Bug 646223
| Summary: | cifs: multiuser mount support | |||
|---|---|---|---|---|
| Product: | Red Hat Enterprise Linux 6 | Reporter: | Jeff Layton <jlayton> | |
| Component: | kernel | Assignee: | Jeff Layton <jlayton> | |
| Status: | CLOSED ERRATA | QA Contact: | Jian Li <jiali> | |
| Severity: | medium | Docs Contact: | ||
| Priority: | low | |||
| Version: | 6.1 | CC: | bfields, jiali, joelc, nmurray, rwheeler, steved, yanwang | |
| Target Milestone: | rc | |||
| Target Release: | --- | |||
| Hardware: | Unspecified | |||
| OS: | Unspecified | |||
| Whiteboard: | ||||
| Fixed In Version: | kernel-2.6.32-112.el6 | Doc Type: | Bug Fix | |
| Doc Text: | Story Points: | --- | ||
| Clone Of: | ||||
| : | 677189 1077979 (view as bug list) | Environment: | ||
| Last Closed: | 2011-05-23 20:27:15 UTC | Type: | --- | |
| Regression: | --- | Mount Type: | --- | |
| Documentation: | --- | CRM: | ||
| Verified Versions: | Category: | --- | ||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | ||
| Cloudforms Team: | --- | Target Upstream Version: | ||
| Embargoed: | ||||
| Bug Depends On: | ||||
| Bug Blocks: | 677189, 1077979 | |||
|
Description
Jeff Layton
2010-10-25 01:02:43 UTC
This request was evaluated by Red Hat Product Management for inclusion in a Red Hat Enterprise Linux maintenance release. Product Management has requested further review of this request by Red Hat Engineering, for potential inclusion in a Red Hat Enterprise Linux Update release for currently deployed products. This request is not yet committed for inclusion in an Update release. pls help to provide how to test, thanks. Sure. The basic idea behind this patchset is to make it so that users use their own credentials to access the server. The idea is to make sure that when users access the server that the resulting accesses are done as those users and not with the credentials used originally on the mount.
Currently this is limited to krb5 auth, so to test...
First, you'll need a kerberized CIFS server. There's an example of how to set one up in RHTS under "kernel-tests/filesystems/cifs/krb5".
Once you set one up, you'll need 2 users set up on the client and server. UID/GIDs should be the same on both machines for the two users and they should have principals in the KDC.
The share exported by the server should be writable by both users.
The client should also have /etc/request-key.conf set up in accordance with the cifs.upcall manpage:
create cifs.spnego * * /usr/sbin/cifs.upcall %k
create dns_resolver * * /usr/sbin/cifs.upcall %k
...as root on the client, kinit as the first user:
root@client# kinit user1
Password for user1:
Then, mount the share from the server using krb5 auth and the "multiuser" mount option:
root@client# mount //server.example.com/share /mnt/cifs -o sec=krb5,multiuser
Be sure to use the FQDN of the server. That will mount the server using the credentials in root's credcache.
Now, "su" to user2 and run kdestroy to delete the credential cache:
user2@client$ kdestroy
Then try to access /mnt/cifs. It should fail with an EACCES error (Permission denied). This is because user2 has no credentials. Next, kinit as user2:
user2@client$ kinit
Password for user2:
Now, try to access /mnt/cifs. It should then work. You can then do any number of operations to make sure that this works as expected:
o Create a file in /mnt/cifs and it should be owned by "user2" (verify it on client and server).
o Go onto the server and create a file in the directory that's only readable by "user1". Try to have user2 read it. That should fail. Then try to have root read it, that should work (since root is using user1's credentials).
Contrast how this works with krb5 auth without the multiuser option. There, every access to the server is done using the same (mount) credentials. So creating files as "user2" in the test above will show files being created on the server as "user1".
Patch(es) available on kernel-2.6.32-112.el6 Jeff hi,
I have run this case in reserved machine with RHEL6.1, and I also have an environment:
1. two machines: kdc.lijian.com and host.lijian.com using RHEL6.0
hostnames have been added to /etc/hosts
2. kerberos working rightly (tested by sserver/sclient in host.lijian)
principals :
root
cifs/host.lijian.com@EXAMPLE
3. /etc/samba/smb.conf:
[global]
workgroup = EXAMPLE
use kerberos keydtab = yes
realm = EXAMPLE.COM
security = ads
#security = user
server signing = auto
dedicated keytab file = /etc/krb5.keytab
kerberos method = dedicated keytab
[export]
path = /mnt/smb
read only = no
4. messages in /var/log/samba/log.smbd:
[2011/03/25 21:16:54.483380, 0] libads/kerberos_verify.c:72(ads_dedicated_keytab_verify_ticket)
krb5_rd_req failed (Permission denied)
[2011/03/25 21:16:54.484035, 1] smbd/sesssetup.c:332(reply_spnego_kerberos)
Failed to verify incoming ticket with error NT_STATUS_LOGON_FAILURE!
