[linux-cifs-client] Can not mount AD share with Kerberos ticket: mount error 126 = Required key not available

Jeff Layton jlayton at poochiereds.net
Fri Sep 11 08:55:27 MDT 2009


On Fri, 11 Sep 2009 14:49:04 +0200
Robert Euhus <euhus-liste1 at rrzn.uni-hannover.de> wrote:

> Hello,
> 
> I have added my Linux computer "relogin" to our local AD realm
> "WORKGROUP.INTERN".
> I'm using Winbind for authentication against AD and user mapping (with
> idmap_rid).
> 
> At login I get two kerberos tickets:
> 
> -----------------------------------------------------------------
> euhus at relogin:~$ klist -5
> Ticket cache: FILE:/tmp/krb5cc_101125
> Default principal: euhus at WORKGROUP.INTERN
> 
> Valid starting     Expires            Service principal
> 08/28/09 14:54:57  08/29/09 00:54:57
> krbtgt/WORKGROUP.INTERN at WORKGROUP.INTERN
>         renew until 09/04/09 14:54:57
> 08/28/09 14:54:57  08/29/09 00:54:57  RELOGIN$@WORKGROUP.INTERN
>         renew until 09/04/09 14:54:57
> euhus at relogin:~$
> -----------------------------------------------------------------
> 
> However, when I try to use these tickets for mounting a share, it fails
> with "mount error 126 = Required key not available":
> 
> -----------------------------------------------------------------
> euhus at relogin:~$ /sbin/mount.cifs //dc1.workgroup.site.de/homes
> .workgroup/homes/ --verbose -o sec=krb5i,guest
> parsing options: sec=krb5i,guest
> 
> mount.cifs kernel mount options
> unc=//dc1.workgroup.site.de\homes,ip=1.2.3.220,user=euhus,ver=1,sec=krb5i,guest,uid=101125,gid=100513
> 
> mount error 126 = Required key not available
> Refer to the mount.cifs(8) manual page (e.g.man mount.cifs)
> -----------------------------------------------------------------
> 
> In /etc/request-key.conf I have:
> 
> -----------------------------------------------------------------
> create        cifs.spnego    * * /usr/sbin/cifs.upcall %k %d
> create      dns_resolver   * * /usr/sbin/cifs.upcall %k
> -----------------------------------------------------------------
> 
> Even with "echo 3 > /proc/fs/cifs/cifsFYI" dmesg does not really help:
> 
> -----------------------------------------------------------------
> [442597.829966]  fs/cifs/connect.c: No session or bad tcon
> [442597.829966]  fs/cifs/connect.c: CIFS VFS: leaving cifs_mount (xid =
> 25) rc = -95
> [442597.829966]  CIFS VFS: cifs_mount failed w/return code = -95
> [442602.280555]  fs/cifs/cifsfs.c: Devname:
> //dc1.workgroup.site.de/homes flags: 64
> [442602.280555]  fs/cifs/connect.c: CIFS VFS: in cifs_mount as Xid: 26
> with uid: 0
> [442602.280555]  fs/cifs/connect.c: Username: euhus
> [442602.280555]  fs/cifs/connect.c: UNC: \\dc1.workgroup.site.de\homes
> ip: 1.2.3.220
> [442602.280555]  fs/cifs/connect.c: Socket created
> [442602.280555]  fs/cifs/connect.c: sndbuf 16384 rcvbuf 87380 rcvtimeo
> 0x7fffffff
> [442602.281556]  fs/cifs/connect.c: Existing smb sess not found
> [442602.280555]  fs/cifs/connect.c: Demultiplex PID: 20596
> [442602.281556]  fs/cifs/cifssmb.c: secFlags 0x1009
> [442602.281556]  fs/cifs/cifssmb.c: Kerberos only mechanism, enable
> extended security
> [442602.281556]  fs/cifs/transport.c: For smb_command 114
> [442602.281556]  fs/cifs/transport.c: Sending smb of length 78
> [442602.280555]  fs/cifs/connect.c: rfc1002 length 0xc5
> [442602.281556]  fs/cifs/cifssmb.c: Dialect: 2
> [442602.281556]  fs/cifs/asn1.c: OID len = 7 oid = 0x1 0x2 0x348 0xbb92
> [442602.281556]  fs/cifs/asn1.c: OID len = 7 oid = 0x1 0x2 0x348 0x1bb92
> [442602.281556]  fs/cifs/asn1.c: OID len = 8 oid = 0x1 0x2 0x348 0x1bb92
> [442602.281556]  fs/cifs/asn1.c: OID len = 10 oid = 0x1 0x3 0x6 0x1
> [442602.281556]  fs/cifs/asn1.c: Need to call asn1_octets_decode()
> function for not_defined_in_RFC4178 at please_ignore
> [442602.281556]  fs/cifs/cifssmb.c: Must sign - secFlags 0x1009
> [442602.281556]  fs/cifs/cifssmb.c: negprot rc 0
> [442602.281556]  fs/cifs/connect.c: Security Mode: 0xf Capabilities:
> 0x8001f3fd TimeAdjust: -7200
> [442602.281556]  fs/cifs/sess.c: sess setup type 6
> [442602.281556]  fs/cifs/cifs_spnego.c: key description =
> ver=0x1;host=dc1.workgroup.site.de;ip4=1.2.3.220;sec=krb5;uid=0x18b05;user=euhus
> [442602.328182]  fs/cifs/sess.c: ssetup freeing small buf f699dc80
> [442602.328182]  CIFS VFS: Send error in SessSetup = -126
> [442602.460181]  fs/cifs/connect.c: No session or bad tcon
> [442602.460181]  fs/cifs/connect.c: CIFS VFS: leaving cifs_mount (xid =
> 26) rc = -126
> [442602.460181]  CIFS VFS: cifs_mount failed w/return code = -126
> -----------------------------------------------------------------
> I guess that cifs.upcall is trying to get the key for
> "host/relogin.workgroup.site.de at WORKGROUP.INTERN" which I don't have as
> user. I don't really have an idea why. But Kerberos tickets for my host
> are in fact available in /etc/krb5.keytab:
> 

...nope, according to the above info, cifs.upcall is going to attempt
to get a service principal of:

    host/dc1.workgroup.site.de at WORKGROUP.INTERN

...before connecting to the server. That's failing for some reason. In
general with krb5 you'll want to use the canonical hostname of the
server when mounting as that's the name most likely to be used in
service principals.

> -----------------------------------------------------------------
> relogin:~# klist -k /etc/krb5.keytab
> Keytab name: FILE:/etc/krb5.keytab
> KVNO Principal
> ---- --------------------------------------------------------------------------
>    4 host/relogin.workgroup.site.de at WORKGROUP.INTERN
>    4 host/relogin.workgroup.site.de at WORKGROUP.INTERN
>    4 host/relogin.workgroup.site.de at WORKGROUP.INTERN
>    4 host/relogin at WORKGROUP.INTERN
>    4 host/relogin at WORKGROUP.INTERN
>    4 host/relogin at WORKGROUP.INTERN
>    4 RELOGIN$@WORKGROUP.INTERN
>    4 RELOGIN$@WORKGROUP.INTERN
>    4 RELOGIN$@WORKGROUP.INTERN
> -----------------------------------------------------------------
> 
> Using smbclient, Konqueror and Nautilus works with the ticket.
> 
> I have tried the same on an Ubuntu 9.04 system without success.
> Sadly I haven't found any hints on the web. So maybe someone could at
> least give me a hint what to look out for, e.g. I would really like to see
> what key it is trying to find. But I could not find an option for seeing
> this in the logs.
> 
> Some more information on my system:
> Standard Debian Lenny with kernel 2.6.28-15-generic which has CIFS
> Version 1.55
> 
> One more thing that might be connected to this (although I don't think
> so): in /var/log/samba/log.winbindd I found:
> 
> -----------------------------------------------------------------
> [2009/08/24 10:12:52,  0]
> winbindd/winbindd_cache.c:initialize_winbindd_cache(2374)
>   initialize_winbindd_cache: clearing cache and re-creating with version
> number 1
> [2009/08/24 10:12:52,  2] winbindd/winbindd_util.c:add_trusted_domain(192)
>   Added domain BUILTIN  S-1-5-32
> [2009/08/24 10:12:52,  2] winbindd/winbindd_util.c:add_trusted_domain(192)
>   Added domain RELOGIN  S-1-5-21-1796453317-37119528-1882467029
> [2009/08/24 10:12:52,  2] winbindd/winbindd_util.c:add_trusted_domain(192)
>   Added domain WORKGROUP WORKGROUP.INTERN
> S-1-5-21-3432792198-3694902127-1061648754
> [2009/08/24 10:12:52,  2]
> libsmb/cliconnect.c:cli_session_setup_kerberos(619)
>   Doing kerberos session setup
> [2009/08/24 10:12:52,  1] libsmb/clikrb5.c:ads_krb5_mk_req(680)
>   ads_krb5_mk_req: krb5_get_credentials failed for dc1$@WORKGROUP
> (Cannot resolve network address for KDC in requested realm)
> [2009/08/24 10:12:52,  1]
> libsmb/cliconnect.c:cli_session_setup_kerberos(626)
>   cli_session_setup_kerberos: spnego_gen_negTokenTarg failed: Cannot
> resolve network address for KDC in requested realm
> [2009/08/24 10:45:08,  0] lib/util_sock.c:write_data(1139)
>   write_data: write failure. Error = Die Verbindung wurde vom
> Kommunikationspartner zurückgesetzt
> [2009/08/24 10:45:08,  0] libsmb/clientgen.c:write_socket(242)
>   write_socket: Error writing 100 bytes to socket 18: ERRNO = Die
> Verbindung wurde vom Kommunikationspartner zurückgesetzt
> [2009/08/24 10:45:08,  0] libsmb/clientgen.c:cli_send_smb(290)
>   Error writing 100 bytes to client. -1 (Die Verbindung wurde vom
> Kommunikationspartner zurückgesetzt)
> [2009/08/24 10:45:08,  1] rpc_client/cli_pipe.c:cli_rpc_pipe_open(2227)
>   cli_rpc_pipe_open: cli_nt_create failed on pipe \samr to machine
> dc1.workgroup.intern.  Error was Write error: Die Verbindung wurde vom
> Kommunikationspartner zurückgesetzt
> [2009/08/24 10:45:08,  2]
> libsmb/cliconnect.c:cli_session_setup_kerberos(619)
>   Doing kerberos session setup
> [2009/08/24 10:45:08,  1] libsmb/clikrb5.c:ads_krb5_mk_req(680)
>   ads_krb5_mk_req: krb5_get_credentials failed for dc1$@WORKGROUP
> (Cannot resolve network address for KDC in requested realm)
> [2009/08/24 10:45:08,  1]
> libsmb/cliconnect.c:cli_session_setup_kerberos(626)
>   cli_session_setup_kerberos: spnego_gen_negTokenTarg failed: Cannot
> resolve network address for KDC in requested realm
> -----------------------------------------------------------------
> 
> If you need any other information, please let me know.
> Thanks for your patience!
> 
> Cheers,
> Robert
> 


-- 
Jeff Layton <jlayton at poochiereds.net>
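An added diagnostic, not part of this thread and not cifs.upcall's own code: it parses the cifs.spnego key description from the dmesg excerpt above and reports the service principal the upcall will request, which names the server (dc1), not the client host whose keys sit in /etc/krb5.keytab. It assumes the "host/" service name given in the reply and a default credential cache of FILE:/tmp/krb5cc_<uid>; the heuristic that compares the server's DNS domain with the realm is an assumption of this example, not something the upcall does.

```python
# Values copied from the thread: the key description logged by cifs_spnego.c,
# the realm shown by klist, and the principals listed in the client keytab.
KEY_DESC = ("ver=0x1;host=dc1.workgroup.site.de;ip4=1.2.3.220;"
            "sec=krb5;uid=0x18b05;user=euhus")
REALM = "WORKGROUP.INTERN"
CLIENT_KEYTAB = {"host/relogin.workgroup.site.de@WORKGROUP.INTERN",
                 "host/relogin@WORKGROUP.INTERN",
                 "RELOGIN$@WORKGROUP.INTERN"}


def parse_key_description(desc):
    """Split 'k=v;k=v;...' into a dict; the kernel writes 'uid' in hex."""
    fields = dict(item.split("=", 1) for item in desc.split(";") if item)
    if "uid" in fields:
        fields["uid"] = int(fields["uid"], 16)
    return fields


def expected_service_principal(fields, realm, service="host"):
    """Principal the upcall asks the KDC for: <service>/<server host>@REALM.

    The reply in the thread names the 'host' service; other versions of the
    upcall may try a 'cifs' service first (assumption, check your version).
    """
    return f"{service}/{fields['host']}@{realm}"


def diagnose(desc=KEY_DESC, realm=REALM, keytab=CLIENT_KEYTAB):
    """Return the facts a mount debugger wants from the key description."""
    f = parse_key_description(desc)
    spn = expected_service_principal(f, realm)
    return {
        "service_principal": spn,
        # The SPN names the server, so the client's keytab can never satisfy it.
        "in_client_keytab": spn in keytab,
        # Cache the upcall reads for the mounting user (assumed default path);
        # 0x18b05 is uid 101125, matching the klist output in the thread.
        "ccache": f"FILE:/tmp/krb5cc_{f['uid']}",
        # Heuristic (this example's own): a server name outside the realm's
        # DNS domain may not be the canonical name registered as an SPN, so
        # verify the principal exists with 'kvno' before mounting.
        "host_outside_realm_domain":
            not f["host"].lower().endswith("." + realm.lower()),
    }


if __name__ == "__main__":
    for key, value in diagnose().items():
        print(f"{key}: {value}")
```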

