646223 – cifs: multiuser mount support

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 646223 - cifs: multiuser mount support

Summary: cifs: multiuser mount support

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Enterprise Linux 6
Classification:	Red Hat
Component:	kernel
Sub Component:
Version:	6.1
Hardware:	Unspecified
OS:	Unspecified
Priority:	low
Severity:	medium
Target Milestone:	rc
Target Release:	---
Assignee:	Jeff Layton
QA Contact:	Jian Li
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:	677189 1077979
TreeView+	depends on / blocked

Reported:	2010-10-25 01:02 UTC by Jeff Layton
Modified:	2014-03-19 03:09 UTC (History)
CC List:	7 users (show)
Fixed In Version:	kernel-2.6.32-112.el6
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Clones:	677189 1077979 (view as bug list)
Environment:
Last Closed:	2011-05-23 20:27:15 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHSA-2011:0542	0	normal	SHIPPED_LIVE	Important: Red Hat Enterprise Linux 6.1 kernel security, bug fix and enhancement update	2011-05-19 11:58:07 UTC

Description Jeff Layton 2010-10-25 01:02:43 UTC

Support for multiuser mounts in cifs are going upstream for 2.6.37. Backport it for RHEL6.

Comment 1 RHEL Program Management 2010-11-18 18:19:36 UTC

This request was evaluated by Red Hat Product Management for inclusion
in a Red Hat Enterprise Linux maintenance release. Product Management has 
requested further review of this request by Red Hat Engineering, for potential
inclusion in a Red Hat Enterprise Linux Update release for currently deployed 
products. This request is not yet committed for inclusion in an Update release.

Comment 2 yanfu,wang 2010-11-23 02:25:39 UTC

pls help to provide how to test, thanks.

Comment 3 Jeff Layton 2010-12-02 13:44:31 UTC

Sure. The basic idea behind this patchset is to make it so that users use their own credentials to access the server. The idea is to make sure that when users access the server that the resulting accesses are done as those users and not with the credentials used originally on the mount.

Currently this is limited to krb5 auth, so to test...

First, you'll need a kerberized CIFS server. There's an example of how to set one up in RHTS under "kernel-tests/filesystems/cifs/krb5".

Once you set one up, you'll need 2 users set up on the client and server. UID/GIDs should be the same on both machines for the two users and they should have principals in the KDC.

The share exported by the server should be writable by both users.

The client should also have /etc/request-key.conf set up in accordance with the cifs.upcall manpage:

create cifs.spnego * * /usr/sbin/cifs.upcall %k
create dns_resolver * * /usr/sbin/cifs.upcall %k

...as root on the client, kinit as the first user:

root@client# kinit user1
Password for user1:

Then, mount the share from the server using krb5 auth and the "multiuser" mount option:

root@client# mount //server.example.com/share /mnt/cifs -o sec=krb5,multiuser

Be sure to use the FQDN of the server. That will mount the server using the credentials in root's credcache.

Now, "su" to user2 and run kdestroy to delete the credential cache:

user2@client$ kdestroy

Then try to access /mnt/cifs. It should fail with an EACCES error (Permission denied). This is because user2 has no credentials. Next, kinit as user2:

user2@client$ kinit
Password for user2:

Now, try to access /mnt/cifs. It should then work. You can then do any number of operations to make sure that this works as expected:

o Create a file in /mnt/cifs and it should be owned by "user2" (verify it on client and server).

o Go onto the server and create a file in the directory that's only readable by "user1". Try to have user2 read it. That should fail. Then try to have root read it, that should work (since root is using user1's credentials).

Contrast how this works with krb5 auth without the multiuser option. There, every access to the server is done using the same (mount) credentials. So creating files as "user2" in the test above will show files being created on the server as "user1".

