Hi Frank,
When sec=krb5 is used, the Linux cifs client ignores the password
supplied. You're right. This needs to be documented.
It relies on external utilities (like samba-winbind, sssd or manual
setup of krb5 client) to fetch the krb5 TGT needed for sec=krb5.
I don't know how smbclient does this. Might be worth checking.
If you're connecting to something like a Windows AD, you can setup
winbind to fetch the krb5 TGTs for the AD users.
Once configured, winbind will fetch the kerberos credentials on behalf
of the user during login.
Alternatively, you can setup a kerberos keytab file or credential
cache file yourself manually using kinit.
Regards,
Shyam
On Sat, Mar 27, 2021 at 5:09 PM Frank Loeffler
<frank.loeffler@xxxxxxxxxxx> wrote:
>
> Hi,
>
> after hours of debugging, I finally write to this list to see if I
> understood things. Let me first explain what I tried to do and I'll post
> my question towards the end.
>
>
> What I want to do is mount a Windows-share via 'mount.cifs'. I can see
> stuff on that directory using smbclient, so login credentials ect. are
> ok:
>
> # smbclient -A /etc/my-credentials -L \\\\share.name.org
>
> Sharename Type Comment
> --------- ---- -------
> ... some content ...
>
> # smbclient -A /etc/my-credentials //share.name.org/home
> Try "help" to get a list of possible commands.
> smb: \> ls
> . D 0 Fri Jan 31 12:36:03 2014
> .. D 0 Fri Jan 29 07:38:10
> 2021
> ...
> smb: \>
>
> So far, so good. Now I want to mount:
>
> # mount -t cifs '\\share.name.org\home' -o credentials=/etc/my-credentials /mnt/win
> domain=MYDOMAIN
> mount.cifs kernel mount options:
> ip=10.10.10.10,unc=\\share.name.org\home,user=me@xxxxxxxxx,domain=MYDOMAIN,pass=********
> mount error(13): Permission denied
>
> Looking at wireshark-captures of the smbclient-connect I see it using
> krb5, so let's do that too with cifs:
>
> # mount -t cifs '\\share.name.org\home' -o credentials=/etc/my-credentials,sec=krb5 /mnt/win
> domain=MYDOMAIN
> mount.cifs kernel mount options:
> ip=10.10.10.10,unc=\\share.name.org\home,sec=krb5,user=me@xxxxxxxxx,domain=MYDOMAIN,pass=********
> mount error(2): No such file or directory
>
> Note, I do not have active krb5-tickets on this machine, I do not even have kinit installed.
>
> Even more strange, trying without actually specifying a password:
>
> # mount -v -t cifs '\\share.name.org\home' -o username=me@xxxxxxxxx,domain=MYDOMAIN,sec=krb5 /mnt/win
> mount.cifs kernel mount options: ip=10.10.10.10,unc=\\share.name.org\home,sec=krb5,user=me@xxxxxxxxx,domain=MYDOMAIN,pass=********
> mount error(2): No such file or directory
>
> Shows the same: it does not even ask me for the password (but still
> shows 'pass=********' in the kernel mount options). This is strange,
> because the docs say:
>
> password=arg|pass=arg
> specifies the CIFS password. If this option is not given
> then the environment variable PASSWD is used. If the password is not
> specified directly or indirectly via an argument to mount, mount.cifs
> will prompt for a password, unless the guest option is specified.
>
> Trying without password and without sec=krb5 does indeed give me the
> expected prompt.
>
> Digging deeper, into the source of mount.cifs, I find
> (cifs.upcall.c:582)
>
> /*
> * Prepares AP-REQ data for mechToken and gets session key
> * Uses credentials from cache. It will not ask for password
> * you should receive credentials for yuor name manually using
> * kinit or whatever you wish.
> */
>
> According to that source-code comment, sec=krb5 will ignore any password
> setting - it will not even ask for one. mount.cifs.c:918 shows similar
> intentions:
>
> if (!strncmp(value, "krb5", 4)) {
> parsed_info->is_krb5 = 1;
> parsed_info->got_password = 1;
> }
>
> So, now my questions:
>
> 1. Is it intended that mount.cifs will not ask for a password when using
> sec=krb5 and will ignore any set password?
> 2. I don't want to setup krb5-tokens for users. All I want is
> authenticate using krb5 to get the smb-session and then forget about
> krb5. smbclient seems to be able to do this. I don't know how they do
> it, I suspect they create a temporary token, open the session, and then
> drop it again. Whatever smbclient does: couldn't mount.cifs do the same
> or something similar? This would make the 'password' setting meaningful
> for sec=krb5. This does not mean that existing tokens couldn't and
> shouldn't be used. It would just mean that users would not *have* to use
> an external mechanism for this.
> 3. For the moment (and only if my observations are correct): could the
> documentation be updated to reflect that "password" is ignored for
> "sec=krb5"? Users shouldn't need to dig inside the source code to find
> out things like that.
> 4. Currently, trying sec=krb5 without token cache files results in the
> rather obscure error "mount error(2): No such file or directory". Could
> this me changed into something that points users to the actual cause of
> the error?
> 5. Am I even remotely correct with any of this? :)
>
> thanks, Frank
>
--
Regards,
Shyam
