Hi guys,

This seems to be a well-known problem with mount.cifs on Ubuntu 12.04. Unfortunately, although I have applied the suggestions I found with google, I can't seem to be able to get mount.cifs to work with kerberos. I am trying to use kerberos to mount my Windows shares because this is the only allowed secure way in my company to connect to shares. Before anyone asks, I can successfully use smbclient to connect once I have a valid kerberos ticket either as cytan or as root.

However with mount.cifs, I get the following message:

(Note I am root when I do this, and yes I have done the following to get a valid kerberos ticket:
kinit cytan
and /tmp/krb5cc_0 does exist. See below.
)

**************************************
root@ad109688-lt:/home/cytan# mount.cifs -o sec=krb5,user=cytan,domain=ABCDE //beamssrv1.abcd.com/cytan$ ./win --verbose
mount.cifs kernel mount options: ip=xxx.xxx.xxx.xx,unc=\\beamssrv1.abcd.com\cytan$, sec=krb5,ver=1,user=cytan,domain=ABCDE,pass=*********
mount error(126): Required key not available
Refer to the mount.cifs(8) manual page (e.g. man mount.cifs)
*************************************

Here's the dmesg output:
************************************
[16262.785552] /build/buildd/linux-lts-quantal-3.5.0/fs/cifs/cifs_spnego.c: key description = ver=0x2;host=beamssrv1.abcd.com;ip4=xxx.xxx.xxx.xx ;sec=krb5;uid=0x0;creduid=0x0;user=cytan;pid=0x155 d
[16262.946608] /build/buildd/linux-lts-quantal-3.5.0/fs/cifs/sess.c: ssetup freeing small buf ffff88005772ddc0
[16262.946618] CIFS VFS: Send error in SessSetup = -126
[16262.946627] /build/buildd/linux-lts-quantal-3.5.0/fs/cifs/connect.c: CIFS VFS: leaving cifs_get_smb_ses (xid = 57) rc = -126
[16262.946640] /build/buildd/linux-lts-quantal-3.5.0/fs/cifs/fscache.c: cifs_fscache_release_client_cookie: (0xffff880023277c00/0xffff88005a2ac140)
[16262.946803] /build/buildd/linux-lts-quantal-3.5.0/fs/cifs/connect.c: CIFS VFS: leaving cifs_mount (xid = 56) rc = -126
**************************************

Notice the uid and creduid are both 0x0.

I tried both ways of kinit'ing as myself: cytan and as root. See klist below:
*****************************************
as cytan:

Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: cytan@ABCD.COM

Valid starting    Expires           Service principal
27/09/2013 09:03  28/09/2013 11:03  krbtgt/ABCD.COM@ABCD.COM
        renew until 04/10/2013 09:03

*******************************************

as root:

Ticket cache: FILE:/tmp/krb5cc_0
Default principal: cytan@ABCD.COM

Valid starting    Expires           Service principal
27/09/2013 13:42  28/09/2013 15:42  krbtgt/ABCD.COM@ABCD.COM
        renew until 04/10/2013 13:42

*********************************************

Unfortunately, using either uid's always gives me the "Required key not available" problem.

What am I doing wrong? Or is this a bug and is there a workaround?

Has anyone actually gotten samba to work with kerberos?

Thanks!

cytan

On 28/09/13 15:28, Cheng-Yang Tan wrote:
> Hi guys,
> This seems to be a well-known problem with mount.cifs on Ubuntu 12.04. Unfortunately, although I have applied the suggestions I found with google, I can't seem to be able to get mount.cifs to work with kerberos. I am trying to use kerberos to mount my Windows shares because this is the only allowed secure way in my company to connect to shares. Before anyone asks, I can successfully use smbclient to connect once I have a valid kerberos ticket either as cytan or as root.
>
> However with mount.cifs, I get the following message:
>
> (Note I am root when I do this, and yes I have done the following to get a valid kerberos ticket:
> kinit cytan
> and /tmp/krb5cc_0 does exist. See below.
> )
>
> **************************************
> root@ad109688-lt:/home/cytan# mount.cifs -o sec=krb5,user=cytan,domain=ABCDE //beamssrv1.abcd.com/cytan$ ./win --verbose
> mount.cifs kernel mount options: ip=xxx.xxx.xxx.xx,unc=\\beamssrv1.abcd.com\cytan$, sec=krb5,ver=1,user=cytan,domain=ABCDE,pass=*********
> mount error(126): Required key not available
> Refer to the mount.cifs(8) manual page (e.g. man mount.cifs)
> *************************************
>
> Here's the dmesg output:
> ************************************
> [16262.785552] /build/buildd/linux-lts-quantal-3.5.0/fs/cifs/cifs_spnego.c: key description = ver=0x2;host=beamssrv1.abcd.com;ip4=xxx.xxx.xxx.xx ;sec=krb5;uid=0x0;creduid=0x0;user=cytan;pid=0x155 d
> [16262.946608] /build/buildd/linux-lts-quantal-3.5.0/fs/cifs/sess.c: ssetup freeing small buf ffff88005772ddc0
> [16262.946618] CIFS VFS: Send error in SessSetup = -126
> [16262.946627] /build/buildd/linux-lts-quantal-3.5.0/fs/cifs/connect.c: CIFS VFS: leaving cifs_get_smb_ses (xid = 57) rc = -126
> [16262.946640] /build/buildd/linux-lts-quantal-3.5.0/fs/cifs/fscache.c: cifs_fscache_release_client_cookie: (0xffff880023277c00/0xffff88005a2ac140)
> [16262.946803] /build/buildd/linux-lts-quantal-3.5.0/fs/cifs/connect.c: CIFS VFS: leaving cifs_mount (xid = 56) rc = -126
> **************************************
>
> Notice the uid and creduid are both 0x0.
>
> I tried both ways of kinit'ing as myself: cytan and as root. See klist below:
> *****************************************
> as cytan:
>
> Ticket cache: FILE:/tmp/krb5cc_1000
> Default principal: cytan@ABCD.COM
>
> Valid starting    Expires           Service principal
> 27/09/2013 09:03  28/09/2013 11:03  krbtgt/ABCD.COM@ABCD.COM
>         renew until 04/10/2013 09:03
>
> *******************************************
>
> as root:
>
> Ticket cache: FILE:/tmp/krb5cc_0
> Default principal: cytan@ABCD.COM
>
> Valid starting    Expires           Service principal
> 27/09/2013 13:42  28/09/2013 15:42  krbtgt/ABCD.COM@ABCD.COM
>         renew until 04/10/2013 13:42
>
> *********************************************
>
> Unfortunately, using either uid's always gives me the "Required key not available" problem.
>
>
> What am I doing wrong? Or is this a bug and is there a workaround?
>
> Has anyone actually gotten samba to work with kerberos?
>
>
> Thanks!
>
> cytan

In answer to your question, yes I have tried several ways to do what you are asking about and have come to the conclusion that the easiest way is by using sssd and autofs, see here:

http://linuxcostablanca.blogspot.com.es/2013/09/samba4-autofs.html

Rowland

On Sat, 2013-09-28 at 07:28 -0700, Cheng-Yang Tan wrote:
> Hi guys,
> This seems to be a well-known problem with mount.cifs on Ubuntu 12.04.

Hi

It's not a problem. It simply means that cifs.upcall doesn't know what key to use.

mount.cifs -o sec=krb5,user=cytan,domain=ABCDE //beamssrv1.abcd.com/cytan$ ./win --verbose

If you wish cytan to mount and access the share (not a good idea but anyway...) then cytan must have an entry in the keytab. The cifs mount is then performed as:

mount -t cifs //beamssrv1.abcd.com/cytan\$ ./win -osec=krb5,username=cytan,domain=ABCDE

Note: username _not_ user, and don't forget to escape the $.

Add the principal to the keytab on the client using ktutil:

ktutil: addent -password -p cytan@ABCDE -k 1 -e arcfour-hmac

The method is described here:
http://linuxcostablanca.blogspot.com.es/2013/05/samba-3615-file-server-for-samba-406-ad.html

It would be better not to use a regular user to mount the share but instead create an unprivileged domain user, e.g. cifsuser, whose sole purpose is to mount the share. You can then mount it using the multiuser option if other users are required to use it.

HTH
Steve
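
Added example, not part of any message in this thread: a shell helper that decodes the `key description` line from the dmesg output and checks that the ticket cache for its `creduid` exists, is owned by that uid, and is closed to group and other. The function names are hypothetical, and the `/tmp/krb5cc_<uid>` naming is an assumption taken from the klist output quoted in the thread.

```shell
#!/bin/sh
# Added example (not from the thread): decode a cifs.spnego key description
# and check the ticket cache that belongs to its creduid.

# Key description copied from the dmesg output quoted in the thread.
SAMPLE_DESC='ver=0x2;host=beamssrv1.abcd.com;ip4=xxx.xxx.xxx.xx ;sec=krb5;uid=0x0;creduid=0x0;user=cytan;pid=0x155 d'

# Print the value of FIELD ($2) from a ';'-separated description ($1).
spnego_field() {
    # Spaces come from mail line wrapping, so drop them before splitting.
    printf '%s\n' "$1" | tr -d ' ' | tr ';' '\n' | sed -n "s/^$2=//p" | head -n 1
}

# Convert the kernel's 0x-prefixed hex to decimal; reject anything else so
# untrusted log text never reaches arithmetic expansion.
hex_to_dec() {
    case $1 in
        0x | 0x*[!0-9a-fA-F]*) return 1 ;;
        0x*) echo "$(($1))" ;;
        *) return 1 ;;
    esac
}

# Report missing / wrong-owner / too-open / ok for cache file $1, expected uid $2.
ccache_status() {
    [ -f "$1" ] || { echo missing; return 0; }
    ls -ln -- "$1" | awk -v want="$2" '{
        if ($3 != want) print "wrong-owner"
        else if (substr($1, 5, 6) != "------") print "too-open"  # group/other bits
        else print "ok" }'
}

# Assumption: caches are named <dir>/krb5cc_<uid>, as in the thread's klist output.
check_spnego_key() {  # usage: check_spnego_key DESCRIPTION [CACHE_DIR]
    uid=$(hex_to_dec "$(spnego_field "$1" creduid)") || { echo "bad creduid"; return 1; }
    cache="${2:-/tmp}/krb5cc_$uid"
    echo "creduid=$uid user=$(spnego_field "$1" user) cache=$cache status=$(ccache_status "$cache" "$uid")"
}

check_spnego_key "$SAMPLE_DESC"
```

A `wrong-owner` or `too-open` result is worth fixing before any mount retry, since a ticket cache readable by other local accounts exposes the user's Kerberos credentials.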