Description of problem: I have configured samba mount using sec=krb5i since samba-client 3.3.2. It stopped working after upgrading to 3.4.5-0.47.fc11. I'm not sure if it works with 3.4.5-0.46.fc11 but definetely it worked with samba-client-3.4.2-0.42.fc11.i586 The error message is: # mount.cifs //proliant10.office.hci/home /mnt -o username=finstrle,domain=OFFICE.HCI,uid=500,file_mode=0777,iocharset=utf8,nosuid,nodev,sec=krb5i mount error(126): Required key not available Refer to the mount.cifs(8) manual page (e.g. man mount.cifs) it work ok without configuration change when I downgrade back to the 3.3.2 (yum disablerepo=updates). So I think there is no mistake in configuration. /etc/request-key.conf: create cifs.spnego * * /usr/sbin/cifs.upcall %k %d create dns_resolver * * /usr/sbin/cifs.upcall %k %d Version-Release number of selected component (if applicable): Broken krb5i: 3.4.5-0.47.fc11 Last (sure) ok: 3.4.2-0.42.fc11.i586 How reproducible: Try to use krb5i to mount cifs share againist AD (I think we have win 2003R2 server). My linux box isn't part of domain. Steps to Reproduce: 1.install samba packages 2.configure /etc/krb5.conf 3.add these lines to /etc/request-key.conf: create cifs.spnego * * /usr/sbin/cifs.upcall %k %d create dns_resolver * * /usr/sbin/cifs.upcall %k %d 4.as root: kinit <login@REALM> 5.as root: mount.cifs //<server>/<share> /mnt -o username=<username>,domain=<domain realm>,iocharset=utf8,nosuid,nodev,sec=krb5i Actual results: mount error(126): Required key not available Refer to the mount.cifs(8) manual page (e.g. man mount.cifs) Expected results: mount the share to the /mnt Additional info:
I found that last working (even test version) is 3.4.3-0.44.fc11. I also get better trace using: echo 3 > /proc/fs/cifs/cifsFYI and then dmesg. The working verison 3.4.3-0.44.fc11 dmesg: fs/cifs/cifsfs.c: Devname: //proliant10.office.hci/home flags: 64 fs/cifs/connect.c: CIFS VFS: in cifs_mount as Xid: 235 with uid: 0 fs/cifs/connect.c: Domain name set fs/cifs/connect.c: iocharset set to utf8 fs/cifs/connect.c: Username: finstrle fs/cifs/connect.c: UNC: \\proliant10.office.hci\home ip: 192.168.33.2 fs/cifs/connect.c: Socket created fs/cifs/connect.c: sndbuf 16384 rcvbuf 87380 rcvtimeo 0x1b58 fs/cifs/connect.c: Existing smb sess not found fs/cifs/cifssmb.c: secFlags 0x1009 fs/cifs/cifssmb.c: Kerberos only mechanism, enable extended security fs/cifs/transport.c: For smb_command 114 fs/cifs/connect.c: Demultiplex PID: 6669 fs/cifs/transport.c: Sending smb: total_len 82 fs/cifs/connect.c: rfc1002 length 0xb7 fs/cifs/cifssmb.c: Dialect: 2 fs/cifs/asn1.c: OID len = 7 oid = 0x1 0x2 0x348 0xbb92 fs/cifs/asn1.c: OID len = 7 oid = 0x1 0x2 0x348 0x1bb92 fs/cifs/asn1.c: OID len = 8 oid = 0x1 0x2 0x348 0x1bb92 fs/cifs/asn1.c: OID len = 10 oid = 0x1 0x3 0x6 0x1 fs/cifs/asn1.c: Need to call asn1_octets_decode() function for proliant10$@OFFICE.HCI fs/cifs/cifssmb.c: Must sign - secFlags 0x1009 fs/cifs/cifssmb.c: negprot rc 0 fs/cifs/connect.c: Security Mode: 0xf Capabilities: 0x8001f3fd TimeAdjust: -3600 fs/cifs/sess.c: sess setup type 7 fs/cifs/cifs_spnego.c: key description = ver=0x2;host=proliant10.office.hci;ip4=192.168.33.2;sec=mskrb5;uid=0x1f4;user=finstrle fs/cifs/transport.c: