Hi @all,
I have some problems when using pam_mount.conf.xml to mount shares via Kerberos
(and also for NTLM) regarding the reliability of the mount. I have tested the
issue with 2 different environments. My environments are: 2 Microsoft Domain
Controllers + a separate fileserver and Ubuntu 18.04 or 22.04 as clients. My
other tested environment is one Microsoft Server 2019 (as domain controller and
fileserver) + Ubuntu 22.04 as client.
The login with my configuration works reliably all the time, but sometimes the
shares are not getting mounted. I have read a ton of documentation, but cannot
figure out where the problem really is.
For me, it looks like cifs.upcall is sometimes internally using a wrong file
name for the cache. I have also tried with the kernel cache, but that seems to
make the problem even worse.
Steps to reproduce (client side):
- Microsoft Server 2019 as Domain Controller
- Install Ubuntu 22.04
- configure domain name in /etc/krb5.conf
- join the domain with realm -v join -U Administrator
- install krb5-user package
- restart sssd (systemctl restart sssd)
- make the necessary entries in pam_mount.conf.xml
Most of the time the mounting works during login, but sometimes after a restart
it can happen that the shares do not get mounted.
The relevant syslog is here:
========================================
Oct 11 22:45:32 pc-jm kernel: [ 13.725094] FS-Cache: Loaded
Oct 11 22:45:32 pc-jm kernel: [ 13.752265] Key type cifs.spnego registered
Oct 11 22:45:32 pc-jm kernel: [ 13.752272] Key type cifs.idmap registered
Oct 11 22:45:32 pc-jm kernel: [ 13.752483] CIFS: No dialect specified on mount. Default has changed to a more secure dialect, SMB2.1 or later (e.g. SMB3.1.1), from CIFS (SMB1). To use the less secure SMB1 dialect to access old servers which do not support SMB3.1.1 (or even SMB3 or SMB2.1) specify vers=1.0 on mount.
Oct 11 22:45:32 pc-jm kernel: [ 13.752484] CIFS: Attempting to mount \\srv-dc01.example.localnet\Daten$
Oct 11 22:45:32 pc-jm cifs.upcall: key description: cifs.spnego;0;0;39010000;ver=0x2;host=srv-dc01.example.localnet;ip4=192.168.0.36;sec=krb5;uid=0x14163c77;creduid=0x14163c77;user=tester;pid=0xaa8
Oct 11 22:45:32 pc-jm cifs.upcall: ver=2
Oct 11 22:45:32 pc-jm cifs.upcall: host=srv-dc01.example.localnet
Oct 11 22:45:32 pc-jm cifs.upcall: ip=192.168.0.36
Oct 11 22:45:32 pc-jm cifs.upcall: sec=1
Oct 11 22:45:32 pc-jm cifs.upcall: uid=337001591
Oct 11 22:45:32 pc-jm cifs.upcall: creduid=337001591
Oct 11 22:45:32 pc-jm cifs.upcall: user=tester
Oct 11 22:45:32 pc-jm cifs.upcall: pid=2728
Oct 11 22:45:32 pc-jm cifs.upcall: get_cachename_from_process_env: pathname=/proc/2728/environ
Oct 11 22:45:32 pc-jm cifs.upcall: get_cachename_from_process_env: cachename = FILE:/tmp/krb5cc_337001591
Oct 11 22:45:32 pc-jm cifs.upcall: get_existing_cc: default ccache is FILE:/tmp/krb5cc_337001591
Oct 11 22:45:32 pc-jm kernel: [ 13.764725] CIFS: VFS: Verify user has a krb5 ticket and keyutils is installed
Oct 11 22:45:32 pc-jm kernel: [ 13.764728] CIFS: VFS: \\srv-dc01.example.localnet Send error in SessSetup = -126
Oct 11 22:45:32 pc-jm kernel: [ 13.764733] CIFS: VFS: cifs_mount failed w/return code = -126
Oct 11 22:45:32 pc-jm cifs.upcall: krb5_get_init_creds_keytab: -1765328174
Oct 11 22:45:32 pc-jm sddm[2274]: (mount.c:68): Messages from underlying mount program:
Oct 11 22:45:32 pc-jm sddm[2274]: (mount.c:72): mount error(126): Required key not available
Oct 11 22:45:32 pc-jm sddm[2274]: (mount.c:72): Refer to the mount.cifs(8) manual page (e.g. man mount.cifs) and kernel log messages (dmesg)
Oct 11 22:45:32 pc-jm sddm[2274]: (pam_mount.c:522): mount of Daten$ failed
Oct 11 22:45:32 pc-jm cifs.upcall: Exit status 1
Oct 11 22:45:32 pc-jm kernel: [ 13.771412] CIFS: Attempting to mount \\srv-dc01.example.localnet\Home$
Oct 11 22:45:32 pc-jm cifs.upcall: key description: cifs.spnego;0;0;39010000;ver=0x2;host=srv-dc01.example.localnet;ip4=192.168.0.36;sec=krb5;uid=0x14163c77;creduid=0x14163c77;user=tester;pid=0xabb
Oct 11 22:45:32 pc-jm cifs.upcall: ver=2
Oct 11 22:45:32 pc-jm cifs.upcall: host=srv-dc01.example.localnet
Oct 11 22:45:32 pc-jm cifs.upcall: ip=192.168.0.36
Oct 11 22:45:32 pc-jm cifs.upcall: sec=1
Oct 11 22:45:32 pc-jm cifs.upcall: uid=337001591
Oct 11 22:45:32 pc-jm cifs.upcall: creduid=337001591
Oct 11 22:45:32 pc-jm cifs.upcall: user=tester
Oct 11 22:45:32 pc-jm cifs.upcall: pid=2747
Oct 11 22:45:32 pc-jm cifs.upcall: get_cachename_from_process_env: pathname=/proc/2747/environ
Oct 11 22:45:32 pc-jm cifs.upcall: get_cachename_from_process_env: cachename = FILE:/tmp/krb5cc_337001591
Oct 11 22:45:32 pc-jm cifs.upcall: get_existing_cc: default ccache is FILE:/tmp/krb5cc_337001591
Oct 11 22:45:32 pc-jm cifs.upcall: krb5_get_init_creds_keytab: -1765328174
Oct 11 22:45:32 pc-jm cifs.upcall: Exit status 1
Oct 11 22:45:32 pc-jm sddm[2274]: (mount.c:68): Messages from underlying mount program:
Oct 11 22:45:32 pc-jm sddm[2274]: (mount.c:72): mount error(126): Required key not available
Oct 11 22:45:32 pc-jm sddm[2274]: (mount.c:72): Refer to the mount.cifs(8) manual page (e.g. man mount.cifs) and kernel log messages (dmesg)
Oct 11 22:45:32 pc-jm sddm[2274]: (pam_mount.c:522): mount of Home$ failed
========================================
This is my sssd configuration:
========================================
[sssd]
domains = example.localnet
config_file_version = 2
services = nss, pam
[domain/example.localnet]
krb5_ccname_template=FILE:%d/krb5cc_%U
ad_gpo_access_control = enforcing
ad_gpo_map_remote_interactive = +xrdp-sesman
default_shell = /bin/bash
krb5_store_password_if_offline = True
cache_credentials = True
krb5_realm = EXAMPLE.LOCALNET
realmd_tags = manages-system joined-with-adcli
id_provider = ad
fallback_homedir = /home/%u
ad_domain = example.localnet
use_fully_qualified_names = False
ldap_id_mapping = True
access_provider = ad
========================================
This is my pam_mount.conf.xml:
========================================
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE pam_mount SYSTEM "pam_mount.conf.xml.dtd">
<!--
    See pam_mount.conf(5) for a description.
-->
<pam_mount>
    <!-- debug should come before everything else,
         since this file is still processed in a single pass
         from top-to-bottom -->
    <debug enable="0"/>
    <!-- Volume definitions -->
    <!-- pam_mount parameters: General tunables -->
    <!--
    <luserconf name=".pam_mount.conf.xml" />
    -->
    <!-- Note that commenting out mntoptions will give you the defaults.
         You will need to explicitly initialize it with the empty string
         to reset the defaults to nothing. -->
    <mntoptions allow="nosuid,nodev,loop,encryption,fsck,nonempty,allow_root,allow_other"/>
    <!--
    <mntoptions deny="suid,dev" />
    <mntoptions allow="*" />
    <mntoptions deny="*" />
    -->
    <mntoptions require="nosuid,nodev"/>
    <!-- requires ofl from hxtools to be present -->
    <logout wait="0" hup="no" term="no" kill="no"/>
    <!-- pam_mount parameters: Volume-related -->
    <mkmountpoint enable="1" remove="true"/>
    <volume fstype="cifs"
            server="srv-dc01.example.localnet" path="Daten$"
            mountpoint="/media/%(USER)/Daten"
            options="iocharset=utf8,nosuid,nodev,echo_interval=15,sec=krb5i,cruid=%(USERUID),"
            uid="5000-999999999"/>
    <volume fstype="cifs"
            server="srv-dc01.example.localnet" path="Home$"
            mountpoint="/media/%(USER)/Home"
            options="iocharset=utf8,nosuid,nodev,echo_interval=15,sec=krb5i,cruid=%(USERUID),"
            uid="5000-999999999"/>
</pam_mount>
========================================
Any ideas?
Thanks majojoe
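An added triage helper, not part of the original post: it parses the cifs.upcall lines from the syslog excerpt above, decodes the hex uid/creduid/pid fields of the key description, and checks for each upcall run whether the ccache the upcall resolved is the one the sssd template `FILE:%d/krb5cc_%U` from the sssd.conf above would produce (assuming %d is sssd's default krb5_ccachedir, /tmp) and whether the run fell back to krb5_get_init_creds_keytab. The sample lines are copied from the post.

```python
import re
# Sample syslog lines copied from the post above (two cifs.upcall runs).
SAMPLE_LOG = """\
Oct 11 22:45:32 pc-jm cifs.upcall: key description: cifs.spnego;0;0;39010000;ver=0x2;host=srv-dc01.example.localnet;ip4=192.168.0.36;sec=krb5;uid=0x14163c77;creduid=0x14163c77;user=tester;pid=0xaa8
Oct 11 22:45:32 pc-jm cifs.upcall: get_cachename_from_process_env: cachename = FILE:/tmp/krb5cc_337001591
Oct 11 22:45:32 pc-jm cifs.upcall: krb5_get_init_creds_keytab: -1765328174
Oct 11 22:45:32 pc-jm cifs.upcall: Exit status 1
Oct 11 22:45:32 pc-jm cifs.upcall: key description: cifs.spnego;0;0;39010000;ver=0x2;host=srv-dc01.example.localnet;ip4=192.168.0.36;sec=krb5;uid=0x14163c77;creduid=0x14163c77;user=tester;pid=0xabb
Oct 11 22:45:32 pc-jm cifs.upcall: get_cachename_from_process_env: cachename = FILE:/tmp/krb5cc_337001591
Oct 11 22:45:32 pc-jm cifs.upcall: krb5_get_init_creds_keytab: -1765328174
Oct 11 22:45:32 pc-jm cifs.upcall: Exit status 1
"""

def parse_key_description(desc):
    """Split a cifs.spnego key description into a dict; hex fields become ints."""
    out = {}
    for field in desc.split(";")[4:]:  # skip "cifs.spnego;0;0;<serial>"
        k, _, v = field.partition("=")
        out[k] = int(v, 16) if k in ("uid", "creduid", "pid") else v
    return out

# sssd setting from the post: krb5_ccname_template=FILE:%d/krb5cc_%U, where %d is
# sssd's krb5_ccachedir (assumed here to be the default /tmp) and %U the UID.
def expected_ccache(creduid, template="FILE:%d/krb5cc_%U", ccdir="/tmp"):
    """Expand the sssd template the way sssd does for this credential UID."""
    return template.replace("%d", ccdir).replace("%U", str(creduid))

def triage(log_text):
    """One record per upcall run: resolved ccache, keytab fallback, exit status."""
    runs, cur = [], None
    for line in log_text.splitlines():
        m = re.search(r"cifs\.upcall: (.*)$", line)
        if not m:
            continue
        msg = m.group(1)
        if msg.startswith("key description: "):
            cur = parse_key_description(msg[len("key description: "):])
            cur.update(cachename=None, keytab_fallback=False, exit_status=None)
            runs.append(cur)
        elif cur is None:
            continue
        elif "cachename = " in msg:
            cur["cachename"] = msg.split("cachename = ", 1)[1]
        elif msg.startswith("krb5_get_init_creds_keytab:"):
            cur["keytab_fallback"] = True
        elif msg.startswith("Exit status "):
            cur["exit_status"] = int(msg.split()[-1])
    for r in runs:
        r["ccache_matches_template"] = r["cachename"] == expected_ccache(r["creduid"])
    return runs
```

For the excerpt in the post both runs resolve exactly the template's file name and still fall back to the keytab, so the name itself is consistent; the next thing to verify on an affected boot is whether that file existed and held a valid TGT at mount time (e.g. klist -c FILE:/tmp/krb5cc_337001591 as the user).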