[Samba] Samba4 Does cifs need a keytab for the multiuser option?

steve steve at steve-ss.com
Fri Apr 12 00:06:52 MDT 2013


On 11/04/13 22:45, steve wrote:
> On 11/04/13 22:05, Rowland Penny wrote:
>> On 11/04/13 20:42, steve wrote:
>>> On 11/04/13 20:39, Rowland Penny wrote:
>>>> On 11/04/13 17:27, steve wrote:
>>>>> Hi
>>>>> samba --version
>>>>> Version 4.0.6-GIT-4bebda4
>>>>>
>>>>> smb.conf:
>>>>> [users]
>>>>> path = /home/users
>>>>> read only = No
>>>>>
>>>>> Working on the DC which is also the fileserver
>>>>> user steve2 can write to his folder at /home/users/steve2
>>>>>
>>>>> But if we now mount the share:
>>>>> sudo mount -t cifs //doloresdc/users /mnt -osec=krb5,multiuser
>>>>>
>>>>> he can't write to the mounted share at /mnt/users/steve2. He gets 
>>>>> 'Permission denied'. His id is the same, all that's changed is 
>>>>> that now it's mounted via cifs.
>>>>>
>>>>> The mount:
>>>>>
>>>>> Apr 11 18:18:16 doloresdc cifs.upcall: key description: 
>>>>> cifs.spnego;0;0;3f000000;ver=0x2;host=doloresdc;ip4=192.168.1.100;sec=krb5;uid=0x0;creduid=0x0;user=root;pid=0x116b
>>>>> Apr 11 18:18:16 doloresdc cifs.upcall: ver=2
>>>>> Apr 11 18:18:16 doloresdc cifs.upcall: host=doloresdc
>>>>> Apr 11 18:18:16 doloresdc cifs.upcall: ip=192.168.1.100
>>>>> Apr 11 18:18:16 doloresdc cifs.upcall: sec=1
>>>>> Apr 11 18:18:16 doloresdc cifs.upcall: uid=0
>>>>> Apr 11 18:18:16 doloresdc cifs.upcall: creduid=0
>>>>> Apr 11 18:18:16 doloresdc cifs.upcall: user=root
>>>>> Apr 11 18:18:16 doloresdc cifs.upcall: pid=4459
>>>>> Apr 11 18:18:16 doloresdc cifs.upcall: find_krb5_cc: considering 
>>>>> /tmp/krb5cc_0
>>>>> Apr 11 18:18:16 doloresdc cifs.upcall: find_krb5_cc: 
>>>>> FILE:/tmp/krb5cc_0 is valid ccache
>>>>> Apr 11 18:18:16 doloresdc cifs.upcall: handle_krb5_mech: getting 
>>>>> service ticket for doloresdc
>>>>> Apr 11 18:18:16 doloresdc cifs.upcall: handle_krb5_mech: obtained 
>>>>> service ticket
>>>>>
>>>>> user steve2, (uid=3000032) goes to his cifs mounted share:
>>>>>
>>>>> Apr 11 18:19:50 doloresdc cifs.upcall: key description: 
>>>>> cifs.spnego;3000032;20513;3f000000;ver=0x2;host=doloresdc;ip4=192.168.1.100;sec=krb5;uid=0x2dc6e0;creduid=0x2dc6e0;pid=0x1193
>>>>> Apr 11 18:19:50 doloresdc cifs.upcall: ver=2
>>>>> Apr 11 18:19:50 doloresdc cifs.upcall: host=doloresdc
>>>>> Apr 11 18:19:50 doloresdc cifs.upcall: ip=192.168.1.100
>>>>> Apr 11 18:19:50 doloresdc cifs.upcall: sec=1
>>>>> Apr 11 18:19:50 doloresdc cifs.upcall: uid=3000032
>>>>> Apr 11 18:19:50 doloresdc cifs.upcall: creduid=3000032
>>>>> Apr 11 18:19:50 doloresdc cifs.upcall: pid=4499
>>>>> Apr 11 18:19:50 doloresdc cifs.upcall: find_krb5_cc: considering 
>>>>> /tmp/krb5cc_3000032_NI8WDi
>>>>> Apr 11 18:19:50 doloresdc cifs.upcall: find_krb5_cc: 
>>>>> FILE:/tmp/krb5cc_3000032_NI8WDi is valid ccache
>>>>> Apr 11 18:19:50 doloresdc cifs.upcall: find_krb5_cc: considering 
>>>>> /tmp/krb5cc_0
>>>>> Apr 11 18:19:50 doloresdc cifs.upcall: find_krb5_cc: /tmp/krb5cc_0 
>>>>> is owned by 0, not 3000032
>>>>> Apr 11 18:19:50 doloresdc cifs.upcall: handle_krb5_mech: getting 
>>>>> service ticket for doloresdc
>>>>> Apr 11 18:19:50 doloresdc cifs.upcall: handle_krb5_mech: obtained 
>>>>> service ticket
>>>>>
>>>>> but cannot write to it:(
>>>>>
>>>>> This works OK if I drop the multiuser option but that's no good 
>>>>> for us as we're trying to migrate erm, multiple users from nfs to 
>>>>> cifs on our Linux boxes.
>>>>> Question: Am I missing a keytab? Does cifs need any keys for the 
>>>>> multiuser option?
>>>>>
>>>>> Cheers,
>>>>> Steve
>>>>>
>>>> Hi Steve, in a word YES!
>>>> If you are mounting the users home directory from the S4 server via 
>>>> cifs, I do not think that you need the multiuser option. I think 
>>>> you only need it if you want multiple users to use the same mount.
>>>>
>>>> Rowland
>>>>
>>>>
>>>>
>>>>
>>> Hi Rowland, hi everyone
>>> I think I do need multiuser because I am mounting the users home 
>>> directories and many users will need to access their own folders 
>>> with their own uid:gid. That can't happen if the mount is owned by 
>>> just one user since all files are created by that uid:gid 
>>> combination, no good for hundreds of different users. In fact we have 
>>> just that with nfs at the moment but want to replace it with cifs 
>>> because of locking problems between nfs and windows.
>>>
>>> Anyway, I just put the host and machine clients in /etc/krb5.keytab 
>>> and nada. Still the same. Permission denied when a user tries 
>>> to write to his cifs mounted home folder.
>>>
>>> I think this has something to do with changes in cifs-utils but. . .
>>>
>>> Cheers,
>>> Steve
>>>
>> Hi Steve, each user needs to have their own kerberos cache, I seem to 
>> have this working on my small test network but I am using sssd as I 
>> have come to the conclusion that winbind sucks ;-)
>>
>> Rowland
>>
>>
> Hi Rowland
> Absolutely agree on winbind;) We've always used nss-ldapd. Each user 
> who logs in gets his own cache under /tmp e.g. /tmp/krb5cc_3000032 so 
> I don't think it's the cache that's the problem. If we use kerberised 
> nfs instead of cifs, the user can write to the share fine.
>
> It's something about the cifs multiuser I've missed I'm almost certain.
> Cheers,
> Steve
Hi
Maybe this has something to do with it?
dmesg

[  535.106336] FS-Cache: Loaded
[  535.121753] FS-Cache: Netfs 'cifs' registered for caching
[  535.121790] Key type cifs.spnego registered
[  535.121823] Key type cifs.idmap registered
[  535.589126] CIFS VFS: Send error in SessSetup = -126
[  535.589270] CIFS VFS: cifs_mount failed w/return code = -126
[  821.816568] CIFS VFS: Send error in SessSetup = -126
[  823.964101] CIFS VFS: Send error in SessSetup = -126
[  835.880675] CIFS VFS: Send error in SessSetup = -126

Thanks, Steve
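
An added example, not part of the original message or of cifs-utils: it parses the cifs.upcall key descriptions and the dmesg lines quoted in this thread, decoding the hex uid/creduid/pid fields and mapping the kernel's -126 to its Linux errno name (ENOKEY, "Required key not available"). The function names and the small errno table are assumptions of the example.

```python
import re

# Linux errno values that the CIFS client logs as negative return codes.
LINUX_ERRNO = {1: "EPERM", 2: "ENOENT", 13: "EACCES", 126: "ENOKEY"}
KEY_DESC = re.compile(r"cifs\.upcall: key description: (cifs\.spnego;\S+)")
CCACHE_OK = re.compile(r"find_krb5_cc: (?:FILE:)?(\S+) is valid ccache")
KERNEL_ERR = re.compile(r"CIFS VFS: (.+?) = (-\d+)")

# Sample input: lines copied from the logs in this thread, mail wrapping undone.
SYSLOG = """\
Apr 11 18:19:50 doloresdc cifs.upcall: key description: cifs.spnego;3000032;20513;3f000000;ver=0x2;host=doloresdc;ip4=192.168.1.100;sec=krb5;uid=0x2dc6e0;creduid=0x2dc6e0;pid=0x1193
Apr 11 18:19:50 doloresdc cifs.upcall: find_krb5_cc: FILE:/tmp/krb5cc_3000032_NI8WDi is valid ccache
Apr 11 18:19:50 doloresdc cifs.upcall: find_krb5_cc: /tmp/krb5cc_0 is owned by 0, not 3000032
Apr 11 18:19:50 doloresdc cifs.upcall: handle_krb5_mech: obtained service ticket
""".splitlines()
DMESG = """\
[  535.589126] CIFS VFS: Send error in SessSetup = -126
[  535.589270] CIFS VFS: cifs_mount failed w/return code = -126
""".splitlines()

def parse_key_description(desc):
    """Split a cifs.spnego key description into its key=value fields."""
    fields = dict(p.split("=", 1) for p in desc.split(";") if "=" in p)
    for name in ("uid", "creduid", "pid"):
        if name in fields:
            fields[name] = int(fields[name], 16)  # logged as 0x-prefixed hex
    return fields

def summarise_upcalls(lines):
    """One record per key request: who asked, which ccache, ticket obtained?"""
    records = []
    for line in lines:
        if m := KEY_DESC.search(line):
            rec = parse_key_description(m.group(1))
            records.append({**rec, "ccache": None, "ticket": False})
        elif records and (m := CCACHE_OK.search(line)):
            records[-1]["ccache"] = m.group(1)
        elif records and "obtained service ticket" in line:
            records[-1]["ticket"] = True
    return records

def decode_kernel_errors(lines):
    """Return (message, errno name) for each CIFS VFS error line."""
    hits = (KERNEL_ERR.search(line) for line in lines)
    return [(m.group(1), LINUX_ERRNO.get(-int(m.group(2)), m.group(2))) for m in hits if m]

if __name__ == "__main__":
    print(summarise_upcalls(SYSLOG), decode_kernel_errors(DMESG))
```
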