Comment 6 Aristeu Rozanski 2011-02-03 15:28:44 UTC

Patch(es) available on kernel-2.6.32-112.el6

Comment 12 Jian Li 2011-03-28 06:34:44 UTC

Jeff hi, 
I have run this case in reserved machine with RHEL6.1, and I also have an environment:

1. two machines: kdc.lijian.com and host.lijian.com using RHEL6.0
hostnames have been added to /etc/hosts

2. kerberos working rightly (tested by sserver/sclient in host.lijian)
  principals :
root
cifs/host.lijian.com@EXAMPLE

3. /etc/samba/smb.conf:
[global]
        workgroup = EXAMPLE
        use kerberos keydtab = yes
        realm = EXAMPLE.COM
        security = ads
        #security = user
        server signing = auto
        dedicated keytab file = /etc/krb5.keytab
        kerberos method = dedicated keytab
[export]
        path = /mnt/smb
        read only = no

4. messages in /var/log/samba/log.smbd:

[2011/03/25 21:16:54.483380,  0] libads/kerberos_verify.c:72(ads_dedicated_keytab_verify_ticket)
  krb5_rd_req failed (Permission denied)
[2011/03/25 21:16:54.484035,  1] smbd/sesssetup.c:332(reply_spnego_kerberos)
  Failed to verify incoming ticket with error NT_STATUS_LOGON_FAILURE!

5. mount command : (root$) mount.cifs //host.lijian.com/export /mnt -o sec=krb5
mount error(13): Permission denied
Refer to the mount.cifs(8) manual page (e.g. man mount.cifs)

6. klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: root

Valid starting     Expires            Service principal
03/25/11 21:14:46  03/26/11 21:14:35  krbtgt/EXAMPLE.COM
03/25/11 21:16:24  03/26/11 21:14:35  cifs/host.lijian.com

Comment 14 Jeff Layton 2011-03-28 11:54:01 UTC

(In reply to comment #12)

> 
> 4. messages in /var/log/samba/log.smbd:
> 
> [2011/03/25 21:16:54.483380,  0]
> libads/kerberos_verify.c:72(ads_dedicated_keytab_verify_ticket)
>   krb5_rd_req failed (Permission denied)
> [2011/03/25 21:16:54.484035,  1] smbd/sesssetup.c:332(reply_spnego_kerberos)
>   Failed to verify incoming ticket with error NT_STATUS_LOGON_FAILURE!
> 

Sounds like smbd doesn't have permission to access /etc/krb5.keytab.

Comment 15 Jian Li 2011-04-06 02:53:30 UTC

(In reply to comment #14)

> 
> Sounds like smbd doesn't have permission to access /etc/krb5.keytab.
Yes, I think I didn't config smb with krb5 correctly, If you have built such environment, would you give me some tips?

Comment 16 Jian Li 2011-04-06 08:20:37 UTC

hi jeff, I test with janfu's advertise (https://bugzilla.redhat.com/show_bug.cgi?id=669377#c10), find that:
 1. smb server and kdc stay together (running on a machine), mount.cifs success;
 2. they are running on two machine, mount.cifs fail.

kdc: dell-per910-02.lab.bos.redhat.com
kadmin.local:  list_principals 
K/M.REDHAT.COM
host/dell-per910-02.lab.bos.redhat.com.REDHAT.COM
host/ibm-x3655-03.ovirt.rhts.eng.bos.redhat.com.REDHAT.COM
kadmin/admin.REDHAT.COM
kadmin/changepw.REDHAT.COM
kadmin/dell-per910-02.lab.bos.redhat.com.REDHAT.COM
krbtgt/LAB.BOS.REDHAT.COM.REDHAT.COM
user1.REDHAT.COM
user2.REDHAT.COM

====test commands on both machines with the same result.
$mount.cifs -o user=user1,uid=user1,sec=krb5 //dell-per910-02.lab.bos.redhat.com/public /mnt
#######success
$mount.cifs -o user=user1,uid=user1,sec=krb5 //ibm-x3655-03.ovirt.rhts.eng.bos.redhat.com/public /mnt
mount error(13): Permission denied
Refer to the mount.cifs(8) manual page (e.g. man mount.cifs)


#dell-per910-02.lab.bos.redhat.com
$ klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: user1.REDHAT.COM