For smb_command 115 fs/cifs/transport.c: Sending smb: total_len 4018 fs/cifs/connect.c: rfc1002 length 0xd5 fs/cifs/misc.c: Null buffer passed to cifs_small_buf_release fs/cifs/sess.c: ssetup rc from sendrecv2 is 0 fs/cifs/sess.c: UID = 4098 fs/cifs/sess.c: bleft 139 fs/cifs/sess.c: serverOS=Windows Server 2003 R2 3790 Service Pack 2 fs/cifs/sess.c: serverNOS=Windows Server 2003 R2 5.2 fs/cifs/sess.c: ssetup freeing small buf f66d6e00 fs/cifs/connect.c: CIFS Session Established successfully fs/cifs/connect.c: file mode: 0x1ff dir mode: 0x1ff fs/cifs/transport.c: For smb_command 117 fs/cifs/transport.c: Sending smb: total_len 112 fs/cifs/connect.c: rfc1002 length 0x42 fs/cifs/connect.c: disk share connection fs/cifs/connect.c: nativeFileSystem=NTFS fs/cifs/connect.c: Tcon flags: 0x1 fs/cifs/connect.c: CIFS Tcon rc = 0 fs/cifs/cifssmb.c: In QFSDeviceInfo fs/cifs/transport.c: For smb_command 50 fs/cifs/transport.c: Sending smb: total_len 72 fs/cifs/connect.c: rfc1002 length 0x44 fs/cifs/cifssmb.c: In QFSAttributeInfo fs/cifs/transport.c: For smb_command 50 fs/cifs/transport.c: Sending smb: total_len 72 fs/cifs/connect.c: rfc1002 length 0x50 fs/cifs/connect.c: CIFS VFS: leaving cifs_mount (xid = 235) rc = 0 fs/cifs/inode.c: CIFS VFS: in cifs_iget as Xid: 236 with uid: 0 fs/cifs/inode.c: Getting info on fs/cifs/transport.c: For smb_command 50 fs/cifs/transport.c: Sending smb: total_len 78 fs/cifs/connect.c: rfc1002 length 0x92 fs/cifs/inode.c: Old time 0 fs/cifs/inode.c: New time 6536948 The broken version 3.4.4-0.45.fc11 dmesg: fs/cifs/cifsfs.c: Devname: //proliant10.office.hci/home flags: 64 fs/cifs/connect.c: CIFS VFS: in cifs_mount as Xid: 234 with uid: 0 fs/cifs/connect.c: Domain name set fs/cifs/connect.c: iocharset set to utf8 fs/cifs/connect.c: Username: finstrle fs/cifs/connect.c: UNC: \\proliant10.office.hci\home ip: 192.168.33.2 fs/cifs/connect.c: Socket created fs/cifs/connect.c: sndbuf 16384 rcvbuf 87380 rcvtimeo 0x1b58 fs/cifs/connect.c: Existing smb sess not found fs/cifs/connect.c: Demultiplex PID: 6623 fs/cifs/cifssmb.c: secFlags 0x1009 fs/cifs/cifssmb.c: Kerberos only mechanism, enable extended security fs/cifs/transport.c: For smb_command 114 fs/cifs/transport.c: Sending smb: total_len 82 fs/cifs/connect.c: rfc1002 length 0xb7 fs/cifs/cifssmb.c: Dialect: 2 fs/cifs/asn1.c: OID len = 7 oid = 0x1 0x2 0x348 0xbb92 fs/cifs/asn1.c: OID len = 7 oid = 0x1 0x2 0x348 0x1bb92 fs/cifs/asn1.c: OID len = 8 oid = 0x1 0x2 0x348 0x1bb92 fs/cifs/asn1.c: OID len = 10 oid = 0x1 0x3 0x6 0x1 fs/cifs/asn1.c: Need to call asn1_octets_decode() function for proliant10$@OFFICE.HCI fs/cifs/cifssmb.c: Must sign - secFlags 0x1009 fs/cifs/cifssmb.c: negprot rc 0 fs/cifs/connect.c: Security Mode: 0xf Capabilities: 0x8001f3fd TimeAdjust: -3600 fs/cifs/sess.c: sess setup type 7 fs/cifs/cifs_spnego.c: key description = ver=0x2;host=proliant10.office.hci;ip4=192.168.33.2;sec=mskrb5;uid=0x1f4;user=finstrle fs/cifs/sess.c: ssetup freeing small buf f4972540 CIFS VFS: Send error in SessSetup = -126 fs/cifs/connect.c: CIFS VFS: leaving cifs_mount (xid = 234) rc = -126 CIFS VFS: cifs_mount failed w/return code = -126
After you run the kinit above, can you run 'klist' and paste the output into this bug?
