Theo Markettos
2008-Nov-25 23:40 UTC
[Samba] CIFS, Kerberos over SSH tunnel (change service principal?)
I'm trying to set up a CIFS mount to a NetApp F840 called 'elmer' over an SSH tunnel. I also tunnel the Kerberos ports to the Windows AD server 'cannonstreet'. Using Ubuntu hardy, with recent updates for CIFS that are claimed to work:
https://bugs.launchpad.net/ubuntu/+source/samba/+bug/236830

I tunnel like this:

ssh -f -N -x -o TCPKeepAlive=yes -L88:cannonstreet:88 -L137:cannonstreet:137 -L139:elmer:139 -L445:elmer:445 userid@host

My /etc/krb5.conf contains:

[libdefaults]
    default_realm = AD.CL.CAM.AC.UK
    dns_lookup_realm = false
    dns_lookup_kdc = false
    ticket_lifetime = 24h
    forwardable = yes

[realms]
    AD.CL.CAM.AC.UK = {
        kdc = localhost
        admin_server = localhost
    }

[domain_realm]
    localhost = AD.CL.CAM.AC.UK
    .cl.cam.ac.uk = AD.CL.CAM.AC.UK
    .ad.cl.cam.ac.uk = AD.CL.CAM.AC.UK

[kdc]
    profile = /var/kerberos/krb5kdc/kdc.conf

My smb.conf has:

[global]
    security = ads
    realm = AD.CL.CAM.AC.UK
    password server = 127.0.0.1
    # note that workgroup is the 'short' domain name
    workgroup = AD.CL.CAM.AC.UK
    # winbind separator = +
    idmap uid = 10000-20000
    idmap gid = 10000-20000
    winbind enum users = yes
    winbind enum groups = yes
    template homedir = /home/%D/%U
    template shell = /bin/bash
    client use spnego = yes
    client ntlmv2 auth = yes
    encrypt passwords = yes
    winbind use default domain = yes
    restrict anonymous = 2

I get a Kerberos ticket:

atm26@bigwig:~$ sudo kinit atm26
Password for atm26@AD.CL.CAM.AC.UK:
atm26@bigwig:~$ sudo klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: atm26@AD.CL.CAM.AC.UK

Valid starting     Expires            Service principal
11/25/08 16:39:48  11/26/08 02:39:50  krbtgt/AD.CL.CAM.AC.UK@AD.CL.CAM.AC.UK
        renew until 11/26/08 16:39:48

Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached

My /etc/request-key.conf has a line:

create  cifs.spnego  *  *  /usr/bin/cifs.upcall %k %d

(changing this does seem to make a difference to the error code)

But when I try to mount, I get:

atm26@bigwig:~$ sudo mount.cifs //elmer/bigdisc /mnt/bigdisc/ -oip=127.0.0.1,username=atm26,user=atm26,sec=krb5,guest
mount error 126 = Required key not available
Refer to the mount.cifs(8) manual page (e.g.man mount.cifs)
atm26@bigwig:~$

(Tried various versions of hostname including 'localhost' and FQDN)

If I increase the debug to 3 in /proc/fs/cifs/cifsFYI I get:

[ 2306.872008] /build/buildd/linux-2.6.24/fs/cifs/cifsfs.c: Devname: //elmer/bigdisc flags: 64
[ 2306.872016] /build/buildd/linux-2.6.24/fs/cifs/connect.c: CIFS VFS: in cifs_mount as Xid: 8 with uid: 0
[ 2306.872025] /build/buildd/linux-2.6.24/fs/cifs/connect.c: Username: atm26
[ 2306.872029] /build/buildd/linux-2.6.24/fs/cifs/connect.c: UNC: \\elmer\bigdisc ip: 127.0.0.1
[ 2306.872039] /build/buildd/linux-2.6.24/fs/cifs/connect.c: Socket created
[ 2306.874879] /build/buildd/linux-2.6.24/fs/cifs/connect.c: sndbuf 50592 rcvbuf 87888 rcvtimeo 0x7fffffff
[ 2306.874933] /build/buildd/linux-2.6.24/fs/cifs/connect.c: Demultiplex PID: 14282
[ 2306.874949] /build/buildd/linux-2.6.24/fs/cifs/connect.c: Existing smb sess not found
[ 2306.874961] /build/buildd/linux-2.6.24/fs/cifs/cifssmb.c: secFlags 0x8
[ 2306.874966] /build/buildd/linux-2.6.24/fs/cifs/cifssmb.c: Kerberos only mechanism, enable extended security
[ 2306.874975] /build/buildd/linux-2.6.24/fs/cifs/transport.c: For smb_command 114
[ 2306.874981] /build/buildd/linux-2.6.24/fs/cifs/transport.c: Sending smb of length 69
[ 2306.877431] /build/buildd/linux-2.6.24/fs/cifs/connect.c: rfc1002 length 0xbd
[ 2306.877673] /build/buildd/linux-2.6.24/fs/cifs/cifssmb.c: Dialect: 2
[ 2306.877686] /build/buildd/linux-2.6.24/fs/cifs/asn1.c: OID len = 7 oid = 0x1 0x2 0x348 0x1bb92
[ 2306.877691] /build/buildd/linux-2.6.24/fs/cifs/asn1.c: OID len = 7 oid = 0x1 0x2 0x348 0xbb92
[ 2306.877696] /build/buildd/linux-2.6.24/fs/cifs/asn1.c: OID len = 10 oid = 0x1 0x3 0x6 0x1
[ 2306.877701] /build/buildd/linux-2.6.24/fs/cifs/asn1.c: Need to call asn1_octets_decode() function for cifs/bigwig.cl.cam.ac.uk@AD.CL.CAM.AC.UK
[ 2306.877706] /build/buildd/linux-2.6.24/fs/cifs/cifssmb.c: Signing disabled
[ 2306.877710] /build/buildd/linux-2.6.24/fs/cifs/cifssmb.c: negprot rc 0
[ 2306.877714] /build/buildd/linux-2.6.24/fs/cifs/connect.c: Security Mode: 0x3 Capabilities: 0x8080f3fd TimeAdjust: 0
[ 2306.877719] /build/buildd/linux-2.6.24/fs/cifs/sess.c: sess setup type 6
[ 2306.877729] /build/buildd/linux-2.6.24/fs/cifs/cifs_spnego.c: key description = ver=0x1;host=elmer;ip4=127.0.0.1;sec=krb5;uid=0x0
[ 2306.879410] /build/buildd/linux-2.6.24/fs/cifs/sess.c: ssetup freeing small buf dff88200
[ 2306.879417] CIFS VFS: Send error in SessSetup = -126
[ 2307.009182] /build/buildd/linux-2.6.24/fs/cifs/connect.c: No session or bad tcon
[ 2307.009196] /build/buildd/linux-2.6.24/fs/cifs/connect.c: CIFS VFS: leaving cifs_mount (xid = 8) rc = -126
[ 2307.009202] CIFS VFS: cifs_mount failed w/return code = -126

Can anyone tell me what's going wrong here? I think it might be that the service principal of my ticket is krbtgt/AD.CL.CAM.AC.UK@AD.CL.CAM.AC.UK but CIFS is trying to access cifs/bigwig.cl.cam.ac.uk@AD.CL.CAM.AC.UK. bigwig is the name of the client machine, which the CIFS server knows nothing about (it's not on its network, hence the SSH tunnel). I can't work out how to change the principal name (using '-S bigwig' on kinit just complains the server isn't found).

smbclient says this:

atm26@bigwig:~$ sudo smbclient -k -L 127.0.0.1
ads_krb5_mk_req: krb5_get_credentials failed for cifs/bigwig.cl.cam.ac.uk@AD.CL.CAM.AC.UK (Server not found in Kerberos database)
cli_session_setup_kerberos: spnego_gen_negTokenTarg failed: Server not found in Kerberos database
session setup failed: SUCCESS - 0

FWIW the following used to work under Samba:

sudo kinit atm26
sudo smbmount "\\\filer\homes-6" /mnt/homes-6 -o krb,ip=127.0.0.1,fmask=700,dmask=700,uid=atm26,gid=atm26
sudo smbmount "\\\filer\bigdisc" /mnt/bigdisc -o krb,ip=127.0.0.1,fmask=700,dmask=700,uid=atm26,gid=atm26

Anyone have any ideas?

Thanks
Theo
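As an added example (not from the post, and not Samba or cifs-utils code), a small Python check that reads the cifs_spnego key description and the cifsFYI lines quoted in the post and reports when the service principal the kernel looked up names a different host than the mount target. It assumes, following the poster's own reading of the log, that the upcall should be asking for cifs/<host> for the host= field in the key description; the sample lines are constructed copies of the post's output.

```python
import re

# Constructed sample input, copied in shape from the post's cifsFYI log and key description.
KEY_DESCRIPTION = "ver=0x1;host=elmer;ip4=127.0.0.1;sec=krb5;uid=0x0"
LOG_LINES = [
    "[ 2306.877701] /build/buildd/linux-2.6.24/fs/cifs/asn1.c: Need to call "
    "asn1_octets_decode() function for cifs/bigwig.cl.cam.ac.uk@AD.CL.CAM.AC.UK",
    "[ 2306.877729] /build/buildd/linux-2.6.24/fs/cifs/cifs_spnego.c: key description = "
    "ver=0x1;host=elmer;ip4=127.0.0.1;sec=krb5;uid=0x0",
    "[ 2306.879417] CIFS VFS: Send error in SessSetup = -126",
]
REALM = "AD.CL.CAM.AC.UK"  # default_realm from the post's krb5.conf


def parse_key_description(desc):
    """Split the 'k=v;k=v' cifs_spnego key description into a dict."""
    fields = {}
    for part in desc.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            fields[key] = value
    return fields


def expected_principal(desc, realm):
    """Assumption: the upcall should request cifs/<host> for the host= field."""
    return "cifs/%s@%s" % (parse_key_description(desc)["host"], realm)


def requested_principals(lines):
    """Every cifs/... service principal the kernel log shows being looked up."""
    pat = re.compile(r"\b(cifs/[\w.\-]+@[\w.\-]+)")
    return sorted({m.group(1) for line in lines for m in pat.finditer(line)})


def short_host(principal):
    """'cifs/bigwig.cl.cam.ac.uk@REALM' -> 'bigwig' (short name, lower-cased)."""
    return principal.split("/", 1)[1].split("@", 1)[0].split(".", 1)[0].lower()


def check_log(lines, desc, realm):
    """Return findings; an empty list means the SPN lookup matched the mount target."""
    findings = []
    want = expected_principal(desc, realm)
    for spn in requested_principals(lines):
        if short_host(spn) != short_host(want):
            findings.append("SPN mismatch: kernel looked up %s but the mount target implies %s"
                            % (spn, want))
    if any("SessSetup = -126" in line for line in lines):
        findings.append("session setup failed with -126 (Required key not available): "
                        "the upcall produced no usable key")
    return findings


if __name__ == "__main__":
    for finding in check_log(LOG_LINES, KEY_DESCRIPTION, REALM):
        print(finding)
```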