Bug 605650
Summary: | cifs-mounting DFS shares w/ Kerberos still problematic
---|---
Product: | Red Hat Enterprise Linux 5
Component: | samba3x
Version: | 5.5
Hardware: | All
OS: | Linux
Status: | CLOSED NOTABUG
Severity: | medium
Priority: | low
Target Milestone: | rc
Reporter: | Harald Milz <harald.milz>
Assignee: | Jeff Layton <jlayton>
QA Contact: | qe-baseos-daemons
CC: | gdeschner, jlayton, steved
Doc Type: | Bug Fix
Last Closed: | 2010-08-02 19:04:04 UTC

Description
Harald Milz
2010-06-18 13:25:32 UTC
Does that mean that dfs shares with kerberos work against Windows 2008 and not against Samba3x server?

It would probably be helpful to make syslog log daemon.debug and then try your mount attempt. That should give us more information about what cifs.upcall is actually doing.

@Günther: No, this is samba3x-winbind and samba3x-client against Windows 2008R2. Sorry for the missing precision ;-)

@Jeff: yup, will try to get this info this week. I have no permanent access to the affected machine.

Created attachment 426541: daemon.log from 605650

Created attachment 426542: cifsFYI from 605650

Hi, I attached the logs for this case. As you can see, for the DFS shares, cifs.upcall seems unable to find the right TGT. Strange thing is, if I invoke the mount command manually on the command line, it works, while if I invoke the mount script calling the exact same command from the very same command line as the very same user, it does not. I would rather not attach the script here because it contains customer and Red Hat IP - if you get me an address to mail it to I'd be willing to send it. TIA!

Grabbing from Gunther until we determine what the problem is...

From dmesg log, here's the upcall string:

```
fs/cifs/cifs_spnego.c: key description = ver=0x2;host=R0803;ip4=10.128.133.253;sec=mskrb5;uid=0x2e82;user=yc0t37d
fs/cifs/sess.c: ssetup freeing small buf f3f22040
CIFS VFS: Send error in SessSetup = -126
```

...here's the log from daemon.log:

```
Jun 22 13:15:58 fsnxsrv3 cifs.upcall: handle_krb5_mech: getting service ticket for cifs/R0803
Jun 22 13:15:58 fsnxsrv3 cifs.upcall: handle_krb5_mech: failed to obtain service ticket (-1765328377)
Jun 22 13:15:58 fsnxsrv3 cifs.upcall: handle_krb5_mech: getting service ticket for host/R0803
Jun 22 13:15:59 fsnxsrv3 cifs.upcall: handle_krb5_mech: failed to obtain service ticket (-1765328377)
Jun 22 13:15:59 fsnxsrv3 cifs.upcall: ip_to_fqdn: resolved 10.128.133.253 to r0803
Jun 22 13:15:59 fsnxsrv3 cifs.upcall: handle_krb5_mech: getting service ticket for cifs/r0803
Jun 22 13:15:59 fsnxsrv3 cifs.upcall: handle_krb5_mech: failed to obtain service ticket (-1765328377)
Jun 22 13:15:59 fsnxsrv3 cifs.upcall: handle_krb5_mech: getting service ticket for host/r0803
Jun 22 13:15:59 fsnxsrv3 cifs.upcall: handle_krb5_mech: failed to obtain service ticket (-1765328377)
```

That error is:

```
/usr/include/krb5/krb5.h:#define KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN (-1765328377L)
```

...so it looks like the KDC doesn't have service principals that match cifs/r0803 or host/r0803, or those with the hostname part capitalised.

I think you should have a hard look at your name resolution on this client. It appears that it's reverse resolving that IP address to a short name, and you probably want it to resolve to a FQDN. Alternately, you could consider adding service principals for the short names to the KDC and teach the fileserver about them.

Harald, can you fix your name resolution so that you get FQDN back when trying to resolve the IP address to name? If so, then I suspect that will fix this.

No response in over a month. I'm going to go ahead and close this as NOTABUG. Please reopen if you're still having problems with it.
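The diagnosis in this thread (short-name SPNs rejected by the KDC after a reverse lookup that returns no FQDN) can be automated over cifs.upcall debug logs. The following is an added example, not part of the original bug report or of cifs-utils; the function names are hypothetical, the sample lines are copied from the daemon.log excerpt above, and error numbering assumes the standard krb5 com_err table base.

```python
import re

# Lines copied from the daemon.log excerpt quoted in this bug report.
SAMPLE_LOG = """\
Jun 22 13:15:58 fsnxsrv3 cifs.upcall: handle_krb5_mech: getting service ticket for cifs/R0803
Jun 22 13:15:58 fsnxsrv3 cifs.upcall: handle_krb5_mech: failed to obtain service ticket (-1765328377)
Jun 22 13:15:59 fsnxsrv3 cifs.upcall: ip_to_fqdn: resolved 10.128.133.253 to r0803
Jun 22 13:15:59 fsnxsrv3 cifs.upcall: handle_krb5_mech: getting service ticket for cifs/r0803
Jun 22 13:15:59 fsnxsrv3 cifs.upcall: handle_krb5_mech: failed to obtain service ticket (-1765328377)
"""

KRB5_TABLE_BASE = -1765328384  # KRB5KDC_ERR_NONE; krb5.h codes are base + RFC 4120 number
KDC_ERRORS = {6: "KDC_ERR_C_PRINCIPAL_UNKNOWN", 7: "KDC_ERR_S_PRINCIPAL_UNKNOWN"}

TRY_RE = re.compile(r"getting service ticket for (\S+)")
FAIL_RE = re.compile(r"failed to obtain service ticket \((-?\d+)\)")
RESOLVE_RE = re.compile(r"ip_to_fqdn: resolved (\S+) to (\S+)")

def decode_krb5(code):
    """Map a krb5.h error code to its RFC 4120 name where known."""
    number = code - KRB5_TABLE_BASE
    return KDC_ERRORS.get(number, "krb5 error %d" % number)

def analyse(log_text):
    """Return (failed_attempts, findings) for a cifs.upcall debug log."""
    failed, findings, pending = [], [], None
    for line in log_text.splitlines():
        if (m := TRY_RE.search(line)):
            pending = m.group(1)              # SPN being requested
        elif (m := FAIL_RE.search(line)) and pending:
            failed.append((pending, decode_krb5(int(m.group(1)))))
            pending = None
        elif (m := RESOLVE_RE.search(line)):
            ip, name = m.groups()
            if "." not in name:               # reverse DNS gave a short name
                findings.append("reverse lookup of %s gave short name %r, not an FQDN" % (ip, name))
    for spn, err in failed:
        host = spn.rpartition("/")[2]
        if err == "KDC_ERR_S_PRINCIPAL_UNKNOWN" and "." not in host:
            findings.append("KDC has no SPN %s (short hostname)" % spn)
    return failed, findings

if __name__ == "__main__":
    for finding in analyse(SAMPLE_LOG)[1]:
        print(finding)
```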