Valid starting     Expires            Service principal
04/06/11 02:24:38  04/07/11 02:24:38  krbtgt/LAB.BOS.REDHAT.COM.REDHAT.COM
   ...........
04/06/11 02:25:52  04/07/11 02:24:38  host/dell-per910-02.lab.bos.redhat.com.REDHAT.COM
	renew until 04/06/11 02:24:38
04/06/11 02:37:23  04/07/11 02:24:38  host/ibm-x3655-03.ovirt.rhts.eng.bos.redhat.com.REDHAT.COM
	renew until 04/06/11 02:24:38

#ibm-x3655-03.ovirt.rhts.eng.bos.redhat.com
$ klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: user1.REDHAT.COM

Valid starting     Expires            Service principal
04/06/11 02:27:34  04/07/11 02:27:34  krbtgt/LAB.BOS.REDHAT.COM.REDHAT.COM
	renew until 04/06/11 02:27:34
04/06/11 02:27:55  04/07/11 02:27:34  host/dell-per910-02.lab.bos.redhat.com.REDHAT.COM
	renew until 04/06/11 02:27:34
04/06/11 02:39:58  04/07/11 02:27:34  host/ibm-x3655-03.ovirt.rhts.eng.bos.redhat.com.REDHAT.COM
	renew until 04/06/11 02:27:34

Comment 17 Jian Li 2011-04-06 08:33:23 UTC

Hi Jeff, now I am confused of how to test and what to test. This is what I do:

server(smb/kdc): dell-per910-02.lab.bos.redhat.com
	test0:x:10000:10000::/home/test0:/bin/bash
	test1:x:10001:10001::/home/test1:/bin/bash

	smb export : /tmp/test
	[root@dell-per910-02 ~]# ls /tmp/test -la
	total 12
	drwxrwxrwx. 2 root  root  4096 Apr  6 04:04 .
	drwxrwxrwt. 4 root  root  4096 Apr  6 03:59 ..

	principals 
	test0 test1(keytab is hold by both machines)

client: ibm-x3655-03.ovirt.rhts.eng.bos.redhat.com
	test0:x:10000:10000::/home/test0:/bin/bash
	test1:x:10001:10001::/home/test1:/bin/bash

	root$ kinit -k test0
	root$ mount.cifs -o sec=krb5,multiuser //dell-per910-02.lab.bos.redhat.com/public /mnt

	root$ ls -l /
	drwxrwxrwx.   2 root  root      0 Apr  6 04:04 mnt

	[root@ibm-x3655-03 ~]# cd /mnt; ls
	ls: reading directory .: Permission denied
 
	[root@ibm-x3655-03 mnt]# su test1
	[test1@ibm-x3655-03 mnt]$ pwd; ls
	/mnt
	ls: reading directory .: Permission denied

Comment 18 Jeff Layton 2011-04-07 00:26:27 UTC

(In reply to comment #17)
> Hi Jeff, now I am confused of how to test and what to test. This is what I do:
> 
> server(smb/kdc): dell-per910-02.lab.bos.redhat.com
>  test0:x:10000:10000::/home/test0:/bin/bash
>  test1:x:10001:10001::/home/test1:/bin/bash
> 
>  smb export : /tmp/test
>  [root@dell-per910-02 ~]# ls /tmp/test -la
>  total 12
>  drwxrwxrwx. 2 root  root  4096 Apr  6 04:04 .
>  drwxrwxrwt. 4 root  root  4096 Apr  6 03:59 ..
> 
>  principals 
>  test0 test1(keytab is hold by both machines)
> 
> client: ibm-x3655-03.ovirt.rhts.eng.bos.redhat.com
>  test0:x:10000:10000::/home/test0:/bin/bash
>  test1:x:10001:10001::/home/test1:/bin/bash
> 
>  root$ kinit -k test0
>  root$ mount.cifs -o sec=krb5,multiuser
> //dell-per910-02.lab.bos.redhat.com/public /mnt
> 
>  root$ ls -l /
>  drwxrwxrwx.   2 root  root      0 Apr  6 04:04 mnt
> 

Nothing else under '/' ? That's odd...

>  [root@ibm-x3655-03 ~]# cd /mnt; ls
>  ls: reading directory .: Permission denied
> 

So, the prompt changed here. Does this mean that you switched users or machines?