Actually, even better would be a kinit after a mount attempt.
...I mean a klist after a mount attempt, not a kinit...
klist before and after the mount command is the same (with broken version): # klist Ticket cache: FILE:/tmp/krb5cc_0 Default principal: finstrle Valid starting Expires Service principal 02/15/10 13:17:42 02/15/10 23:17:47 krbtgt/OFFICE.HCI renew until 02/16/10 13:17:42 Kerberos 4 ticket cache: /tmp/tkt0 klist: You have no tickets cached How can I trace which host/xxx it tries? # kvno host/proliant10.office.hci host/proliant10.office.hci: kvno = 25 This kvno command add also (klist) 02/15/10 13:20:41 02/15/10 23:17:47 host/proliant10.office.hci renew until 02/16/10 13:17:42 But the mount command still failed.
Hmmm...looks like that should be working. cifs.upcall will log at the daemon.debug level. What might be good is to configure syslog to log that to a separate file. Something like this in syslog.conf: daemon.debug /var/log/daemon.debug ...reload syslog and reattempt the mount and then check and see if there's anything interesting in that file.
Nothing interesting: Feb 16 09:23:44 finstrle cifs.upcall: key description: cifs.spnego;0;0;3f000000;ver=0x2;host=proliant10.office.hci;ip4=192.168.33.2;sec=mskrb5;uid=0x1f4;user=finstrle Feb 16 09:23:44 finstrle cifs.upcall: find_krb5_cc: considering /tmp/<file> Any idea what's wrong? Can I get more detailed debug info?
For complete information. The change to get it working/not working is only this: # here I have non function version of samba: libsmbclient, samba-common, samba-client, samba-winbind $ rpm -Uvh ~luf/Download/samba/*.rpm $ mount.cifs //proliant10.office.hci/home /mnt -o username=finstrle,domain=OFFICE,uid=500,file_mode=0777,iocharset=utf8,nosuid,nodev,sec=krb5i mount error(126): Required key not available Refer to the mount.cifs(8) manual page (e.g. man mount.cifs) # here I have older version of samba packages rpm -Uvh ~luf/Download/samba.working-latest/* --force mount.cifs //proliant10.office.hci/home /mnt -o username=finstrle,domain=OFFICE,uid=500,file_mode=0777,iocharset=utf8,nosuid,nodev,sec=krb5i # this worked ...
I tried the debug with working version of samba and I see that the debug continues with: Feb 16 10:06:27 finstrle cifs.upcall: find_krb5_cc: FILE:/tmp/<file> is valid ccache Feb 16 10:06:27 finstrle cifs.upcall: handle_krb5_mech: getting service ticket for cifs/proliant10.office.hci Feb 16 10:06:27 finstrle cifs.upcall: handle_krb5_mech: obtained service ticket Hmmm, why newer samba doesn't recognize the kerberos ccache as valid?
I take a look into source code and there is code change in cifs.upcall. It seems that cifs.upcall fails somewhere becouse there have to be some log entry after considering (it isn't so it has to fail the process). I'm looking deeper.
I think I find the bug. I have to verify it and then I'll upload the patch.
The basic problem is in source3/client/cifs.upcall.c (function get_tgt_time). It fails on TALLOC_FREE(name); When I remove the line it works ok. I tried switch lines from: krb5_free_cred_contents(context, &creds); TALLOC_FREE(name); to TALLOC_FREE(name); krb5_free_cred_contents(context, &creds); with no success.
Thanks for tracking it down that far. I'm not sure why that would fall down... Gunther, any ideas?
Also, Ludek...what version of libtalloc do you have installed?
I try put TALLOC_FREE(name); right below the if with smb_krb5_unparse_name and it failed again. So now I'm trying this change: if (smb_krb5_unparse_name(NULL, context, creds.server, &name)) { to if (smb_krb5_unparse_name(talloc_tos(), context, creds.server, &name)) { I do it becouse I see no other smb_krb5_unparse_name with NULL. Maybe use SAFE_FREE (when first arg is NULL) instead of TALLOC_FREE?
libtalloc 1.3.1-0.fc11
That's it! There is problem in NULL in smb_krb5_unparse_name. There is two ways: 1) use talloc_tos() instead of NULL 2) use SAFE_FREE(name) instead of TALLOC_FREE(name)
That's it - I mean I tried 1) use talloc_tos() instead of NULL (rebuild the samba-client RPM from src.rpm) and now it works ok. Do you need something else from me?
