Bug 605650 - cifs-mounting DFS shares w/ Kerberos still problematic
Status: CLOSED NOTABUG
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: samba3x
Version: 5.5
Hardware: All
OS: Linux
Priority: low
Severity: medium
Target Milestone: rc
Assigned To: Jeff Layton
QA Contact: qe-baseos-daemons
Reported: 2010-06-18 09:25 EDT by Harald Milz
Modified: 2014-06-18 03:40 EDT
Doc Type: Bug Fix
Last Closed: 2010-08-02 15:04:04 EDT
Attachments:
daemon.log from 605650 (1.05 KB, application/x-gzip), 2010-06-24 07:55 EDT, Harald Milz
cifsFYI from 605650 (2.34 KB, application/x-gzip), 2010-06-24 07:56 EDT, Harald Milz

Description Harald Milz 2010-06-18 09:25:32 EDT
Description of problem:

We're trying to 

mount.cifs //R0803/DFSROOT/foo/bar /mount/point -o sec=krb5i

but we get the infamous mount error 126 "Required key not available". Tried "cifs.upcall -t" as suggested by Jeff on the linux-cifs-client ml last January (see http://old.nabble.com/Re%3A-Handling-Kerberos-principals-that-don%27t-match-hostnames-p27075033.html) but no luck. The FQDN of the DFS root server is r0803.ads.customer.de, the SPN is the same all uppercase.

Mounts against "normal" Windows 2008 shares work reliably fine, e.g. 

mount.cifs //FS00GHJK/foo/bar /mount/point -o sec=krb5i

Mounting the DFS shares using sec=ntlmv2i and username / password works fine too. 


Version-Release number of selected component (if applicable):

samba-3x-3.3.8-50 as on the CD / DVD


How reproducible:

always. 


Steps to Reproduce:
1. see above
  
Actual results:

error 126 "Required key does not exist"

Expected results:

mount should work. 


Additional info:
Comment 1 Guenther Deschner 2010-06-18 09:35:33 EDT
Does that mean that DFS shares with Kerberos work against Windows 2008 and not against a Samba3x server?
Comment 2 Jeff Layton 2010-06-18 10:34:04 EDT
It would probably be helpful to make syslog log daemon.debug and then try your mount attempt. That should give us more information about what cifs.upcall is actually doing.
Comment 3 Harald Milz 2010-06-21 12:06:44 EDT
@Günther: No, this is samba3x-winbind and samba3x-client against Windows 2008R2. Sorry for the missing precision ;-) 

@Jeff: yup, will try to get this info this week. I have no permanent access to the affected machine.
Comment 4 Harald Milz 2010-06-24 07:55:47 EDT
Created attachment 426541
daemon.log from 605650
Comment 5 Harald Milz 2010-06-24 07:56:16 EDT
Created attachment 426542
cifsFYI from 605650
Comment 6 Harald Milz 2010-06-24 07:58:54 EDT
Hi, I attached the logs for this case. As you can see, for the DFS shares, cifs.upcall seems unable to find the right TGT. 

Strange thing is, if I invoke the mount command manually on the command line, it works, while if I invoke the mount script calling the exact same command from the very same command line as the very same user, it does not. I would rather not attach the script here because it contains customer and Red Hat IP - if you get me an address to mail it to I'd be willing to send it. 

TIA!
Comment 7 Jeff Layton 2010-06-30 14:05:44 EDT
Grabbing from Gunther until we determine what the problem is...
Comment 8 Jeff Layton 2010-06-30 15:00:48 EDT
From dmesg log, here's the upcall string:

 fs/cifs/cifs_spnego.c: key description = ver=0x2;host=R0803;ip4=10.128.133.253;sec=mskrb5;uid=0x2e82;user=yc0t37d
 fs/cifs/sess.c: ssetup freeing small buf f3f22040
 CIFS VFS: Send error in SessSetup = -126

...here's the log from daemon.log:

Jun 22 13:15:58 fsnxsrv3 cifs.upcall: handle_krb5_mech: getting service ticket for cifs/R0803
Jun 22 13:15:58 fsnxsrv3 cifs.upcall: handle_krb5_mech: failed to obtain service ticket (-1765328377)
Jun 22 13:15:58 fsnxsrv3 cifs.upcall: handle_krb5_mech: getting service ticket for host/R0803
Jun 22 13:15:59 fsnxsrv3 cifs.upcall: handle_krb5_mech: failed to obtain service ticket (-1765328377)
Jun 22 13:15:59 fsnxsrv3 cifs.upcall: ip_to_fqdn: resolved 10.128.133.253 to r0803
Jun 22 13:15:59 fsnxsrv3 cifs.upcall: handle_krb5_mech: getting service ticket for cifs/r0803
Jun 22 13:15:59 fsnxsrv3 cifs.upcall: handle_krb5_mech: failed to obtain service ticket (-1765328377)
Jun 22 13:15:59 fsnxsrv3 cifs.upcall: handle_krb5_mech: getting service ticket for host/r0803
Jun 22 13:15:59 fsnxsrv3 cifs.upcall: handle_krb5_mech: failed to obtain service ticket (-1765328377)

That error is:

/usr/include/krb5/krb5.h:#define KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN          (-1765328377L)

...so it looks like the KDC doesn't have service principals that match cifs/r0803 or host/r0803, or those with the hostname part capitalised.

I think you should have a hard look at your name resolution on this client. It appears that it's reverse resolving that IP address to a short name, and you probably want it to resolve to a FQDN. Alternately, you could consider adding service principals for the short names to the KDC and teach the fileserver about them.
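
The triage done by hand in comment 8, as an added Python example that is not part of the original bug report or of cifs-utils: it pairs each service-ticket request in the cifs.upcall log with its krb5 error and flags a reverse lookup that returns a short name instead of an FQDN. The function names are hypothetical; the log lines are the ones quoted in comment 8.

```python
import re

# MIT krb5 error-table base: KDC error code N is reported as KRB5_BASE + N.
KRB5_BASE = -1765328384
KDC_ERRORS = {6: "KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN",
              7: "KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN"}

# Log lines copied from the daemon.log excerpt in comment 8.
SAMPLE_LOG = """\
Jun 22 13:15:58 fsnxsrv3 cifs.upcall: handle_krb5_mech: getting service ticket for cifs/R0803
Jun 22 13:15:58 fsnxsrv3 cifs.upcall: handle_krb5_mech: failed to obtain service ticket (-1765328377)
Jun 22 13:15:58 fsnxsrv3 cifs.upcall: handle_krb5_mech: getting service ticket for host/R0803
Jun 22 13:15:59 fsnxsrv3 cifs.upcall: handle_krb5_mech: failed to obtain service ticket (-1765328377)
Jun 22 13:15:59 fsnxsrv3 cifs.upcall: ip_to_fqdn: resolved 10.128.133.253 to r0803
Jun 22 13:15:59 fsnxsrv3 cifs.upcall: handle_krb5_mech: getting service ticket for cifs/r0803
Jun 22 13:15:59 fsnxsrv3 cifs.upcall: handle_krb5_mech: failed to obtain service ticket (-1765328377)
Jun 22 13:15:59 fsnxsrv3 cifs.upcall: handle_krb5_mech: getting service ticket for host/r0803
Jun 22 13:15:59 fsnxsrv3 cifs.upcall: handle_krb5_mech: failed to obtain service ticket (-1765328377)
"""

TICKET_RE = re.compile(r"cifs\.upcall: handle_krb5_mech: getting service ticket for (\S+)")
FAIL_RE = re.compile(r"cifs\.upcall: handle_krb5_mech: failed to obtain service ticket \((-?\d+)\)")
RESOLVE_RE = re.compile(r"cifs\.upcall: ip_to_fqdn: resolved (\S+) to (\S+)")

def krb5_error_name(code):
    """Map a raw krb5 error number to its symbolic name where known."""
    return KDC_ERRORS.get(code - KRB5_BASE, "unknown (%d)" % code)

def triage(log_text):
    """Return ([(spn, error_name)], [(ip, short_name)]) from cifs.upcall log text."""
    attempts, short_names, pending = [], [], None
    for line in log_text.splitlines():
        m = TICKET_RE.search(line)
        if m:
            pending = m.group(1)          # SPN being requested
            continue
        m = FAIL_RE.search(line)
        if m and pending:
            attempts.append((pending, krb5_error_name(int(m.group(1)))))
            pending = None
            continue
        m = RESOLVE_RE.search(line)
        # A name without a dot cannot match an SPN registered under the FQDN.
        if m and "." not in m.group(2).rstrip("."):
            short_names.append((m.group(1), m.group(2)))
    return attempts, short_names

if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```
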
Comment 9 Jeff Layton 2010-07-01 11:22:08 EDT
Harald, can you fix your name resolution so that you get FQDN back when trying to resolve the IP address to name? If so, then I suspect that will fix this.
Comment 10 Jeff Layton 2010-08-02 15:04:04 EDT
No response in over a month. I'm going to go ahead and close this as NOTABUG. Please reopen if you're still having problems with it.