]
libsmb/cliconnect.c:cli_session_setup_kerberos(619)
  Doing kerberos session setup
[2009/08/24 10:12:52,  1] libsmb/clikrb5.c:ads_krb5_mk_req(680)
  ads_krb5_mk_req: krb5_get_credentials failed for dc1$@WORKGROUP
(Cannot resolve network address for KDC in requested realm)
[2009/08/24 10:12:52,  1]
libsmb/cliconnect.c:cli_session_setup_kerberos(626)
  cli_session_setup_kerberos: spnego_gen_negTokenTarg failed: Cannot
resolve network address for KDC in requested realm
[2009/08/24 10:45:08,  0] lib/util_sock.c:write_data(1139)
  write_data: write failure. Error = Die Verbindung wurde vom
Kommunikationspartner zurückgesetzt
[2009/08/24 10:45:08,  0] libsmb/clientgen.c:write_socket(242)
  write_socket: Error writing 100 bytes to socket 18: ERRNO = Die
Verbindung wurde vom Kommunikationspartner zurückgesetzt
[2009/08/24 10:45:08,  0] libsmb/clientgen.c:cli_send_smb(290)
  Error writing 100 bytes to client. -1 (Die Verbindung wurde vom
Kommunikationspartner zurückgesetzt)
[2009/08/24 10:45:08,  1] rpc_client/cli_pipe.c:cli_rpc_pipe_open(2227)
  cli_rpc_pipe_open: cli_nt_create failed on pipe \samr to machine
dc1.workgroup.intern.  Error was Write error: Die Verbindung wurde vom
Kommunikationspartner zurückgesetzt
[2009/08/24 10:45:08,  2]
libsmb/cliconnect.c:cli_session_setup_kerberos(619)
  Doing kerberos session setup
[2009/08/24 10:45:08,  1] libsmb/clikrb5.c:ads_krb5_mk_req(680)
  ads_krb5_mk_req: krb5_get_credentials failed for dc1$@WORKGROUP
(Cannot resolve network address for KDC in requested realm)
[2009/08/24 10:45:08,  1]
libsmb/cliconnect.c:cli_session_setup_kerberos(626)
  cli_session_setup_kerberos: spnego_gen_negTokenTarg failed: Cannot
resolve network address for KDC in requested realm
-----------------------------------------------------------------

If You need any other information, please let me know.
Thanks for Your patience!

Cheers,
Robert
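
As an added example, not part of the original message: the "key description" line that fs/cifs/cifs_spnego.c logs in the dmesg output above is the request handed to cifs.upcall, and this sh script decodes it into the requesting uid and the service principals worth testing by hand. The cifs/ then host/ candidate order and the use of MIT Kerberos `kvno` as the manual check are assumptions about the installed cifs.upcall and Kerberos tools; `field` and `decode_desc` are names made up for this example.

```sh
#!/bin/sh
# Added example: decode a cifs.spnego key description (the string logged by
# fs/cifs/cifs_spnego.c with cifsFYI enabled) to see what the upcall is asked for.

# Sample input: the description copied from the dmesg output in the message.
SAMPLE_DESC='ver=0x1;host=dc1.workgroup.site.de;ip4=1.2.3.220;sec=krb5;uid=0x18b05;user=euhus'

# field DESC NAME: print the value of NAME from a ';'-separated key=value list.
field() {
    printf '%s\n' "$1" | tr ';' '\n' | sed -n "s/^$2=//p" | head -n 1
}

# decode_desc DESC: print one "key=value" line per finding.
# Returns 1 when host is missing or uid is not a 0x-prefixed hex number.
decode_desc() {
    host=$(field "$1" host)
    uid_hex=$(field "$1" uid)
    [ -n "$host" ] || return 1
    case "$uid_hex" in
        0x|0x*[!0-9a-fA-F]*) return 1 ;;
        0x*) uid=$(printf '%d' "$uid_hex") ;;
        *) return 1 ;;
    esac
    echo "sec=$(field "$1" sec)"
    echo "user=$(field "$1" user)"
    # The kernel logs the uid in hex; decimal is what ls -n and krb5cc_<uid> show.
    echo "uid=$uid"
    # Assumption: cifs.upcall asks the KDC for cifs/<host>, then host/<host>.
    # The server name comes from the UNC path, not from the realm name.
    echo "spn=cifs/$host"
    echo "spn=host/$host"
    # Manual check with MIT Kerberos, run as that uid with its ticket cache:
    echo "check=kvno cifs/$host"
}

decode_desc "${1:-$SAMPLE_DESC}"
```

Pass a different description as the first argument to decode another mount attempt; the decoded uid can be compared with the suffix of the ticket cache name that klist reports.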
