[Samba] CIFS, Kerberos over SSH tunnel (change service principal?)

Theo Markettos theom+news at chiark.greenend.org.uk
Tue Nov 25 17:02:00 GMT 2008

I'm trying to set up a CIFS mount to a NetApp F840 called 'elmer' over 
an SSH tunnel.  I also tunnel the Kerberos ports to the Windows AD 
server 'cannonstreet'.  I'm using Ubuntu hardy, with recent updates for 
CIFS that are claimed to work.

I tunnel like this:
ssh -f -N -x -o TCPKeepAlive=yes -L88:cannonstreet:88 -L137:cannonstreet:137 -L139:elmer:139 -L445:elmer:445 userid@host

My /etc/krb5.conf contains:
 default_realm = AD.CL.CAM.AC.UK
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 24h
 forwardable = yes

  kdc = localhost
  admin_server = localhost

 localhost = AD.CL.CAM.AC.UK
 .cl.cam.ac.uk = AD.CL.CAM.AC.UK
 .ad.cl.cam.ac.uk = AD.CL.CAM.AC.UK
 profile = /var/kerberos/krb5kdc/kdc.conf

My smb.conf has:
        security = ads
        realm = AD.CL.CAM.AC.UK
        password server =
# note that workgroup is the 'short' domain name
        workgroup = AD.CL.CAM.AC.UK
#       winbind separator = +
        idmap uid = 10000-20000
        idmap gid = 10000-20000
        winbind enum users = yes
        winbind enum groups = yes
        template homedir = /home/%D/%U
        template shell = /bin/bash
        client use spnego = yes
        client ntlmv2 auth = yes
        encrypt passwords = yes
        winbind use default domain = yes
        restrict anonymous = 2

I get a Kerberos ticket:

atm26@bigwig:~$ sudo kinit atm26
Password for atm26@AD.CL.CAM.AC.UK:
atm26@bigwig:~$ sudo klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: atm26@AD.CL.CAM.AC.UK

Valid starting     Expires            Service principal
11/25/08 16:39:48  11/26/08 02:39:50  krbtgt/AD.CL.CAM.AC.UK@AD.CL.CAM.AC.UK
	renew until 11/26/08 16:39:48

Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached

My /etc/request-key.conf has a line:
create  cifs.spnego     *       *               /usr/bin/cifs.upcall %k %d
(changing this does seem to make a difference to the error code)

But when I try to mount, I get:
atm26@bigwig:~$ sudo mount.cifs //elmer/bigdisc /mnt/bigdisc/ 
mount error 126 = Required key not available
Refer to the mount.cifs(8) manual page (e.g.man mount.cifs)
atm26@bigwig:~$ 

(Tried various versions of hostname including 'localhost' and FQDN)

If I increase the debug to 3 in /proc/fs/cifs/cifsFYI I get:

[ 2306.872008]  /build/buildd/linux-2.6.24/fs/cifs/cifsfs.c: Devname: //elmer/bigdisc flags: 64 
[ 2306.872016]  /build/buildd/linux-2.6.24/fs/cifs/connect.c: CIFS VFS: in cifs_mount as Xid: 8 with uid: 0
[ 2306.872025]  /build/buildd/linux-2.6.24/fs/cifs/connect.c: Username: atm26
[ 2306.872029]  /build/buildd/linux-2.6.24/fs/cifs/connect.c: UNC: \\elmer\bigdisc ip:
[ 2306.872039]  /build/buildd/linux-2.6.24/fs/cifs/connect.c: Socket created
[ 2306.874879]  /build/buildd/linux-2.6.24/fs/cifs/connect.c: sndbuf 50592 rcvbuf 87888 rcvtimeo 0x7fffffff
[ 2306.874933]  /build/buildd/linux-2.6.24/fs/cifs/connect.c: Demultiplex PID: 14282
[ 2306.874949]  /build/buildd/linux-2.6.24/fs/cifs/connect.c: Existing smb sess not found
[ 2306.874961]  /build/buildd/linux-2.6.24/fs/cifs/cifssmb.c: secFlags 0x8
[ 2306.874966]  /build/buildd/linux-2.6.24/fs/cifs/cifssmb.c: Kerberos only mechanism, enable extended security
[ 2306.874975]  /build/buildd/linux-2.6.24/fs/cifs/transport.c: For smb_command 114
[ 2306.874981]  /build/buildd/linux-2.6.24/fs/cifs/transport.c: Sending smb of length 69
[ 2306.877431]  /build/buildd/linux-2.6.24/fs/cifs/connect.c: rfc1002 length 0xbd
[ 2306.877673]  /build/buildd/linux-2.6.24/fs/cifs/cifssmb.c: Dialect: 2
[ 2306.877686]  /build/buildd/linux-2.6.24/fs/cifs/asn1.c: OID len = 7 oid = 0x1 0x2 0x348 
[ 2306.877691]  /build/buildd/linux-2.6.24/fs/cifs/asn1.c: OID len = 7 oid = 0x1 0x2 0x348 
[ 2306.877696]  /build/buildd/linux-2.6.24/fs/cifs/asn1.c: OID len = 10 oid = 0x1 0x3 0x6 
[ 2306.877701]  /build/buildd/linux-2.6.24/fs/cifs/asn1.c: Need to call asn1_octets_decode() function for cifs/bigwig.cl.cam.ac.uk@AD.CL.CAM.AC.UK
[ 2306.877706]  /build/buildd/linux-2.6.24/fs/cifs/cifssmb.c: Signing disabled
[ 2306.877710]  /build/buildd/linux-2.6.24/fs/cifs/cifssmb.c: negprot rc 0
[ 2306.877714]  /build/buildd/linux-2.6.24/fs/cifs/connect.c: Security Mode: 0x3 Capabilities: 0x8080f3fd TimeAdjust: 0
[ 2306.877719]  /build/buildd/linux-2.6.24/fs/cifs/sess.c: sess setup type 6
[ 2306.877729]  /build/buildd/linux-2.6.24/fs/cifs/cifs_spnego.c: key description = 
[ 2306.879410]  /build/buildd/linux-2.6.24/fs/cifs/sess.c: ssetup freeing small buf 
[ 2306.879417]  CIFS VFS: Send error in SessSetup = -126
[ 2307.009182]  /build/buildd/linux-2.6.24/fs/cifs/connect.c: No session or bad tcon
[ 2307.009196]  /build/buildd/linux-2.6.24/fs/cifs/connect.c: CIFS VFS: leaving cifs_mount (xid = 8) rc = -126
[ 2307.009202]  CIFS VFS: cifs_mount failed w/return code = -126

Can anyone tell me what's going wrong here?  I think it might be that 
the service principal of my ticket is 
krbtgt/AD.CL.CAM.AC.UK@AD.CL.CAM.AC.UK but CIFS is trying to access 
cifs/bigwig.cl.cam.ac.uk@AD.CL.CAM.AC.UK.  bigwig is the name of the 
client machine, which the CIFS server knows nothing about (it's not on 
its network, hence the SSH tunnel).  I can't work out how to change the 
principal name (using '-S bigwig' on kinit just complains that the server 
isn't found).

smbclient says this:
atm26@bigwig:~$ sudo smbclient -k -L
ads_krb5_mk_req: krb5_get_credentials failed for cifs/bigwig.cl.cam.ac.uk@AD.CL.CAM.AC.UK (Server not found in Kerberos database)
cli_session_setup_kerberos: spnego_gen_negTokenTarg failed: Server not found in Kerberos database
session setup failed: SUCCESS - 0

FWIW the following used to work under Samba:
sudo kinit atm26
sudo smbmount "\\\filer\homes-6" /mnt/homes-6 -o krb,ip=,fmask=700,dmask=700,uid=atm26,gid=atm26
sudo smbmount "\\\filer\bigdisc" /mnt/bigdisc -o krb,ip=,fmask=700,dmask=700,uid=atm26,gid=atm26

Anyone have any ideas?
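The failure in the post boils down to a Kerberos service principal name (SPN) mismatch: the ticket cache holds only a TGT, and the CIFS client asks the KDC for a service ticket for cifs/bigwig.cl.cam.ac.uk (the client's own name) rather than for the file server's name, so the KDC answers "Server not found in Kerberos database". The following script is an added example, not code from the post or from Samba; it parses klist output and the cifsFYI log lines (both constructed here to mirror the ones above), works out which SPN the client requested, which SPN the server would normally have registered, and reports the mismatch. The server's DNS domain (cl.cam.ac.uk), the realm and the helper names are assumptions for the example.

```python
"""Diagnose a Kerberos SPN mismatch from klist output and CIFS debug log lines.

Added example, not code from the original post or from Samba. It encodes
standard Kerberos behaviour: the KDC only issues a service ticket for a
principal that is registered in its database, so a client that derives its
SPN from the wrong host name cannot obtain a ticket for the file server.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Constructed sample: a ticket cache holding only the TGT, as in the post.
KLIST_OUTPUT = """Ticket cache: FILE:/tmp/krb5cc_0
Default principal: atm26@AD.CL.CAM.AC.UK

Valid starting     Expires            Service principal
11/25/08 16:39:48  11/26/08 02:39:50  krbtgt/AD.CL.CAM.AC.UK@AD.CL.CAM.AC.UK
\trenew until 11/26/08 16:39:48
"""

# Constructed sample: the cifsFYI lines that name the SPN the kernel asked for.
CIFS_LOG = """[ 2306.877701]  /build/buildd/linux-2.6.24/fs/cifs/asn1.c: Need to call asn1_octets_decode() function for cifs/bigwig.cl.cam.ac.uk@AD.CL.CAM.AC.UK
[ 2306.879417]  CIFS VFS: Send error in SessSetup = -126
"""

# service/host@REALM, as printed by klist and by the kernel.
PRINCIPAL_RE = re.compile(r"([A-Za-z0-9._-]+/[A-Za-z0-9._-]+@[A-Z0-9.\-]+)")
# One klist ticket row: start date, start time, expiry date, expiry time, principal.
KLIST_ROW_RE = re.compile(r"^\d\S* \S+\s+\d\S* \S+\s+(\S+)\s*$", re.M)


def cached_service_principals(klist_text: str) -> set[str]:
    """Service principals for which the cache already holds a ticket."""
    return set(KLIST_ROW_RE.findall(klist_text))


def requested_spn(cifs_log: str) -> str | None:
    """SPN the CIFS client asked the KDC for, taken from the asn1.c debug line."""
    for line in cifs_log.splitlines():
        if "asn1.c" in line:
            match = PRINCIPAL_RE.search(line)
            if match:
                return match.group(1)
    return None


def expected_spn(unc: str, server_domain: str, realm: str) -> str:
    """SPN a file server normally has registered: cifs/<server fqdn>@REALM.

    server_domain is an assumption supplied by the caller; a short UNC host
    name is qualified with it.
    """
    host = unc.strip("/\\").split("/")[0].split("\\")[0]
    if "." not in host:
        host = f"{host}.{server_domain}"
    return f"cifs/{host.lower()}@{realm.upper()}"


@dataclass
class Diagnosis:
    requested: str | None
    expected: str
    cached: set[str]
    problems: list[str] = field(default_factory=list)


def diagnose(klist_text: str, cifs_log: str, unc: str,
             server_domain: str, realm: str) -> Diagnosis:
    """Compare the SPN the client requested with what the server would register."""
    d = Diagnosis(requested_spn(cifs_log),
                  expected_spn(unc, server_domain, realm),
                  cached_service_principals(klist_text))
    if d.requested is None:
        d.problems.append("no SPN found in CIFS log")
        return d
    if d.requested not in d.cached:
        d.problems.append(f"no service ticket for {d.requested} in cache (only a TGT)")
    requested_host = d.requested.split("/", 1)[1].split("@")[0]
    expected_host = d.expected.split("/", 1)[1].split("@")[0]
    if requested_host != expected_host:
        d.problems.append(
            f"client built its SPN from host {requested_host!r} but the server is "
            f"{expected_host!r}; the KDC has no principal under the client's name, "
            f"which is what 'Server not found in Kerberos database' reports")
    return d


if __name__ == "__main__":
    result = diagnose(KLIST_OUTPUT, CIFS_LOG, "//elmer/bigdisc",
                      "cl.cam.ac.uk", "AD.CL.CAM.AC.UK")
    print("requested:", result.requested)
    print("expected: ", result.expected)
    for problem in result.problems:
        print("problem:  ", problem)
```

Run against the constructed samples it reports two problems: the cache holds no service ticket at all, and the requested host part (bigwig.cl.cam.ac.uk) is the client rather than the server (elmer.cl.cam.ac.uk). The general point for any tunnelled mount is that the SPN must name the real file server as registered in the directory, whatever name or address the client actually connects to, so the check to make before touching the tunnel is whether kinit can obtain a ticket for cifs/<server fqdn> directly.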