5. mount command : (root$) mount.cifs //host.lijian.com/export /mnt -o sec=krb5
mount error(13): Permission denied
Refer to the mount.cifs(8) manual page (e.g. man mount.cifs)
6. klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: root
Valid starting Expires Service principal
03/25/11 21:14:46 03/26/11 21:14:35 krbtgt/EXAMPLE.COM
03/25/11 21:16:24 03/26/11 21:14:35 cifs/host.lijian.com
(In reply to comment #12) > > 4. messages in /var/log/samba/log.smbd: > > [2011/03/25 21:16:54.483380, 0] > libads/kerberos_verify.c:72(ads_dedicated_keytab_verify_ticket) > krb5_rd_req failed (Permission denied) > [2011/03/25 21:16:54.484035, 1] smbd/sesssetup.c:332(reply_spnego_kerberos) > Failed to verify incoming ticket with error NT_STATUS_LOGON_FAILURE! > Sounds like smbd doesn't have permission to access /etc/krb5.keytab. (In reply to comment #14) > > Sounds like smbd doesn't have permission to access /etc/krb5.keytab. Yes, I think I didn't config smb with krb5 correctly, If you have built such environment, would you give me some tips? hi jeff, I test with janfu's advertise (https://bugzilla.redhat.com/show_bug.cgi?id=669377#c10), find that: 1. smb server and kdc stay together (running on a machine), mount.cifs success; 2. they are running on two machine, mount.cifs fail. kdc: dell-per910-02.lab.bos.redhat.com kadmin.local: list_principals K/M.REDHAT.COM host/dell-per910-02.lab.bos.redhat.com.REDHAT.COM host/ibm-x3655-03.ovirt.rhts.eng.bos.redhat.com.REDHAT.COM kadmin/admin.REDHAT.COM kadmin/changepw.REDHAT.COM kadmin/dell-per910-02.lab.bos.redhat.com.REDHAT.COM krbtgt/LAB.BOS.REDHAT.COM.REDHAT.COM user1.REDHAT.COM user2.REDHAT.COM ====test commands on both machines with the same result. $mount.cifs -o user=user1,uid=user1,sec=krb5 //dell-per910-02.lab.bos.redhat.com/public /mnt #######success $mount.cifs -o user=user1,uid=user1,sec=krb5 //ibm-x3655-03.ovirt.rhts.eng.bos.redhat.com/public /mnt mount error(13): Permission denied Refer to the mount.cifs(8) manual page (e.g. man mount.cifs) #dell-per910-02.lab.bos.redhat.com $ klist Ticket cache: FILE:/tmp/krb5cc_0 Default principal: user1.REDHAT.COM Valid starting Expires Service principal 04/06/11 02:24:38 04/07/11 02:24:38 krbtgt/LAB.BOS.REDHAT.COM.REDHAT.COM ........... 04/06/11 02:25:52 04/07/11 02:24:38 host/dell-per910-02.lab.bos.redhat.com.REDHAT.COM renew until 04/06/11 02:24:38 04/06/11 02:37:23 04/07/11 02:24:38 host/ibm-x3655-03.ovirt.rhts.eng.bos.redhat.com.REDHAT.COM renew until 04/06/11 02:24:38 #ibm-x3655-03.ovirt.rhts.eng.bos.redhat.com $ klist Ticket cache: FILE:/tmp/krb5cc_0 Default principal: user1.REDHAT.COM Valid starting Expires Service principal 04/06/11 02:27:34 04/07/11 02:27:34 krbtgt/LAB.BOS.REDHAT.COM.REDHAT.COM renew until 04/06/11 02:27:34 04/06/11 02:27:55 04/07/11 02:27:34 host/dell-per910-02.lab.bos.redhat.com.REDHAT.COM renew until 04/06/11 02:27:34 04/06/11 02:39:58 04/07/11 02:27:34 host/ibm-x3655-03.ovirt.rhts.eng.bos.redhat.com.REDHAT.COM renew until 04/06/11 02:27:34 Hi Jeff, now I am confused of how to test and what to test. This is what I do: server(smb/kdc): dell-per910-02.lab.bos.redhat.com test0:x:10000:10000::/home/test0:/bin/bash test1:x:10001:10001::/home/test1:/bin/bash smb export : /tmp/test [root@dell-per910-02 ~]# ls /tmp/test -la total 12 drwxrwxrwx. 2 root root 4096 Apr 6 04:04 . drwxrwxrwt. 4 root root 4096 Apr 6 03:59 .. principals test0 test1(keytab is hold by both machines) client: ibm-x3655-03.ovirt.rhts.eng.bos.redhat.com test0:x:10000:10000::/home/test0:/bin/bash test1:x:10001:10001::/home/test1:/bin/bash root$ kinit -k test0 root$ mount.cifs -o sec=krb5,multiuser //dell-per910-02.lab.bos.redhat.com/public /mnt root$ ls -l / drwxrwxrwx. 