[Samba] CIFS, Kerberos over SSH tunnel (change service principal?)
Theo Markettos
theom+news at chiark.greenend.org.uk
Tue Nov 25 17:02:00 GMT 2008
I'm trying to set up a CIFS mount to a NetApp F840 called 'elmer' over
an SSH tunnel. I also tunnel the Kerberos ports to the Windows AD
server 'cannonstreet'. Using Ubuntu hardy, with recent updates for CIFS
that are claimed to work:
https://bugs.launchpad.net/ubuntu/+source/samba/+bug/236830
I tunnel like this:
ssh -f -N -x -o TCPKeepAlive=yes -L88:cannonstreet:88 -L137:cannonstreet:137 -L139:elmer:139 -L445:elmer:445 userid@host
My /etc/krb5.conf contains:
[libdefaults]
    default_realm = AD.CL.CAM.AC.UK
    dns_lookup_realm = false
    dns_lookup_kdc = false
    ticket_lifetime = 24h
    forwardable = yes

[realms]
    AD.CL.CAM.AC.UK = {
        kdc = localhost
        admin_server = localhost
    }

[domain_realm]
    localhost = AD.CL.CAM.AC.UK
    .cl.cam.ac.uk = AD.CL.CAM.AC.UK
    .ad.cl.cam.ac.uk = AD.CL.CAM.AC.UK

[kdc]
    profile = /var/kerberos/krb5kdc/kdc.conf
My smb.conf has:
[global]
    security = ads
    realm = AD.CL.CAM.AC.UK
    password server = 127.0.0.1
    # note that workgroup is the 'short' domain name
    workgroup = AD.CL.CAM.AC.UK
    # winbind separator = +
    idmap uid = 10000-20000
    idmap gid = 10000-20000
    winbind enum users = yes
    winbind enum groups = yes
    template homedir = /home/%D/%U
    template shell = /bin/bash
    client use spnego = yes
    client ntlmv2 auth = yes
    encrypt passwords = yes
    winbind use default domain = yes
    restrict anonymous = 2
I get a Kerberos ticket:
atm26@bigwig:~$ sudo kinit atm26
Password for atm26@AD.CL.CAM.AC.UK:
atm26@bigwig:~$ sudo klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: atm26@AD.CL.CAM.AC.UK
Valid starting     Expires            Service principal
11/25/08 16:39:48  11/26/08 02:39:50  krbtgt/AD.CL.CAM.AC.UK@AD.CL.CAM.AC.UK
renew until 11/26/08 16:39:48
Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached
My /etc/request-key.conf has a line:
create cifs.spnego * * /usr/bin/cifs.upcall %k %d
(changing this does seem to make a difference to the error code)
But when I try to mount, I get:
atm26@bigwig:~$ sudo mount.cifs //elmer/bigdisc /mnt/bigdisc/ -oip=127.0.0.1,username=atm26,user=atm26,sec=krb5,guest
mount error 126 = Required key not available
Refer to the mount.cifs(8) manual page (e.g.man mount.cifs)
atm26@bigwig:~$
(Tried various versions of hostname including 'localhost' and FQDN)
If I increase the debug to 3 in /proc/fs/cifs/cifsFYI I get:
[ 2306.872008] /build/buildd/linux-2.6.24/fs/cifs/cifsfs.c: Devname: //elmer/bigdisc flags: 64
[ 2306.872016] /build/buildd/linux-2.6.24/fs/cifs/connect.c: CIFS VFS: in cifs_mount as Xid: 8 with uid: 0
[ 2306.872025] /build/buildd/linux-2.6.24/fs/cifs/connect.c: Username: atm26
[ 2306.872029] /build/buildd/linux-2.6.24/fs/cifs/connect.c: UNC: \\elmer\bigdisc ip: 127.0.0.1
[ 2306.872039] /build/buildd/linux-2.6.24/fs/cifs/connect.c: Socket created
[ 2306.874879] /build/buildd/linux-2.6.24/fs/cifs/connect.c: sndbuf 50592 rcvbuf 87888 rcvtimeo 0x7fffffff
[ 2306.874933] /build/buildd/linux-2.6.24/fs/cifs/connect.c: Demultiplex PID: 14282
[ 2306.874949] /build/buildd/linux-2.6.24/fs/cifs/connect.c: Existing smb sess not found
[ 2306.874961] /build/buildd/linux-2.6.24/fs/cifs/cifssmb.c: secFlags 0x8
[ 2306.874966] /build/buildd/linux-2.6.24/fs/cifs/cifssmb.c: Kerberos only mechanism, enable extended security
[ 2306.874975] /build/buildd/linux-2.6.24/fs/cifs/transport.c: For smb_command 114
[ 2306.874981] /build/buildd/linux-2.6.24/fs/cifs/transport.c: Sending smb of length 69
[ 2306.877431] /build/buildd/linux-2.6.24/fs/cifs/connect.c: rfc1002 length 0xbd
[ 2306.877673] /build/buildd/linux-2.6.24/fs/cifs/cifssmb.c: Dialect: 2
[ 2306.877686] /build/buildd/linux-2.6.24/fs/cifs/asn1.c: OID len = 7 oid = 0x1 0x2 0x348 0x1bb92
[ 2306.877691] /build/buildd/linux-2.6.24/fs/cifs/asn1.c: OID len = 7 oid = 0x1 0x2 0x348 0xbb92
[ 2306.877696] /build/buildd/linux-2.6.24/fs/cifs/asn1.c: OID len = 10 oid = 0x1 0x3 0x6 0x1
[ 2306.877701] /build/buildd/linux-2.6.24/fs/cifs/asn1.c: Need to call asn1_octets_decode() function for cifs/bigwig.cl.cam.ac.uk@AD.CL.CAM.AC.UK
[ 2306.877706] /build/buildd/linux-2.6.24/fs/cifs/cifssmb.c: Signing disabled
[ 2306.877710] /build/buildd/linux-2.6.24/fs/cifs/cifssmb.c: negprot rc 0
[ 2306.877714] /build/buildd/linux-2.6.24/fs/cifs/connect.c: Security Mode: 0x3 Capabilities: 0x8080f3fd TimeAdjust: 0
[ 2306.877719] /build/buildd/linux-2.6.24/fs/cifs/sess.c: sess setup type 6
[ 2306.877729] /build/buildd/linux-2.6.24/fs/cifs/cifs_spnego.c: key description = ver=0x1;host=elmer;ip4=127.0.0.1;sec=krb5;uid=0x0
[ 2306.879410] /build/buildd/linux-2.6.24/fs/cifs/sess.c: ssetup freeing small buf dff88200
[ 2306.879417] CIFS VFS: Send error in SessSetup = -126
[ 2307.009182] /build/buildd/linux-2.6.24/fs/cifs/connect.c: No session or bad tcon
[ 2307.009196] /build/buildd/linux-2.6.24/fs/cifs/connect.c: CIFS VFS: leaving cifs_mount (xid = 8) rc = -126
[ 2307.009202] CIFS VFS: cifs_mount failed w/return code = -126
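The three "OID len = ..." lines in the cifsFYI output above are the mechanism OIDs the server advertises in its SPNEGO negTokenInit, printed as the arc count and the first four decoded arcs. The following decoder is an added example for this post, not code from the Linux CIFS client, Samba or the original message: it decodes DER-encoded OBJECT IDENTIFIERs the way the kernel's asn1.c does and reproduces the same log format, so the three lines can be read off as Kerberos V5 (1.2.840.113554.1.2.2), the Microsoft Kerberos variant (1.2.840.48018.1.2.2) and NTLMSSP (1.3.6.1.4.1.311.2.2.10). The DER bytes in the block are constructed from the published OID values, not captured from the NetApp in the post.

```python
"""Decode the SPNEGO mechanism OIDs a CIFS server offers at negprot.

Added illustration for the cifsFYI log in the post; not code from the
Linux CIFS client, Samba or the original message.  The sample bytes are
constructed from the well-known OID values (assumption: the server in
the post sent exactly these three, in the order the log prints them).
"""

# Well-known SPNEGO mechanism OIDs in dotted form.
MECH_NAMES = {
    "1.2.840.113554.1.2.2":   "KRB5 (Kerberos V5, RFC 4121)",
    "1.2.840.48018.1.2.2":    "MS KRB5 (Microsoft Kerberos variant)",
    "1.3.6.1.4.1.311.2.2.10": "NTLMSSP",
    "1.3.6.1.5.5.2":          "SPNEGO",
}


def decode_oid_arcs(content):
    """Turn the content octets of a DER OBJECT IDENTIFIER into its arcs.

    The first octet packs the first two arcs as 40*a + b; every later arc
    is base-128, high bit set on all but the last octet of the arc."""
    if not content:
        raise ValueError("empty OID")
    first = content[0]
    arcs = [first // 40, first % 40] if first < 80 else [2, first - 80]
    value = 0
    for byte in content[1:]:
        value = (value << 7) | (byte & 0x7F)
        if not byte & 0x80:
            arcs.append(value)
            value = 0
    if content[-1] & 0x80:
        raise ValueError("truncated OID arc")
    return arcs


def parse_der_oids(blob):
    """Return (dotted, arcs) for every OBJECT IDENTIFIER (tag 0x06) in a
    DER blob, descending into constructed elements (SEQUENCE, [0], ...).
    Short and long-form lengths are handled."""
    found = []
    i = 0
    while i < len(blob):
        tag, length, hdr = blob[i], blob[i + 1], 2
        if length & 0x80:                      # long form: N length octets
            n = length & 0x7F
            length = int.from_bytes(blob[i + 2:i + 2 + n], "big")
            hdr = 2 + n
        body = blob[i + hdr:i + hdr + length]
        if tag == 0x06:
            arcs = decode_oid_arcs(body)
            found.append((".".join(map(str, arcs)), arcs))
        elif tag & 0x20:                       # constructed: recurse
            found.extend(parse_der_oids(body))
        i += hdr + length
    return found


def describe_mechs(blob):
    """Map each OID in the blob to a human-readable mechanism name."""
    return [(dotted, MECH_NAMES.get(dotted, "unknown mechanism"))
            for dotted, _ in parse_der_oids(blob)]


def kernel_style(arcs):
    """Reproduce the 2.6.24 cifs asn1.c debug line: arc count plus the
    first four arcs in hex."""
    return "OID len = %d oid = %s" % (len(arcs), " ".join(hex(a) for a in arcs[:4]))


# Constructed sample: a mechTypes SEQUENCE offering KRB5, MS KRB5 and
# NTLMSSP, wrapped in the [0] context tag negTokenInit uses for it.
KRB5_DER    = bytes.fromhex("06092a864886f712010202")
MSKRB5_DER  = bytes.fromhex("06092a864882f712010202")
NTLMSSP_DER = bytes.fromhex("060a2b06010401823702020a")
_mech_seq = bytes([0x30, len(KRB5_DER) + len(MSKRB5_DER) + len(NTLMSSP_DER)]) \
    + KRB5_DER + MSKRB5_DER + NTLMSSP_DER
SAMPLE_MECHTYPES = bytes([0xA0, len(_mech_seq)]) + _mech_seq

if __name__ == "__main__":
    for dotted, arcs in parse_der_oids(SAMPLE_MECHTYPES):
        print(kernel_style(arcs), "->", dotted, MECH_NAMES.get(dotted, "?"))
```

Run against the sample, the output lines are the same "OID len = 7 oid = 0x1 0x2 0x348 0x1bb92", "... 0xbb92" and "OID len = 10 oid = 0x1 0x3 0x6 0x1" as in the kernel log, which is how one reads which mechanisms the server is prepared to negotiate before looking at why the Kerberos leg fails.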
Can anyone tell me what's going wrong here? I think it might be that
the service principal of my ticket is
krbtgt/AD.CL.CAM.AC.UK@AD.CL.CAM.AC.UK but CIFS is trying to access
cifs/bigwig.cl.cam.ac.uk@AD.CL.CAM.AC.UK. bigwig is the name of the
client machine, which the CIFS server knows nothing about (it's not on
its network, hence the SSH tunnel). I can't work out how to change the
principal name (using '-S bigwig' on kinit just complains the server
isn't found)
smbclient says this:
atm26@bigwig:~$ sudo smbclient -k -L 127.0.0.1
ads_krb5_mk_req: krb5_get_credentials failed for cifs/bigwig.cl.cam.ac.uk@AD.CL.CAM.AC.UK (Server not found in Kerberos database)
cli_session_setup_kerberos: spnego_gen_negTokenTarg failed: Server not found in Kerberos database
session setup failed: SUCCESS - 0
FWIW the following used to work under Samba:
sudo kinit atm26
sudo smbmount "\\\filer\homes-6" /mnt/homes-6 -o krb,ip=127.0.0.1,fmask=700,dmask=700,uid=atm26,gid=atm26
sudo smbmount "\\\filer\bigdisc" /mnt/bigdisc -o krb,ip=127.0.0.1,fmask=700,dmask=700,uid=atm26,gid=atm26
Anyone have any ideas?
Thanks
Theo