Bug 605650

Summary: cifs-mounting DFS shares w/ Kerberos still problematic
Product: Red Hat Enterprise Linux 5
Component: samba3x
Version: 5.5
Hardware: All
OS: Linux
Status: CLOSED NOTABUG
Severity: medium
Priority: low
Target Milestone: rc
Reporter: Harald Milz <harald.milz>
Assignee: Jeff Layton <jlayton>
QA Contact: qe-baseos-daemons
CC: gdeschner, jlayton, steved
Doc Type: Bug Fix
Last Closed: 2010-08-02 19:04:04 UTC
Attachments:
  daemon.log from 605650
  cifsFYI from 605650

Description Harald Milz 2010-06-18 13:25:32 UTC
Description of problem:

We're trying to 

mount.cifs //R0803/DFSROOT/foo/bar /mount/point -o sec=krb5i

but we get the infamous mount error 126 "Required key not available". Tried "cifs.upcall -t" as suggested by Jeff on the linux-cifs-client ml last January (see http://old.nabble.com/Re%3A-Handling-Kerberos-principals-that-don%27t-match-hostnames-p27075033.html) but no luck. The FQDN of the DFS root server is r0803.ads.customer.de, the SPN is the same all uppercase. 

Mounts against "normal" Windows 2008 shares work reliably fine, e.g. 

mount.cifs //FS00GHJK/foo/bar /mount/point -o sec=krb5i

Mounting the DFS shares using sec=ntlmv2i and username / password works fine too. 


Version-Release number of selected component (if applicable):

samba-3x-3.3.8-50 as on the CD / DVD


How reproducible:

always. 


Steps to Reproduce:
1. see above
  
Actual results:

error 126 "Required key does not exist"

Expected results:

mount should work. 


Additional info:

Comment 1 Guenther Deschner 2010-06-18 13:35:33 UTC
Does that mean that DFS shares with Kerberos work against Windows 2008 and not against a Samba3x server?

Comment 2 Jeff Layton 2010-06-18 14:34:04 UTC
It would probably be helpful to make syslog log daemon.debug and then try your mount attempt. That should give us more information about what cifs.upcall is actually doing.

Comment 3 Harald Milz 2010-06-21 16:06:44 UTC
@Günther: No, this is samba3x-winbind and samba3x-client against Windows 2008R2. Sorry for the missing precision ;-) 

@Jeff: yup, will try to get this info this week. I have no permanent access to the affected machine.

Comment 4 Harald Milz 2010-06-24 11:55:47 UTC
Created attachment 426541
daemon.log from 605650

Comment 5 Harald Milz 2010-06-24 11:56:16 UTC
Created attachment 426542
cifsFYI from 605650

Comment 6 Harald Milz 2010-06-24 11:58:54 UTC
Hi, I attached the logs for this case. As you can see, for the DFS shares, cifs.upcall seems unable to find the right TGT. 

Strange thing is, if I invoke the mount command manually on the command line, it works, while if I invoke the mount script calling the exact same command from the very same command line as the very same user, it does not. I would rather not attach the script here because it contains customer and Red Hat IP - if you get me an address to mail it to I'd be willing to send it. 

TIA!

Comment 7 Jeff Layton 2010-06-30 18:05:44 UTC
Grabbing from Gunther until we determine what the problem is...

Comment 8 Jeff Layton 2010-06-30 19:00:48 UTC
From dmesg log, here's the upcall string:

 fs/cifs/cifs_spnego.c: key description = ver=0x2;host=R0803;ip4=10.128.133.253;sec=mskrb5;uid=0x2e82;user=yc0t37d
 fs/cifs/sess.c: ssetup freeing small buf f3f22040
 CIFS VFS: Send error in SessSetup = -126

...here's the log from daemon.log:

Jun 22 13:15:58 fsnxsrv3 cifs.upcall: handle_krb5_mech: getting service ticket for cifs/R0803
Jun 22 13:15:58 fsnxsrv3 cifs.upcall: handle_krb5_mech: failed to obtain service ticket (-1765328377)
Jun 22 13:15:58 fsnxsrv3 cifs.upcall: handle_krb5_mech: getting service ticket for host/R0803
Jun 22 13:15:59 fsnxsrv3 cifs.upcall: handle_krb5_mech: failed to obtain service ticket (-1765328377)
Jun 22 13:15:59 fsnxsrv3 cifs.upcall: ip_to_fqdn: resolved 10.128.133.253 to r0803
Jun 22 13:15:59 fsnxsrv3 cifs.upcall: handle_krb5_mech: getting service ticket for cifs/r0803
Jun 22 13:15:59 fsnxsrv3 cifs.upcall: handle_krb5_mech: failed to obtain service ticket (-1765328377)
Jun 22 13:15:59 fsnxsrv3 cifs.upcall: handle_krb5_mech: getting service ticket for host/r0803
Jun 22 13:15:59 fsnxsrv3 cifs.upcall: handle_krb5_mech: failed to obtain service ticket (-1765328377)

That error is:

/usr/include/krb5/krb5.h:#define KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN          (-1765328377L)

...so it looks like the KDC doesn't have service principals that match cifs/r0803 or host/r0803, or those with the hostname part capitalised.

I think you should have a hard look at your name resolution on this client. It appears that it's reverse resolving that IP address to a short name, and you probably want it to resolve to a FQDN. Alternately, you could consider adding service principals for the short names to the KDC and teach the fileserver about them.
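
The triage in comment 8, as an added example (not code from the bug report or from Samba): it parses the quoted cifs.upcall lines, decodes the libkrb5 error number, and flags a reverse lookup that returned a name without a domain part. The function names are hypothetical; the table base and the name for offset 6 are taken from MIT krb5's krb5.h rather than from this page.

```python
import re

KRB5_BASE = -1765328384  # ERROR_TABLE_BASE_krb5 in MIT krb5's krb5.h (assumption)
KRB5_NAMES = {6: "KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN",
              7: "KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN"}

# The daemon.log lines quoted in comment 8.
SAMPLE_LOG = """\
Jun 22 13:15:58 fsnxsrv3 cifs.upcall: handle_krb5_mech: getting service ticket for cifs/R0803
Jun 22 13:15:58 fsnxsrv3 cifs.upcall: handle_krb5_mech: failed to obtain service ticket (-1765328377)
Jun 22 13:15:58 fsnxsrv3 cifs.upcall: handle_krb5_mech: getting service ticket for host/R0803
Jun 22 13:15:59 fsnxsrv3 cifs.upcall: handle_krb5_mech: failed to obtain service ticket (-1765328377)
Jun 22 13:15:59 fsnxsrv3 cifs.upcall: ip_to_fqdn: resolved 10.128.133.253 to r0803
Jun 22 13:15:59 fsnxsrv3 cifs.upcall: handle_krb5_mech: getting service ticket for cifs/r0803
Jun 22 13:15:59 fsnxsrv3 cifs.upcall: handle_krb5_mech: failed to obtain service ticket (-1765328377)
Jun 22 13:15:59 fsnxsrv3 cifs.upcall: handle_krb5_mech: getting service ticket for host/r0803
Jun 22 13:15:59 fsnxsrv3 cifs.upcall: handle_krb5_mech: failed to obtain service ticket (-1765328377)
"""

TICKET = re.compile(r"getting service ticket for (\S+)")
FAILED = re.compile(r"failed to obtain service ticket \((-?\d+)\)")
RESOLVED = re.compile(r"ip_to_fqdn: resolved (\S+) to (\S+)")

def krb5_error_name(code):
    """Map a libkrb5 error number, as logged by cifs.upcall, to its macro name."""
    return KRB5_NAMES.get(code - KRB5_BASE, f"unrecognised ({code})")

def analyze(log):
    """Return (SPN attempts with results, reverse lookups that gave a short name)."""
    attempts, short_names = [], []
    for line in log.splitlines():
        if m := TICKET.search(line):
            attempts.append([m.group(1), "no error logged"])
        elif (m := FAILED.search(line)) and attempts:
            attempts[-1][1] = krb5_error_name(int(m.group(1)))
        elif m := RESOLVED.search(line):
            if "." not in m.group(2).rstrip("."):  # no domain part: not an FQDN
                short_names.append(m.groups())
    return attempts, short_names

if __name__ == "__main__":
    attempts, short_names = analyze(SAMPLE_LOG)
    for spn, result in attempts:
        print(f"{spn:12} -> {result}")
    for ip, name in short_names:
        print(f"reverse lookup of {ip} returned short name {name!r}; "
              "the KDC is then asked for cifs/<short> and host/<short>")
```

Run over the attached daemon.log instead of SAMPLE_LOG, the same function lists every SPN the client asked the KDC for, which is what needs comparing against the principals registered for the file server.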

Comment 9 Jeff Layton 2010-07-01 15:22:08 UTC
Harald, can you fix your name resolution so that you get FQDN back when trying to resolve the IP address to name? If so, then I suspect that will fix this.

Comment 10 Jeff Layton 2010-08-02 19:04:04 UTC
No response in over a month. I'm going to go ahead and close this as NOTABUG. Please reopen if you're still having problems with it.