2 root root 0 Apr 6 04:04 mnt [root@ibm-x3655-03 ~]# cd /mnt; ls ls: reading directory .: Permission denied [root@ibm-x3655-03 mnt]# su test1 [test1@ibm-x3655-03 mnt]$ pwd; ls /mnt ls: reading directory .: Permission denied (In reply to comment #17) > Hi Jeff, now I am confused of how to test and what to test. This is what I do: > > server(smb/kdc): dell-per910-02.lab.bos.redhat.com > test0:x:10000:10000::/home/test0:/bin/bash > test1:x:10001:10001::/home/test1:/bin/bash > > smb export : /tmp/test > [root@dell-per910-02 ~]# ls /tmp/test -la > total 12 > drwxrwxrwx. 2 root root 4096 Apr 6 04:04 . > drwxrwxrwt. 4 root root 4096 Apr 6 03:59 .. > > principals > test0 test1(keytab is hold by both machines) > > client: ibm-x3655-03.ovirt.rhts.eng.bos.redhat.com > test0:x:10000:10000::/home/test0:/bin/bash > test1:x:10001:10001::/home/test1:/bin/bash > > root$ kinit -k test0 > root$ mount.cifs -o sec=krb5,multiuser > //dell-per910-02.lab.bos.redhat.com/public /mnt > > root$ ls -l / > drwxrwxrwx. 2 root root 0 Apr 6 04:04 mnt > Nothing else under '/' ? That's odd... > [root@ibm-x3655-03 ~]# cd /mnt; ls > ls: reading directory .: Permission denied > So, the prompt changed here. Does this mean that you switched users or machines? > [root@ibm-x3655-03 mnt]# su test1 > [test1@ibm-x3655-03 mnt]$ pwd; ls > /mnt > ls: reading directory .: Permission denied Does 'test1' have a krb5 ticket in his credcache here? IOW, did you kinit as test1? Question is resolved, I am confused by SELINUX.
This bug is verified on this environment:
1. SERVER: [test0@intel-sugarbay-dh-01 test]$ uname -a
Linux intel-sugarbay-dh-01.rhts.eng.rdu.redhat.com 2.6.32-130.el6.x86_64 #1 SMP Tue Apr 5 19:58:31 EDT 2011 x86_64 x86_64 x86_64 GNU/Linux
2. CLIENT: [test1@hp-xw6600-01 test]$ uname -a
Linux hp-xw6600-01.rhts.eng.bos.redhat.com 2.6.32-130.el6.x86_64 #1 SMP Tue Apr 5 19:58:31 EDT 2011 x86_64 x86_64 x86_64 GNU/Linux
3. packages
samba-winbind-clients-3.5.6-86.el6.x86_64
samba-3.5.6-86.el6.x86_64
samba-common-3.5.6-86.el6.x86_64
krb5-devel-1.9-8.el6.x86_64
krb5-libs-1.9-8.el6.x86_64
krb5-workstation-1.9-8.el6.x86_64
krb5-server-1.9-8.el6.x86_64
cifs-utils-4.8.1-1.el6.x86_64
4. SELINUX is closed on both machines.
5. krb5.conf & smb.conf
===krb5.conf
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
default_realm = LAB.BOS.REDHAT.COM
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
allow_weak_crypto = true
[realms]
LAB.BOS.REDHAT.COM = {
kdc = intel-sugarbay-dh-01.rhts.eng.rdu.redhat.com
admin_server = intel-sugarbay-dh-01.rhts.eng.rdu.redhat.com
}
[domain_realm]
.lab.bos.redhat.com = LAB.BOS.REDHAT.COM
lab.bos.redhat.com = LAB.BOS.REDHAT.COM
======smb.conf
[global]
workgroup = EXAMPLE
realm =LAB.BOS.REDHAT.COM
security = ads
server signing = auto
kerberos method = system keytab
[public]
path = /tmp/test
read only = no
writable = yes
6. principals on kdc and users on both machins
======
kadmin.local: list_principals
K/M.REDHAT.COM
host/hp-xw6600-01.rhts.eng.bos.redhat.com.REDHAT.COM
host/intel-sugarbay-dh-01.rhts.eng.rdu.redhat.com.REDHAT.COM
kadmin/admin.REDHAT.COM
kadmin/changepw.REDHAT.COM
kadmin/intel-sugarbay-dh-01.rhts.eng.rdu.redhat.com.REDHAT.COM
krbtgt/LAB.BOS.REDHAT.COM.REDHAT.COM
test0.REDHAT.COM
test1.REDHAT.COM
======
test0:x:10000:10000::/home/test0:/bin/bash
test1:x:10001:10001::/home/test1:/bin/bash
test steps:
1. prepare a directory exported on SERVER
[root@intel-sugarbay-dh-01 test]# ls -la /mnt/test
total 4
drwxrwxrwx. 2 root root 0 Apr 11 01:59 .
drwxr-xr-x. 6 root root 4096 Apr 10 23:57 ..
