|Summary:||cifs-mounting DFS shares w/ Kerberos still problematic|
|Product:||Red Hat Enterprise Linux 5||Reporter:||Harald Milz <harald.milz>|
|Component:||samba3x||Assignee:||Jeff Layton <jlayton>|
|Status:||CLOSED NOTABUG||QA Contact:||qe-baseos-daemons|
|Version:||5.5||CC:||gdeschner, jlayton, steved|
|Fixed In Version:||Doc Type:||Bug Fix|
|Last Closed:||2010-08-02 19:04:04 UTC||Type:||---|
Description Harald Milz 2010-06-18 13:25:32 UTC
Description of problem:

We're trying to

    mount.cifs //R0803/DFSROOT/foo/bar /mount/point -o sec=krb5i

but we get the infamous mount error 126 "Required key not available". Tried "cifs.upcall -t" as suggested by Jeff on the linux-cifs-client ml last January (see http://old.nabble.com/Re%3A-Handling-Kerberos-principals-that-don%27t-match-hostnames-p27075033.html) but no luck. The fqdn of the DFS root server is r0803.ads.customer.de, the SPN is the same all uppercase.

Mounts against "normal" Windows 2008 shares work reliably fine, e.g.

    mount.cifs //FS00GHJK/foo/bar /mount/point -o sec=krb5i

Mounting the DFS shares using sec=ntlmv2i and username / password works fine too.

Version-Release number of selected component (if applicable): samba-3x-3.3.8-50 as on the CD / DVD

How reproducible: always.

Steps to Reproduce:
1. see above
2.
3.

Actual results: error 126 "Required key does not exist"

Expected results: mount should work.

Additional info:
Comment 1 Guenther Deschner 2010-06-18 13:35:33 UTC
Does that mean that DFS shares with Kerberos work against Windows 2008 and not against a Samba3x server?
Comment 2 Jeff Layton 2010-06-18 14:34:04 UTC
It would probably be helpful to make syslog log daemon.debug and then try your mount attempt. That should give us more information about what cifs.upcall is actually doing.
Comment 3 Harald Milz 2010-06-21 16:06:44 UTC
@Günther: No, this is samba3x-winbind and samba3x-client against Windows 2008R2. Sorry for the missing precision ;-)

@Jeff: yup, will try to get this info this week. I have no permanent access to the affected machine.
Comment 4 Harald Milz 2010-06-24 11:55:47 UTC
Created attachment 426541: daemon.log from 605650
Comment 5 Harald Milz 2010-06-24 11:56:16 UTC
Created attachment 426542: cifsFYI from 605650
Comment 6 Harald Milz 2010-06-24 11:58:54 UTC
Hi, I attached the logs for this case. As you can see, for the DFS shares, cifs.upcall seems unable to find the right TGT. Strange thing is, if I invoke the mount command manually on the command line, it works, while if I invoke the mount script calling the exact same command from the very same command line as the very same user, it does not. I would rather not attach the script here because it contains customer and Red Hat IP - if you get me an address to mail it to I'd be willing to send it. TIA!
Comment 7 Jeff Layton 2010-06-30 18:05:44 UTC
Grabbing from Gunther until we determine what the problem is...
Comment 8 Jeff Layton 2010-06-30 19:00:48 UTC
From dmesg log, here's the upcall string:

    fs/cifs/cifs_spnego.c: key description = ver=0x2;host=R0803;ip4=10.128.133.253;sec=mskrb5;uid=0x2e82;user=yc0t37d
    fs/cifs/sess.c: ssetup freeing small buf f3f22040
    CIFS VFS: Send error in SessSetup = -126

...here's the log from daemon.log:

    Jun 22 13:15:58 fsnxsrv3 cifs.upcall: handle_krb5_mech: getting service ticket for cifs/R0803
    Jun 22 13:15:58 fsnxsrv3 cifs.upcall: handle_krb5_mech: failed to obtain service ticket (-1765328377)
    Jun 22 13:15:58 fsnxsrv3 cifs.upcall: handle_krb5_mech: getting service ticket for host/R0803
    Jun 22 13:15:59 fsnxsrv3 cifs.upcall: handle_krb5_mech: failed to obtain service ticket (-1765328377)
    Jun 22 13:15:59 fsnxsrv3 cifs.upcall: ip_to_fqdn: resolved 10.128.133.253 to r0803
    Jun 22 13:15:59 fsnxsrv3 cifs.upcall: handle_krb5_mech: getting service ticket for cifs/r0803
    Jun 22 13:15:59 fsnxsrv3 cifs.upcall: handle_krb5_mech: failed to obtain service ticket (-1765328377)
    Jun 22 13:15:59 fsnxsrv3 cifs.upcall: handle_krb5_mech: getting service ticket for host/r0803
    Jun 22 13:15:59 fsnxsrv3 cifs.upcall: handle_krb5_mech: failed to obtain service ticket (-1765328377)

That error is:

    /usr/include/krb5/krb5.h:#define KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN (-1765328377L)

...so it looks like the KDC doesn't have service principals that match cifs/r0803 or host/r0803, or those with the hostname part capitalised.

I think you should have a hard look at your name resolution on this client. It appears that it's reverse resolving that IP address to a short name, and you probably want it to resolve to a FQDN. Alternately, you could consider adding service principals for the short names to the KDC and teach the fileserver about them.
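The triage in comment 8, done mechanically over the same log lines. This is an added example, not part of the bug report and not code from cifs.upcall or Samba. The function names `parse_key_description` and `analyse` are hypothetical, and the error decoding assumes only the krb5 error-table base of -1765328384 plus the RFC 4120 error number.

```python
import re

# Inputs copied from the dmesg and daemon.log excerpts in comment 8.
KEY_DESC = "ver=0x2;host=R0803;ip4=10.128.133.253;sec=mskrb5;uid=0x2e82;user=yc0t37d"
DAEMON_LOG = """\
Jun 22 13:15:58 fsnxsrv3 cifs.upcall: handle_krb5_mech: getting service ticket for cifs/R0803
Jun 22 13:15:58 fsnxsrv3 cifs.upcall: handle_krb5_mech: failed to obtain service ticket (-1765328377)
Jun 22 13:15:58 fsnxsrv3 cifs.upcall: handle_krb5_mech: getting service ticket for host/R0803
Jun 22 13:15:59 fsnxsrv3 cifs.upcall: handle_krb5_mech: failed to obtain service ticket (-1765328377)
Jun 22 13:15:59 fsnxsrv3 cifs.upcall: ip_to_fqdn: resolved 10.128.133.253 to r0803
Jun 22 13:15:59 fsnxsrv3 cifs.upcall: handle_krb5_mech: getting service ticket for cifs/r0803
Jun 22 13:15:59 fsnxsrv3 cifs.upcall: handle_krb5_mech: failed to obtain service ticket (-1765328377)
Jun 22 13:15:59 fsnxsrv3 cifs.upcall: handle_krb5_mech: getting service ticket for host/r0803
Jun 22 13:15:59 fsnxsrv3 cifs.upcall: handle_krb5_mech: failed to obtain service ticket (-1765328377)
"""

KRB5_BASE = -1765328384  # ERROR_TABLE_BASE_krb5; code - base = RFC 4120 error number
KDC_ERRORS = {6: "KDC_ERR_C_PRINCIPAL_UNKNOWN", 7: "KDC_ERR_S_PRINCIPAL_UNKNOWN"}

def parse_key_description(desc):
    """Split the key description logged by fs/cifs/cifs_spnego.c into fields."""
    return dict(f.split("=", 1) for f in desc.split(";") if "=" in f)

def analyse(log, key_desc):
    """Return (SPN attempts with decoded errors, findings) for one upcall."""
    host = parse_key_description(key_desc).get("host", "")
    attempts, resolved, pending = [], {}, None
    for line in log.splitlines():
        if m := re.search(r"getting service ticket for (\S+)", line):
            pending = m.group(1)
        elif (m := re.search(r"failed to obtain service ticket \((-?\d+)\)", line)) and pending:
            code = int(m.group(1))
            attempts.append((pending, KDC_ERRORS.get(code - KRB5_BASE, str(code))))
            pending = None
        elif m := re.search(r"ip_to_fqdn: resolved (\S+) to (\S+)", line):
            resolved[m.group(1)] = m.group(2)
    findings = []
    if "." not in host:
        findings.append(f"mount target {host!r} is a short name")
    for ip, name in resolved.items():
        if "." not in name:
            findings.append(f"reverse lookup of {ip} gave short name {name!r}, not an FQDN")
    if attempts and all(err == "KDC_ERR_S_PRINCIPAL_UNKNOWN" for _, err in attempts):
        findings.append("KDC knows none of: " + ", ".join(spn for spn, _ in attempts))
    return attempts, findings

if __name__ == "__main__":
    attempts, findings = analyse(DAEMON_LOG, KEY_DESC)
    print(*(f"{s}: {e}" for s, e in attempts), *findings, sep="\n")
```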
Comment 9 Jeff Layton 2010-07-01 15:22:08 UTC
Harald, can you fix your name resolution so that you get FQDN back when trying to resolve the IP address to name? If so, then I suspect that will fix this.
Comment 10 Jeff Layton 2010-08-02 19:04:04 UTC
No response in over a month. I'm going to go ahead and close this as NOTABUG. Please reopen if you're still having problems with it.