> Message of 17/11/12 11:44
> From: "Jeff Layton"
> To: "sergio.conrad"
> Cc: linux-cifs@xxxxxxxxxxxxxxx
> Subject: Re: cifs autofs krb5i
>
> On Sat, 17 Nov 2012 08:53:02 +0100
> "sergio.conrad" wrote:
>
> > > Message of 17/11/12 03:01
> > > From: "Jeff Layton"
> > > To: "sergio.conrad"
> > > Cc: linux-cifs@xxxxxxxxxxxxxxx
> > > Subject: Re: cifs autofs krb5i
> > >
> > > On Fri, 16 Nov 2012 23:37:52 +0100
> > > "sergio.conrad" wrote:
> > >
> > > > Hi,
> > > >
> > > > I am able to connect to a cifs share on Windows 2008 with Kerberos security via autofs
> > > > with this map:
> > > > * -fstype=cifs,sec=krb5i,user=&,uid=&,cruid=&,file_mode=0700,dir_mode=0700,nounix,noserverino ://figue/data/&
> > > >
> > > > It is working fine with an alphanumeric login:
> > > > fs/cifs/cifs_spnego.c: key description = ver=0x2;host=figue;ip4=130.120.8.11;sec=krb5;uid=0x1000001;creduid=0x1000001;user=conrad3;pid=0xd331
> > > >
> > > > But if I use a numeric-only login like 12345678 I have a problem:
> > > > fs/cifs/cifs_spnego.c: key description = ver=0x2;host=figue;ip4=130.120.8.11;sec=krb5;uid=0xbc614e;creduid=0xbc614e;user=12345678;pid=0xe5db
> > > > fs/cifs/sess.c: ssetup freeing small buf ffff88003a838140
> > > > CIFS VFS: Send error in SessSetup = -126
> > > > fs/cifs/connect.c: CIFS VFS: leaving cifs_get_smb_ses (xid = 223) rc = -126
> > > > fs/cifs/connect.c: CIFS VFS: leaving cifs_mount (xid = 222) rc = -126
> > > > CIFS VFS: cifs_mount failed w/return code = -126
> > > >
> > > > What can I do to solve this issue?
> > >
> > > cifs.upcall logs at daemon.debug level. Set up syslog to log that and
> > > you'll get some details about what it's doing.
> > >
> > > --
> > > Jeff Layton
> > >
> >
> > Thanks for your response,
> > I got the error
> > Nov 17 08:42:53 centad5 cifs.upcall: find_krb5_cc: /tmp/krb5cc_16777221 is owned by 16777221, not 12345678
> >
> > Perhaps it is a confusion about the uid and the login in a numeric value
> >
> > [12345678@centad5 ~]$ id
> > uid=16777221(12345678) gid=16777216(utilisateurs du domaine) groupes=16777216(utilisateurs du domaine),16777217(profs)
> >
> > The full log is:
> >
> > Nov 17 08:42:53 centad5 cifs.upcall: key description: cifs.spnego;0;0;3f000000;ver=0x2;host=figue;ip4=130.120.8.11;sec=krb5;uid=0xbc614e;creduid=0xbc614e;user=12345678;pid=0x9b5
> > Nov 17 08:42:53 centad5 cifs.upcall: ver=2
> > Nov 17 08:42:53 centad5 cifs.upcall: host=figue
> > Nov 17 08:42:53 centad5 cifs.upcall: ip=130.120.8.11
> > Nov 17 08:42:53 centad5 cifs.upcall: sec=1
> > Nov 17 08:42:53 centad5 cifs.upcall: uid=12345678
> > Nov 17 08:42:53 centad5 cifs.upcall: creduid=12345678
> > Nov 17 08:42:53 centad5 cifs.upcall: user=12345678
> > Nov 17 08:42:53 centad5 cifs.upcall: pid=2485
> > Nov 17 08:42:53 centad5 cifs.upcall: find_krb5_cc: considering /tmp/krb5cc_16777221
> > Nov 17 08:42:53 centad5 cifs.upcall: find_krb5_cc: /tmp/krb5cc_16777221 is owned by 16777221, not 12345678
> > Nov 17 08:42:53 centad5 cifs.upcall: find_krb5_cc: considering /tmp/krb5cc_16777216
> > Nov 17 08:42:53 centad5 cifs.upcall: find_krb5_cc: /tmp/krb5cc_16777216 is owned by 16777216, not 12345678
> > Nov 17 08:42:53 centad5 cifs.upcall: krb5_get_init_creds_keytab: 13
> > Nov 17 08:42:53 centad5 cifs.upcall: handle_krb5_mech: getting service ticket for figue
> > Nov 17 08:42:53 centad5 cifs.upcall: cifs_krb5_get_req: unable to resolve (null) to ccache
> >
>
> What a bizarre setup you have. I imagine all sorts of things get
> confused by numeric usernames. Many programs will assume that when
> given a numeric username that it's a uid, not a name.
> You might reconsider that setup -- maybe prefix the numbers with a letter or
> something...
>

It seems it is a little late for this, we are already in a production state
with Active Directory and winbind for authentication, Windows 2008 as a cifs
server, Fedora 15 for client and using pam_mount for mounting partition.
As we are experiencing some "CIFS VFS: Unexpected SMB signature" with this, I am
testing some other ways...

> In any case, it does seem like there is confusion somewhere with
> numeric uids, but I don't think that confusion is with cifs.upcall. If
> that is the correct credcache for this user, then it looks like it's
> being created with the wrong ownership.
>
> What does the output of "klist" look like when you're logged in as this
> user?
>

[12345678@centad5 ~]$ klist
Ticket cache: FILE:/tmp/krb5cc_16777221
Default principal: 12345678@DOMAIN.LOCAL

Valid starting     Expires            Service principal
11/17/12 14:34:04  11/18/12 00:34:04  krbtgt/DOMAIN.LOCAL@DOMAIN.LOCAL
        renew until 11/24/12 14:34:04
11/17/12 14:34:04  11/18/12 00:34:04  CENTAD5$@DOMAIN.LOCAL
        renew until 11/24/12 14:34:04
11/17/12 14:34:04  11/18/12 00:34:04  CENTAD5$@DOMAIN.LOCAL
        renew until 11/24/12 14:34:04
[12345678@centad5 ~]$

> How about the output of "stat /tmp/krb5cc_16777216" ?

16777216 or 16777221?
I did it for the two files

[12345678@centad5 ~]$ id
uid=16777221(12345678) gid=16777216(utilisateurs du domaine) groupes=16777216(utilisateurs du domaine),16777217(profs)
[12345678@centad5 ~]$

[12345678@centad5 ~]$ stat /tmp/krb5cc_16777221
  File: « /tmp/krb5cc_16777221 »
  Size: 3830 Blocks: 8 IO Block: 4096 fichier
Device: 801h/2049d Inode: 1985377 Links: 1
Access: (0600/-rw-------) Uid: (16777221/12345678) Gid: ( 0/ root)
Access: 2012-11-17 14:41:37.056868612 +0100
Modify: 2012-11-17 14:41:32.251850184 +0100
Change: 2012-11-17 14:41:32.251850184 +0100

[12345678@centad5 ~]$ stat /tmp/krb5cc_16777216
  File: « /tmp/krb5cc_16777216 »
  Size: 3751 Blocks: 8 IO Block: 4096 fichier
Device: 801h/2049d Inode: 1966082 Links: 1
Access: (0600/-rw-------) Uid: (16777216/ conrad5) Gid: ( 0/ root)
Access: 2012-11-16 23:11:47.948511483 +0100
Modify: 2012-11-16 23:11:47.948511483 +0100
Change: 2012-11-16 23:11:47.948511483 +0100

>
> --
> Jeff Layton
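
Added example, not part of the original message and not code from cifs-utils: a small Python parser for the cifs.upcall lines quoted in this thread. It decodes the hex uid/creduid fields of the key description and flags the case where creduid is simply the digits-only login name, which is why no credential cache owner matches. The function names are hypothetical and the sample lines are taken from the log above with the line wraps rejoined.

```python
import re

# Constructed sample: lines taken from the cifs.upcall log quoted in the thread,
# with the mail client's line wraps rejoined.
SAMPLE_LOG = (
    "Nov 17 08:42:53 centad5 cifs.upcall: key description: cifs.spnego;0;0;3f000000;"
    "ver=0x2;host=figue;ip4=130.120.8.11;sec=krb5;uid=0xbc614e;creduid=0xbc614e;"
    "user=12345678;pid=0x9b5\n"
    "Nov 17 08:42:53 centad5 cifs.upcall: find_krb5_cc: considering /tmp/krb5cc_16777221\n"
    "Nov 17 08:42:53 centad5 cifs.upcall: find_krb5_cc: /tmp/krb5cc_16777221 is owned by "
    "16777221, not 12345678\n"
    "Nov 17 08:42:53 centad5 cifs.upcall: find_krb5_cc: /tmp/krb5cc_16777216 is owned by "
    "16777216, not 12345678\n"
)

FIELD_RE = re.compile(r"(\w+)=([^;\s]+)")
OWNER_RE = re.compile(r"find_krb5_cc: (\S+) is owned by (\d+), not (\d+)")

def parse_key_description(line):
    """Return the key=value fields of a 'key description' line, hex values as int."""
    _, marker, rest = line.partition("key description")
    if not marker:
        return None
    return {k: int(v, 16) if v.startswith("0x") else v
            for k, v in FIELD_RE.findall(rest)}

def diagnose(log_text):
    """Summarise why cifs.upcall skipped the credential caches it looked at."""
    report = {"key": None, "rejected": [], "name_used_as_uid": False}
    for line in log_text.splitlines():
        key = parse_key_description(line)
        if key is not None:
            report["key"] = key
            user = str(key.get("user", ""))
            # A digits-only user= equal to creduid indicates that the login name
            # itself was passed as the credential uid instead of being resolved.
            report["name_used_as_uid"] = (
                user.isdigit() and int(user) == key.get("creduid"))
            continue
        m = OWNER_RE.search(line)
        if m:  # (ccache path, actual owner uid, uid cifs.upcall was looking for)
            report["rejected"].append((m.group(1), int(m.group(2)), int(m.group(3))))
    return report

if __name__ == "__main__":
    print(diagnose(SAMPLE_LOG))
```

Comparing the flagged creduid with the uid printed by "id" for the same account shows whether the mount request and the credential cache refer to the same user.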