>  [root@ibm-x3655-03 mnt]# su test1
>  [test1@ibm-x3655-03 mnt]$ pwd; ls
>  /mnt
>  ls: reading directory .: Permission denied

Does 'test1' have a krb5 ticket in his credcache here? IOW, did you kinit as test1?

Comment 21 Jian Li 2011-04-11 06:06:04 UTC

Question is resolved, I am confused by SELINUX.

This bug is verified on this environment:

1. SERVER: [test0@intel-sugarbay-dh-01 test]$ uname -a
Linux intel-sugarbay-dh-01.rhts.eng.rdu.redhat.com 2.6.32-130.el6.x86_64 #1 SMP Tue Apr 5 19:58:31 EDT 2011 x86_64 x86_64 x86_64 GNU/Linux

2. CLIENT: [test1@hp-xw6600-01 test]$ uname -a
Linux hp-xw6600-01.rhts.eng.bos.redhat.com 2.6.32-130.el6.x86_64 #1 SMP Tue Apr 5 19:58:31 EDT 2011 x86_64 x86_64 x86_64 GNU/Linux

3. packages
samba-winbind-clients-3.5.6-86.el6.x86_64
samba-3.5.6-86.el6.x86_64
samba-common-3.5.6-86.el6.x86_64
krb5-devel-1.9-8.el6.x86_64
krb5-libs-1.9-8.el6.x86_64
krb5-workstation-1.9-8.el6.x86_64
krb5-server-1.9-8.el6.x86_64
cifs-utils-4.8.1-1.el6.x86_64

4. SELINUX is closed on both machines.
5. krb5.conf & smb.conf 
===krb5.conf
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = LAB.BOS.REDHAT.COM
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true
 allow_weak_crypto = true

[realms]
 LAB.BOS.REDHAT.COM = {
  kdc = intel-sugarbay-dh-01.rhts.eng.rdu.redhat.com
  admin_server = intel-sugarbay-dh-01.rhts.eng.rdu.redhat.com
 }

[domain_realm]
 .lab.bos.redhat.com = LAB.BOS.REDHAT.COM
 lab.bos.redhat.com = LAB.BOS.REDHAT.COM
======smb.conf
[global]
        workgroup = EXAMPLE
        realm =LAB.BOS.REDHAT.COM
        security = ads
        server signing = auto
        kerberos method = system keytab
[public]
        path = /tmp/test
        read only = no
        writable = yes
6. principals on kdc and users on both machins
======
kadmin.local:  list_principals 
K/M.REDHAT.COM
host/hp-xw6600-01.rhts.eng.bos.redhat.com.REDHAT.COM
host/intel-sugarbay-dh-01.rhts.eng.rdu.redhat.com.REDHAT.COM
kadmin/admin.REDHAT.COM
kadmin/changepw.REDHAT.COM
kadmin/intel-sugarbay-dh-01.rhts.eng.rdu.redhat.com.REDHAT.COM
krbtgt/LAB.BOS.REDHAT.COM.REDHAT.COM
test0.REDHAT.COM
test1.REDHAT.COM
======
test0:x:10000:10000::/home/test0:/bin/bash
test1:x:10001:10001::/home/test1:/bin/bash

test steps:
1. prepare a directory exported on SERVER
[root@intel-sugarbay-dh-01 test]# ls -la /mnt/test
total 4
drwxrwxrwx. 2 root root    0 Apr 11 01:59 .
drwxr-xr-x. 6 root root 4096 Apr 10 23:57 ..

