Chad William Seys
2017-Feb-09 19:23 UTC
[Samba] cifs-utils: regression in (mulituser?) mounting 'CIFS VFS: Send error in SessSetup = -126'
Hi Aurélien,

Thanks for the idea!

For Debian packages:
6.4-1 works
6.5-1 works
6.5-2 works
6.6-1 fails
6.6-5 fails

So looks like something changed from 6.5 to 6.6...

When I have time I'll figure out how to compile the upcall binary.
Chad William Seys
2017-Feb-09 20:45 UTC
[Samba] cifs-utils: regression in (mulituser?) mounting 'CIFS VFS: Send error in SessSetup = -126'
Hi Jeff,

Could you look at the following mailing list posting?

https://lists.samba.org/archive/samba/2017-February/206468.html

It looks like cifs.upcall has changed its behavior. As described in that post, I can mount with root / kerberos, but then cannot access with another user who has credentials.

The logs indicate that cifs.upcall cannot find the kerberos ticket for the non-root user.

This problem does not exist in cifs-utils 6.5 and does exist in 6.6.

My best guess ATM is that the below commit caused the problem.

Thanks for your time!
Chad.

commit 9be6e885c3bd63aa6ae9e6351e1b33a4b15d9183
Author: Jeff Layton <jlayton at samba.org>
Date: Sun Aug 21 09:42:59 2016 -0400

    cifs.upcall: use krb5 routines to get default ccname

    Currently we end up groveling around in /tmp, trying to guess what
    the credcache will be. Instead, just get the default ccname for the
    user, and then see if it has a valid tgt. If it doesn't then we try to
    use the keytab to init the credcache before proceeding.
Jeff Layton
2017-Feb-10 17:09 UTC
[Samba] cifs-utils: regression in (mulituser?) mounting 'CIFS VFS: Send error in SessSetup = -126'
On Thu, 2017-02-09 at 14:45 -0600, Chad William Seys wrote:
> Hi Jeff,
> Could you look at the following mailing list posting?
>
> https://lists.samba.org/archive/samba/2017-February/206468.html
>
> It looks like cifs.upcall has changed its behavior. As described in
> that post, I can mount with root / kerberos, but then cannot access with
> another user who has credentials.
>
> The logs indicate that cifs.upcall cannot find the kerberos ticket for
> the non-root user.
>
> This problem does not exist in cifs-utils 6.5 and does exist in 6.6 .
>
> My best guess ATM is that the below commit caused the problem.
>
> Thanks for your time!
> Chad.
>
> commit 9be6e885c3bd63aa6ae9e6351e1b33a4b15d9183
> Author: Jeff Layton <jlayton at samba.org>
> Date: Sun Aug 21 09:42:59 2016 -0400
>
> cifs.upcall: use krb5 routines to get default ccname
> Currently we end up groveling around in /tmp, trying to guess what
> the credcache will be. Instead, just get the default ccname for the
> user, and then see if it has a valid tgt. If it doesn't then we try to
> use the keytab to init the credcache before proceeding.

Thanks... let's see...

The logs have this in the non-working case:

    Feb 8 09:48:14 trog cifs.upcall: get_tgt_time: unable to get principal

That corresponds to this bit of code in cifs.upcall:

    if (krb5_cc_get_principal(context, ccache, &principal)) {
        syslog(LOG_DEBUG, "%s: unable to get principal", __func__);
        goto err_cache;
    }

So we have a default credcache for the user for whom we are operating as, but we can't get the default principal name from it. My guess is that it's not finding the

The big difference between 6.5 and 6.6 is that we changed to not trying to scan /tmp for a credcache (which was always a bit sketchy). Instead, we rely on the info in krb5.conf to point cifs.upcall to the correct credcache. My guess is that that isn't working in your case for some reason.

I'll see if I can cook up a patch to flesh out the debugging there a bit. It'd be nice to see what cifs.upcall thinks the current credcache location is.

--
Jeff Layton <jlayton at samba.org>
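
Added example, not part of the thread and not cifs-utils code: a small check an administrator could run to see whether the credential cache a user's session actually uses (its KRB5CCNAME) is the one the krb5 library default would resolve to, which is the only location the reply above says 6.6 consults; cifs.upcall is started on behalf of the kernel and does not inherit the user's KRB5CCNAME. Assumptions: the function names are hypothetical, the sample krb5.conf and cache names are constructed, only the `%{uid}`, `%{euid}` and `%{username}` parameters are expanded, and the built-in default is taken to be MIT krb5's usual `FILE:/tmp/krb5cc_%{uid}`.

```python
import re

# Usual MIT krb5 built-in default when krb5.conf sets nothing (assumption:
# the distribution has not changed it at build time).
BUILTIN_DEFAULT = "FILE:/tmp/krb5cc_%{uid}"

def default_ccache_template(krb5_conf_text):
    """Return default_ccache_name from [libdefaults], or the built-in default."""
    section = None
    for raw in krb5_conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.fullmatch(r"\[(\w+)\]", line)
        if m:
            section = m.group(1)
            continue
        if section == "libdefaults" and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            if key == "default_ccache_name":
                return value
    return BUILTIN_DEFAULT

def expand(template, uid, username):
    """Expand the subset of krb5.conf parameters handled by this example."""
    values = {"uid": str(uid), "euid": str(uid), "username": username}
    return re.sub(r"%\{(\w+)\}", lambda m: values.get(m.group(1), m.group(0)), template)

def normalise(ccname):
    """A cache name without a type prefix is treated as a FILE: cache."""
    return ccname if re.match(r"^[A-Za-z]+:", ccname) else "FILE:" + ccname

def check(krb5_conf_text, uid, username, session_krb5ccname):
    """Compare the cache the user's session uses with the library default."""
    expected = normalise(expand(default_ccache_template(krb5_conf_text), uid, username))
    if not session_krb5ccname:
        return ("match", expected)  # the session falls back to the default too
    actual = normalise(session_krb5ccname)
    return ("match" if actual == expected else "mismatch", expected)

# Constructed sample input, not taken from the thread.
SAMPLE_CONF = """
[libdefaults]
    default_realm = EXAMPLE.ORG
"""
if __name__ == "__main__":
    print(check(SAMPLE_CONF, 1000, "alice", "FILE:/tmp/krb5cc_1000_Ab3dEf"))
```

A "mismatch" result means the user's tickets sit in a cache that a lookup based only on the library default will not open.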