Hi,

I have an s3 fileserver joined to an s4 DC. Here is smb.conf on the fileserver:

[global]
    workgroup = HH3
    realm = HH3.SITE
    security = ADS
    kerberos method = system keytab
    winbind enum users = Yes
    winbind enum groups = Yes
    idmap config *:backend = tdb
    idmap config *:range = 3000-4000
    idmap config HH3:backend = ad
    idmap config HH3:range = 20000-40000000
    idmap config HH3:schema_mode = rfc2307
    winbind nss info = rfc2307
    winbind expand groups = 2
    winbind nested groups = yes
    winbind use default domain = Yes

[users]
    path = /home/users
    read only = No

getent passwd works fine and shows AD users. But cifs mount fails:

sudo mount -t cifs //oliva/users --verbose /mnt -osec=krb5
mount.cifs kernel mount options: ip=127.0.0.1,unc=\\oliva\users,sec=krb5,user=root,pass=********
mount error(13): Permission denied
Refer to the mount.cifs(8) manual page (e.g. man mount.cifs)

The log gives:

May 26 12:35:05 oliva cifs.upcall: key description: cifs.spnego;0;0;39010000;ver=0x2;host=oliva;ip4=127.0.0.1;sec=krb5;uid=0x0;creduid=0x0;user=root;pid=0x6f3
May 26 12:35:05 oliva cifs.upcall: ver=2
May 26 12:35:05 oliva cifs.upcall: host=oliva
May 26 12:35:05 oliva cifs.upcall: ip=127.0.0.1
May 26 12:35:05 oliva cifs.upcall: sec=1
May 26 12:35:05 oliva cifs.upcall: uid=0
May 26 12:35:05 oliva cifs.upcall: creduid=0
May 26 12:35:05 oliva cifs.upcall: user=root
May 26 12:35:05 oliva cifs.upcall: pid=1779
May 26 12:35:05 oliva cifs.upcall: find_krb5_cc: considering /tmp/krb5cc_0
May 26 12:35:05 oliva cifs.upcall: find_krb5_cc: FILE:/tmp/krb5cc_0 is valid ccache
May 26 12:35:05 oliva cifs.upcall: handle_krb5_mech: getting service ticket for oliva
May 26 12:35:05 oliva cifs.upcall: handle_krb5_mech: obtained service ticket
May 26 12:35:05 oliva kernel: [ 612.342045] Status code returned 0xc000006d NT_STATUS_LOGON_FAILURE
May 26 12:35:05 oliva kernel: [ 612.342109] CIFS VFS: Send error in SessSetup = -13
May 26 12:35:05 oliva kernel: [ 612.343323] CIFS VFS: cifs_mount failed w/return code = -13

smbd fails with this:

Maximum core file size limits now 16777216(soft) -1(hard)
smbd version 3.6.9 started.
Copyright Andrew Tridgell and the Samba Team 1992-2011
uid=0 gid=0 euid=0 egid=0
lp_load_ex: refreshing parameters
Initialising global parameters
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
params.c:pm_process() - Processing configuration file "/etc/samba/smb.conf"
Processing section "[global]"
Registered MSG_REQ_POOL_USAGE
Registered MSG_REQ_DMALLOC_MARK and LOG_CHANGED
lp_load_ex: refreshing parameters
Initialising global parameters
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
params.c:pm_process() - Processing configuration file "/etc/samba/smb.conf"
Processing section "[global]"
Processing section "[users]"
adding IPC service
added interface eth0 ip=fe80::a00:27ff:fe7c:2d50%eth0 bcast=fe80::ffff:ffff:ffff:ffff%eth0 netmask=ffff:ffff:ffff:ffff::
added interface eth0 ip=192.168.1.110 bcast=192.168.1.255 netmask=255.255.255.0
loaded services
Initialise the svcctl registry keys if needed.
Closed policy
Closed policy
Closed policy
Closed policy
Closed policy
Closed policy
Closed policy
Closed policy
Closed policy
Initialise the eventlog registry keys if needed.
Closed policy
get_dc_list: preferred server list: "hh16.hh3.site, *"
Successfully contacted LDAP server 192.168.1.16
get_dc_list: preferred server list: "hh16.hh3.site, *"
get_dc_list: preferred server list: "hh16.hh3.site, *"
Successfully contacted LDAP server 192.168.1.16
Connected to LDAP server hh16.hh3.site
ads_sasl_spnego_bind: got OID=1.2.840.48018.1.2.2
ads_sasl_spnego_bind: got OID=1.2.840.113554.1.2.2
ads_sasl_spnego_bind: got OID=1.3.6.1.4.1.311.2.2.10
ads_sasl_spnego_bind: got server principal name = not_defined_in_RFC4178@please_ignore
ads_krb5_mk_req: krb5_cc_get_principal failed (No credentials cache found)
ads_cleanup_expired_creds: Ticket in ccache[MEMORY:prtpub_cache] expiration dom, 26 may 2013 22:46:04 CEST
ads_krb5_mk_req: server marked as OK to delegate to, building forwardable TGT
reloading printcap cache
reload status: ok
waiting for connections
Unable to connect to CUPS server localhost:631 - Transport endpoint is not connected
failed to retrieve printer list: NT_STATUS_UNSUCCESSFUL
Could not find child 1808 -- ignoring
Allowed connection from 127.0.0.1 (127.0.0.1)
init_oplocks: initializing messages.
Linux kernel oplocks enabled
Transaction 0 of length 82 (0 toread)
switch message SMBnegprot (pid 1807) conn 0x0
Requested protocol [LM1.2X002]
Requested protocol [LANMAN2.1]
Requested protocol [NT LM 0.12]
Requested protocol [POSIX 2]
using SPNEGO
Selected protocol NT LM 0.12
Transaction 1 of length 1450 (0 toread)
switch message SMBsesssetupX (pid 1807) conn 0x0
wct=12 flg2=0xd801
setup_new_vc_session: New VC == 0, if NT4.x compatible we would close all old resources.
Doing spnego session setup
NativeOS=[Linux version 3.8.0-22-generic] NativeLanMan=[CIFS VFS Client for Linux] PrimaryDomain=[]
reply_spnego_negotiate: Got secblob of size 1227
libads/kerberos_verify.c:267: krb5_rd_req_return_keyblock_from_keytab succeeded for principal host/oliva.hh3.site@xxxxxxxx
Found account name from PAC: Administrator []
Kerberos ticket principal name is [Administrator@xxxxxxxx]
Username HH3\Administrator is invalid on this system
error packet at smbd/sesssetup.c(359) cmd=115 (SMBsesssetupX) NT_STATUS_LOGON_FAILURE
Server exit (failed to receive smb request)

Anyone please? In particular, why ntlm authentication? Why Username HH3\Administrator is invalid on this system?

I've tried without winbind use default domain = but nada.

Cheers,
Steve