[Samba] Samba4 Does cifs need a keytab for the multiuser option?
steve
steve at steve-ss.com
Fri Apr 12 01:32:56 MDT 2013
On 12/04/13 08:06, steve wrote:
> On 11/04/13 22:45, steve wrote:
>> On 11/04/13 22:05, Rowland Penny wrote:
>>> On 11/04/13 20:42, steve wrote:
>>>> On 11/04/13 20:39, Rowland Penny wrote:
>>>>> On 11/04/13 17:27, steve wrote:
>>>>>> Hi
>>>>>> samba --version
>>>>>> Version 4.0.6-GIT-4bebda4
>>>>>>
>>>>>> smb.conf:
>>>>>> [users]
>>>>>> path = /home/users
>>>>>> read only = No
>>>>>>
>>>>>> Working on the DC which is also the fileserver
>>>>>> user steve2 can write to his folder at /home/users/steve2
>>>>>>
>>>>>> But if we now mount the share:
>>>>>> sudo mount -t cifs //doloresdc/users /mnt -osec=krb5,multiuser
>>>>>>
>>>>>> he can't write to the mounted share at /mnt/users/steve2. He gets
>>>>>> 'Permission denied'. His id is the same, all that's changed is
>>>>>> that now it's mounted via cifs.
>>>>>>
>>>>>> The mount:
>>>>>>
>>>>>> Apr 11 18:18:16 doloresdc cifs.upcall: key description:
>>>>>> cifs.spnego;0;0;3f000000;ver=0x2;host=doloresdc;ip4=192.168.1.100;sec=krb5;uid=0x0;creduid=0x0;user=root;pid=0x116b
>>>>>>
>>>>>> Apr 11 18:18:16 doloresdc cifs.upcall: ver=2
>>>>>> Apr 11 18:18:16 doloresdc cifs.upcall: host=doloresdc
>>>>>> Apr 11 18:18:16 doloresdc cifs.upcall: ip=192.168.1.100
>>>>>> Apr 11 18:18:16 doloresdc cifs.upcall: sec=1
>>>>>> Apr 11 18:18:16 doloresdc cifs.upcall: uid=0
>>>>>> Apr 11 18:18:16 doloresdc cifs.upcall: creduid=0
>>>>>> Apr 11 18:18:16 doloresdc cifs.upcall: user=root
>>>>>> Apr 11 18:18:16 doloresdc cifs.upcall: pid=4459
>>>>>> Apr 11 18:18:16 doloresdc cifs.upcall: find_krb5_cc: considering
>>>>>> /tmp/krb5cc_0
>>>>>> Apr 11 18:18:16 doloresdc cifs.upcall: find_krb5_cc:
>>>>>> FILE:/tmp/krb5cc_0 is valid ccache
>>>>>> Apr 11 18:18:16 doloresdc cifs.upcall: handle_krb5_mech: getting
>>>>>> service ticket for doloresdc
>>>>>> Apr 11 18:18:16 doloresdc cifs.upcall: handle_krb5_mech: obtained
>>>>>> service ticket
>>>>>>
>>>>>> user steve2, (uid=3000032) goes to his cifs mounted share:
>>>>>>
>>>>>> Apr 11 18:19:50 doloresdc cifs.upcall: key description:
>>>>>> cifs.spnego;3000032;20513;3f000000;ver=0x2;host=doloresdc;ip4=192.168.1.100;sec=krb5;uid=0x2dc6e0;creduid=0x2dc6e0;pid=0x1193
>>>>>>
>>>>>> Apr 11 18:19:50 doloresdc cifs.upcall: ver=2
>>>>>> Apr 11 18:19:50 doloresdc cifs.upcall: host=doloresdc
>>>>>> Apr 11 18:19:50 doloresdc cifs.upcall: ip=192.168.1.100
>>>>>> Apr 11 18:19:50 doloresdc cifs.upcall: sec=1
>>>>>> Apr 11 18:19:50 doloresdc cifs.upcall: uid=3000032
>>>>>> Apr 11 18:19:50 doloresdc cifs.upcall: creduid=3000032
>>>>>> Apr 11 18:19:50 doloresdc cifs.upcall: pid=4499
>>>>>> Apr 11 18:19:50 doloresdc cifs.upcall: find_krb5_cc: considering
>>>>>> /tmp/krb5cc_3000032_NI8WDi
>>>>>> Apr 11 18:19:50 doloresdc cifs.upcall: find_krb5_cc:
>>>>>> FILE:/tmp/krb5cc_3000032_NI8WDi is valid ccache
>>>>>> Apr 11 18:19:50 doloresdc cifs.upcall: find_krb5_cc: considering
>>>>>> /tmp/krb5cc_0
>>>>>> Apr 11 18:19:50 doloresdc cifs.upcall: find_krb5_cc:
>>>>>> /tmp/krb5cc_0 is owned by 0, not 3000032
>>>>>> Apr 11 18:19:50 doloresdc cifs.upcall: handle_krb5_mech: getting
>>>>>> service ticket for doloresdc
>>>>>> Apr 11 18:19:50 doloresdc cifs.upcall: handle_krb5_mech: obtained
>>>>>> service ticket
>>>>>>
>>>>>> but cannot write to it:(
>>>>>>
>>>>>> This works OK if I drop the multiuser option but that's no good
>>>>>> for us as we're trying to migrate erm, multiple users from nfs to
>>>>>> cifs on our Linux boxes.
>>>>>> Question: Am I missing a keytab? Does cifs need any keys for the
>>>>>> multiuser option?
>>>>>>
>>>>>> Cheers,
>>>>>> Steve
>>>>>>
>>>>> Hi Steve, in a word YES!
>>>>> If you are mounting the users home directory from the S4 server
>>>>> via cifs, I do not think that you need the multiuser option. I
>>>>> think you only need it if you want multiple users to use the
>>>>> same mount.
>>>>>
>>>>> Rowland
>>>>>
>>>>>
>>>>>
>>>>>
>>>> Hi Rowland, hi everyone
>>>> I think I do need multiuser because I am mounting the users home
>>>> directories and many users will need to access their own folders
>>>> with their own uid:gid. That can't happen if the mount is owned by
>>>> just one user since all files are created by that uid:gid
>>>> combination, no good for hundreds of different users. In fact we
>>>> have just that with nfs at the moment but want to replace it with
>>>> cifs because of locking problems between nfs and windows.
>>>>
>>>> Anyway, I just put the host and machine clients in /etc/krb5.keytab
>>>> and nada. Still the same. Permission denied when a user
>>>> tries to write to his cifs mounted home folder.
>>>>
>>>> I think this has something to do with changes in cifs-utils but. . .
>>>>
>>>> Cheers,
>>>> Steve
>>>>
>>> Hi Steve, each user needs to have their own kerberos cache, I seem
>>> to have this working on my small test network but I am using sssd as
>>> I have come to the conclusion that winbind sucks ;-)
>>>
>>> Rowland
>>>
>>>
>> Hi Rowland
>> Absolutely agree on winbind;) We've always used nss-ldapd. Each user
>> who logs in gets his own cache under /tmp e.g. /tmp/krb5cc_3000032 so
>> I don't think it's the cache that's the problem. If we use kerberised
>> nfs instead of cifs, the user can write to the share fine.
>>
>> It's something about the cifs multiuser I've missed I'm almost certain.
>> Cheers,
>> Steve
> Hi
> Maybe this has something to do with it?
> dmesg
>
> [ 535.106336] FS-Cache: Loaded
> [ 535.121753] FS-Cache: Netfs 'cifs' registered for caching
> [ 535.121790] Key type cifs.spnego registered
> [ 535.121823] Key type cifs.idmap registered
> [ 535.589126] CIFS VFS: Send error in SessSetup = -126
> [ 535.589270] CIFS VFS: cifs_mount failed w/return code = -126
> [ 821.816568] CIFS VFS: Send error in SessSetup = -126
> [ 823.964101] CIFS VFS: Send error in SessSetup = -126
> [ 835.880675] CIFS VFS: Send error in SessSetup = -126
>
> Thanks, Steve
>
>
Hi again
This is driving me crazy!
If I change the permissions on the cifs share to 0777, I can then write
to the cifs share as user steve2 BUT the uid:gid sent by cifs are wrong:
-rw-r--r-- 1 3000032 20513 0 Apr 12 09:25 j2
-rwxrwxr-x+ 1 3000017 users 0 Apr 12 09:25 j3
The file j2 was created on the unmounted share with the correct uid:gid,
3000032:20513
The file j3 was created on the cifs mounted share. The server has sent
3000017:100 :(
Any ideas?
Cheers,
Steve
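
Added example, not part of the original thread: a small Python parser for the cifs.upcall lines quoted above. It decodes the hex uid/creduid/pid in each cifs.spnego key description and records which credential caches each upcall accepted or rejected. The log lines are rejoined from the wrapped lines in the post with the timestamp simplified; the function names are this example's own.

```python
import re

KEY_RE = re.compile(r"cifs\.upcall: key description: (\S+)")
VALID_RE = re.compile(r"find_krb5_cc: (?:FILE:)?(\S+) is valid ccache")
OWNER_RE = re.compile(r"find_krb5_cc: (\S+) is owned by (\d+), not (\d+)")
HEX_FIELDS = {"ver", "uid", "creduid", "pid"}  # logged as 0x... in the key description

# Log lines from the post, rejoined where the mail client wrapped them.
PFX = "Apr 11 18:19:50 doloresdc cifs.upcall: "  # timestamp simplified
LOG = "\n".join(PFX + s for s in [
    "key description: cifs.spnego;0;0;3f000000;ver=0x2;host=doloresdc;"
    "ip4=192.168.1.100;sec=krb5;uid=0x0;creduid=0x0;user=root;pid=0x116b",
    "find_krb5_cc: FILE:/tmp/krb5cc_0 is valid ccache",
    "handle_krb5_mech: obtained service ticket",
    "key description: cifs.spnego;3000032;20513;3f000000;ver=0x2;host=doloresdc;"
    "ip4=192.168.1.100;sec=krb5;uid=0x2dc6e0;creduid=0x2dc6e0;pid=0x1193",
    "find_krb5_cc: FILE:/tmp/krb5cc_3000032_NI8WDi is valid ccache",
    "find_krb5_cc: /tmp/krb5cc_0 is owned by 0, not 3000032",
    "handle_krb5_mech: obtained service ticket",
])

def parse_key_description(desc):
    """Decode 'type;uid;gid;perm;k=v;...' into a dict with integer ids."""
    parts = desc.split(";")
    if len(parts) < 5 or parts[0] != "cifs.spnego":
        raise ValueError("not a cifs.spnego key description: %r" % desc)
    fields = {"key_uid": int(parts[1]), "key_gid": int(parts[2])}
    for item in parts[4:]:
        name, _, value = item.partition("=")
        fields[name] = int(value, 16) if name in HEX_FIELDS else value
    return fields

def summarize_upcalls(log_text):
    """Group the lines that follow each key description into one record."""
    upcalls = []
    for line in log_text.splitlines():
        m = KEY_RE.search(line)
        if m:
            rec = parse_key_description(m.group(1))
            rec.update(valid=[], rejected=[], ticket=False)
            upcalls.append(rec)
        elif upcalls:
            cur = upcalls[-1]
            if (m := VALID_RE.search(line)):
                cur["valid"].append(m.group(1))
            elif (m := OWNER_RE.search(line)):
                cur["rejected"].append(m.group(1))
            elif "obtained service ticket" in line:
                cur["ticket"] = True
    return upcalls
```

Calling `summarize_upcalls(LOG)` returns one record per upcall; the second record shows creduid 3000032 with that user's own ccache accepted and root's rejected.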