[linux-cifs-client] Can not mount AD share with Kerberos ticket: mount error 126 = Required key not available

Q (Igor Mammedov) qwerty0987654321 at mail.ru
Fri Sep 11 09:40:29 MDT 2009


On Fri, Sep 11, 2009 at 6:55 PM, Jeff Layton <jlayton at poochiereds.net> wrote:
> On Fri, 11 Sep 2009 14:49:04 +0200
> Robert Euhus <euhus-liste1 at rrzn.uni-hannover.de> wrote:
>
>> Hello,
>>
>> I have added my Linux computer "relogin" to the our local AD-Realm
>> "WORKGROUP.INTERN".
>> I'm using Winbind for authentication against AD and user mapping (with
>> idmap_rid).
>>
>> At login I get two kerberos tickets:
>>
>> -----------------------------------------------------------------
>> euhus at relogin:~$ klist -5
>> Ticket cache: FILE:/tmp/krb5cc_101125
>> Default principal: euhus at WORKGROUP.INTERN
>>
>> Valid starting     Expires            Service principal
>> 08/28/09 14:54:57  08/29/09 00:54:57
>> krbtgt/WORKGROUP.INTERN at WORKGROUP.INTERN
>>         renew until 09/04/09 14:54:57
>> 08/28/09 14:54:57  08/29/09 00:54:57  RELOGIN$@WORKGROUP.INTERN
>>         renew until 09/04/09 14:54:57
>> euhus at relogin:~$
>> -----------------------------------------------------------------
>>
>> However, when I try to use these tickets for mounting a share it fails
>> with "mount error 126 = Required key not available":
>>
>> -----------------------------------------------------------------
>> euhus at relogin:~$ /sbin/mount.cifs //dc1.workgroup.site.de/homes
>> .workgroup/homes/ --verbose -o sec=krb5i,guest
>> parsing options: sec=krb5i,guest
>>
>> mount.cifs kernel mount options
>> unc=//dc1.workgroup.site.de\homes,ip=1.2.3.220,user=euhus,ver=1,sec=krb5i,guest,uid=101125,gid=100513
>>
>> mount error 126 = Required key not available
>> Refer to the mount.cifs(8) manual page (e.g.man mount.cifs)
>> -----------------------------------------------------------------
>>
>> In /etc/request-key.conf I have:
>>
>> -----------------------------------------------------------------
>> create        cifs.spnego    * * /usr/sbin/cifs.upcall %k %d
>> create      dns_resolver   * * /usr/sbin/cifs.upcall %k
>> -----------------------------------------------------------------
>>
>> Even with "echo 3 > /proc/fs/cifs/cifsFYI" dmesg does not really help:
>>
>> -----------------------------------------------------------------
>> [442597.829966]  fs/cifs/connect.c: No session or bad tcon
>> [442597.829966]  fs/cifs/connect.c: CIFS VFS: leaving cifs_mount (xid =
>> 25) rc = -95
>> [442597.829966]  CIFS VFS: cifs_mount failed w/return code = -95
>> [442602.280555]  fs/cifs/cifsfs.c: Devname:
>> //dc1.workgroup.site.de/homes flags: 64
>> [442602.280555]  fs/cifs/connect.c: CIFS VFS: in cifs_mount as Xid: 26
>> with uid: 0
>> [442602.280555]  fs/cifs/connect.c: Username: euhus
>> [442602.280555]  fs/cifs/connect.c: UNC: \\dc1.workgroup.site.de\homes
>> ip: 1.2.3.220
>> [442602.280555]  fs/cifs/connect.c: Socket created
>> [442602.280555]  fs/cifs/connect.c: sndbuf 16384 rcvbuf 87380 rcvtimeo
>> 0x7fffffff
>> [442602.281556]  fs/cifs/connect.c: Existing smb sess not found
>> [442602.280555]  fs/cifs/connect.c: Demultiplex PID: 20596
>> [442602.281556]  fs/cifs/cifssmb.c: secFlags 0x1009
>> [442602.281556]  fs/cifs/cifssmb.c: Kerberos only mechanism, enable
>> extended security
>> [442602.281556]  fs/cifs/transport.c: For smb_command 114
>> [442602.281556]  fs/cifs/transport.c: Sending smb of length 78
>> [442602.280555]  fs/cifs/connect.c: rfc1002 length 0xc5
>> [442602.281556]  fs/cifs/cifssmb.c: Dialect: 2
>> [442602.281556]  fs/cifs/asn1.c: OID len = 7 oid = 0x1 0x2 0x348 0xbb92
>> [442602.281556]  fs/cifs/asn1.c: OID len = 7 oid = 0x1 0x2 0x348 0x1bb92
>> [442602.281556]  fs/cifs/asn1.c: OID len = 8 oid = 0x1 0x2 0x348 0x1bb92
>> [442602.281556]  fs/cifs/asn1.c: OID len = 10 oid = 0x1 0x3 0x6 0x1
>> [442602.281556]  fs/cifs/asn1.c: Need to call asn1_octets_decode()
>> function for not_defined_in_RFC4178 at please_ignore
>> [442602.281556]  fs/cifs/cifssmb.c: Must sign - secFlags 0x1009
>> [442602.281556]  fs/cifs/cifssmb.c: negprot rc 0
>> [442602.281556]  fs/cifs/connect.c: Security Mode: 0xf Capabilities:
>> 0x8001f3fd TimeAdjust: -7200
>> [442602.281556]  fs/cifs/sess.c: sess setup type 6
>> [442602.281556]  fs/cifs/cifs_spnego.c: key description =
>> ver=0x1;host=dc1.workgroup.site.de;ip4=1.2.3.220;sec=krb5;uid=0x18b05;user=euhus
>> [442602.328182]  fs/cifs/sess.c: ssetup freeing small buf f699dc80
>> [442602.328182]  CIFS VFS: Send error in SessSetup = -126
>> [442602.460181]  fs/cifs/connect.c: No session or bad tcon
>> [442602.460181]  fs/cifs/connect.c: CIFS VFS: leaving cifs_mount (xid =
>> 26) rc = -126
>> [442602.460181]  CIFS VFS: cifs_mount failed w/return code = -126
>> -----------------------------------------------------------------
>> I guess that cifs.upcall is trying to get the key for
>> "host/relogin.workgroup.site.de at WORKGROUP.INTERN" which I don't have as
>> user. I don't really have an idea why. But Kerberos tickets for my host
>> are in fact available in /etc/krb5.keytab:
>>
>
> ...nope, according to the above info, cifs.upcall is going to attempt
> to get a service principal of:
>
>    host/dc1.workgroup.site.de at WORKGROUP.INTERN

Robert,

Try a command like this:
$ kvno host/dc1.workgroup.site.de
to see if you can get a service ticket.


>
> ...before connecting to the server. That's failing for some reason. In
> general with krb5 you'll want to use the canonical hostname of the
> server when mounting as that's the name most likely to be used in
> service principals.
>
>> -----------------------------------------------------------------
>> relogin:~# klist -k /etc/krb5.keytab
>> Keytab name: FILE:/etc/krb5.keytab
>> KVNO Principal
>> ----
>> --------------------------------------------------------------------------
>>    4 host/relogin.workgroup.site.de at WORKGROUP.INTERN
>>    4 host/relogin.workgroup.site.de at WORKGROUP.INTERN
>>    4 host/relogin.workgroup.site.de at WORKGROUP.INTERN
>>    4 host/relogin at WORKGROUP.INTERN
>>    4 host/relogin at WORKGROUP.INTERN
>>    4 host/relogin at WORKGROUP.INTERN
>>    4 RELOGIN$@WORKGROUP.INTERN
>>    4 RELOGIN$@WORKGROUP.INTERN
>>    4 RELOGIN$@WORKGROUP.INTERN
>> -----------------------------------------------------------------
>>
>> Using smbclient, Konqueror and Nautilus works with the ticket.
>>
>> I have tried the same on an Ubuntu 9.04 system without success.
>> Sadly I haven't found any hints on the web. So maybe someone could at
>> least give me a hint what to look out for, e.g. I would really like to see
>> what key it is trying to find. But I could not find an option for seeing
>> this in the logs.
>>
>> Some more information on my system:
>> Standard Debian Lenny with kernel 2.6.28-15-generic which has CIFS
>> Version 1.55
>>
>> One more thing that might be connected to this (although I don't think
>> so): in /var/log/samba/log.winbindd I found:
>>
>> -----------------------------------------------------------------
>> [2009/08/24 10:12:52,  0]
>> winbindd/winbindd_cache.c:initialize_winbindd_cache(2374)
>>   initialize_winbindd_cache: clearing cache and re-creating with version
>> number 1
>> [2009/08/24 10:12:52,  2] winbindd/winbindd_util.c:add_trusted_domain(192)
>>   Added domain BUILTIN  S-1-5-32
>> [2009/08/24 10:12:52,  2] winbindd/winbindd_util.c:add_trusted_domain(192)
>>   Added domain RELOGIN  S-1-5-21-1796453317-37119528-1882467029
>> [2009/08/24 10:12:52,  2] winbindd/winbindd_util.c:add_trusted_domain(192)
>>   Added domain WORKGROUP WORKGROUP.INTERN
>> S-1-5-21-3432792198-3694902127-1061648754
>> [2009/08/24 10:12:52,  2]
>> libsmb/cliconnect.c:cli_session_setup_kerberos(619)
>>   Doing kerberos session setup
>> [2009/08/24 10:12:52,  1] libsmb/clikrb5.c:ads_krb5_mk_req(680)
>>   ads_krb5_mk_req: krb5_get_credentials failed for dc1$@WORKGROUP
>> (Cannot resolve network address for KDC in requested realm)
>> [2009/08/24 10:12:52,  1]
>> libsmb/cliconnect.c:cli_session_setup_kerberos(626)
>>   cli_session_setup_kerberos: spnego_gen_negTokenTarg failed: Cannot
>> resolve network address for KDC in requested realm
>> [2009/08/24 10:45:08,  0] lib/util_sock.c:write_data(1139)
>>   write_data: write failure. Error = Die Verbindung wurde vom
>> Kommunikationspartner zurückgesetzt
>> [2009/08/24 10:45:08,  0] libsmb/clientgen.c:write_socket(242)
>>   write_socket: Error writing 100 bytes to socket 18: ERRNO = Die
>> Verbindung wurde vom Kommunikationspartner zurückgesetzt
>> [2009/08/24 10:45:08,  0] libsmb/clientgen.c:cli_send_smb(290)
>>   Error writing 100 bytes to client. -1 (Die Verbindung wurde vom
>> Kommunikationspartner zurückgesetzt)
>> [2009/08/24 10:45:08,  1] rpc_client/cli_pipe.c:cli_rpc_pipe_open(2227)
>>   cli_rpc_pipe_open: cli_nt_create failed on pipe \samr to machine
>> dc1.workgroup.intern.  Error was Write error: Die Verbindung wurde vom
>> Kommunikationspartner zurückgesetzt
>> [2009/08/24 10:45:08,  2]
>> libsmb/cliconnect.c:cli_session_setup_kerberos(619)
>>   Doing kerberos session setup
>> [2009/08/24 10:45:08,  1] libsmb/clikrb5.c:ads_krb5_mk_req(680)
>>   ads_krb5_mk_req: krb5_get_credentials failed for dc1$@WORKGROUP
>> (Cannot resolve network address for KDC in requested realm)
>> [2009/08/24 10:45:08,  1]
>> libsmb/cliconnect.c:cli_session_setup_kerberos(626)
>>   cli_session_setup_kerberos: spnego_gen_negTokenTarg failed: Cannot
>> resolve network address for KDC in requested realm
>> -----------------------------------------------------------------
>>
>> If You need any other information, please let me know.
>> Thanks for Your patience!
>>
>> Cheers,
>> Robert
>>
>> _______________________________________________
>> linux-cifs-client mailing list
>> linux-cifs-client at lists.samba.org
>> https://lists.samba.org/mailman/listinfo/linux-cifs-client
>
>
> --
> Jeff Layton <jlayton at poochiereds.net>
>

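To make the point in Jeff's reply concrete: the "key description" line that cifsFYI logs carries the host that cifs.upcall will build its service principal from, so reading that line tells you exactly which ticket the upcall needs. The script below is an example added to this archive page, not code from cifs.upcall or the Samba project. It parses the key description, derives host/<host>@<REALM> (assuming, as a simplification, the realm of the ticket cache's default principal), and checks a klist dump for a matching service ticket. The key description and klist text are constructed from the values quoted in the thread, with each klist entry kept on one line.

```python
"""Derive the service principal a cifs.spnego upcall will request.

Added example for this archive page; not code from cifs.upcall or Samba.
It parses the kernel's logged "key description" (visible with cifsFYI),
builds host/<host>@<REALM>, and checks a klist dump for a matching ticket.
Assumption: the realm is that of the ticket cache's default principal.
"""
import re

# Constructed from the dmesg line quoted in the thread.
KEY_DESC = ("ver=0x1;host=dc1.workgroup.site.de;ip4=1.2.3.220;"
            "sec=krb5;uid=0x18b05;user=euhus")

# Constructed klist output carrying the same two tickets as the thread
# (each entry kept on one line; real klist may wrap long principals).
KLIST_OUTPUT = """\
Ticket cache: FILE:/tmp/krb5cc_101125
Default principal: euhus@WORKGROUP.INTERN

Valid starting     Expires            Service principal
08/28/09 14:54:57  08/29/09 00:54:57  krbtgt/WORKGROUP.INTERN@WORKGROUP.INTERN
        renew until 09/04/09 14:54:57
08/28/09 14:54:57  08/29/09 00:54:57  RELOGIN$@WORKGROUP.INTERN
        renew until 09/04/09 14:54:57
"""

# A ticket line: two timestamps followed by the service principal.
TICKET_LINE = re.compile(
    r"^\d\d/\d\d/\d\d \d\d:\d\d:\d\d\s+\d\d/\d\d/\d\d \d\d:\d\d:\d\d\s+(\S+)\s*$",
    re.M)


def parse_key_description(desc):
    """Split 'k=v;k=v' into a dict; the uid field is hex in the description."""
    fields = {}
    for item in desc.split(";"):
        if item:
            key, _, value = item.partition("=")
            fields[key] = value
    if "uid" in fields:
        fields["uid"] = int(fields["uid"], 16)  # 0x18b05 -> 101125
    return fields


def default_realm(klist_output):
    """Realm of the cache's default principal (assumed to be the target realm)."""
    m = re.search(r"^Default principal:\s*\S+?@(\S+)", klist_output, re.M)
    if m is None:
        raise ValueError("no 'Default principal:' line in klist output")
    return m.group(1)


def service_principals(klist_output):
    """Set of service principals that already have a ticket in the cache."""
    return set(TICKET_LINE.findall(klist_output))


def expected_service_principal(fields, realm):
    """cifs.upcall asks for host/<host>, <host> being the key description's host field."""
    return "host/%s@%s" % (fields["host"], realm)


def diagnose(desc, klist_output):
    """Report which principal the upcall needs and whether a ticket is cached."""
    fields = parse_key_description(desc)
    spn = expected_service_principal(fields, default_realm(klist_output))
    has_ticket = spn in service_principals(klist_output)
    return {
        "principal": spn,
        "uid": fields["uid"],          # owner of the cache that must hold it
        "has_ticket": has_ticket,
        # If no ticket is cached, the next check is whether the KDC will issue one.
        "next_step": None if has_ticket else "kvno " + spn.split("@")[0],
    }


if __name__ == "__main__":
    for key, value in diagnose(KEY_DESC, KLIST_OUTPUT).items():
        print("%-11s %s" % (key + ":", value))
```

Two details are worth noticing in the output: the uid in the key description (0x18b05) is 101125, i.e. the same uid that owns /tmp/krb5cc_101125 in the klist dump, and the derived principal is host/dc1.workgroup.site.de@WORKGROUP.INTERN, which no cached ticket matches, so the script points at the kvno check from the reply above.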