[Samba] mount.cifs and kerberos failure
Rowland Penny
rowlandpenny at googlemail.com
Sat Sep 28 08:58:06 MDT 2013
On 28/09/13 15:28, Cheng-Yang Tan wrote:
> Hi guys,
> This seems to be a well-known problem with mount.cifs on Ubuntu 12.04. Unfortunately, although I have applied the suggestions I found with google, I can't seem to be able to get mount.cifs to work with kerberos. I am trying to use kerberos to mount my Windows shares because this is the only allowed secure way in my company to connect to shares. Before anyone asks, I can successfully use smbclient to connect once I have a valid kerberos ticket either as cytan or as root.
>
> However with mount.cifs, I get the following message:
>
> (Note I am root when I do this, and yes I have done the following to get a valid kerberos ticket:
> kinit cytan
> and /tmp/krb5cc_0 does exist. See below.
> )
>
> **************************************
> root at ad109688-lt:/home/cytan# mount.cifs -o sec=krb5,user=cytan,domain=ABCDE //beamssrv1.abcd.com/cytan$ ./win --verbose
> mount.cifs kernel mount options: ip=xxx.xxx.xxx.xx,unc=\\beamssrv1.abcd.com\cytan$, sec=krb5,ver=1,user=cytan,domain=ABCDE,pass=*********
> mount error(126): Required key not available
> Refer to the mount.cifs(8) manual page (e.g. man mount.cifs)
> *************************************
>
> Here's the dmesg output:
> ************************************
> [16262.785552] /build/buildd/linux-lts-quantal-3.5.0/fs/cifs/cifs_spnego.c: key description = ver=0x2;host=beamssrv1.abcd.com;ip4=xxx.xxx.xxx.xx ;sec=krb5;uid=0x0;creduid=0x0;user=cytan;pid=0x155 d
> [16262.946608] /build/buildd/linux-lts-quantal-3.5.0/fs/cifs/sess.c: ssetup freeing small buf ffff88005772ddc0
> [16262.946618] CIFS VFS: Send error in SessSetup = -126
> [16262.946627] /build/buildd/linux-lts-quantal-3.5.0/fs/cifs/connect.c: CIFS VFS: leaving cifs_get_smb_ses (xid = 57) rc = -126
> [16262.946640] /build/buildd/linux-lts-quantal-3.5.0/fs/cifs/fscache.c: cifs_fscache_release_client_cookie: (0xffff880023277c00/0xffff88005a2ac140)
> [16262.946803] /build/buildd/linux-lts-quantal-3.5.0/fs/cifs/connect.c: CIFS VFS: leaving cifs_mount (xid = 56) rc = -126
> **************************************
>
> Notice the uid and creduid are both 0x0.
>
> I tried both ways of kinit'ing as myself: cytan and as root. See klist below:
> *****************************************
> as cytan:
>
> Ticket cache: FILE:/tmp/krb5cc_1000
> Default principal: cytan at ABCD.COM
>
> Valid starting Expires Service principal
> 27/09/2013 09:03 28/09/2013 11:03 krbtgt/ABCD.COM at ABCD.COM
> renew until 04/10/2013 09:03
>
> *******************************************
>
> as root:
>
> Ticket cache: FILE:/tmp/krb5cc_0
> Default principal: cytan at ABCD.COM
>
> Valid starting Expires Service principal
> 27/09/2013 13:42 28/09/2013 15:42 krbtgt/ABCD.COM at ABCD.COM
> renew until 04/10/2013 13:42
>
> *********************************************
>
> Unfortunately, using either uid's always gives me the "Required key not available" problem.
>
>
> What am I doing wrong? Or is this a bug and is there a workaround?
>
> Has anyone actually gotten samba to work with kerberos?
>
>
> Thanks!
>
> cytan
In answer to your question, yes
I have tried several ways to do what you are asking about and have come
to the conclusion that the easiest way is by using sssd and autofs, see
here: http://linuxcostablanca.blogspot.com.es/2013/09/samba4-autofs.html
Rowland
More information about the samba
mailing list