Bug 713009 - mount.cifs not working with a Kerberos mount using sec=krb5i
Summary: mount.cifs not working with a Kerberos mount using sec=krb5i
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: cifs-utils
Version: 6.1
Hardware: i686
OS: Linux
unspecified
high
Target Milestone: rc
Assignee: Jeff Layton
QA Contact: qe-baseos-daemons
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2011-06-13 21:43 UTC by Joshua McClintock
Modified: 2014-06-18 07:41 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2011-06-14 16:19:33 UTC
Target Upstream Version:



Description Joshua McClintock 2011-06-13 21:43:53 UTC
Description of problem:

Trying to mount a share using mount.cifs.  smbclient -k works.

Version-Release number of selected component (if applicable):


cifs-utils-4.8.1-2.el6.i686

How reproducible:

Always

Steps to Reproduce:
1. Set up share on Windows 2003 Server
2. Log in on RHEL6 box as an AD user and get a TGT
3. Try to mount cifs share:

-sh-4.1$ sudo mount -t cifs --verbose -o nodev,nosuid,sec=krb5i,user=jmcclintock //lwdemodc01.lwdemo.com/netshare /tmp/mount

  
Actual results:

[sudo] password for jmcclintock:
mount.cifs kernel mount options: ip=10.100.2.249,unc=\\lwdemodc01.lwdemo.com\netshare,nosuid,nodev,sec=krb5i,ver=1,user=jmcclintock,pass=********
mount error(126): Required key not available
Refer to the mount.cifs(8) manual page (e.g. man mount.cifs)



Expected results:

Mounted CIFS share


Additional info:

Jun 13 14:31:11 rhel6 cifs.upcall: key description: cifs.spnego;0;0;3f000000;ver=0x2;host=lwdemodc01.lwdemo.com;ip4=10.100.2.249;sec=krb5;uid=0x0;creduid=0x0;user=jmcclintock;pid=0x767
Jun 13 14:31:11 rhel6 cifs.upcall: find_krb5_cc: considering /tmp/krb5cc_0
Jun 13 14:31:11 rhel6 cifs.upcall: find_krb5_cc: FILE:/tmp/krb5cc_0 is not a valid credcache.
Jun 13 14:31:11 rhel6 cifs.upcall: find_krb5_cc: considering /tmp/krb5cc_2027947099
Jun 13 14:31:11 rhel6 cifs.upcall: find_krb5_cc: /tmp/krb5cc_2027947099 is owned by 2027947099, not 0
Jun 13 14:31:11 rhel6 cifs.upcall: handle_krb5_mech: getting service ticket for cifs/lwdemodc01.lwdemo.com
Jun 13 14:31:11 rhel6 cifs.upcall: cifs_krb5_get_req: unable to resolve (null) to ccache
Jun 13 14:31:11 rhel6 cifs.upcall: handle_krb5_mech: failed to obtain service ticket (-1765328245)
Jun 13 14:31:11 rhel6 cifs.upcall: handle_krb5_mech: getting service ticket for host/lwdemodc01.lwdemo.com
Jun 13 14:31:11 rhel6 cifs.upcall: cifs_krb5_get_req: unable to resolve (null) to ccache
Jun 13 14:31:11 rhel6 cifs.upcall: handle_krb5_mech: failed to obtain service ticket (-1765328245)


Ticket cache: FILE:/tmp/krb5cc_2027947099
Default principal: jmcclintock

Valid starting     Expires            Service principal
06/13/11 14:39:04  06/14/11 00:39:15  krbtgt/LWDEMO.COM
        renew until 06/14/11 02:39:04
06/13/11 14:39:15  06/14/11 00:39:15  host/rhel6.lwdemo.com@
        renew until 06/14/11 02:39:04
06/13/11 14:39:15  06/14/11 00:39:15  host/rhel6.lwdemo.com
        renew until 06/14/11 02:39:04
06/13/11 14:05:19  06/14/11 00:00:40  cifs/lwdemodc01.lwdemo.com
        renew until 06/14/11 02:00:33
-sh-4.1$


Something I'm noticing is that in the SMB negotiate exchange, Kerberos is not listed in the 'Requested Dialects'.

...N.SMBr............................+..LM1.2X002..LANMAN2.1..NT LM 0.12..POSIX

Comment 2 Jeff Layton 2011-06-14 10:13:01 UTC
You have these options:

     nodev,nosuid,sec=krb5i,user=jmcclintock

...and are doing the mount as root. I'm guessing from this:

Jun 13 14:31:11 rhel6 cifs.upcall: find_krb5_cc: FILE:/tmp/krb5cc_0 is not a valid credcache.
Jun 13 14:31:11 rhel6 cifs.upcall: find_krb5_cc: considering /tmp/krb5cc_2027947099
Jun 13 14:31:11 rhel6 cifs.upcall: find_krb5_cc: /tmp/krb5cc_2027947099 is owned by 2027947099, not 0

...that you got a krb5 ticket as user jmcclintock. If you intend to use that credcache to mount then you need to set the "creduid=" mount option to the uid that owns the credcache here.

I'm going to go ahead and set this as NOTABUG. Please reopen it if you want to discuss it further.

Comment 3 Joshua McClintock 2011-06-14 14:57:45 UTC
Hello Jeff, thank you for the tip, sorry about that.


After adding 'creduid=2027947099' now I'm getting this, also tried with my username:

error -1 (Unknown error 4294967295) opening credential file 2027947099

Comment 4 Jeff Layton 2011-06-14 15:44:43 UTC
oops, my bad... that option should be "cruid="

Comment 5 Joshua McClintock 2011-06-14 15:55:57 UTC
OK, gave that a try, but still seem to be getting close to the same result.  Do you know why it's saying (null) in the cifs_krb5_get_req?

Jun 14 08:49:07 rhel6 cifs.upcall: key description: cifs.spnego;0;0;3f000000;ver=0x2;host=lwdemodc01.lwdemo.com;ip4=10.100.2.249;sec=krb5;uid=0x0;creduid=0x0;user=jmcclintock;pid=0x8bf
Jun 14 08:49:07 rhel6 cifs.upcall: ver=2
Jun 14 08:49:07 rhel6 cifs.upcall: host=lwdemodc01.lwdemo.com
Jun 14 08:49:07 rhel6 cifs.upcall: ip=10.100.2.249
Jun 14 08:49:07 rhel6 cifs.upcall: sec=1
Jun 14 08:49:07 rhel6 cifs.upcall: uid=0
Jun 14 08:49:07 rhel6 cifs.upcall: creduid=0
Jun 14 08:49:07 rhel6 cifs.upcall: user=jmcclintock
Jun 14 08:49:07 rhel6 cifs.upcall: pid=2239
Jun 14 08:49:07 rhel6 cifs.upcall: find_krb5_cc: considering /tmp/krb5cc_0
Jun 14 08:49:07 rhel6 cifs.upcall: find_krb5_cc: FILE:/tmp/krb5cc_0 is not a valid credcache.
Jun 14 08:49:07 rhel6 cifs.upcall: find_krb5_cc: considering /tmp/krb5cc_2027947099
Jun 14 08:49:07 rhel6 cifs.upcall: find_krb5_cc: /tmp/krb5cc_2027947099 is owned by 2027947099, not 0
Jun 14 08:49:07 rhel6 cifs.upcall: krb5_get_init_creds_keytab: -1765328203
Jun 14 08:49:07 rhel6 cifs.upcall: handle_krb5_mech: getting service ticket for cifs/lwdemodc01.lwdemo.com
Jun 14 08:49:07 rhel6 cifs.upcall: cifs_krb5_get_req: unable to resolve (null) to ccache
Jun 14 08:49:07 rhel6 cifs.upcall: handle_krb5_mech: failed to obtain service ticket (-1765328245)
Jun 14 08:49:07 rhel6 cifs.upcall: handle_krb5_mech: getting service ticket for host/lwdemodc01.lwdemo.com
Jun 14 08:49:07 rhel6 cifs.upcall: cifs_krb5_get_req: unable to resolve (null) to ccache
Jun 14 08:49:07 rhel6 cifs.upcall: handle_krb5_mech: failed to obtain service ticket (-1765328245)

Comment 6 Joshua McClintock 2011-06-14 15:58:16 UTC
Also, when I do a strings on /usr/sbin/cifs.upcall for 'cruid', I don't see any matches.  Should I?

Comment 7 Jeff Layton 2011-06-14 16:07:52 UTC
The kernel is still passing creduid=0x0 to the upcall. What kernel are you using?
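
The diagnosis made in comments 2 through 7, as an added example that is not part of the original thread or of cifs-utils: a Python sketch that reads cifs.upcall log lines (copied from comment 5), decodes the hex creduid in the key description, and reports each credential cache rejected on ownership. The function names and the cruid_option parameter are assumptions of this example.

```python
import re

# Log lines copied from the cifs.upcall output in comment 5 of this report.
SAMPLE_LOG = """\
Jun 14 08:49:07 rhel6 cifs.upcall: key description: cifs.spnego;0;0;3f000000;ver=0x2;host=lwdemodc01.lwdemo.com;ip4=10.100.2.249;sec=krb5;uid=0x0;creduid=0x0;user=jmcclintock;pid=0x8bf
Jun 14 08:49:07 rhel6 cifs.upcall: find_krb5_cc: FILE:/tmp/krb5cc_0 is not a valid credcache.
Jun 14 08:49:07 rhel6 cifs.upcall: find_krb5_cc: considering /tmp/krb5cc_2027947099
Jun 14 08:49:07 rhel6 cifs.upcall: find_krb5_cc: /tmp/krb5cc_2027947099 is owned by 2027947099, not 0
Jun 14 08:49:07 rhel6 cifs.upcall: cifs_krb5_get_req: unable to resolve (null) to ccache
"""

KEY_RE = re.compile(r"cifs\.upcall: key description: cifs\.spnego;(\S+)")
OWNER_RE = re.compile(r"find_krb5_cc: (\S+) is owned by (\d+), not (\d+)")


def parse_key_description(desc):
    """Return the key=value fields of a ';'-separated cifs.spnego description."""
    return dict(p.split("=", 1) for p in desc.split(";") if "=" in p)


def triage(log_text, cruid_option=None):
    """Explain ccache ownership rejections seen in cifs.upcall log output.

    cruid_option is the uid the admin passed as cruid= on the mount command
    (None if the option was not used). It is an input of this sketch, not
    something cifs.upcall logs.
    """
    creduid, findings = None, []
    for line in log_text.splitlines():
        key = KEY_RE.search(line)
        if key:
            fields = parse_key_description(key.group(1))
            # The key description carries uids in hex, e.g. creduid=0x0.
            creduid = int(fields["creduid"], 16) if "creduid" in fields else None
            continue
        rejected = OWNER_RE.search(line)
        if not rejected:
            continue
        owner = int(rejected.group(2))
        if cruid_option is not None and creduid != cruid_option:
            verdict = "kernel did not pass cruid to the upcall"
        else:
            verdict = f"mount with cruid={owner}"
        findings.append({"ccache": rejected.group(1), "owner": owner,
                         "creduid": creduid, "verdict": verdict})
    return findings
```

Calling triage(SAMPLE_LOG) gives the first-pass advice (use cruid= with the cache owner's uid); calling it with cruid_option=2027947099 reproduces the comment 7 observation that the upcall still saw creduid=0x0.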

Comment 8 Jeff Layton 2011-06-14 16:08:59 UTC
(In reply to comment #6)
> Also, when I do a strings on /usr/sbin/cifs.upcall for 'cruid', I don't see any
> matches.  Should I?

No, cruid= is a mount option and has no direct relation to the string that the kernel passes to cifs.upcall to get krb5 tickets.

Comment 9 Jeff Layton 2011-06-14 16:10:09 UTC
> Something I'm noticing is that in the SMB negotiate exchange, Kerberos is not
> listed in the 'Requested Dialects'.
> 

It wouldn't be -- krb5 is an authentication mechanism (and is wrapped inside of SPNEGO and GSSAPI), not an SMB dialect.

Comment 10 Joshua McClintock 2011-06-14 16:14:34 UTC
Kernel:

2.6.32-71.el6.i686

Comment 11 Joshua McClintock 2011-06-14 16:17:24 UTC
Voilà!  Hadn't rebooted yet to get the kernel in 6.1, the command works now.  Thank you for your time Jeff!

Running this one now:

2.6.32-131.0.15.el6.i686

