[linux-cifs-client] Problem mounting shares using mount.cifs
Jeff Layton
jlayton at redhat.com
Fri Sep 25 07:46:38 MDT 2009
On Fri, 25 Sep 2009 12:08:06 +0200
Julian Thomé <frostisch at yahoo.de> wrote:
> Hello mailing list,
> I have a problem mounting samba-shares using mount.cifs with kerberos
> authentication.
> A snippet of the samba-configuration-file with the important kerberos
> option is as follows:
> >8-------------------------------------------smb.conf
> [global]
> client use spnego = yes
> security = user
> realm = REALM
> ...
> use kerberos keytab = yes
> ...
> wins support = yes
> domain logons = yes
> domain master = yes
> -----------------------------------------------------8<
> A snippet of the kerberos-configuration-file is as follows:
> >8-------------------------------------------krb5.conf
> [libdefaults]
> default_realm = REALM
>
> [realms]
> REALM = {
> kdc = ...
> admin_server = ...
> }
>
> [domain_realm]
> .intern.kmux.de = REALM
>
> [kdc]
> database = {
> realm = REALM
> dbname = ldap:ou=Benutzer,dc=kmux,dc=de
> hdb-ldap-structural-object = inetOrgPerson
> acl-file = /etc/heimdal-kdc/kadmind.acl
> mkey_file = /var/lib/heimdal-kdc/m-key
> }
>
> [logging]
> kdc = FILE:/var/log/krb5kdc.log
> admin_server = FILE:/var/log/kadmin.log
> default = FILE:/var/log/krb5default.log
>
> [appdefaults]
> pam = {
> ticket_lifetime = 1d
> renew_lifetime = 1d
> forwardable = true
> proxiable = true
> }
> -----------------------------------------------------8<
> The /etc/request-key.conf -file on the Client has the following content:
> >8------------------------------------request-key.conf
> create cifs.spnego * * /usr/sbin/cifs.upcall -c %k
> create dns_resolver * * /usr/sbin/cifs.upcall %k
> -----------------------------------------------------8<
> After login I receive a ticket, but if I want to mount a share with the
> command:
So you have pam.krb5 set up? Or are you kinit'ing manually?
> mount.cifs //sambaserver//public /home/admin/test -o sec=krb5
> an error occurs with the error message: mount error (126): Required key
> not available
>
> the full dmesg:
> >8------------------------------------dmesg
> [ 658.349644] fs/cifs/cifsfs.c: Devname: //sambaserver/public flags: 64
> [ 658.349644] fs/cifs/connect.c: CIFS VFS: in cifs_mount as Xid: 18
> with uid: 0
> [ 658.349644] fs/cifs/connect.c: Username: admin
> [ 658.349644] fs/cifs/connect.c: UNC: \\sambaserver\public ip:
> 192.168.32.22
> [ 658.349644] fs/cifs/connect.c: Socket created
> [ 658.349644] fs/cifs/connect.c: sndbuf 655360 rcvbuf 873800 rcvtimeo
> 0x7fffffff
> [ 658.349644] fs/cifs/connect.c: Existing smb sess not found
> [ 658.565617] fs/cifs/connect.c: Demultiplex PID: 5409
> [ 658.349644] fs/cifs/cifssmb.c: secFlags 0x8
> [ 658.349644] fs/cifs/cifssmb.c: Kerberos only mechanism, enable
> extended security
> [ 658.349644] fs/cifs/transport.c: For smb_command 114
> [ 658.349644] fs/cifs/transport.c: Sending smb of length 78
> [ 658.569617] fs/cifs/connect.c: rfc1002 length 0xbf
> [ 658.569617] fs/cifs/cifssmb.c: Dialect: 2
> [ 658.569617] fs/cifs/asn1.c: OID len = 7 oid = 0x1 0x2 0x348 0x1bb92
> [ 658.569617] fs/cifs/asn1.c: OID len = 7 oid = 0x1 0x2 0x348 0xbb92
> [ 658.569617] fs/cifs/asn1.c: OID len = 10 oid = 0x1 0x3 0x6 0x1
> [ 658.569617] fs/cifs/asn1.c: Need to call asn1_octets_decode()
> function for cifs/sambaserver@REALM
> [ 658.569617] fs/cifs/cifssmb.c: Signing disabled
> [ 658.569617] fs/cifs/cifssmb.c: negprot rc 0
> [ 658.569617] fs/cifs/connect.c: Security Mode: 0x3 Capabilities:
> 0x8080e3fd TimeAdjust: -7200
> [ 658.569617] fs/cifs/sess.c: sess setup type 6
> [ 658.569617] fs/cifs/cifs_spnego.c: key description =
> ver=0x1;host=sambaserver;ip4=192.168.32.22;sec=krb5;uid=0x0;user=admin
> [ 658.569617] fs/cifs/sess.c: ssetup freeing small buf f7bb7740
> [ 658.569617] CIFS VFS: Send error in SessSetup = -126
> [ 658.705643] fs/cifs/connect.c: No session or bad tcon
> [ 658.705643] fs/cifs/connect.c: CIFS VFS: leaving cifs_mount (xid =
> 18) rc = -126
> [ 658.705643] CIFS VFS: cifs_mount failed w/return code = -126
> -----------------------------------------------------8<
>
> The principal cifs/sambaserver exists.
> It would be very nice if someone could help me and/or explain this error
> to me ;-)
>
> Thank you in advance !!
>
It may be that you're using a non-default credcache location (i.e.
$KRB5CCNAME is set). cifs.upcall just recently learned how to find
those and support has not made it into most distros yet. If you
run this, what does it say?
$ klist | grep "Ticket cache:"
--
Jeff Layton <jlayton at redhat.com>
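
A way to script the check requested in the message above, as an added example that is not part of the original thread or of cifs-utils. It goes beyond the single `grep` by also accepting Heimdal's `Credentials cache:` label and by comparing the cache owner with the `uid=` field of the key description from the dmesg output. The function names are hypothetical, and the rule that an older cifs.upcall only finds `/tmp/krb5cc_*` caches owned by that uid is an assumption.

```shell
#!/bin/sh
# Added example, not from the thread. Assumption: a cifs.upcall without
# $KRB5CCNAME support only finds FILE caches named /tmp/krb5cc_* that are
# owned by the uid given in the cifs.spnego key description.

# Print one field (uid, user, sec, ...) of a key description.
key_field() {   # $1 = description, $2 = field name
    printf '%s\n' "$1" | tr ';' '\n' | sed -n "s/^$2=//p"
}

# Read klist output on stdin and print the cache name. MIT klist labels the
# line "Ticket cache:", Heimdal klist labels it "Credentials cache:".
cache_name() {
    sed -n -e 's/^Ticket cache: *//p' -e 's/^Credentials cache: *//p' | head -n 1
}

# Classify the cache and compare its owner with the uid in the description.
check_upcall() {   # $1 = description, $2 = klist output, $3 = owner uid of cache file
    u=$(key_field "$1" uid)
    [ -n "$u" ] || { echo "no-uid"; return; }
    want_uid=$(( u ))                      # uid is hex in the description (0x0)
    cache=$(printf '%s\n' "$2" | cache_name)
    case "$cache" in
        "") echo "no-cache" ;;
        FILE:/tmp/krb5cc_*|/tmp/krb5cc_*)
            if [ "$3" -eq "$want_uid" ]; then echo "ok"
            else echo "uid-mismatch"; fi ;;
        *)  echo "non-default" ;;
    esac
}

# Key description copied from the dmesg output above; klist text is constructed.
DESC='ver=0x1;host=sambaserver;ip4=192.168.32.22;sec=krb5;uid=0x0;user=admin'
KLIST_MIT='Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: admin@REALM'
KLIST_HEIMDAL='Credentials cache: FILE:/home/admin/.krb5cc
        Principal: admin@REALM'

check_upcall "$DESC" "$KLIST_MIT" 1000       # uid-mismatch
check_upcall "$DESC" "$KLIST_HEIMDAL" 1000   # non-default
check_upcall "$DESC" "$KLIST_MIT" 0          # ok
```

On a live client, pass `"$(klist)"` as the second argument and the output of `stat -c %u` on the cache file as the third.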