Hi,after hours of debugging, I finally write to this list to see if I understood things. Let me first explain what I tried to do and I'll post my question towards the end.
What I want to do is mount a Windows-share via 'mount.cifs'. I can see stuff on that directory using smbclient, so login credentials ect. are ok:
# smbclient -A /etc/my-credentials -L \\\\share.name.org
Sharename Type Comment
--------- ---- -------
... some content ...
# smbclient -A /etc/my-credentials //share.name.org/home
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Fri Jan 31 12:36:03 2014
.. D 0 Fri Jan 29 07:38:10
2021
... smb: \> So far, so good. Now I want to mount: # mount -t cifs '\\share.name.org\home' -o credentials=/etc/my-credentials /mnt/win domain=MYDOMAINmount.cifs kernel mount options: ip=10.10.10.10,unc=\\share.name.org\home,user=me@xxxxxxxxx,domain=MYDOMAIN,pass=********
mount error(13): Permission deniedLooking at wireshark-captures of the smbclient-connect I see it using krb5, so let's do that too with cifs:
# mount -t cifs '\\share.name.org\home' -o credentials=/etc/my-credentials,sec=krb5 /mnt/win domain=MYDOMAINmount.cifs kernel mount options: ip=10.10.10.10,unc=\\share.name.org\home,sec=krb5,user=me@xxxxxxxxx,domain=MYDOMAIN,pass=********
mount error(2): No such file or directory Note, I do not have active krb5-tickets on this machine, I do not even have kinit installed. Even more strange, trying without actually specifying a password: # mount -v -t cifs '\\share.name.org\home' -o username=me@xxxxxxxxx,domain=MYDOMAIN,sec=krb5 /mnt/win mount.cifs kernel mount options: ip=10.10.10.10,unc=\\share.name.org\home,sec=krb5,user=me@xxxxxxxxx,domain=MYDOMAIN,pass=******** mount error(2): No such file or directoryShows the same: it does not even ask me for the password (but still shows 'pass=********' in the kernel mount options). This is strange, because the docs say:
password=arg|pass=arg
specifies the CIFS password. If this option is not given
then the environment variable PASSWD is used. If the password is not
specified directly or indirectly via an argument to mount, mount.cifs
will prompt for a password, unless the guest option is specified.
Trying without password and without sec=krb5 does indeed give me the expected prompt.
Digging deeper, into the source of mount.cifs, I find (cifs.upcall.c:582)
/* * Prepares AP-REQ data for mechToken and gets session key * Uses credentials from cache. It will not ask for password * you should receive credentials for yuor name manually using * kinit or whatever you wish. */According to that source-code comment, sec=krb5 will ignore any password setting - it will not even ask for one. mount.cifs.c:918 shows similar intentions:
if (!strncmp(value, "krb5", 4)) {
parsed_info->is_krb5 = 1;
parsed_info->got_password = 1;
}
So, now my questions:
1. Is it intended that mount.cifs will not ask for a password when using
sec=krb5 and will ignore any set password?
2. I don't want to setup krb5-tokens for users. All I want is
authenticate using krb5 to get the smb-session and then forget about
krb5. smbclient seems to be able to do this. I don't know how they do
it, I suspect they create a temporary token, open the session, and then
drop it again. Whatever smbclient does: couldn't mount.cifs do the same
or something similar? This would make the 'password' setting meaningful
for sec=krb5. This does not mean that existing tokens couldn't and
shouldn't be used. It would just mean that users would not *have* to use
an external mechanism for this.
3. For the moment (and only if my observations are correct): could the
documentation be updated to reflect that "password" is ignored for
"sec=krb5"? Users shouldn't need to dig inside the source code to find
out things like that.
4. Currently, trying sec=krb5 without token cache files results in the
rather obscure error "mount error(2): No such file or directory". Could
this me changed into something that points users to the actual cause of
the error?
5. Am I even remotely correct with any of this? :) thanks, Frank
Attachment:
signature.asc
Description: PGP signature