Interesting -- thanks for tracking it down. At this point I think we have it covered. I *thought* it was ok to do a talloc allocation with a null context, but maybe that's not the case with older talloc versions. At this point, I'll wait for GD to chime in since he's worked with talloc more than I have...
There is no problem in allocation at all but it's not (talloc?) in deeper function (convert_string_allocate) is: if (ctx) { ob = (char *)TALLOC_REALLOC(ctx, ob, destlen + 2); } else { ob = (char *)SMB_REALLOC(ob, destlen + 2); } Also in error handling in this function is: if (ctx) { TALLOC_FREE(ob); } else { SAFE_FREE(ob); } So this is the root of problem.
Created attachment 394540 [details] patch to this bug with change TALLOC_FREE to SAFE_FREE
Created attachment 394541 [details] patch to this bug with change smb_krb5_unparse_name first arg from NULL to talloc_tos()
Both patches also contains char *name = NULL; If you'll need more info please contact me directly by e-mail. I don't know why I don't receive e-mail notifications for comments.
Actually Simo piped in that he knows what the problem is: 08:38 < simo> jlayton, if you pass NULL down many calls into the conversion we do SMB_STRDUP() instead of talloc_strdup() 08:39 <@jlayton> ahh 08:39 < simo> jlayton, the fix is to either make sure we use SDAFE_FREE() or always pass a real context 08:39 < simo> I would say it is safer to passa real context here ...I'll spin up a patch to do that. I think that just means doing a talloc_init early in that function.
talloc_tos() is probably incorrect there too -- as gd points out: 08:29 <@gd> it would leak, as there is no talloc_stackframe around
Created attachment 394553 [details] patch -- allocate temporary talloc context to use in smb_krb5_unparse_name I think this patch does the right thing here. Ludek, would you be able to test it and let me know if it fixes the problem?
I'll test it tomorrow as I have to leave computer today.
Reassigning to GD to handle while I'm traveling...
I confirm Jeff's patch fix this problem. It works ok.
samba-3.4.5-56.fc12 has been submitted as an update for Fedora 12. http://admin.fedoraproject.org/updates/samba-3.4.5-56.fc12
samba-3.4.5-0.48.fc11 has been submitted as an update for Fedora 11. http://admin.fedoraproject.org/updates/samba-3.4.5-0.48.fc11
Thanks, Ludek, for testing. I prepared updates for f11/f12, once they are available to you, could you please give karma ?
I downloaded and updated to samba-3.4.5-0.48.fc11 and it works as expected. Thanks you and Jeff for fast reaction.
samba-3.4.5-0.48.fc11 has been pushed to the Fedora 11 testing repository. If problems still persist, please make note of it in this bug report. If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update samba'. You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F11/FEDORA-2010-1364
samba-3.4.5-56.fc12 has been pushed to the Fedora 12 testing repository. If problems still persist, please make note of it in this bug report. If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update samba'. You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F12/FEDORA-2010-1653
samba-3.4.6-0.49.fc11 has been submitted as an update for Fedora 11. http://admin.fedoraproject.org/updates/samba-3.4.6-0.49.fc11
samba-3.4.6-0.49.fc11 has been pushed to the Fedora 11 testing repository. If problems still persist, please make note of it in this bug report. If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update samba'. You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F11/FEDORA-2010-2900
This message is a reminder that Fedora 11 is nearing its end of life. Approximately 30 (thirty) days from now Fedora will stop maintaining and issuing updates for Fedora 11. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At that time this bug will be closed as WONTFIX if it remains open with a Fedora 'version' of '11'. Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, simply change the 'version' to a later Fedora version prior to Fedora 11's end of life. Bug Reporter: Thank you for reporting this issue and we are sorry that we may not be able to fix it before Fedora 11 is end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version of Fedora please change the 'version' of this bug to the applicable version. If you are unable to change the version, please add a comment here and someone will do it for you. Although we aim to fix as many bugs as possible during every release's lifetime, sometimes those efforts are overtaken by events. Often a more recent Fedora release includes newer upstream software that fixes bugs or makes them obsolete. The process we are following is described here: http://fedoraproject.org/wiki/BugZappers/HouseKeeping
Fedora 11 changed to end-of-life (EOL) status on 2010-06-25. Fedora 11 is no longer maintained, which means that it will not receive any further security or bug fix updates. As a result we are closing this bug. If you can reproduce this bug against a currently maintained version of Fedora please feel free to reopen this bug against that version. Thank you for reporting this bug and we are sorry it could not be fixed.