Re: cifs autofs krb5i

On Sat, 17 Nov 2012 14:56:54 +0100
"sergio.conrad" <sergio.conrad@xxxxxxxxxxx> wrote:

> 
> 
> 
> > > Message of 17/11/12 11:44
> > > From: "Jeff Layton" 
> > > To: "sergio.conrad" 
> > > Cc: linux-cifs@xxxxxxxxxxxxxxx
> > > Subject: Re: cifs autofs krb5i
> >
> > On Sat, 17 Nov 2012 08:53:02 +0100
> > "sergio.conrad"  wrote:
> > 
> > > 
> > > 
> > > 
> > > > > Message of 17/11/12 03:01
> > > > > From: "Jeff Layton" 
> > > > > To: "sergio.conrad" 
> > > > > Cc: linux-cifs@xxxxxxxxxxxxxxx
> > > > > Subject: Re: cifs autofs krb5i
> > > >
> > > > On Fri, 16 Nov 2012 23:37:52 +0100
> > > > "sergio.conrad" wrote:
> > > > 
> > > > > Hi,
> > > > > 
> > > > > I am able to connect to a cifs share on Windows 2008 with Kerberos security via autofs with this map:
> > > > > * -fstype=cifs,sec=krb5i,user=&,uid=&,cruid=&,file_mode=0700,dir_mode=0700,nounix,noserverino ://figue/data/&
> > > > > 
> > > > > It is working fine with an alphanumeric login:
> > > > > fs/cifs/cifs_spnego.c: key description = ver=0x2;host=figue;ip4=130.120.8.11;sec=krb5;uid=0x1000001;creduid=0x1000001;user=conrad3;pid=0xd331
> > > > > 
> > > > > 
> > > > > But if I use a numeric-only login like 12345678 I have a problem:
> > > > > fs/cifs/cifs_spnego.c: key description = ver=0x2;host=figue;ip4=130.120.8.11;sec=krb5;uid=0xbc614e;creduid=0xbc614e;user=12345678;pid=0xe5db
> > > > > fs/cifs/sess.c: ssetup freeing small buf ffff88003a838140
> > > > > CIFS VFS: Send error in SessSetup = -126
> > > > > fs/cifs/connect.c: CIFS VFS: leaving cifs_get_smb_ses (xid = 223) rc = -126
> > > > > fs/cifs/connect.c: CIFS VFS: leaving cifs_mount (xid = 222) rc = -126
> > > > > CIFS VFS: cifs_mount failed w/return code = -126
> > > > > 
> > > > > What can I do to solve this issue ?
> > > > 
> > > > 
> > > > cifs.upcall logs at daemon.debug level. Set up syslog to log that and
> > > > you'll get some details about what it's doing.
> > > > 
> > > > -- 
> > > > Jeff Layton 
> > > > 
> > > 
> > > Thanks for your response.
> > > I got the error:
> > > Nov 17 08:42:53 centad5 cifs.upcall: find_krb5_cc: /tmp/krb5cc_16777221 is owned by 16777221, not 12345678
> > > 
> > > Perhaps it is a confusion about the uid and the login in a numeric value
> > > 
> > > [12345678@centad5 ~]$ id
> > > uid=16777221(12345678) gid=16777216(utilisateurs du domaine) 
> > > groups=16777216(utilisateurs du domaine),16777217(profs)
> > > 
> > > The full log is :
> > > 
> > > Nov 17 08:42:53 centad5 cifs.upcall: key description: cifs.spnego;0;0;3f000000;ver=0x2;host=figue;ip4=130.120.8.11;sec=krb5;uid=0xbc614e;creduid=0xbc614e;user=12345678;pid=0x9b5
> > > Nov 17 08:42:53 centad5 cifs.upcall: ver=2
> > > Nov 17 08:42:53 centad5 cifs.upcall: host=figue
> > > Nov 17 08:42:53 centad5 cifs.upcall: ip=130.120.8.11
> > > Nov 17 08:42:53 centad5 cifs.upcall: sec=1
> > > Nov 17 08:42:53 centad5 cifs.upcall: uid=12345678
> > > Nov 17 08:42:53 centad5 cifs.upcall: creduid=12345678
> > > Nov 17 08:42:53 centad5 cifs.upcall: user=12345678
> > > Nov 17 08:42:53 centad5 cifs.upcall: pid=2485
> > > Nov 17 08:42:53 centad5 cifs.upcall: find_krb5_cc: considering /tmp/krb5cc_16777221
> > > Nov 17 08:42:53 centad5 cifs.upcall: find_krb5_cc: /tmp/krb5cc_16777221 is owned by 16777221, not 12345678
> > > Nov 17 08:42:53 centad5 cifs.upcall: find_krb5_cc: considering /tmp/krb5cc_16777216
> > > Nov 17 08:42:53 centad5 cifs.upcall: find_krb5_cc: /tmp/krb5cc_16777216 is owned by 16777216, not 12345678
> > > Nov 17 08:42:53 centad5 cifs.upcall: krb5_get_init_creds_keytab: 13
> > > Nov 17 08:42:53 centad5 cifs.upcall: handle_krb5_mech: getting service ticket for figue
> > > Nov 17 08:42:53 centad5 cifs.upcall: cifs_krb5_get_req: unable to resolve (null) to ccache
> > 
> > What a bizarre setup you have. I imagine all sorts of things get
> > confused by numeric usernames. Many programs will assume that when
> > given a numeric username that it's a uid, not a name. You might
> > reconsider that setup -- maybe prefix the numbers with a letter or
> > something...
> > 
> It seems it is a little late for this; we are already in production with Active 
> Directory and winbind for authentication, Windows 2008 as the cifs server, Fedora 15 for 
> the clients, and pam_mount for mounting the partitions.
> As we are experiencing some "CIFS VFS: Unexpected SMB signature" errors with this, 
> I am testing some other ways...
> 
> > In any case, it does seem like there is confusion somewhere with
> > numeric uids, but I don't think that confusion is with cifs.upcall. If
> > that is the correct credcache for this user, then it looks like its
> > being created with the wrong ownership.
> > 
> > What does the output of "klist" look like when you're logged in as this
> > user?
> > 
> 
> [12345678@centad5 ~]$ klist
> Ticket cache: FILE:/tmp/krb5cc_16777221
> Default principal: 12345678@DOMAIN.LOCAL
> 
> Valid starting     Expires            Service principal
> 11/17/12 14:34:04  11/18/12 00:34:04  krbtgt/DOMAIN.LOCAL@DOMAIN.LOCAL
>         renew until 11/24/12 14:34:04
> 11/17/12 14:34:04  11/18/12 00:34:04  CENTAD5$@DOMAIN.LOCAL
>         renew until 11/24/12 14:34:04
> 11/17/12 14:34:04  11/18/12 00:34:04  CENTAD5$@DOMAIN.LOCAL
>         renew until 11/24/12 14:34:04
> [12345678@centad5 ~]$
> 
> > How about the output of "stat /tmp/krb5cc_16777216" ?
> 
> 16777216 or 16777221? 
> I did it for both files:
> 
> [12345678@centad5 ~]$ id
> uid=16777221(12345678) gid=16777216(utilisateurs du domaine) 
> groups=16777216(utilisateurs du domaine),16777217(profs)
> [12345678@centad5 ~]$
> 
> 
> [12345678@centad5 ~]$ stat /tmp/krb5cc_16777221
>   File: '/tmp/krb5cc_16777221'
>   Size: 3830        Blocks: 8          IO Block: 4096   regular file
> Device: 801h/2049d  Inode: 1985377     Links: 1
> Access: (0600/-rw-------)  Uid: (16777221/12345678)   Gid: (       0/    root)
> Access: 2012-11-17 14:41:37.056868612 +0100
> Modify: 2012-11-17 14:41:32.251850184 +0100
> Change: 2012-11-17 14:41:32.251850184 +0100
> 
> [12345678@centad5 ~]$ stat /tmp/krb5cc_16777216
>   File: '/tmp/krb5cc_16777216'
>   Size: 3751        Blocks: 8          IO Block: 4096   regular file
> Device: 801h/2049d  Inode: 1966082     Links: 1
> Access: (0600/-rw-------)  Uid: (16777216/ conrad5)   Gid: (       0/    root)
> Access: 2012-11-16 23:11:47.948511483 +0100
> Modify: 2012-11-16 23:11:47.948511483 +0100
> Change: 2012-11-16 23:11:47.948511483 +0100
> > 

Ok, I think I see now. I believe your problem is in the options you're
passing in at mount time:

    fstype=cifs,sec=krb5i,user=&,uid=&,cruid=&,file_mode=0700,dir_mode=0700,nounix,noserverino ://figue/data/&

...specifically, the 'uid=&' and 'cruid=&' options. When mount.cifs gets
a numeric value for those options, it assumes that it's a uid, not a
username. You should probably replace those options in your automount
map with something like:

    uid=$UID,cruid=$UID

...which will make it pass in the numeric uid instead (that should also
be slightly more efficient since you won't need to go to NSS to resolve
username to uid). You may also want to consider adding:

    gid=$GID

...but that depends on your needs. See the section on "Variable
Substitution" in autofs(5) for info on $UID and $GID.

Best of luck!
-- 
Jeff Layton <jlayton@xxxxxxxxxx>
--
To unsubscribe from this list: send the line "unsubscribe linux-cifs" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
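The following is an added example, written for this archive page; it is not code from the thread, from cifs-utils or from autofs. In plain POSIX shell it emulates the two rules the reply above rests on: autofs expands `&` to the map key (the login name) and `$UID`/`$GID` to the requesting process's numeric ids, and mount.cifs treats an all-digit `uid=`/`cruid=` value as a uid rather than a user name. The passwd table is constructed from the ids shown in the thread (conrad3 = 16777217, conrad5 = 16777216, 12345678 = 16777221, gid 16777216) and is an assumption, as is the simplified ownership check standing in for cifs.upcall's find_krb5_cc; the real parsers do more than this.

```shell
#!/bin/sh
# Added example, not code from the thread, cifs-utils or autofs. It emulates
# two rules the reply relies on:
#   1. autofs substitutes '&' with the map key (the login name) and '$UID' /
#      '$GID' with the requesting process's numeric ids;
#   2. mount.cifs takes an all-digit uid=/cruid= value as a uid and never
#      looks it up as a user name.
# The passwd table is constructed from the ids shown in the thread (assumed,
# not real system data); the real parsers are more involved than this.

PASSWD_TABLE='conrad3:x:16777217:16777216::/home/conrad3:/bin/bash
conrad5:x:16777216:16777216::/home/conrad5:/bin/bash
12345678:x:16777221:16777216::/home/12345678:/bin/bash'

# Map a login name to its uid via the constructed table (prints nothing if
# the name is unknown).
lookup_uid() {
    printf '%s\n' "$PASSWD_TABLE" | awk -F: -v n="$1" '$1 == n { print $3; exit }'
}

# Rule 2: digits only -> literal uid; anything else -> resolved as a name.
resolve_uid_option() {
    case "$1" in
        ''|*[!0-9]*) lookup_uid "$1" ;;
        *)           printf '%s\n' "$1" ;;
    esac
}

# Rule 1: render one map entry's options. $1 = template, $2 = map key,
# $3 = caller uid, $4 = caller gid. The escaped $ is literal to sed, not
# an end-of-line anchor.
render_map_options() {
    printf '%s\n' "$1" | sed -e "s/&/$2/g" -e "s/\\\$UID/$3/g" -e "s/\\\$GID/$4/g"
}

# Extract the value of one option ($2) from a rendered option string ($1).
option_value() {
    printf '%s\n' "$1" | tr ',' '\n' | sed -n "s/^$2=//p"
}

# The cruid mount.cifs would hand to the kernel for login $2 under map $1;
# the caller's uid comes from the table, as autofs takes it from the process.
effective_cruid() {
    _uid=$(lookup_uid "$2")
    _opts=$(render_map_options "$1" "$2" "$_uid" 16777216)
    resolve_uid_option "$(option_value "$_opts" cruid)"
}

# Stand-in for the check cifs.upcall logged ("is owned by X, not Y"): the
# credcache must be owned by the uid it was asked for.
# $1 = requested uid, $2 = file owner uid.
ccache_owner_ok() {
    [ "$1" = "$2" ]
}

# Original map (uid=&,cruid=&) beside the reply's fix (uid=$UID,cruid=$UID).
BROKEN='fstype=cifs,sec=krb5i,user=&,uid=&,cruid=&,file_mode=0700,dir_mode=0700,nounix,noserverino'
FIXED='fstype=cifs,sec=krb5i,user=&,uid=$UID,cruid=$UID,gid=$GID,file_mode=0700,dir_mode=0700,nounix,noserverino'

# Walk the thread's cases: the alphanumeric login works either way, the
# numeric login fails with the original map and works with the fixed one.
report_case() {
    owner=$(lookup_uid "$3")          # owner of the user's own krb5cc_<uid>
    cruid=$(effective_cruid "$2" "$3")
    if ccache_owner_ok "$cruid" "$owner"; then
        echo "$1 map, login $3: cruid=$cruid matches ccache owner $owner"
    else
        echo "$1 map, login $3: cruid=$cruid, but ccache is owned by $owner (upcall rejects it)"
    fi
}

for login in conrad3 12345678; do
    report_case BROKEN "$BROKEN" "$login"
    report_case FIXED  "$FIXED"  "$login"
done
```

Running it reproduces the asymmetry in the thread: with the original map the login `12345678` turns into `cruid=12345678`, which no `/tmp/krb5cc_*` file is owned by, while `conrad3` resolves through the name table to 16777217 and matches; with `uid=$UID,cruid=$UID` both logins end up with their real uid. Note that `$UID` in the map is autofs's substitution variable from autofs(5), not the shell's; the example keeps it in single quotes for that reason.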

