Re: cifs autofs krb5i

> Message of 17/11/12 11:44
> From: "Jeff Layton" 
> To: "sergio.conrad" 
> Cc: linux-cifs@xxxxxxxxxxxxxxx
> Subject: Re: cifs autofs krb5i
>
> On Sat, 17 Nov 2012 08:53:02 +0100
> "sergio.conrad"  wrote:
> 
> > 
> > 
> > 
> > > Message of 17/11/12 03:01
> > > From: "Jeff Layton" 
> > > To: "sergio.conrad" 
> > > Cc: linux-cifs@xxxxxxxxxxxxxxx
> > > Subject: Re: cifs autofs krb5i
> > >
> > > On Fri, 16 Nov 2012 23:37:52 +0100
> > > "sergio.conrad" wrote:
> > > 
> > > > Hi,
> > > > 
> > > > I am able to connect to a cifs share on Windows 2008 with Kerberos security via autofs with
> > > > this map : 
> > > > * -fstype=cifs,sec=krb5i,user=&,uid=&,cruid=&,file_mode=0700,dir_mode=0700,nounix,noserverino ://figue/data/&
> > > > 
> > > > It is working fine with alphanumeric login 
> > > > fs/cifs/cifs_spnego.c: key description = ver=0x2;host=figue;ip4=130.120.8.11;sec=krb5;uid=0x1000001;creduid=0x1000001;user=conrad3;pid=0xd331
> > > > 
> > > > 
> > > > But if I use numeric only login like 12345678 I have a problem :
> > > > fs/cifs/cifs_spnego.c: key description = ver=0x2;host=figue;ip4=130.120.8.11;sec=krb5;uid=0xbc614e;creduid=0xbc614e;user=12345678;pid=0xe5db
> > > > fs/cifs/sess.c: ssetup freeing small buf ffff88003a838140
> > > > CIFS VFS: Send error in SessSetup = -126
> > > > fs/cifs/connect.c: CIFS VFS: leaving cifs_get_smb_ses (xid = 223) rc = -126
> > > > fs/cifs/connect.c: CIFS VFS: leaving cifs_mount (xid = 222) rc = -126
> > > > CIFS VFS: cifs_mount failed w/return code = -126
> > > > 
> > > > What can I do to solve this issue ?
> > > 
> > > 
> > > cifs.upcall logs at daemon.debug level. Set up syslog to log that and
> > > you'll get some details about what it's doing.
> > > 
> > > -- 
> > > Jeff Layton 
> > > 
> > 
> > Thanks for your response, 
> > I got the error 
> > Nov 17 08:42:53 centad5 cifs.upcall: find_krb5_cc: /tmp/krb5cc_16777221 is owned by 16777221, not 12345678
> > 
> > Perhaps it is a confusion about the uid and the login in a numeric value
> > 
> > [12345678@centad5 ~]$ id
> > uid=16777221(12345678) gid=16777216(utilisateurs du domaine) groupes=16777216(utilisateurs du domaine),16777217(profs)
> > 
> > The full log is :
> > 
> > Nov 17 08:42:53 centad5 cifs.upcall: key description: cifs.spnego;0;0;3f000000;ver=0x2;host=figue;ip4=130.120.8.11;sec=krb5;uid=0xbc614e;creduid=0xbc614e;user=12345678;pid=0x9b5
> > Nov 17 08:42:53 centad5 cifs.upcall: ver=2
> > Nov 17 08:42:53 centad5 cifs.upcall: host=figue
> > Nov 17 08:42:53 centad5 cifs.upcall: ip=130.120.8.11
> > Nov 17 08:42:53 centad5 cifs.upcall: sec=1
> > Nov 17 08:42:53 centad5 cifs.upcall: uid=12345678
> > Nov 17 08:42:53 centad5 cifs.upcall: creduid=12345678
> > Nov 17 08:42:53 centad5 cifs.upcall: user=12345678
> > Nov 17 08:42:53 centad5 cifs.upcall: pid=2485
> > Nov 17 08:42:53 centad5 cifs.upcall: find_krb5_cc: considering /tmp/krb5cc_16777221
> > Nov 17 08:42:53 centad5 cifs.upcall: find_krb5_cc: /tmp/krb5cc_16777221 is owned by 16777221, not 12345678
> > Nov 17 08:42:53 centad5 cifs.upcall: find_krb5_cc: considering /tmp/krb5cc_16777216
> > Nov 17 08:42:53 centad5 cifs.upcall: find_krb5_cc: /tmp/krb5cc_16777216 is owned by 16777216, not 12345678
> > Nov 17 08:42:53 centad5 cifs.upcall: krb5_get_init_creds_keytab: 13
> > Nov 17 08:42:53 centad5 cifs.upcall: handle_krb5_mech: getting service ticket for figue
> > Nov 17 08:42:53 centad5 cifs.upcall: cifs_krb5_get_req: unable to resolve (null) to ccache
> > @
> 
> What a bizarre setup you have. I imagine all sorts of things get
> confused by numeric usernames. Many programs will assume that when
> given a numeric username that it's a uid, not a name. You might
> reconsider that setup -- maybe prefix the numbers with a letter or
> something...
> 
It seems it is a little late for this, we are already in a production state with Active Directory and winbind for authentication, Windows 2008 as a cifs server, Fedora 15 for client and using pam_mount for mounting partition.
As we are experiencing some "CIFS VFS: Unexpected SMB signature" with this, I am testing some other ways...

> In any case, it does seem like there is confusion somewhere with
> numeric uids, but I don't think that confusion is with cifs.upcall. If
> that is the correct credcache for this user, then it looks like its
> being created with the wrong ownership.
> 
> What does the output of "klist" look like when you're logged in as this
> user?
> 

[12345678@centad5 ~]$ klist
Ticket cache: FILE:/tmp/krb5cc_16777221
Default principal: 12345678@DOMAIN.LOCAL

Valid starting     Expires            Service principal
11/17/12 14:34:04  11/18/12 00:34:04  krbtgt/DOMAIN.LOCAL@DOMAIN.LOCAL
        renew until 11/24/12 14:34:04
11/17/12 14:34:04  11/18/12 00:34:04  CENTAD5$@DOMAIN.LOCAL
        renew until 11/24/12 14:34:04
11/17/12 14:34:04  11/18/12 00:34:04  CENTAD5$@DOMAIN.LOCAL
        renew until 11/24/12 14:34:04
[12345678@centad5 ~]$

> How about the output of "stat /tmp/krb5cc_16777216" ?

16777216 or 16777221 ? 
I did it for the two files 

[12345678@centad5 ~]$ id
uid=16777221(12345678) gid=16777216(utilisateurs du domaine) groupes=16777216(utilisateurs du domaine),16777217(profs)
[12345678@centad5 ~]$


[12345678@centad5 ~]$ stat /tmp/krb5cc_16777221 
File: « /tmp/krb5cc_16777221 »
Size: 3830 Blocks: 8 IO Block: 4096 fichier
Device: 801h/2049d Inode: 1985377 Links: 1
Access: (0600/-rw-------) Uid: (16777221/12345678) Gid: ( 0/ root)
Access: 2012-11-17 14:41:37.056868612 +0100
Modify: 2012-11-17 14:41:32.251850184 +0100
Change: 2012-11-17 14:41:32.251850184 +0100


[12345678@centad5 ~]$ stat /tmp/krb5cc_16777216 
File: « /tmp/krb5cc_16777216 »
Size: 3751 Blocks: 8 IO Block: 4096 fichier
Device: 801h/2049d Inode: 1966082 Links: 1
Access: (0600/-rw-------) Uid: (16777216/ conrad5) Gid: ( 0/ root)
Access: 2012-11-16 23:11:47.948511483 +0100
Modify: 2012-11-16 23:11:47.948511483 +0100
Change: 2012-11-16 23:11:47.948511483 +0100
> 
> -- 
> Jeff Layton 
> 
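
The mismatch visible in the logs above, as an added example (not part of the original thread and not cifs-utils code): it decodes a cifs.spnego key description and compares the requested creduid with the owners of the candidate credential caches. The function names and the `PASSWD`/`CCACHES` tables are assumptions built from values quoted in the thread; the `krb5cc_16777217` entry is constructed.

```python
# Key descriptions copied from the logs quoted in the thread.
NUMERIC = ("cifs.spnego;0;0;3f000000;ver=0x2;host=figue;ip4=130.120.8.11;sec=krb5;"
           "uid=0xbc614e;creduid=0xbc614e;user=12345678;pid=0x9b5")
ALPHA = ("ver=0x2;host=figue;ip4=130.120.8.11;sec=krb5;"
         "uid=0x1000001;creduid=0x1000001;user=conrad3;pid=0xd331")

# Username -> real uid, taken from the id/stat output and the conrad3 request.
PASSWD = {"12345678": 16777221, "conrad5": 16777216, "conrad3": 16777217}

# Credential cache path -> owner uid. The first two come from the stat output;
# the third is a constructed entry so the working case has a cache to match.
CCACHES = {
    "/tmp/krb5cc_16777221": 16777221,
    "/tmp/krb5cc_16777216": 16777216,
    "/tmp/krb5cc_16777217": 16777217,
}


def parse_key_description(desc):
    """Split a key description into fields; uid, creduid and pid are hex."""
    start = max(desc.find("ver="), 0)  # skip the "cifs.spnego;0;0;..." prefix
    pairs = (kv.split("=", 1) for kv in desc[start:].strip().split(";") if "=" in kv)
    fields = dict(pairs)
    for name in ("uid", "creduid", "pid"):
        if name in fields:
            fields[name] = int(fields[name], 16)
    return fields


def diagnose(desc, ccaches=CCACHES, passwd=PASSWD):
    """Report which ccaches the request can use and whether the name was read as a uid."""
    f = parse_key_description(desc)
    want = f.get("creduid", f["uid"])
    real_uid = passwd.get(f["user"])
    # Only caches owned by the requested uid are accepted, as the
    # "is owned by X, not Y" log lines show.
    usable = sorted(p for p, owner in ccaches.items() if owner == want)
    # A digits-only login whose value equals the requested uid, while the
    # account's real uid differs, means the login string was taken as a uid.
    name_as_uid = (f["user"].isdigit() and int(f["user"]) == want
                   and real_uid != want)
    return {"creduid": want, "real_uid": real_uid,
            "usable_ccaches": usable, "name_taken_as_uid": name_as_uid}


if __name__ == "__main__":
    for label, desc in (("numeric", NUMERIC), ("alpha", ALPHA)):
        print(label, diagnose(desc))
```
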
