Bug 605650 - cifs-mounting DFS shares w/ Kerberos still problematic
Status: CLOSED NOTABUG
Alias: None
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: samba3x
Version: 5.5
Hardware: All Linux
low
medium
Target Milestone: rc
Assignee: Jeff Layton
QA Contact: qe-baseos-daemons
Reported: 2010-06-18 13:25 UTC by Harald Milz
Modified: 2014-06-18 07:40 UTC (History)
Doc Type: Bug Fix
Last Closed: 2010-08-02 19:04:04 UTC

Attachments
daemon.log from 605650 (1.05 KB, application/x-gzip)
2010-06-24 11:55 UTC, Harald Milz
cifsFYI from 605650 (2.34 KB, application/x-gzip)
2010-06-24 11:56 UTC, Harald Milz

Description Harald Milz 2010-06-18 13:25:32 UTC
Description of problem:

We're trying to 

mount.cifs //R0803/DFSROOT/foo/bar /mount/point -o sec=krb5i

but we get the infamous mount error 126 "Required key not available". Tried "cifs.upcall -t" as suggested by Jeff on the linux-cifs-client ml last January (see http://old.nabble.com/Re%3A-Handling-Kerberos-principals-that-don%27t-match-hostnames-p27075033.html) but no luck. The fqdn of the DFS root server is r0803.ads.customer.de, the SPN is the same all uppercase.

Mounts against "normal" Windows 2008 shares work reliably fine, e.g. 

mount.cifs //FS00GHJK/foo/bar /mount/point -o sec=krb5i

Mounting the DFS shares using sec=ntlmv2i and username / password works fine too. 


Version-Release number of selected component (if applicable):

samba-3x-3.3.8-50 as on the CD / DVD


How reproducible:

always. 


Steps to Reproduce:
1. see above
  
Actual results:

error 126 "Required key does not exist"

Expected results:

mount should work. 


Additional info:

Comment 1 Guenther Deschner 2010-06-18 13:35:33 UTC
Does that mean that DFS shares with Kerberos work against Windows 2008 and not against a Samba3x server?

Comment 2 Jeff Layton 2010-06-18 14:34:04 UTC
It would probably be helpful to make syslog log daemon.debug and then try your mount attempt. That should give us more information about what cifs.upcall is actually doing.

Comment 3 Harald Milz 2010-06-21 16:06:44 UTC
@Günther: No, this is samba3x-winbind and samba3x-client against Windows 2008R2. Sorry for the missing precision ;-) 

@Jeff: yup, will try to get this info this week. I have no permanent access to the affected machine.

Comment 4 Harald Milz 2010-06-24 11:55:47 UTC
Created attachment 426541
daemon.log from 605650

Comment 5 Harald Milz 2010-06-24 11:56:16 UTC
Created attachment 426542
cifsFYI from 605650

Comment 6 Harald Milz 2010-06-24 11:58:54 UTC
Hi, I attached the logs for this case. As you can see, for the DFS shares, cifs.upcall seems unable to find the right TGT. 

Strange thing is, if I invoke the mount command manually on the command line, it works, while if I invoke the mount script calling the exact same command from the very same command line as the very same user, it does not. I would rather not attach the script here because it contains customer and Red Hat IP - if you get me an address to mail it to I'd be willing to send it. 

TIA!

Comment 7 Jeff Layton 2010-06-30 18:05:44 UTC
Grabbing from Gunther until we determine what the problem is...

Comment 8 Jeff Layton 2010-06-30 19:00:48 UTC
From dmesg log, here's the upcall string:

 fs/cifs/cifs_spnego.c: key description = ver=0x2;host=R0803;ip4=10.128.133.253;sec=mskrb5;uid=0x2e82;user=yc0t37d
 fs/cifs/sess.c: ssetup freeing small buf f3f22040
 CIFS VFS: Send error in SessSetup = -126

...here's the log from daemon.log:

Jun 22 13:15:58 fsnxsrv3 cifs.upcall: handle_krb5_mech: getting service ticket for cifs/R0803
Jun 22 13:15:58 fsnxsrv3 cifs.upcall: handle_krb5_mech: failed to obtain service ticket (-1765328377)
Jun 22 13:15:58 fsnxsrv3 cifs.upcall: handle_krb5_mech: getting service ticket for host/R0803
Jun 22 13:15:59 fsnxsrv3 cifs.upcall: handle_krb5_mech: failed to obtain service ticket (-1765328377)
Jun 22 13:15:59 fsnxsrv3 cifs.upcall: ip_to_fqdn: resolved 10.128.133.253 to r0803
Jun 22 13:15:59 fsnxsrv3 cifs.upcall: handle_krb5_mech: getting service ticket for cifs/r0803
Jun 22 13:15:59 fsnxsrv3 cifs.upcall: handle_krb5_mech: failed to obtain service ticket (-1765328377)
Jun 22 13:15:59 fsnxsrv3 cifs.upcall: handle_krb5_mech: getting service ticket for host/r0803
Jun 22 13:15:59 fsnxsrv3 cifs.upcall: handle_krb5_mech: failed to obtain service ticket (-1765328377)

That error is:

/usr/include/krb5/krb5.h:#define KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN          (-1765328377L)

...so it looks like the KDC doesn't have service principals that match cifs/r0803 or host/r0803, or those with the hostname part capitalised.

I think you should have a hard look at your name resolution on this client. It appears that it's reverse resolving that IP address to a short name, and you probably want it to resolve to a FQDN. Alternately, you could consider adding service principals for the short names to the KDC and teach the fileserver about them.
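
Added example (not part of the original bug thread, and not code from cifs-utils): a Python triage of the daemon.log lines quoted in Comment 8. It pairs each SPN that cifs.upcall requested with the error that followed, and flags principals and reverse-DNS answers that have no domain part. The regular expressions assume the message format shown in those lines; the function and variable names are hypothetical.

```python
import re

# Log lines copied from the daemon.log excerpt in Comment 8.
SAMPLE_LOG = """\
Jun 22 13:15:58 fsnxsrv3 cifs.upcall: handle_krb5_mech: getting service ticket for cifs/R0803
Jun 22 13:15:58 fsnxsrv3 cifs.upcall: handle_krb5_mech: failed to obtain service ticket (-1765328377)
Jun 22 13:15:58 fsnxsrv3 cifs.upcall: handle_krb5_mech: getting service ticket for host/R0803
Jun 22 13:15:59 fsnxsrv3 cifs.upcall: handle_krb5_mech: failed to obtain service ticket (-1765328377)
Jun 22 13:15:59 fsnxsrv3 cifs.upcall: ip_to_fqdn: resolved 10.128.133.253 to r0803
Jun 22 13:15:59 fsnxsrv3 cifs.upcall: handle_krb5_mech: getting service ticket for cifs/r0803
Jun 22 13:15:59 fsnxsrv3 cifs.upcall: handle_krb5_mech: failed to obtain service ticket (-1765328377)
Jun 22 13:15:59 fsnxsrv3 cifs.upcall: handle_krb5_mech: getting service ticket for host/r0803
Jun 22 13:15:59 fsnxsrv3 cifs.upcall: handle_krb5_mech: failed to obtain service ticket (-1765328377)
"""

# MIT krb5 error table base: (code - base) is the RFC 4120 KDC error number.
KRB5_ERROR_TABLE_BASE = -1765328384
KDC_ERRORS = {6: "KDC_ERR_C_PRINCIPAL_UNKNOWN", 7: "KDC_ERR_S_PRINCIPAL_UNKNOWN"}

TRY_RE = re.compile(r"cifs\.upcall: handle_krb5_mech: getting service ticket for (\S+)")
FAIL_RE = re.compile(r"cifs\.upcall: handle_krb5_mech: failed to obtain service ticket \((-?\d+)\)")
RDNS_RE = re.compile(r"cifs\.upcall: ip_to_fqdn: resolved (\S+) to (\S+)")


def analyse(log_text):
    """Return failed SPN attempts plus any short-name SPNs and reverse lookups."""
    attempts = []    # [spn, error name or None], in log order
    short_rdns = []  # (ip, name) where the PTR answer has no domain part
    for line in log_text.splitlines():
        if m := TRY_RE.search(line):
            attempts.append([m.group(1), None])
        elif (m := FAIL_RE.search(line)) and attempts:
            number = int(m.group(1)) - KRB5_ERROR_TABLE_BASE
            attempts[-1][1] = KDC_ERRORS.get(number, f"krb5 error {m.group(1)}")
        elif (m := RDNS_RE.search(line)) and "." not in m.group(2):
            short_rdns.append((m.group(1), m.group(2)))
    failed = [(spn, err) for spn, err in attempts if err]
    # An SPN whose host part has no dot is a short name the KDC may not know.
    short_spns = sorted({s for s, _ in failed if "." not in s.partition("/")[2]})
    return {"failed": failed, "short_spns": short_spns, "short_rdns": short_rdns}


if __name__ == "__main__":
    report = analyse(SAMPLE_LOG)
    for spn, err in report["failed"]:
        print(f"{spn}: {err}")
    for ip, name in report["short_rdns"]:
        print(f"reverse lookup of {ip} returned short name {name!r}, expected an FQDN")
```
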

Comment 9 Jeff Layton 2010-07-01 15:22:08 UTC
Harald, can you fix your name resolution so that you get FQDN back when trying to resolve the IP address to name? If so, then I suspect that will fix this.

Comment 10 Jeff Layton 2010-08-02 19:04:04 UTC
No response in over a month. I'm going to go ahead and close this as NOTABUG. Please reopen if you're still having problems with it.