2. mount on CLIENT
[root@hp-xw6600-01 mnt]# kinit -k test0
[root@hp-xw6600-01 mnt]# mount.cifs //intel-sugarbay-dh-01.rhts.eng.rdu.redhat.com/public /mnt/test -o sec=krb5,multiuser
3. create a file on CLIENT and check on SERVER
[root@hp-xw6600-01 mnt]# echo "hello from root(test0)" > test/test0
======CHANGE MACHINE
[root@intel-sugarbay-dh-01 test]# ls -l
total 4
-rw-r--r--. 1 test0 test0 23 Apr 11 02:02 test0
[root@intel-sugarbay-dh-01 test]# cat test0
hello from root(test0)
4. change to test1 on CLIENT and do sth without any pricipals
[test1@hp-xw6600-01 mnt]$ kdestroy
[test1@hp-xw6600-01 mnt]$ ls test
ls: cannot access test: Permission denied
5. get principal test1 on CLIENT and create a file and check on SERVER
[test1@hp-xw6600-01 mnt]$ kinit -k test1
[test1@hp-xw6600-01 mnt]$ echo "hello from test1" >> test/test1
======CHANGE MACHINE
[root@intel-sugarbay-dh-01 test]# ls -la
total 16
drwxrwxrwx. 2 root root 4096 Apr 11 02:05 .
drwxrwxrwt. 4 root root 4096 Apr 10 23:56 ..
-rw-r--r--. 1 test0 test0 23 Apr 11 02:02 test0
-rw-r--r--. 1 test1 test1 17 Apr 11 02:05 test1
[root@intel-sugarbay-dh-01 test]# cat test1
hello from test1
Another test is performed: 1. [root@intel-sugarbay-dh-01 test]# echo "only test0" > onlytest0 [root@intel-sugarbay-dh-01 test]# chown test0:test0 onlytest0 [root@intel-sugarbay-dh-01 test]# chmod 600 onlytest0 [root@intel-sugarbay-dh-01 test]# ls -l total 12 -rw-------. 1 test0 test0 11 Apr 11 02:08 onlytest0 -rw-r--r--. 1 test0 test0 23 Apr 11 02:02 test0 -rw-r--r--. 1 test1 test1 17 Apr 11 02:05 test1 ========CHANGE MACHINE [test1@hp-xw6600-01 test]$ cat onlytest0 cat: onlytest0: Permission denied 2. mount without multiuser [root@hp-xw6600-01 mnt]# mount.cifs //$SERVER/public /mnt/test -o sec=krb5 [test1@hp-xw6600-01 test]$ echo "hello from test1 without multiuser" > test1withoutmultiuser bash: test1withoutmultiuser: Permission denied =======CHANGE MACHINE [root@intel-sugarbay-dh-01 test]# ls -la total 20 drwxrwxrwx. 2 root root 4096 Apr 11 02:13 . drwxrwxrwt. 4 root root 4096 Apr 10 23:56 .. -rw-------. 1 test0 test0 11 Apr 11 02:08 onlytest0 -rw-r--r--. 1 test0 test0 0 Apr 11 02:13 test -rw-r--r--. 1 test0 test0 23 Apr 11 02:02 test0 -rw-r--r--. 1 test1 test1 17 Apr 11 02:05 test1 -rw-r--r--. 1 test0 test0 0 Apr 11 02:12 test1withoutmultiuser Ok, so I take it this is resolved then? It is correct that if you want to export data via samba with selinux enabled then you need to label the data correctly. See the samba_selinux(8) manpage for info on how to do this. Yes, I think the result is correct according to comment 0. But there is still one problem: When kerberos'kdc and samba's server is NOT running on the same machine, mount.cifs will fail, just as comment 16 said. (In reply to comment #23) > Ok, so I take it this is resolved then? > > It is correct that if you want to export data via samba with selinux enabled > then you need to label the data correctly. See the samba_selinux(8) manpage for > info on how to do this. I'm not sure why that would be, it sounds like maybe you had something misconfigured in that setup? It's a little unclear from the description. Either way, I don't think that's an issue with the client. An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on therefore solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you. http://rhn.redhat.com/errata/RHSA-2011-0542.html |