2. mount on CLIENT
[root@hp-xw6600-01 mnt]# kinit -k test0
[root@hp-xw6600-01 mnt]# mount.cifs //intel-sugarbay-dh-01.rhts.eng.rdu.redhat.com/public /mnt/test -o sec=krb5,multiuser

3. create a file on CLIENT and check on SERVER
[root@hp-xw6600-01 mnt]# echo "hello from root(test0)" > test/test0
======CHANGE MACHINE
[root@intel-sugarbay-dh-01 test]# ls -l
total 4
-rw-r--r--. 1 test0 test0 23 Apr 11 02:02 test0
[root@intel-sugarbay-dh-01 test]# cat test0
hello from root(test0)

4. change to test1 on CLIENT and do sth without any pricipals
[test1@hp-xw6600-01 mnt]$ kdestroy
[test1@hp-xw6600-01 mnt]$ ls test
ls: cannot access test: Permission denied

5. get principal test1 on CLIENT and create a file and check on SERVER
[test1@hp-xw6600-01 mnt]$ kinit -k test1
[test1@hp-xw6600-01 mnt]$ echo "hello from test1" >> test/test1
======CHANGE MACHINE
[root@intel-sugarbay-dh-01 test]# ls -la
total 16
drwxrwxrwx. 2 root  root  4096 Apr 11 02:05 .
drwxrwxrwt. 4 root  root  4096 Apr 10 23:56 ..
-rw-r--r--. 1 test0 test0   23 Apr 11 02:02 test0
-rw-r--r--. 1 test1 test1   17 Apr 11 02:05 test1
[root@intel-sugarbay-dh-01 test]# cat test1 
hello from test1

Comment 22 Jian Li 2011-04-11 06:15:43 UTC

Another test is performed: 
1. 
[root@intel-sugarbay-dh-01 test]# echo "only test0" > onlytest0
[root@intel-sugarbay-dh-01 test]# chown test0:test0 onlytest0 
[root@intel-sugarbay-dh-01 test]# chmod 600 onlytest0 
[root@intel-sugarbay-dh-01 test]# ls -l
total 12
-rw-------. 1 test0 test0 11 Apr 11 02:08 onlytest0
-rw-r--r--. 1 test0 test0 23 Apr 11 02:02 test0
-rw-r--r--. 1 test1 test1 17 Apr 11 02:05 test1
========CHANGE MACHINE
[test1@hp-xw6600-01 test]$ cat onlytest0 
cat: onlytest0: Permission denied

2. mount without multiuser
[root@hp-xw6600-01 mnt]# mount.cifs //$SERVER/public /mnt/test -o sec=krb5
[test1@hp-xw6600-01 test]$ echo "hello from test1 without multiuser" > test1withoutmultiuser
bash: test1withoutmultiuser: Permission denied
=======CHANGE MACHINE
[root@intel-sugarbay-dh-01 test]# ls -la
total 20
drwxrwxrwx. 2 root  root  4096 Apr 11 02:13 .
drwxrwxrwt. 4 root  root  4096 Apr 10 23:56 ..
-rw-------. 1 test0 test0   11 Apr 11 02:08 onlytest0
-rw-r--r--. 1 test0 test0    0 Apr 11 02:13 test
-rw-r--r--. 1 test0 test0   23 Apr 11 02:02 test0
-rw-r--r--. 1 test1 test1   17 Apr 11 02:05 test1
-rw-r--r--. 1 test0 test0    0 Apr 11 02:12 test1withoutmultiuser

Comment 23 Jeff Layton 2011-04-11 11:27:08 UTC

Ok, so I take it this is resolved then?

It is correct that if you want to export data via samba with selinux enabled then you need to label the data correctly. See the samba_selinux(8) manpage for info on how to do this.

Comment 24 Jian Li 2011-04-12 05:59:14 UTC

Yes, I think the result is correct according to comment 0.
But there is still one problem:
  When kerberos'kdc and samba's server is NOT running on the same machine, mount.cifs will fail, just as comment 16 said.

(In reply to comment #23)
> Ok, so I take it this is resolved then?
> 
> It is correct that if you want to export data via samba with selinux enabled
> then you need to label the data correctly. See the samba_selinux(8) manpage for
> info on how to do this.

Comment 25 Jeff Layton 2011-04-12 11:06:35 UTC

I'm not sure why that would be, it sounds like maybe you had something misconfigured in that setup? It's a little unclear from the description. Either way, I don't think that's an issue with the client.

Comment 26 errata-xmlrpc 2011-05-23 20:27:15 UTC

An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on therefore solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHSA-2011-0542.html

Note You need to log in before you can comment on or make changes to this bug.