| Summary: | mount.cifs not working with a Kerberos mount using sec=krb5i | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 6 | Reporter: | Joshua McClintock <jmcclintock> |
| Component: | cifs-utils | Assignee: | Jeff Layton <jlayton> |
| Status: | CLOSED NOTABUG | QA Contact: | qe-baseos-daemons |
| Severity: | high | Docs Contact: | |
| Priority: | unspecified | | |
| Version: | 6.1 | CC: | steved |
| Target Milestone: | rc | Keywords: | Reopened |
| Target Release: | --- | | |
| Hardware: | i686 | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2011-06-14 16:19:33 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
You have these options:
nodev,nosuid,sec=krb5i,user=jmcclintock
...and are doing the mount as root. I'm guessing from this:
Jun 13 14:31:11 rhel6 cifs.upcall: find_krb5_cc: FILE:/tmp/krb5cc_0 is not a valid credcache.
Jun 13 14:31:11 rhel6 cifs.upcall: find_krb5_cc: considering /tmp/krb5cc_2027947099
Jun 13 14:31:11 rhel6 cifs.upcall: find_krb5_cc: /tmp/krb5cc_2027947099 is owned by 2027947099, not 0
...that you got a krb5 ticket as user jmcclintock. If you intend to use that credcache to mount then you need to set the "creduid=" mount option to the uid that owns the credcache here.
I'm going to go ahead and set this as NOTABUG. Please reopen it if you want to discuss it further.

Hello Jeff, thank you for the tip, sorry about that. After adding 'creduid=2027947099' now I'm getting this, also tried with my username:
error -1 (Unknown error 4294967295) opening credential file 2027947099

oops, my bad... that option should be "cruid="

OK, gave that a try, but still seem to be getting close to the same result. Do you know why it's saying (null) in the cifs_krb5_get_req?
Jun 14 08:49:07 rhel6 cifs.upcall: key description: cifs.spnego;0;0;3f000000;ver=0x2;host=lwdemodc01.lwdemo.com;ip4=10.100.2.249;sec=krb5;uid=0x0;creduid=0x0;user=jmcclintock;pid=0x8bf
Jun 14 08:49:07 rhel6 cifs.upcall: ver=2
Jun 14 08:49:07 rhel6 cifs.upcall: host=lwdemodc01.lwdemo.com
Jun 14 08:49:07 rhel6 cifs.upcall: ip=10.100.2.249
Jun 14 08:49:07 rhel6 cifs.upcall: sec=1
Jun 14 08:49:07 rhel6 cifs.upcall: uid=0
Jun 14 08:49:07 rhel6 cifs.upcall: creduid=0
Jun 14 08:49:07 rhel6 cifs.upcall: user=jmcclintock
Jun 14 08:49:07 rhel6 cifs.upcall: pid=2239
Jun 14 08:49:07 rhel6 cifs.upcall: find_krb5_cc: considering /tmp/krb5cc_0
Jun 14 08:49:07 rhel6 cifs.upcall: find_krb5_cc: FILE:/tmp/krb5cc_0 is not a valid credcache.
Jun 14 08:49:07 rhel6 cifs.upcall: find_krb5_cc: considering /tmp/krb5cc_2027947099
Jun 14 08:49:07 rhel6 cifs.upcall: find_krb5_cc: /tmp/krb5cc_2027947099 is owned by 2027947099, not 0
Jun 14 08:49:07 rhel6 cifs.upcall: krb5_get_init_creds_keytab: -1765328203
Jun 14 08:49:07 rhel6 cifs.upcall: handle_krb5_mech: getting service ticket for cifs/lwdemodc01.lwdemo.com
Jun 14 08:49:07 rhel6 cifs.upcall: cifs_krb5_get_req: unable to resolve (null) to ccache
Jun 14 08:49:07 rhel6 cifs.upcall: handle_krb5_mech: failed to obtain service ticket (-1765328245)
Jun 14 08:49:07 rhel6 cifs.upcall: handle_krb5_mech: getting service ticket for host/lwdemodc01.lwdemo.com
Jun 14 08:49:07 rhel6 cifs.upcall: cifs_krb5_get_req: unable to resolve (null) to ccache
Jun 14 08:49:07 rhel6 cifs.upcall: handle_krb5_mech: failed to obtain service ticket (-1765328245)

Also, when I do a strings on /usr/sbin/cifs.upcall for 'cruid', I don't see any matches. Should I?

The kernel is still passing creduid=0x0 to the upcall. What kernel are you using?

(In reply to comment #6)
> Also, when I do a strings on /usr/sbin/cifs.upcall for 'cruid', I don't see any
> matches. Should I?
No, cruid= is a mount option and has no direct relation to the string that the kernel passes to cifs.upcall to get krb5 tickets.
> Something I'm noticing is that in the SMB negotiate exchange, Kerberos is not
> listed in the 'Requested Dialects'.
>
It wouldn't be -- krb5 is an authentication mechanism (and is wrapped inside of SPNEGO and GSSAPI), not an SMB dialect.

Kernel: 2.6.32-71.el6.i686

Voilà! Hadn't rebooted yet to get the kernel in 6.1, the command works now. Thank you for your time Jeff!

Running this one now: 2.6.32-131.0.15.el6.i686
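
A diagnostic that applies the reasoning in the comments above to cifs.upcall syslog output, as an added example that is not part of the original bug report or of cifs-utils: it parses the key description, flags a credential cache that was skipped because its owner differs from the creduid the kernel passed, and flags a cruid= value that never reached the upcall. The function names and finding labels are hypothetical; the sample lines are copied from the log quoted in this thread.

```python
import re

# Sample input: cifs.upcall lines copied from the log quoted in this thread.
SAMPLE_LOG = """\
Jun 14 08:49:07 rhel6 cifs.upcall: key description: cifs.spnego;0;0;3f000000;ver=0x2;host=lwdemodc01.lwdemo.com;ip4=10.100.2.249;sec=krb5;uid=0x0;creduid=0x0;user=jmcclintock;pid=0x8bf
Jun 14 08:49:07 rhel6 cifs.upcall: find_krb5_cc: considering /tmp/krb5cc_0
Jun 14 08:49:07 rhel6 cifs.upcall: find_krb5_cc: FILE:/tmp/krb5cc_0 is not a valid credcache.
Jun 14 08:49:07 rhel6 cifs.upcall: find_krb5_cc: considering /tmp/krb5cc_2027947099
Jun 14 08:49:07 rhel6 cifs.upcall: find_krb5_cc: /tmp/krb5cc_2027947099 is owned by 2027947099, not 0
Jun 14 08:49:07 rhel6 cifs.upcall: cifs_krb5_get_req: unable to resolve (null) to ccache
"""

KEY_RE = re.compile(r"key description: (\S+)")
OWNER_RE = re.compile(r"find_krb5_cc: (\S+) is owned by (\d+), not (\d+)")

def parse_key_description(desc):
    """Split 'cifs.spnego;0;0;3f000000;k=v;...' into a dict of its k=v fields."""
    fields = {}
    for part in desc.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            fields[k] = v
    return fields

def diagnose(log_text, cruid_option=None):
    """Return findings; cruid_option is the uid given as cruid= at mount time, if any."""
    findings = []
    creduid = None
    for line in log_text.splitlines():
        m = KEY_RE.search(line)
        if m:
            key = parse_key_description(m.group(1))
            creduid = int(key.get("creduid", "0x0"), 16)  # hex in the key string
            # cruid= was requested but the kernel still sent a different creduid
            if cruid_option is not None and creduid != cruid_option:
                findings.append(("cruid-not-passed", cruid_option, creduid))
        m = OWNER_RE.search(line)
        if m and creduid is not None and int(m.group(3)) == creduid:
            # a ccache exists but belongs to another uid than the one searched for
            findings.append(("ccache-owner-mismatch", m.group(1), int(m.group(2))))
        elif "unable to resolve (null) to ccache" in line:
            findings.append(("no-usable-ccache", creduid))
    return findings
```

Calling `diagnose(SAMPLE_LOG, cruid_option=2027947099)` reports all three conditions for the Jun 14 attempt; leaving `cruid_option` unset reports only the owner mismatch and the missing ccache, which is the Jun 13 situation.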

Description of problem:
Trying to mount a share using mount.cifs. smbclient -k works.

Version-Release number of selected component (if applicable):
cifs-utils-4.8.1-2.el6.i686

How reproducible:
Always

Steps to Reproduce:
1. Setup share on Windows 2003 Server
2. Login on RHEL6 box as an AD user and get a TGT
3. Try to mount cifs share:
-sh-4.1$ sudo mount -t cifs --verbose -o nodev,nosuid,sec=krb5i,user=jmcclintock //lwdemodc01.lwdemo.com/netshare /tmp/mount

Actual results:
[sudo] password for jmcclintock:
mount.cifs kernel mount options: ip=10.100.2.249,unc=\\lwdemodc01.lwdemo.com\netshare,nosuid,nodev,sec=krb5i,ver=1,user=jmcclintock,pass=********
mount error(126): Required key not available
Refer to the mount.cifs(8) manual page (e.g. man mount.cifs)

Expected results:
Mounted CIFS share

Additional info:
Jun 13 14:31:11 rhel6 cifs.upcall: key description: cifs.spnego;0;0;3f000000;ver=0x2;host=lwdemodc01.lwdemo.com;ip4=10.100.2.249;sec=krb5;uid=0x0;creduid=0x0;user=jmcclintock;pid=0x767
Jun 13 14:31:11 rhel6 cifs.upcall: find_krb5_cc: considering /tmp/krb5cc_0
Jun 13 14:31:11 rhel6 cifs.upcall: find_krb5_cc: FILE:/tmp/krb5cc_0 is not a valid credcache.
Jun 13 14:31:11 rhel6 cifs.upcall: find_krb5_cc: considering /tmp/krb5cc_2027947099
Jun 13 14:31:11 rhel6 cifs.upcall: find_krb5_cc: /tmp/krb5cc_2027947099 is owned by 2027947099, not 0
Jun 13 14:31:11 rhel6 cifs.upcall: handle_krb5_mech: getting service ticket for cifs/lwdemodc01.lwdemo.com
Jun 13 14:31:11 rhel6 cifs.upcall: cifs_krb5_get_req: unable to resolve (null) to ccache
Jun 13 14:31:11 rhel6 cifs.upcall: handle_krb5_mech: failed to obtain service ticket (-1765328245)
Jun 13 14:31:11 rhel6 cifs.upcall: handle_krb5_mech: getting service ticket for host/lwdemodc01.lwdemo.com
Jun 13 14:31:11 rhel6 cifs.upcall: cifs_krb5_get_req: unable to resolve (null) to ccache
Jun 13 14:31:11 rhel6 cifs.upcall: handle_krb5_mech: failed to obtain service ticket (-1765328245)

Ticket cache: FILE:/tmp/krb5cc_2027947099
Default principal: jmcclintock

Valid starting Expires Service principal
06/13/11 14:39:04 06/14/11 00:39:15 krbtgt/LWDEMO.COM
	renew until 06/14/11 02:39:04
06/13/11 14:39:15 06/14/11 00:39:15 host/rhel6.lwdemo.com@
	renew until 06/14/11 02:39:04
06/13/11 14:39:15 06/14/11 00:39:15 host/rhel6.lwdemo.com
	renew until 06/14/11 02:39:04
06/13/11 14:05:19 06/14/11 00:00:40 cifs/lwdemodc01.lwdemo.com
	renew until 06/14/11 02:00:33
-sh-4.1$

Something I'm noticing is that in the SMB negotiate exchange, Kerberos is not listed in the 'Requested Dialects'.
...N.SMBr............................+..LM1.2X002..LANMAN2.1..NT LM 0.12..POSIX