[linux-cifs-client] Problem mounting shares using mount.cifsl

Jeff Layton jlayton at redhat.com
Fri Sep 25 07:46:38 MDT 2009 

On Fri, 25 Sep 2009 12:08:06 +0200
Julian Thomé <frostisch at yahoo.de> wrote:

> Hello mailing list,
> I have a problem mounting samba-shares using mount.cifs with kerberos 
> authentication.
> A snippet of the samba-configuration-file with the important kerberos 
> option is as follows:
>  >8-------------------------------------------smb.conf
> [global]
>     client use spnego = yes
>     security = user
>     realm = REALM
>    ...
>     use kerberos keytab = yes
>    ...
>     wins support = yes
>     domain logons = yes
>     domain master = yes
> -----------------------------------------------------8<
> A snippet of the kerberos-configuration-file is as follows:
>  >8-------------------------------------------krb5.conf
> [libdefaults]
>     default_realm = REALM
> 
> [realms]
>     REALM = {
>             kdc = ...
>             admin_server = ...
>     }
> 
> [domain_realm]
>     .intern.kmux.de = REALM
> 
> [kdc]
>     database = {
>             realm = REALM
>             dbname = ldap:ou=Benutzer,dc=kmux,dc=de
>             hdb-ldap-structural-object = inetOrgPerson
>             acl-file = /etc/heimdal-kdc/kadmind.acl
>             mkey_file = /var/lib/heimdal-kdc/m-key
>     }
> 
> [logging]
>     kdc = FILE:/var/log/krb5kdc.log
>     admin_server = FILE:/var/log/kadmin.log
>     default = FILE:/var/log/krb5default.log
> 
> [appdefaults]
>     pam = {
>             ticket_lifetime = 1d
>             renew_lifetime = 1d
>             forwardable = true
>             proxiable = true
>     }
> -----------------------------------------------------8<
> The /etc/request-key.conf -file on the Client has the following content:
>  >8------------------------------------request-key.conf
> create  cifs.spnego    * * /usr/sbin/cifs.upcall -c %k
> create  dns_resolver   * * /usr/sbin/cifs.upcall %k
> -----------------------------------------------------8<
> After login i receive a ticket, but if i want to mount a share with the 
> command:

So you have pam.krb5 set up? Or are you kinit'ing manually?

> mount.cifs //sambaserver//public /home/admin/test -o sec=krb5
> an error occurs with the error message: mount error (126): Required key 
> not available
> 
> the full dmesg:
>  >8------------------------------------dmesg
> [  658.349644]  fs/cifs/cifsfs.c: Devname: //sambaserver/public flags: 64
> [  658.349644]  fs/cifs/connect.c: CIFS VFS: in cifs_mount as Xid: 18 
> with uid: 0
> [  658.349644]  fs/cifs/connect.c: Username: admin
> [  658.349644]  fs/cifs/connect.c: UNC: \\sambaserver\public ip: 
> 192.168.32.22
> [  658.349644]  fs/cifs/connect.c: Socket created
> [  658.349644]  fs/cifs/connect.c: sndbuf 655360 rcvbuf 873800 rcvtimeo 
> 0x7fffffff
> [  658.349644]  fs/cifs/connect.c: Existing smb sess not found
> [  658.565617]  fs/cifs/connect.c: Demultiplex PID: 5409
> [  658.349644]  fs/cifs/cifssmb.c: secFlags 0x8
> [  658.349644]  fs/cifs/cifssmb.c: Kerberos only mechanism, enable 
> extended security
> [  658.349644]  fs/cifs/transport.c: For smb_command 114
> [  658.349644]  fs/cifs/transport.c: Sending smb of length 78
> [  658.569617]  fs/cifs/connect.c: rfc1002 length 0xbf
> [  658.569617]  fs/cifs/cifssmb.c: Dialect: 2
> [  658.569617]  fs/cifs/asn1.c: OID len = 7 oid = 0x1 0x2 0x348 0x1bb92
> [  658.569617]  fs/cifs/asn1.c: OID len = 7 oid = 0x1 0x2 0x348 0xbb92
> [  658.569617]  fs/cifs/asn1.c: OID len = 10 oid = 0x1 0x3 0x6 0x1
> [  658.569617]  fs/cifs/asn1.c: Need to call asn1_octets_decode() 
> function for cifs/sambaserver at REALM
> [  658.569617]  fs/cifs/cifssmb.c: Signing disabled
> [  658.569617]  fs/cifs/cifssmb.c: negprot rc 0
> [  658.569617]  fs/cifs/connect.c: Security Mode: 0x3 Capabilities: 
> 0x8080e3fd TimeAdjust: -7200
> [  658.569617]  fs/cifs/sess.c: sess setup type 6
> [  658.569617]  fs/cifs/cifs_spnego.c: key description = 
> ver=0x1;host=sambaserver;ip4=192.168.32.22;sec=krb5;uid=0x0;user=admin
> [  658.569617]  fs/cifs/sess.c: ssetup freeing small buf f7bb7740
> [  658.569617]  CIFS VFS: Send error in SessSetup = -126
> [  658.705643]  fs/cifs/connect.c: No session or bad tcon
> [  658.705643]  fs/cifs/connect.c: CIFS VFS: leaving cifs_mount (xid = 
> 18) rc = -126
> [  658.705643]  CIFS VFS: cifs_mount failed w/return code = -126
> -----------------------------------------------------8<
> 
> The principal cifs/sambaserver exists.
> It would be very nice if someone could help me and/or explain this error 
> to me ;-)
> 
> Thank you in advance !!
> 

It may be that you're using a non-default credcache location (i.e.
$KRB5CCNAME is set). cifs.upcall just recently learned how to find
those and support has not yet made it into most distros yet. If you
run this, what does it say?

$ klist | grep "Ticket cache:"

-- 
Jeff Layton <jlayton at redhat.com>

More information about the linux-cifs-client mailing list