* cifs autofs krb5i
@ 2012-11-07  0:33 sergio.conrad
  2012-11-07 11:56 ` Jeff Layton
  0 siblings, 1 reply; 11+ messages in thread
From: sergio.conrad @ 2012-11-07  0:33 UTC (permalink / raw)
  To: linux-cifs-u79uwXL29TY76Z2rM5mHXA

Hi,

I am using a test computer
kernel 2.6.32-279.11.1.el6.x86_64
joined to an Active directory with winbind

I am getting a Kerberos ticket with the authentication with 
/etc/security/pam_winbind.conf
krb5_auth = yes
krb5_ccache_type = FILE

/etc/request-key.conf is configured like this :
create cifs.spnego * * /usr/sbin/cifs.upcall %k
create dns_resolver * * /usr/sbin/cifs.upcall %k


I got the ticket from kerberos
[conrad3@centad5 ~]$ klist
Ticket cache: FILE:/tmp/krb5cc_16777217
Default principal: conrad3-10W9mfrL9XmlP7NgNAbZLA@public.gmane.org

Valid starting Expires Service principal
11/07/12 00:33:48 11/07/12 10:33:48 krbtgt/DOMAIN.LOCAL-10W9mfrL9XmlP7NgNAbZLA@public.gmane.org
renew until 11/14/12 00:33:48
11/07/12 00:33:48 11/07/12 10:33:48 CENTAD5$@DOMAIN.LOCAL
renew until 11/14/12 00:33:48
11/07/12 00:33:48 11/07/12 10:33:48 CENTAD5$@DOMAIN.LOCAL
renew until 11/14/12 00:33:48
11/07/12 00:41:57 11/07/12 10:33:48 cifs/figue-10W9mfrL9XmlP7NgNAbZLA@public.gmane.org
renew until 11/14/12 00:33:48


When I put an entry in fstab, everything works when I do mount /partage as a user
FSTAB
//figue/data/conrad4 /partage cifs sec=krb5i,user,nounix,file_mode=0700,dir_mode=0700,noauto
fs/cifs/cifs_spnego.c: key description = ver=0x2;host=figue;ip4=130.120.x.xx;sec=krb5;uid=0x1000001;creduid=0x1000001;user=conrad3;pid=0xc2d


However, I got a problem with fstab; it seems to not pass the creduid options, and I obtain
CIFS VFS: cifs_mount failed w/return code = -126

Here are my different autofs configurations, with the result in dmesg

AUTOFS
* -fstype=cifs,sec=krb5i,user=& ://figue/data/&
fs/cifs/cifs_spnego.c: key description = ver=0x2;host=figue;ip4=130.120.xx.xx;sec=krb5;uid=0x0;creduid=0x0;user=conrad3;pid=0xc6e

* -fstype=cifs,sec=krb5i,user=&,uid=& ://figue/data/&
fs/cifs/cifs_spnego.c: key description = ver=0x2;host=figue;ip4=130.120.xx.xx;sec=krb5;uid=0x1000001;creduid=0x0;user=conrad3;pid=0xd02

* -fstype=cifs,sec=krb5i,user=&,uid=&,creduid=& ://figue/data/&
fs/cifs/cifs_spnego.c: key description = ver=0x2;host=figue;ip4=130.120.xx.xx;sec=krb5;uid=0x1000001;creduid=0x0;user=conrad3;pid=0xd02

What could be done to use autofs?

Regards Serge


FULL DEBUG TRACE :

fs/cifs/cifsfs.c: Devname: //figue/data/conrad3 flags: 0
fs/cifs/connect.c: CIFS VFS: in cifs_mount as Xid: 99 with uid: 0
fs/cifs/connect.c: prefix path /conrad3
fs/cifs/connect.c: Username: conrad3
fs/cifs/connect.c: UNC: \\figue\data ip: 130.120.xx.xx
fs/cifs/connect.c: Socket created
fs/cifs/connect.c: sndbuf 23720 rcvbuf 87380 rcvtimeo 0x1b58
fs/cifs/connect.c: CIFS VFS: in cifs_get_smb_ses as Xid: 100 with uid: 0
fs/cifs/connect.c: Existing smb sess not found
fs/cifs/cifssmb.c: secFlags 0x1009
fs/cifs/cifssmb.c: Kerberos only mechanism, enable extended security
fs/cifs/transport.c: For smb_command 114
fs/cifs/transport.c: Sending smb: total_len 82
fs/cifs/connect.c: Demultiplex PID: 3332
fs/cifs/connect.c: rfc1002 length 0xc5
fs/cifs/transport.c: cifs_sync_mid_result: cmd=114 mid=1 state=4
fs/cifs/cifssmb.c: Dialect: 2
fs/cifs/asn1.c: OID len = 7 oid = 0x1 0x2 0x348 0xbb92
fs/cifs/asn1.c: OID len = 7 oid = 0x1 0x2 0x348 0x1bb92
fs/cifs/asn1.c: OID len = 8 oid = 0x1 0x2 0x348 0x1bb92
fs/cifs/asn1.c: OID len = 10 oid = 0x1 0x3 0x6 0x1
fs/cifs/asn1.c: Need to call asn1_octets_decode() function for not_defined_in_RFC4178@please_ignore
fs/cifs/cifssmb.c: Must sign - secFlags 0x1009
fs/cifs/cifssmb.c: negprot rc 0
fs/cifs/connect.c: Security Mode: 0xf Capabilities: 0x8001f3fd TimeAdjust: -3600
fs/cifs/sess.c: sess setup type 4
fs/cifs/cifs_spnego.c: key description = ver=0x2;host=figue;ip4=130.120.xx.xx;sec=krb5;uid=0x1000001;creduid=0x0;user=conrad3;pid=0xd02
fs/cifs/sess.c: ssetup freeing small buf ffff88003da91140
CIFS VFS: Send error in SessSetup = -126
fs/cifs/connect.c: CIFS VFS: leaving cifs_get_smb_ses (xid = 100) rc = -126
fs/cifs/connect.c: CIFS VFS: leaving cifs_mount (xid = 99) rc = -126
CIFS VFS: cifs_mount failed w/return code = -126



* Re: cifs autofs krb5i
  2012-11-07  0:33 cifs autofs krb5i sergio.conrad
@ 2012-11-07 11:56 ` Jeff Layton
       [not found]   ` <20121107065651.18dc9f63-9yPaYZwiELC+kQycOl6kW4xkIHaj4LzF@public.gmane.org>
  0 siblings, 1 reply; 11+ messages in thread
From: Jeff Layton @ 2012-11-07 11:56 UTC (permalink / raw)
  To: sergio.conrad; +Cc: linux-cifs-u79uwXL29TY76Z2rM5mHXA

On Wed, 07 Nov 2012 01:33:17 +0100
"sergio.conrad" <sergio.conrad-QFKgK+z4sOrR7s880joybQ@public.gmane.org> wrote:

> Hi,
> 
> I am using a test computer
> kernel 2.6.32-279.11.1.el6.x86_64
> joined to an Active directory with winbind
> 
> I am getting a Kerberos ticket with the authentication with 
> /etc/security/pam_winbind.conf
> krb5_auth = yes
> krb5_ccache_type = FILE
> 
> /etc/request-key.conf is configured like this :
> create cifs.spnego * * /usr/sbin/cifs.upcall %k
> create dns_resolver * * /usr/sbin/cifs.upcall %k
> 
> 
> I got the ticket from kerberos
> [conrad3@centad5 ~]$ klist
> Ticket cache: FILE:/tmp/krb5cc_16777217
> Default principal: conrad3-10W9mfrL9XmlP7NgNAbZLA@public.gmane.org
> 
> Valid starting Expires Service principal
> 11/07/12 00:33:48 11/07/12 10:33:48 krbtgt/DOMAIN.LOCAL-10W9mfrL9XmlP7NgNAbZLA@public.gmane.org
> renew until 11/14/12 00:33:48
> 11/07/12 00:33:48 11/07/12 10:33:48 CENTAD5$@DOMAIN.LOCAL
> renew until 11/14/12 00:33:48
> 11/07/12 00:33:48 11/07/12 10:33:48 CENTAD5$@DOMAIN.LOCAL
> renew until 11/14/12 00:33:48
> 11/07/12 00:41:57 11/07/12 10:33:48 cifs/figue-10W9mfrL9XmlP7NgNAbZLA@public.gmane.org
> renew until 11/14/12 00:33:48
> 
> 
> When I put an entry in fstab, everything works when I do mount /partage as a user
> FSTAB
> //figue/data/conrad4 /partage cifs sec=krb5i,user,nounix,file_mode=0700,dir_mode=0700,noauto
> fs/cifs/cifs_spnego.c: key description = ver=0x2;host=figue;ip4=130.120.x.xx;sec=krb5;uid=0x1000001;creduid=0x1000001;user=conrad3;pid=0xc2d
> 
> 
> However, I got a problem with fstab; it seems to not pass the creduid options, and I obtain
> CIFS VFS: cifs_mount failed w/return code = -126
> 
> Here are my different autofs configurations, with the result in dmesg
> 
> AUTOFS
> * -fstype=cifs,sec=krb5i,user=& ://figue/data/&
> fs/cifs/cifs_spnego.c: key description = ver=0x2;host=figue;ip4=130.120.xx.xx;sec=krb5;uid=0x0;creduid=0x0;user=conrad3;pid=0xc6e
> 
> * -fstype=cifs,sec=krb5i,user=&,uid=& ://figue/data/&
> fs/cifs/cifs_spnego.c: key description = ver=0x2;host=figue;ip4=130.120.xx.xx;sec=krb5;uid=0x1000001;creduid=0x0;user=conrad3;pid=0xd02
> 
> * -fstype=cifs,sec=krb5i,user=&,uid=&,creduid=& ://figue/data/&

That option should be "cruid=&". "creduid=" isn't a mount option.

-- 
Jeff Layton <jlayton-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>


* Re: cifs autofs krb5i
       [not found]   ` <20121107065651.18dc9f63-9yPaYZwiELC+kQycOl6kW4xkIHaj4LzF@public.gmane.org>
@ 2012-11-07 12:48     ` sergio.conrad
  2012-11-16 22:37     ` sergio.conrad
  1 sibling, 0 replies; 11+ messages in thread
From: sergio.conrad @ 2012-11-07 12:48 UTC (permalink / raw)
  To: Jeff Layton; +Cc: linux-cifs-u79uwXL29TY76Z2rM5mHXA




> Message of 07/11/12 12:56
> From: "Jeff Layton" 
> To: "sergio.conrad" 
> Cc: linux-cifs-u79uwXL29TY76Z2rM5mHXA@public.gmane.org
> Subject: Re: cifs autofs krb5i
>
> On Wed, 07 Nov 2012 01:33:17 +0100
> "sergio.conrad"  wrote:
> 
> > Hi,
> > 
> > I am using a test computer
> > kernel 2.6.32-279.11.1.el6.x86_64
> > joined to an Active directory with winbind
> > 
> > I am getting a Kerberos ticket with the authentication with 
> > /etc/security/pam_winbind.conf
> > krb5_auth = yes
> > krb5_ccache_type = FILE
> > 
> > /etc/request-key.conf is configured like this :
> > create cifs.spnego * * /usr/sbin/cifs.upcall %k
> > create dns_resolver * * /usr/sbin/cifs.upcall %k
> > 
> > 
> > I got the ticket from kerberos
> > [conrad3@centad5 ~]$ klist
> > Ticket cache: FILE:/tmp/krb5cc_16777217
> > Default principal: conrad3-10W9mfrL9XmlP7NgNAbZLA@public.gmane.org
> > 
> > Valid starting Expires Service principal
> > 11/07/12 00:33:48 11/07/12 10:33:48 krbtgt/DOMAIN.LOCAL-10W9mfrL9XkN2LvcTqJorw@public.gmane.orgL
> > renew until 11/14/12 00:33:48
> > 11/07/12 00:33:48 11/07/12 10:33:48 CENTAD5$@DOMAIN.LOCAL
> > renew until 11/14/12 00:33:48
> > 11/07/12 00:33:48 11/07/12 10:33:48 CENTAD5$@DOMAIN.LOCAL
> > renew until 11/14/12 00:33:48
> > 11/07/12 00:41:57 11/07/12 10:33:48 cifs/figue-10W9mfrL9XmlP7NgNAbZLA@public.gmane.org
> > renew until 11/14/12 00:33:48
> > 
> > 
> > When I put an entry in fstab, everything works when I do mount /partage as a user
> > FSTAB
> > //figue/data/conrad4 /partage cifs sec=krb5i,user,nounix,file_mode=0700,dir_mode=0700,noauto
> > fs/cifs/cifs_spnego.c: key description = ver=0x2;host=figue;ip4=130.120.x.xx;sec=krb5;uid=0x1000001;creduid=0x1000001;user=conrad3;pid=0xc2d
> > 
> > 
> > However, I got a problem with fstab; it seems to not pass the creduid options, and I obtain
> > CIFS VFS: cifs_mount failed w/return code = -126
> > 
> > Here are my different autofs configurations, with the result in dmesg
> > 
> > AUTOFS
> > * -fstype=cifs,sec=krb5i,user=& ://figue/data/&
> > fs/cifs/cifs_spnego.c: key description = ver=0x2;host=figue;ip4=130.120.xx.xx;sec=krb5;uid=0x0;creduid=0x0;user=conrad3;pid=0xc6e
> > 
> > * -fstype=cifs,sec=krb5i,user=&,uid=& ://figue/data/&
> > fs/cifs/cifs_spnego.c: key description = ver=0x2;host=figue;ip4=130.120.xx.xx;sec=krb5;uid=0x1000001;creduid=0x0;user=conrad3;pid=0xd02
> > 
> > * -fstype=cifs,sec=krb5i,user=&,uid=&,creduid=& ://figue/data/&
> 
> That option should be "cruid=&". "creduid=" isn't a mount option.
> 
> -- 
> Jeff Layton 
> 

Thanks, it is working. You saved me time.
There is a lack of documentation about these options on the internet.

Serge Conrad


* Re: cifs autofs krb5i
       [not found]   ` <20121107065651.18dc9f63-9yPaYZwiELC+kQycOl6kW4xkIHaj4LzF@public.gmane.org>
  2012-11-07 12:48     ` sergio.conrad
@ 2012-11-16 22:37     ` sergio.conrad
  2012-11-17  2:01       ` Jeff Layton
  1 sibling, 1 reply; 11+ messages in thread
From: sergio.conrad @ 2012-11-16 22:37 UTC (permalink / raw)
  To: Jeff Layton; +Cc: linux-cifs-u79uwXL29TY76Z2rM5mHXA

Hi,

I am able to connect to a cifs share on Windows 2008 with Kerberos security via autofs with this map:
* -fstype=cifs,sec=krb5i,user=&,uid=&,cruid=&,file_mode=0700,dir_mode=0700,nounix,noserverino ://figue/data/&

It is working fine with an alphanumeric login
fs/cifs/cifs_spnego.c: key description = ver=0x2;host=figue;ip4=130.120.8.11;sec=krb5;uid=0x1000001;creduid=0x1000001;user=conrad3;pid=0xd331


But if I use a numeric-only login like 12345678, I have a problem:
fs/cifs/cifs_spnego.c: key description = ver=0x2;host=figue;ip4=130.120.8.11;sec=krb5;uid=0xbc614e;creduid=0xbc614e;user=12345678;pid=0xe5db
fs/cifs/sess.c: ssetup freeing small buf ffff88003a838140
CIFS VFS: Send error in SessSetup = -126
fs/cifs/connect.c: CIFS VFS: leaving cifs_get_smb_ses (xid = 223) rc = -126
fs/cifs/connect.c: CIFS VFS: leaving cifs_mount (xid = 222) rc = -126
CIFS VFS: cifs_mount failed w/return code = -126

What can I do to solve this issue ?
Thanks in advance,
Serge

> Message of 07/11/12 12:57
> From: "Jeff Layton" 
> To: "sergio.conrad" 
> Cc: linux-cifs-u79uwXL29TY76Z2rM5mHXA@public.gmane.org
> Subject: Re: cifs autofs krb5i
>
> On Wed, 07 Nov 2012 01:33:17 +0100
> "sergio.conrad"  wrote:
> 
> > Hi,
> > 
> > I am using a test computer
> > kernel 2.6.32-279.11.1.el6.x86_64
> > joined to an Active directory with winbind
> > 
> > I am getting a Kerberos ticket with the authentication with 
> > /etc/security/pam_winbind.conf
> > krb5_auth = yes
> > krb5_ccache_type = FILE
> > 
> > /etc/request-key.conf is configured like this :
> > create cifs.spnego * * /usr/sbin/cifs.upcall %k
> > create dns_resolver * * /usr/sbin/cifs.upcall %k
> > 
> > 
> > I got the ticket from kerberos
> > [conrad3@centad5 ~]$ klist
> > Ticket cache: FILE:/tmp/krb5cc_16777217
> > Default principal: conrad3-10W9mfrL9XmlP7NgNAbZLA@public.gmane.org
> > 
> > Valid starting Expires Service principal
> > 11/07/12 00:33:48 11/07/12 10:33:48 krbtgt/DOMAIN.LOCAL-10W9mfrL9XkN2LvcTqJorw@public.gmane.orgL
> > renew until 11/14/12 00:33:48
> > 11/07/12 00:33:48 11/07/12 10:33:48 CENTAD5$@DOMAIN.LOCAL
> > renew until 11/14/12 00:33:48
> > 11/07/12 00:33:48 11/07/12 10:33:48 CENTAD5$@DOMAIN.LOCAL
> > renew until 11/14/12 00:33:48
> > 11/07/12 00:41:57 11/07/12 10:33:48 cifs/figue-10W9mfrL9XmlP7NgNAbZLA@public.gmane.org
> > renew until 11/14/12 00:33:48
> > 
> > 
> > When I put an entry in fstab, everything works when I do mount /partage as a user
> > FSTAB
> > //figue/data/conrad4 /partage cifs sec=krb5i,user,nounix,file_mode=0700,dir_mode=0700,noauto
> > fs/cifs/cifs_spnego.c: key description = ver=0x2;host=figue;ip4=130.120.x.xx;sec=krb5;uid=0x1000001;creduid=0x1000001;user=conrad3;pid=0xc2d
> > 
> > 
> > However, I got a problem with fstab; it seems to not pass the creduid options, and I obtain
> > CIFS VFS: cifs_mount failed w/return code = -126
> > 
> > Here are my different autofs configurations, with the result in dmesg
> > 
> > AUTOFS
> > * -fstype=cifs,sec=krb5i,user=& ://figue/data/&
> > fs/cifs/cifs_spnego.c: key description = ver=0x2;host=figue;ip4=130.120.xx.xx;sec=krb5;uid=0x0;creduid=0x0;user=conrad3;pid=0xc6e
> > 
> > * -fstype=cifs,sec=krb5i,user=&,uid=& ://figue/data/&
> > fs/cifs/cifs_spnego.c: key description = ver=0x2;host=figue;ip4=130.120.xx.xx;sec=krb5;uid=0x1000001;creduid=0x0;user=conrad3;pid=0xd02
> > 
> > * -fstype=cifs,sec=krb5i,user=&,uid=&,creduid=& ://figue/data/&
> 
> That option should be "cruid=&". "creduid=" isn't a mount option.
> 
> -- 
> Jeff Layton 
> 


* Re: cifs autofs krb5i
  2012-11-16 22:37     ` sergio.conrad
@ 2012-11-17  2:01       ` Jeff Layton
       [not found]         ` <20121116210141.33f983dc-4QP7MXygkU+dMjc06nkz3ljfA9RmPOcC@public.gmane.org>
  0 siblings, 1 reply; 11+ messages in thread
From: Jeff Layton @ 2012-11-17  2:01 UTC (permalink / raw)
  To: sergio.conrad; +Cc: linux-cifs-u79uwXL29TY76Z2rM5mHXA

On Fri, 16 Nov 2012 23:37:52 +0100
"sergio.conrad" <sergio.conrad-QFKgK+z4sOrR7s880joybQ@public.gmane.org> wrote:

> Hi,
> 
> I am able to connect to a cifs share on Windows 2008 with Kerberos security via autofs with this map:
> * -fstype=cifs,sec=krb5i,user=&,uid=&,cruid=&,file_mode=0700,dir_mode=0700,nounix,noserverino ://figue/data/&
> 
> It is working fine with an alphanumeric login
> fs/cifs/cifs_spnego.c: key description = ver=0x2;host=figue;ip4=130.120.8.11;sec=krb5;uid=0x1000001;creduid=0x1000001;user=conrad3;pid=0xd331
> 
> 
> But if I use a numeric-only login like 12345678, I have a problem:
> fs/cifs/cifs_spnego.c: key description = ver=0x2;host=figue;ip4=130.120.8.11;sec=krb5;uid=0xbc614e;creduid=0xbc614e;user=12345678;pid=0xe5db
> fs/cifs/sess.c: ssetup freeing small buf ffff88003a838140
> CIFS VFS: Send error in SessSetup = -126
> fs/cifs/connect.c: CIFS VFS: leaving cifs_get_smb_ses (xid = 223) rc = -126
> fs/cifs/connect.c: CIFS VFS: leaving cifs_mount (xid = 222) rc = -126
> CIFS VFS: cifs_mount failed w/return code = -126
> 
> What can I do to solve this issue ?


cifs.upcall logs at daemon.debug level. Set up syslog to log that and
you'll get some details about what it's doing.

-- 
Jeff Layton <jlayton-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>


* Re: cifs autofs krb5i
       [not found]         ` <20121116210141.33f983dc-4QP7MXygkU+dMjc06nkz3ljfA9RmPOcC@public.gmane.org>
@ 2012-11-17  7:53           ` sergio.conrad
  2012-11-17 10:44             ` Jeff Layton
  0 siblings, 1 reply; 11+ messages in thread
From: sergio.conrad @ 2012-11-17  7:53 UTC (permalink / raw)
  To: Jeff Layton; +Cc: linux-cifs-u79uwXL29TY76Z2rM5mHXA




> Message of 17/11/12 03:01
> From: "Jeff Layton" 
> To: "sergio.conrad" 
> Cc: linux-cifs-u79uwXL29TY76Z2rM5mHXA@public.gmane.org
> Subject: Re: cifs autofs krb5i
>
> On Fri, 16 Nov 2012 23:37:52 +0100
> "sergio.conrad"  wrote:
> 
> > Hi,
> > 
> > I am able to connect to a cifs share on Windows 2008 with Kerberos security via autofs with this map:
> > * -fstype=cifs,sec=krb5i,user=&,uid=&,cruid=&,file_mode=0700,dir_mode=0700,nounix,noserverino ://figue/data/&
> > 
> > It is working fine with an alphanumeric login
> > fs/cifs/cifs_spnego.c: key description = ver=0x2;host=figue;ip4=130.120.8.11;sec=krb5;uid=0x1000001;creduid=0x1000001;user=conrad3;pid=0xd331
> > 
> > 
> > But if I use a numeric-only login like 12345678, I have a problem:
> > fs/cifs/cifs_spnego.c: key description = ver=0x2;host=figue;ip4=130.120.8.11;sec=krb5;uid=0xbc614e;creduid=0xbc614e;user=12345678;pid=0xe5db
> > fs/cifs/sess.c: ssetup freeing small buf ffff88003a838140
> > CIFS VFS: Send error in SessSetup = -126
> > fs/cifs/connect.c: CIFS VFS: leaving cifs_get_smb_ses (xid = 223) rc = -126
> > fs/cifs/connect.c: CIFS VFS: leaving cifs_mount (xid = 222) rc = -126
> > CIFS VFS: cifs_mount failed w/return code = -126
> > 
> > What can I do to solve this issue ?
> 
> 
> cifs.upcall logs at daemon.debug level. Set up syslog to log that and
> you'll get some details about what it's doing.
> 
> -- 
> Jeff Layton 
> 

Thanks for your response, 
I got the error 
Nov 17 08:42:53 centad5 cifs.upcall: find_krb5_cc: /tmp/krb5cc_16777221 is owned by 16777221, not 12345678

Perhaps it is a confusion about the uid and the login in a numeric value

[12345678@centad5 ~]$ id
uid=16777221(12345678) gid=16777216(utilisateurs du domaine) groupes=16777216(utilisateurs du domaine),16777217(profs)

The full log is :

Nov 17 08:42:53 centad5 cifs.upcall: key description: cifs.spnego;0;0;3f000000;ver=0x2;host=figue;ip4=130.120.8.11;sec=krb5;uid=0xbc614e;creduid=0xbc614e;user=12345678;pid=0x9b5
Nov 17 08:42:53 centad5 cifs.upcall: ver=2
Nov 17 08:42:53 centad5 cifs.upcall: host=figue
Nov 17 08:42:53 centad5 cifs.upcall: ip=130.120.8.11
Nov 17 08:42:53 centad5 cifs.upcall: sec=1
Nov 17 08:42:53 centad5 cifs.upcall: uid=12345678
Nov 17 08:42:53 centad5 cifs.upcall: creduid=12345678
Nov 17 08:42:53 centad5 cifs.upcall: user=12345678
Nov 17 08:42:53 centad5 cifs.upcall: pid=2485
Nov 17 08:42:53 centad5 cifs.upcall: find_krb5_cc: considering /tmp/krb5cc_16777221
Nov 17 08:42:53 centad5 cifs.upcall: find_krb5_cc: /tmp/krb5cc_16777221 is owned by 16777221, not 12345678
Nov 17 08:42:53 centad5 cifs.upcall: find_krb5_cc: considering /tmp/krb5cc_16777216
Nov 17 08:42:53 centad5 cifs.upcall: find_krb5_cc: /tmp/krb5cc_16777216 is owned by 16777216, not 12345678
Nov 17 08:42:53 centad5 cifs.upcall: krb5_get_init_creds_keytab: 13
Nov 17 08:42:53 centad5 cifs.upcall: handle_krb5_mech: getting service ticket for figue
Nov 17 08:42:53 centad5 cifs.upcall: cifs_krb5_get_req: unable to resolve (null) to ccache
@

Bye,
Serge Conrad




* Re: cifs autofs krb5i
  2012-11-17  7:53           ` sergio.conrad
@ 2012-11-17 10:44             ` Jeff Layton
       [not found]               ` <20121117054429.0212dd49-9yPaYZwiELC+kQycOl6kW4xkIHaj4LzF@public.gmane.org>
  0 siblings, 1 reply; 11+ messages in thread
From: Jeff Layton @ 2012-11-17 10:44 UTC (permalink / raw)
  To: sergio.conrad; +Cc: linux-cifs-u79uwXL29TY76Z2rM5mHXA

On Sat, 17 Nov 2012 08:53:02 +0100
"sergio.conrad" <sergio.conrad-QFKgK+z4sOrR7s880joybQ@public.gmane.org> wrote:

> 
> 
> 
> > Message of 17/11/12 03:01
> > From: "Jeff Layton" 
> > To: "sergio.conrad" 
> > Cc: linux-cifs-u79uwXL29TY76Z2rM5mHXA@public.gmane.org
> > Subject: Re: cifs autofs krb5i
> >
> > On Fri, 16 Nov 2012 23:37:52 +0100
> > "sergio.conrad"  wrote:
> > 
> > > Hi,
> > > 
> > > I am able to connect to a cifs share on Windows 2008 with Kerberos security via autofs with this map:
> > > * -fstype=cifs,sec=krb5i,user=&,uid=&,cruid=&,file_mode=0700,dir_mode=0700,nounix,noserverino ://figue/data/&
> > > 
> > > It is working fine with an alphanumeric login
> > > fs/cifs/cifs_spnego.c: key description = ver=0x2;host=figue;ip4=130.120.8.11;sec=krb5;uid=0x1000001;creduid=0x1000001;user=conrad3;pid=0xd331
> > > 
> > > 
> > > But if I use a numeric-only login like 12345678, I have a problem:
> > > fs/cifs/cifs_spnego.c: key description = ver=0x2;host=figue;ip4=130.120.8.11;sec=krb5;uid=0xbc614e;creduid=0xbc614e;user=12345678;pid=0xe5db
> > > fs/cifs/sess.c: ssetup freeing small buf ffff88003a838140
> > > CIFS VFS: Send error in SessSetup = -126
> > > fs/cifs/connect.c: CIFS VFS: leaving cifs_get_smb_ses (xid = 223) rc = -126
> > > fs/cifs/connect.c: CIFS VFS: leaving cifs_mount (xid = 222) rc = -126
> > > CIFS VFS: cifs_mount failed w/return code = -126
> > > 
> > > What can I do to solve this issue ?
> > 
> > 
> > cifs.upcall logs at daemon.debug level. Set up syslog to log that and
> > you'll get some details about what it's doing.
> > 
> > -- 
> > Jeff Layton 
> > 
> 
> Thanks for your response, 
> I got the error 
> Nov 17 08:42:53 centad5 cifs.upcall: find_krb5_cc: /tmp/krb5cc_16777221 is owned by 16777221, not 12345678
> 
> Perhaps it is a confusion about the uid and the login in a numeric value
> 
> [12345678@centad5 ~]$ id
> uid=16777221(12345678) gid=16777216(utilisateurs du domaine) groupes=16777216(utilisateurs du domaine),16777217(profs)
> 
> The full log is :
> 
> Nov 17 08:42:53 centad5 cifs.upcall: key description: cifs.spnego;0;0;3f000000;ver=0x2;host=figue;ip4=130.120.8.11;sec=krb5;uid=0xbc614e;creduid=0xbc614e;user=12345678;pid=0x9b5
> Nov 17 08:42:53 centad5 cifs.upcall: ver=2
> Nov 17 08:42:53 centad5 cifs.upcall: host=figue
> Nov 17 08:42:53 centad5 cifs.upcall: ip=130.120.8.11
> Nov 17 08:42:53 centad5 cifs.upcall: sec=1
> Nov 17 08:42:53 centad5 cifs.upcall: uid=12345678
> Nov 17 08:42:53 centad5 cifs.upcall: creduid=12345678
> Nov 17 08:42:53 centad5 cifs.upcall: user=12345678
> Nov 17 08:42:53 centad5 cifs.upcall: pid=2485
> Nov 17 08:42:53 centad5 cifs.upcall: find_krb5_cc: considering /tmp/krb5cc_16777221
> Nov 17 08:42:53 centad5 cifs.upcall: find_krb5_cc: /tmp/krb5cc_16777221 is owned by 16777221, not 12345678
> Nov 17 08:42:53 centad5 cifs.upcall: find_krb5_cc: considering /tmp/krb5cc_16777216
> Nov 17 08:42:53 centad5 cifs.upcall: find_krb5_cc: /tmp/krb5cc_16777216 is owned by 16777216, not 12345678
> Nov 17 08:42:53 centad5 cifs.upcall: krb5_get_init_creds_keytab: 13
> Nov 17 08:42:53 centad5 cifs.upcall: handle_krb5_mech: getting service ticket for figue
> Nov 17 08:42:53 centad5 cifs.upcall: cifs_krb5_get_req: unable to resolve (null) to ccache
> @

What a bizarre setup you have. I imagine all sorts of things get
confused by numeric usernames. Many programs will assume that when
given a numeric username that it's a uid, not a name. You might
reconsider that setup -- maybe prefix the numbers with a letter or
something...

In any case, it does seem like there is confusion somewhere with
numeric uids, but I don't think that confusion is with cifs.upcall. If
that is the correct credcache for this user, then it looks like it's
being created with the wrong ownership.

What does the output of "klist" look like when you're logged in as this
user?

How about the output of "stat /tmp/krb5cc_16777216" ?

-- 
Jeff Layton <jlayton-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
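
Added example (not part of the thread and not code from cifs-utils): a small Python triage helper for the log lines quoted above. It decodes the hex uid/creduid fields of the cifs.spnego key description and classifies the two failures seen in this thread, a creduid of 0 when cruid= is not passed and a creduid equal to the numeric login read as a decimal uid. The PASSWD table, the function names and the verdict strings are assumptions of the example; the sample lines are constructed from the output shown in the thread.

```python
import re

# Constructed sample input, shaped like the dmesg and daemon.debug lines
# quoted in the thread (one working mount, one without cruid=, one numeric login).
SAMPLE_LOG = """\
fs/cifs/cifs_spnego.c: key description = ver=0x2;host=figue;ip4=130.120.8.11;sec=krb5;uid=0x1000001;creduid=0x1000001;user=conrad3;pid=0xd331
fs/cifs/cifs_spnego.c: key description = ver=0x2;host=figue;ip4=130.120.8.11;sec=krb5;uid=0x1000001;creduid=0x0;user=conrad3;pid=0xd02
cifs.upcall: key description: cifs.spnego;0;0;3f000000;ver=0x2;host=figue;ip4=130.120.8.11;sec=krb5;uid=0xbc614e;creduid=0xbc614e;user=12345678;pid=0x9b5
cifs.upcall: find_krb5_cc: /tmp/krb5cc_16777221 is owned by 16777221, not 12345678
"""

# Assumption: stand-in for getpwnam(), filled from the `id` and `klist`
# output in the thread so the example runs offline.
PASSWD = {"conrad3": 16777217, "12345678": 16777221}

KEY_RE = re.compile(r"key description\s*[=:]\s*(\S+)")
OWNER_RE = re.compile(r"find_krb5_cc: (\S+) is owned by (\d+), not (\d+)")
HEX_FIELDS = ("ver", "uid", "creduid", "pid")


def parse_key_description(desc):
    """Split a ';'-separated key description into a dict.

    Parts without '=' (the 'cifs.spnego;0;0;3f000000' prefix that
    cifs.upcall logs) are skipped; hex fields are converted to int.
    """
    fields = {}
    for part in desc.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            fields[key] = int(value, 16) if key in HEX_FIELDS else value
    return fields


def diagnose(fields, passwd):
    """Compare creduid with the uid the login name should resolve to."""
    user = fields.get("user")
    creduid = fields.get("creduid")
    expected = passwd.get(user)
    if expected is None:
        return "unknown-user"
    if creduid == expected:
        return "ok"
    if creduid == 0:
        # The upcall will look for root's credential cache, not the user's.
        return "cruid-missing"
    if user.isdigit() and creduid == int(user):
        # The login string itself was taken as a decimal uid.
        return "numeric-login-read-as-uid"
    return "creduid-mismatch"


def scan(log_text, passwd):
    """Return (findings, rejected_caches) for a block of log text.

    findings: (user, creduid, verdict) per key description line.
    rejected_caches: (path, owner_uid, wanted_uid) per find_krb5_cc
    ownership rejection.
    """
    findings, rejected = [], []
    for line in log_text.splitlines():
        match = KEY_RE.search(line)
        if match:
            fields = parse_key_description(match.group(1))
            findings.append(
                (fields.get("user"), fields.get("creduid"), diagnose(fields, passwd))
            )
            continue
        match = OWNER_RE.search(line)
        if match:
            rejected.append((match.group(1), int(match.group(2)), int(match.group(3))))
    return findings, rejected


if __name__ == "__main__":
    found, skipped = scan(SAMPLE_LOG, PASSWD)
    for user, creduid, verdict in found:
        print(f"user={user} creduid={creduid} -> {verdict}")
    for path, owner, wanted in skipped:
        print(f"{path}: owner {owner}, upcall wanted {wanted}")
```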


* Re: cifs autofs krb5i
       [not found]               ` <20121117054429.0212dd49-9yPaYZwiELC+kQycOl6kW4xkIHaj4LzF@public.gmane.org>
@ 2012-11-17 13:56                 ` sergio.conrad
  2012-11-17 15:28                   ` Jeff Layton
  0 siblings, 1 reply; 11+ messages in thread
From: sergio.conrad @ 2012-11-17 13:56 UTC (permalink / raw)
  To: Jeff Layton; +Cc: linux-cifs-u79uwXL29TY76Z2rM5mHXA




> Message of 17/11/12 11:44
> From: "Jeff Layton" 
> To: "sergio.conrad" 
> Cc: linux-cifs-u79uwXL29TY76Z2rM5mHXA@public.gmane.org
> Subject: Re: cifs autofs krb5i
>
> On Sat, 17 Nov 2012 08:53:02 +0100
> "sergio.conrad"  wrote:
> 
> > 
> > 
> > 
> > > Message of 17/11/12 03:01
> > > From: "Jeff Layton" 
> > > To: "sergio.conrad" 
> > > Cc: linux-cifs-u79uwXL29TY76Z2rM5mHXA@public.gmane.org
> > > Subject: Re: cifs autofs krb5i
> > >
> > > On Fri, 16 Nov 2012 23:37:52 +0100
> > > "sergio.conrad" wrote:
> > > 
> > > > Hi,
> > > > 
> > > > I am able to connect to a cifs share on Windows 2008 with Kerberos security via autofs with this map:
> > > > * -fstype=cifs,sec=krb5i,user=&,uid=&,cruid=&,file_mode=0700,dir_mode=0700,nounix,noserverino ://figue/data/&
> > > > 
> > > > It is working fine with an alphanumeric login
> > > > fs/cifs/cifs_spnego.c: key description = ver=0x2;host=figue;ip4=130.120.8.11;sec=krb5;uid=0x1000001;creduid=0x1000001;user=conrad3;pid=0xd331
> > > > 
> > > > 
> > > > But if I use a numeric-only login like 12345678, I have a problem:
> > > > fs/cifs/cifs_spnego.c: key description = ver=0x2;host=figue;ip4=130.120.8.11;sec=krb5;uid=0xbc614e;creduid=0xbc614e;user=12345678;pid=0xe5db
> > > > fs/cifs/sess.c: ssetup freeing small buf ffff88003a838140
> > > > CIFS VFS: Send error in SessSetup = -126
> > > > fs/cifs/connect.c: CIFS VFS: leaving cifs_get_smb_ses (xid = 223) rc = -126
> > > > fs/cifs/connect.c: CIFS VFS: leaving cifs_mount (xid = 222) rc = -126
> > > > CIFS VFS: cifs_mount failed w/return code = -126
> > > > 
> > > > What can I do to solve this issue ?
> > > 
> > > 
> > > cifs.upcall logs at daemon.debug level. Set up syslog to log that and
> > > you'll get some details about what it's doing.
> > > 
> > > -- 
> > > Jeff Layton 
> > > 
> > 
> > Thanks for your response, 
> > I got the error 
> > Nov 17 08:42:53 centad5 cifs.upcall: find_krb5_cc: /tmp/krb5cc_16777221 is owned by 16777221, not 12345678
> > 
> > Perhaps it is a confusion about the uid and the login in a numeric value
> > 
> > [12345678@centad5 ~]$ id
> > uid=16777221(12345678) gid=16777216(utilisateurs du domaine) groupes=16777216(utilisateurs du domaine),16777217(profs)
> > 
> > The full log is :
> > 
> > Nov 17 08:42:53 centad5 cifs.upcall: key description: cifs.spnego;0;0;3f000000;ver=0x2;host=figue;ip4=130.120.8.11;sec=krb5;uid=0xbc614e;creduid=0xbc614e;user=12345678;pid=0x9b5
> > Nov 17 08:42:53 centad5 cifs.upcall: ver=2
> > Nov 17 08:42:53 centad5 cifs.upcall: host=figue
> > Nov 17 08:42:53 centad5 cifs.upcall: ip=130.120.8.11
> > Nov 17 08:42:53 centad5 cifs.upcall: sec=1
> > Nov 17 08:42:53 centad5 cifs.upcall: uid=12345678
> > Nov 17 08:42:53 centad5 cifs.upcall: creduid=12345678
> > Nov 17 08:42:53 centad5 cifs.upcall: user=12345678
> > Nov 17 08:42:53 centad5 cifs.upcall: pid=2485
> > Nov 17 08:42:53 centad5 cifs.upcall: find_krb5_cc: considering /tmp/krb5cc_16777221
> > Nov 17 08:42:53 centad5 cifs.upcall: find_krb5_cc: /tmp/krb5cc_16777221 is owned by 16777221, not 12345678
> > Nov 17 08:42:53 centad5 cifs.upcall: find_krb5_cc: considering /tmp/krb5cc_16777216
> > Nov 17 08:42:53 centad5 cifs.upcall: find_krb5_cc: /tmp/krb5cc_16777216 is owned by 16777216, not 12345678
> > Nov 17 08:42:53 centad5 cifs.upcall: krb5_get_init_creds_keytab: 13
> > Nov 17 08:42:53 centad5 cifs.upcall: handle_krb5_mech: getting service ticket for figue
> > Nov 17 08:42:53 centad5 cifs.upcall: cifs_krb5_get_req: unable to resolve (null) to ccache
> > @
> 
> What a bizarre setup you have. I imagine all sorts of things get
> confused by numeric usernames. Many programs will assume that when
> given a numeric username that it's a uid, not a name. You might
> reconsider that setup -- maybe prefix the numbers with a letter or
> something...
> 
It seems it is a little late for this; we are already in a production state with Active 
Directory and winbind for authentication, Windows 2008 as a cifs server, Fedora 15 for the 
client, and pam_mount for mounting partitions.
As we are experiencing some "CIFS VFS: Unexpected SMB signature" errors with this, 
I am testing some other ways...

> In any case, it does seem like there is confusion somewhere with
> numeric uids, but I don't think that confusion is with cifs.upcall. If
> that is the correct credcache for this user, then it looks like its
> being created with the wrong ownership.
> 
> What does the output of "klist" look like when you're logged in as this
> user?
> 

[12345678@centad5 ~]$ klist
Ticket cache: FILE:/tmp/krb5cc_16777221
Default principal: 12345678-10W9mfrL9XmlP7NgNAbZLA@public.gmane.org

Valid starting Expires Service principal
11/17/12 14:34:04 11/18/12 00:34:04 krbtgt/DOMAIN.LOCAL-10W9mfrL9XmlP7NgNAbZLA@public.gmane.org
renew until 11/24/12 14:34:04
11/17/12 14:34:04 11/18/12 00:34:04 CENTAD5$@DOMAIN.LOCAL
renew until 11/24/12 14:34:04
11/17/12 14:34:04 11/18/12 00:34:04 CENTAD5$@DOMAIN.LOCAL
renew until 11/24/12 14:34:04
[12345678@centad5 ~]$

> How about the output of "stat /tmp/krb5cc_16777216" ?

16777216 or 16777221 ? 
I did it for the two files 

[12345678@centad5 ~]$ id
uid=16777221(12345678) gid=16777216(utilisateurs du domaine) groupes=16777216(utilisateurs du domaine),16777217(profs)
[12345678@centad5 ~]$


[12345678@centad5 ~]$ stat /tmp/krb5cc_16777221 
File: « /tmp/krb5cc_16777221 »
Size: 3830 Blocks: 8 IO Block: 4096 fichier
Device: 801h/2049d Inode: 1985377 Links: 1
Access: (0600/-rw-------) Uid: (16777221/12345678) Gid: ( 0/ root)
Access: 2012-11-17 14:41:37.056868612 +0100
Modify: 2012-11-17 14:41:32.251850184 +0100
Change: 2012-11-17 14:41:32.251850184 +0100


[12345678@centad5 ~]$ stat /tmp/krb5cc_16777216 
File: « /tmp/krb5cc_16777216 »
Size: 3751 Blocks: 8 IO Block: 4096 fichier
Device: 801h/2049d Inode: 1966082 Links: 1
Access: (0600/-rw-------) Uid: (16777216/ conrad5) Gid: ( 0/ root)
Access: 2012-11-16 23:11:47.948511483 +0100
Modify: 2012-11-16 23:11:47.948511483 +0100
Change: 2012-11-16 23:11:47.948511483 +0100
> 
> -- 
> Jeff Layton 
> 


* Re: cifs autofs krb5i
  2012-11-17 13:56                 ` sergio.conrad
@ 2012-11-17 15:28                   ` Jeff Layton
       [not found]                     ` <20121117102824.7d7f985e-9yPaYZwiELC+kQycOl6kW4xkIHaj4LzF@public.gmane.org>
  0 siblings, 1 reply; 11+ messages in thread
From: Jeff Layton @ 2012-11-17 15:28 UTC (permalink / raw)
  To: sergio.conrad; +Cc: linux-cifs-u79uwXL29TY76Z2rM5mHXA

On Sat, 17 Nov 2012 14:56:54 +0100
"sergio.conrad" <sergio.conrad-QFKgK+z4sOrR7s880joybQ@public.gmane.org> wrote:

> 
> 
> 
> > Message of 17/11/12 11:44
> > From: "Jeff Layton"
> > To: "sergio.conrad"
> > Cc: linux-cifs-u79uwXL29TY76Z2rM5mHXA@public.gmane.org
> > Subject: Re: cifs autofs krb5i
> >
> > On Sat, 17 Nov 2012 08:53:02 +0100
> > "sergio.conrad"  wrote:
> > 
> > > 
> > > 
> > > 
> > > > Message of 17/11/12 03:01
> > > > From: "Jeff Layton"
> > > > To: "sergio.conrad"
> > > > Cc: linux-cifs-u79uwXL29TY76Z2rM5mHXA@public.gmane.org
> > > > Subject: Re: cifs autofs krb5i
> > > >
> > > > On Fri, 16 Nov 2012 23:37:52 +0100
> > > > "sergio.conrad" wrote:
> > > > 
> > > > > Hi,
> > > > > 
> > > > > I am able to connect to cifs share on Windows 2008 with Kerberos security via 
> autofs 
> > > with 
> > > > > this map : 
> > > > > * -
> > > > > 
> > > 
> fstype=cifs,sec=krb5i,user=&,uid=&,cruid=&,file_mode=0700,dir_mode=0700,nounix,noserverin
> > > > > o ://figue/data/&
> > > > > 
> > > > > Is it working fine with alpha numeric login 
> > > > > fs/cifs/cifs_spnego.c: key description = 
> > > > > 
> > > 
> ver=0x2;host=figue;ip4=130.120.8.11;sec=krb5;uid=0x1000001;creduid=0x1000001;user=conrad3
> > > > > ;pid=0xd331
> > > > > 
> > > > > 
> > > > > But if i use numeric only login like 12345678 i have a problem :
> > > > > fs/cifs/cifs_spnego.c: key description = 
> > > > > 
> > > 
> ver=0x2;host=figue;ip4=130.120.8.11;sec=krb5;uid=0xbc614e;creduid=0xbc614e;user=12345678;
> > > > > pid=0xe5db
> > > > > fs/cifs/sess.c: ssetup freeing small buf ffff88003a838140
> > > > > CIFS VFS: Send error in SessSetup = -126
> > > > > fs/cifs/connect.c: CIFS VFS: leaving cifs_get_smb_ses (xid = 223) rc = -126
> > > > > fs/cifs/connect.c: CIFS VFS: leaving cifs_mount (xid = 222) rc = -126
> > > > > CIFS VFS: cifs_mount failed w/return code = -126
> > > > > 
> > > > > What can I do to solve this issue ?
> > > > 
> > > > 
> > > > cifs.upcall logs at daemon.debug level. Set up syslog to log that and
> > > > you'll get some details about what it's doing.
> > > > 
> > > > -- 
> > > > Jeff Layton 
> > > > 
> > > 
> > > Thanks for your response, 
> > > I got the error 
> > > Nov 17 08:42:53 centad5 cifs.upcall: find_krb5_cc: /tmp/krb5cc_16777221 is owned by 
> > > 16777221, not 12345678
> > > 
> > > Perhaps it is a confusion about the uid and the login in a numeric value
> > > 
> > > [12345678@centad5 ~]$ id
> > > uid=16777221(12345678) gid=16777216(utilisateurs du domaine) 
> > > groupes=16777216(utilisateurs du domaine),16777217(profs)
> > > 
> > > The full log is :
> > > 
> > > Nov 17 08:42:53 centad5 cifs.upcall: key description: 
> > > 
> cifs.spnego;0;0;3f000000;ver=0x2;host=figue;ip4=130.120.8.11;sec=krb5;uid=0xbc614e;credui
> > > d=0xbc614e;user=12345678;pid=0x9b5
> > > Nov 17 08:42:53 centad5 cifs.upcall: ver=2
> > > Nov 17 08:42:53 centad5 cifs.upcall: host=figue
> > > Nov 17 08:42:53 centad5 cifs.upcall: ip=130.120.8.11
> > > Nov 17 08:42:53 centad5 cifs.upcall: sec=1
> > > Nov 17 08:42:53 centad5 cifs.upcall: uid=12345678
> > > Nov 17 08:42:53 centad5 cifs.upcall: creduid=12345678
> > > Nov 17 08:42:53 centad5 cifs.upcall: user=12345678
> > > Nov 17 08:42:53 centad5 cifs.upcall: pid=2485
> > > Nov 17 08:42:53 centad5 cifs.upcall: find_krb5_cc: considering /tmp/krb5cc_16777221
> > > Nov 17 08:42:53 centad5 cifs.upcall: find_krb5_cc: /tmp/krb5cc_16777221 is owned by 
> > > 16777221, not 12345678
> > > Nov 17 08:42:53 centad5 cifs.upcall: find_krb5_cc: considering /tmp/krb5cc_16777216
> > > Nov 17 08:42:53 centad5 cifs.upcall: find_krb5_cc: /tmp/krb5cc_16777216 is owned by 
> > > 16777216, not 12345678
> > > Nov 17 08:42:53 centad5 cifs.upcall: krb5_get_init_creds_keytab: 13
> > > Nov 17 08:42:53 centad5 cifs.upcall: handle_krb5_mech: getting service ticket for 
> figue
> > > Nov 17 08:42:53 centad5 cifs.upcall: cifs_krb5_get_req: unable to resolve (null) to 
> > > ccache
> > > @
> > 
> > What a bizarre setup you have. I imagine all sorts of things get
> > confused by numeric usernames. Many programs will assume that when
> > given a numeric username that it's a uid, not a name. You might
> > reconsider that setup -- maybe prefix the numbers with a letter or
> > something...
> > 
> It seems it is a little late for this, we are already in a production state with Active 
> Directory and winbind for authentication, Windows 2008 as a cifs server, Fedora 15 for 
> client and using pam_mount for mounting partition.
> As we are experiencing some CIFS VFS: Unexpected SMB signature with this 
> I am testing some others ways...
> 
> > In any case, it does seem like there is confusion somewhere with
> > numeric uids, but I don't think that confusion is with cifs.upcall. If
> > that is the correct credcache for this user, then it looks like its
> > being created with the wrong ownership.
> > 
> > What does the output of "klist" look like when you're logged in as this
> > user?
> > 
> 
> [12345678@centad5 ~]$ klist
> Ticket cache: FILE:/tmp/krb5cc_16777221
> Default principal: 12345678-10W9mfrL9XmlP7NgNAbZLA@public.gmane.org
> 
> Valid starting Expires Service principal
> 11/17/12 14:34:04 11/18/12 00:34:04 krbtgt/DOMAIN.LOCAL-10W9mfrL9XmlP7NgNAbZLA@public.gmane.org
> renew until 11/24/12 14:34:04
> 11/17/12 14:34:04 11/18/12 00:34:04 CENTAD5$@DOMAIN.LOCAL
> renew until 11/24/12 14:34:04
> 11/17/12 14:34:04 11/18/12 00:34:04 CENTAD5$@DOMAIN.LOCAL
> renew until 11/24/12 14:34:04
> [12345678@centad5 ~]$
> 
> > How about the output of "stat /tmp/krb5cc_16777216" ?
> 
> 16777216 or 16777221 ? 
> I did it for the two files 
> 
> [12345678@centad5 ~]$ id
> uid=16777221(12345678) gid=16777216(utilisateurs du domaine) 
> groupes=16777216(utilisateurs du domaine),16777217(profs)
> [12345678@centad5 ~]$
> 
> 
> [12345678@centad5 ~]$ stat /tmp/krb5cc_16777221 
> File: « /tmp/krb5cc_16777221 »
> Size: 3830 Blocks: 8 IO Block: 4096 fichier
> Device: 801h/2049d Inode: 1985377 Links: 1
> Access: (0600/-rw-------) Uid: (16777221/12345678) Gid: ( 0/ root)
> Access: 2012-11-17 14:41:37.056868612 +0100
> Modify: 2012-11-17 14:41:32.251850184 +0100
> Change: 2012-11-17 14:41:32.251850184 +0100
> 
> 
> [12345678@centad5 ~]$ stat /tmp/krb5cc_16777216 
> File: « /tmp/krb5cc_16777216 »
> Size: 3751 Blocks: 8 IO Block: 4096 fichier
> Device: 801h/2049d Inode: 1966082 Links: 1
> Access: (0600/-rw-------) Uid: (16777216/ conrad5) Gid: ( 0/ root)
> Access: 2012-11-16 23:11:47.948511483 +0100
> Modify: 2012-11-16 23:11:47.948511483 +0100
> Change: 2012-11-16 23:11:47.948511483 +0100
> > 

Ok, I think I see now. I believe your problem is in the options you're
passing in at mount time:

    fstype=cifs,sec=krb5i,user=&,uid=&,cruid=&,file_mode=0700,dir_mode=0700,nounix,noserverino ://figue/data/&

...specifically, the 'uid=&' and 'cruid=&' options. When mount.cifs gets
a numeric value for those options, it assumes that it's a uid, not a
username. You should probably replace those options in your automount
map with something like:

    uid=$UID,cruid=$UID

...which will make it pass in the numeric uid instead (that should also
be slightly more efficient since you won't need to go to NSS to resolve
username to uid). You may also want to consider adding:

    gid=$GID

...but that depends on your needs. See the section on "Variable
Substitution" in autofs(5) for info on $UID and $GID.

Best of luck!
-- 
Jeff Layton <jlayton-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>


* Re: cifs autofs krb5i
       [not found]                     ` <20121117102824.7d7f985e-9yPaYZwiELC+kQycOl6kW4xkIHaj4LzF@public.gmane.org>
@ 2012-11-17 17:22                       ` sergio.conrad
  2012-11-19  2:00                         ` Jeff Layton
  0 siblings, 1 reply; 11+ messages in thread
From: sergio.conrad @ 2012-11-17 17:22 UTC (permalink / raw)
  To: Jeff Layton; +Cc: linux-cifs-u79uwXL29TY76Z2rM5mHXA




> Message of 17/11/12 16:28
> From: "Jeff Layton"
> To: "sergio.conrad"
> Cc: linux-cifs-u79uwXL29TY76Z2rM5mHXA@public.gmane.org
> Subject: Re: cifs autofs krb5i
>
> On Sat, 17 Nov 2012 14:56:54 +0100
> "sergio.conrad"  wrote:
> 
> > 
> > 
> > 
> > > Message of 17/11/12 11:44
> > > From: "Jeff Layton"
> > > To: "sergio.conrad"
> > > Cc: linux-cifs-u79uwXL29TY76Z2rM5mHXA@public.gmane.org
> > > Subject: Re: cifs autofs krb5i
> > >
> > > On Sat, 17 Nov 2012 08:53:02 +0100
> > > "sergio.conrad" wrote:
> > > 
> > > > 
> > > > 
> > > > 
> > > > > Message of 17/11/12 03:01
> > > > > From: "Jeff Layton"
> > > > > To: "sergio.conrad"
> > > > > Cc: linux-cifs-u79uwXL29TY76Z2rM5mHXA@public.gmane.org
> > > > > Subject: Re: cifs autofs krb5i
> > > > >
> > > > > On Fri, 16 Nov 2012 23:37:52 +0100
> > > > > "sergio.conrad" wrote:
> > > > > 
> > > > > > Hi,
> > > > > > 
> > > > > > I am able to connect to cifs share on Windows 2008 with Kerberos security via 
> > autofs 
> > > > with 
> > > > > > this map : 
> > > > > > * -
> > > > > > 
> > > > 
> > 
fstype=cifs,sec=krb5i,user=&,uid=&,cruid=&,file_mode=0700,dir_mode=0700,nounix,noserverin
> > > > > > o ://figue/data/&
> > > > > > 
> > > > > > Is it working fine with alpha numeric login 
> > > > > > fs/cifs/cifs_spnego.c: key description = 
> > > > > > 
> > > > 
> > 
ver=0x2;host=figue;ip4=130.120.8.11;sec=krb5;uid=0x1000001;creduid=0x1000001;user=conrad3
> > > > > > ;pid=0xd331
> > > > > > 
> > > > > > 
> > > > > > But if i use numeric only login like 12345678 i have a problem :
> > > > > > fs/cifs/cifs_spnego.c: key description = 
> > > > > > 
> > > > 
> > 
ver=0x2;host=figue;ip4=130.120.8.11;sec=krb5;uid=0xbc614e;creduid=0xbc614e;user=12345678;
> > > > > > pid=0xe5db
> > > > > > fs/cifs/sess.c: ssetup freeing small buf ffff88003a838140
> > > > > > CIFS VFS: Send error in SessSetup = -126
> > > > > > fs/cifs/connect.c: CIFS VFS: leaving cifs_get_smb_ses (xid = 223) rc = -126
> > > > > > fs/cifs/connect.c: CIFS VFS: leaving cifs_mount (xid = 222) rc = -126
> > > > > > CIFS VFS: cifs_mount failed w/return code = -126
> > > > > > 
> > > > > > What can I do to solve this issue ?
> > > > > 
> > > > > 
> > > > > cifs.upcall logs at daemon.debug level. Set up syslog to log that and
> > > > > you'll get some details about what it's doing.
> > > > > 
> > > > > -- 
> > > > > Jeff Layton 
> > > > > 
> > > > 
> > > > Thanks for your response, 
> > > > I got the error 
> > > > Nov 17 08:42:53 centad5 cifs.upcall: find_krb5_cc: /tmp/krb5cc_16777221 is owned 
by 
> > > > 16777221, not 12345678
> > > > 
> > > > Perhaps it is a confusion about the uid and the login in a numeric value
> > > > 
> > > > [12345678@centad5 ~]$ id
> > > > uid=16777221(12345678) gid=16777216(utilisateurs du domaine) 
> > > > groupes=16777216(utilisateurs du domaine),16777217(profs)
> > > > 
> > > > The full log is :
> > > > 
> > > > Nov 17 08:42:53 centad5 cifs.upcall: key description: 
> > > > 
> > 
cifs.spnego;0;0;3f000000;ver=0x2;host=figue;ip4=130.120.8.11;sec=krb5;uid=0xbc614e;credui
> > > > d=0xbc614e;user=12345678;pid=0x9b5
> > > > Nov 17 08:42:53 centad5 cifs.upcall: ver=2
> > > > Nov 17 08:42:53 centad5 cifs.upcall: host=figue
> > > > Nov 17 08:42:53 centad5 cifs.upcall: ip=130.120.8.11
> > > > Nov 17 08:42:53 centad5 cifs.upcall: sec=1
> > > > Nov 17 08:42:53 centad5 cifs.upcall: uid=12345678
> > > > Nov 17 08:42:53 centad5 cifs.upcall: creduid=12345678
> > > > Nov 17 08:42:53 centad5 cifs.upcall: user=12345678
> > > > Nov 17 08:42:53 centad5 cifs.upcall: pid=2485
> > > > Nov 17 08:42:53 centad5 cifs.upcall: find_krb5_cc: considering 
/tmp/krb5cc_16777221
> > > > Nov 17 08:42:53 centad5 cifs.upcall: find_krb5_cc: /tmp/krb5cc_16777221 is owned 
by 
> > > > 16777221, not 12345678
> > > > Nov 17 08:42:53 centad5 cifs.upcall: find_krb5_cc: considering 
/tmp/krb5cc_16777216
> > > > Nov 17 08:42:53 centad5 cifs.upcall: find_krb5_cc: /tmp/krb5cc_16777216 is owned 
by 
> > > > 16777216, not 12345678
> > > > Nov 17 08:42:53 centad5 cifs.upcall: krb5_get_init_creds_keytab: 13
> > > > Nov 17 08:42:53 centad5 cifs.upcall: handle_krb5_mech: getting service ticket for 
> > figue
> > > > Nov 17 08:42:53 centad5 cifs.upcall: cifs_krb5_get_req: unable to resolve (null) 
to 
> > > > ccache
> > > > @
> > > 
> > > What a bizarre setup you have. I imagine all sorts of things get
> > > confused by numeric usernames. Many programs will assume that when
> > > given a numeric username that it's a uid, not a name. You might
> > > reconsider that setup -- maybe prefix the numbers with a letter or
> > > something...
> > > 
> > It seems it is a little late for this, we are already in a production state with 
Active 
> > Directory and winbind for authentication, Windows 2008 as a cifs server, Fedora 15 
for 
> > client and using pam_mount for mounting partition.
> > As we are experiencing some CIFS VFS: Unexpected SMB signature with this 
> > I am testing some others ways...
> > 
> > > In any case, it does seem like there is confusion somewhere with
> > > numeric uids, but I don't think that confusion is with cifs.upcall. If
> > > that is the correct credcache for this user, then it looks like its
> > > being created with the wrong ownership.
> > > 
> > > What does the output of "klist" look like when you're logged in as this
> > > user?
> > > 
> > 
> > [12345678@centad5 ~]$ klist
> > Ticket cache: FILE:/tmp/krb5cc_16777221
> > Default principal: 12345678-10W9mfrL9XmlP7NgNAbZLA@public.gmane.org
> > 
> > Valid starting Expires Service principal
> > 11/17/12 14:34:04 11/18/12 00:34:04 krbtgt/DOMAIN.LOCAL-10W9mfrL9XkN2LvcTqJorw@public.gmane.orgL
> > renew until 11/24/12 14:34:04
> > 11/17/12 14:34:04 11/18/12 00:34:04 CENTAD5$@DOMAIN.LOCAL
> > renew until 11/24/12 14:34:04
> > 11/17/12 14:34:04 11/18/12 00:34:04 CENTAD5$@DOMAIN.LOCAL
> > renew until 11/24/12 14:34:04
> > [12345678@centad5 ~]$
> > 
> > > How about the output of "stat /tmp/krb5cc_16777216" ?
> > 
> > 16777216 or 16777221 ? 
> > I did it for the two files 
> > 
> > [12345678@centad5 ~]$ id
> > uid=16777221(12345678) gid=16777216(utilisateurs du domaine) 
> > groupes=16777216(utilisateurs du domaine),16777217(profs)
> > [12345678@centad5 ~]$
> > 
> > 
> > [12345678@centad5 ~]$ stat /tmp/krb5cc_16777221 
> > File: « /tmp/krb5cc_16777221 »
> > Size: 3830 Blocks: 8 IO Block: 4096 fichier
> > Device: 801h/2049d Inode: 1985377 Links: 1
> > Access: (0600/-rw-------) Uid: (16777221/12345678) Gid: ( 0/ root)
> > Access: 2012-11-17 14:41:37.056868612 +0100
> > Modify: 2012-11-17 14:41:32.251850184 +0100
> > Change: 2012-11-17 14:41:32.251850184 +0100
> > 
> > 
> > [12345678@centad5 ~]$ stat /tmp/krb5cc_16777216 
> > File: « /tmp/krb5cc_16777216 »
> > Size: 3751 Blocks: 8 IO Block: 4096 fichier
> > Device: 801h/2049d Inode: 1966082 Links: 1
> > Access: (0600/-rw-------) Uid: (16777216/ conrad5) Gid: ( 0/ root)
> > Access: 2012-11-16 23:11:47.948511483 +0100
> > Modify: 2012-11-16 23:11:47.948511483 +0100
> > Change: 2012-11-16 23:11:47.948511483 +0100
> > > 
> 
> Ok, I think I see now. I believe your problem is in the options you're
> passing in at mount time:
> 
> 
fstype=cifs,sec=krb5i,user=&,uid=&,cruid=&,file_mode=0700,dir_mode=0700,nounix,noserverin
o ://figue/data/&
> 
> ...specifically, the 'uid=&' and 'cruid=&' options. When mount.cifs gets
> a numeric value for those options, it assumes that it's a uid, not a
> username. You should probably replace those options in your automount
> map with something like:
> 
> uid=$UID,cruid=$UID
> 
> ...which will make it pass in the numeric uid instead (that should also
> be slightly more efficient since you won't need to go to NSS to resolve
> username to uid). You may also want to consider adding:
> 
> gid=$GID
> 
> ...but that depends on your needs. See the section on "Variable
> Substitution" in autofs(5) for info on $UID and $GID.
> 
> Best of luck!

It works!
Thank you, you saved my day, as always!
I will post here if I resolve the unexpected smb signature with this technique
Serge

> -- 
> Jeff Layton 
> 


* Re: cifs autofs krb5i
  2012-11-17 17:22                       ` sergio.conrad
@ 2012-11-19  2:00                         ` Jeff Layton
  0 siblings, 0 replies; 11+ messages in thread
From: Jeff Layton @ 2012-11-19  2:00 UTC (permalink / raw)
  To: sergio.conrad; +Cc: linux-cifs-u79uwXL29TY76Z2rM5mHXA

On Sat, 17 Nov 2012 18:22:57 +0100
"sergio.conrad" <sergio.conrad-QFKgK+z4sOrR7s880joybQ@public.gmane.org> wrote:

> 
> 
> 
> > Message of 17/11/12 16:28
> > From: "Jeff Layton"
> > To: "sergio.conrad"
> > Cc: linux-cifs-u79uwXL29TY76Z2rM5mHXA@public.gmane.org
> > Subject: Re: cifs autofs krb5i
> >
> > On Sat, 17 Nov 2012 14:56:54 +0100
> > "sergio.conrad"  wrote:
> > 
> > > 
> > > 
> > > 
> > > > Message of 17/11/12 11:44
> > > > From: "Jeff Layton"
> > > > To: "sergio.conrad"
> > > > Cc: linux-cifs-u79uwXL29TY76Z2rM5mHXA@public.gmane.org
> > > > Subject: Re: cifs autofs krb5i
> > > >
> > > > On Sat, 17 Nov 2012 08:53:02 +0100
> > > > "sergio.conrad" wrote:
> > > > 
> > > > > 
> > > > > 
> > > > > 
> > > > > > Message of 17/11/12 03:01
> > > > > > From: "Jeff Layton"
> > > > > > To: "sergio.conrad"
> > > > > > Cc: linux-cifs-u79uwXL29TY76Z2rM5mHXA@public.gmane.org
> > > > > > Subject: Re: cifs autofs krb5i
> > > > > >
> > > > > > On Fri, 16 Nov 2012 23:37:52 +0100
> > > > > > "sergio.conrad" wrote:
> > > > > > 
> > > > > > > Hi,
> > > > > > > 
> > > > > > > I am able to connect to cifs share on Windows 2008 with Kerberos security via 
> > > autofs 
> > > > > with 
> > > > > > > this map : 
> > > > > > > * -
> > > > > > > 
> > > > > 
> > > 
> fstype=cifs,sec=krb5i,user=&,uid=&,cruid=&,file_mode=0700,dir_mode=0700,nounix,noserverin
> > > > > > > o ://figue/data/&
> > > > > > > 
> > > > > > > Is it working fine with alpha numeric login 
> > > > > > > fs/cifs/cifs_spnego.c: key description = 
> > > > > > > 
> > > > > 
> > > 
> ver=0x2;host=figue;ip4=130.120.8.11;sec=krb5;uid=0x1000001;creduid=0x1000001;user=conrad3
> > > > > > > ;pid=0xd331
> > > > > > > 
> > > > > > > 
> > > > > > > But if i use numeric only login like 12345678 i have a problem :
> > > > > > > fs/cifs/cifs_spnego.c: key description = 
> > > > > > > 
> > > > > 
> > > 
> ver=0x2;host=figue;ip4=130.120.8.11;sec=krb5;uid=0xbc614e;creduid=0xbc614e;user=12345678;
> > > > > > > pid=0xe5db
> > > > > > > fs/cifs/sess.c: ssetup freeing small buf ffff88003a838140
> > > > > > > CIFS VFS: Send error in SessSetup = -126
> > > > > > > fs/cifs/connect.c: CIFS VFS: leaving cifs_get_smb_ses (xid = 223) rc = -126
> > > > > > > fs/cifs/connect.c: CIFS VFS: leaving cifs_mount (xid = 222) rc = -126
> > > > > > > CIFS VFS: cifs_mount failed w/return code = -126
> > > > > > > 
> > > > > > > What can I do to solve this issue ?
> > > > > > 
> > > > > > 
> > > > > > cifs.upcall logs at daemon.debug level. Set up syslog to log that and
> > > > > > you'll get some details about what it's doing.
> > > > > > 
> > > > > > -- 
> > > > > > Jeff Layton 
> > > > > > 
> > > > > 
> > > > > Thanks for your response, 
> > > > > I got the error 
> > > > > Nov 17 08:42:53 centad5 cifs.upcall: find_krb5_cc: /tmp/krb5cc_16777221 is owned 
> by 
> > > > > 16777221, not 12345678
> > > > > 
> > > > > Perhaps it is a confusion about the uid and the login in a numeric value
> > > > > 
> > > > > [12345678@centad5 ~]$ id
> > > > > uid=16777221(12345678) gid=16777216(utilisateurs du domaine) 
> > > > > groupes=16777216(utilisateurs du domaine),16777217(profs)
> > > > > 
> > > > > The full log is :
> > > > > 
> > > > > Nov 17 08:42:53 centad5 cifs.upcall: key description: 
> > > > > 
> > > 
> cifs.spnego;0;0;3f000000;ver=0x2;host=figue;ip4=130.120.8.11;sec=krb5;uid=0xbc614e;credui
> > > > > d=0xbc614e;user=12345678;pid=0x9b5
> > > > > Nov 17 08:42:53 centad5 cifs.upcall: ver=2
> > > > > Nov 17 08:42:53 centad5 cifs.upcall: host=figue
> > > > > Nov 17 08:42:53 centad5 cifs.upcall: ip=130.120.8.11
> > > > > Nov 17 08:42:53 centad5 cifs.upcall: sec=1
> > > > > Nov 17 08:42:53 centad5 cifs.upcall: uid=12345678
> > > > > Nov 17 08:42:53 centad5 cifs.upcall: creduid=12345678
> > > > > Nov 17 08:42:53 centad5 cifs.upcall: user=12345678
> > > > > Nov 17 08:42:53 centad5 cifs.upcall: pid=2485
> > > > > Nov 17 08:42:53 centad5 cifs.upcall: find_krb5_cc: considering 
> /tmp/krb5cc_16777221
> > > > > Nov 17 08:42:53 centad5 cifs.upcall: find_krb5_cc: /tmp/krb5cc_16777221 is owned 
> by 
> > > > > 16777221, not 12345678
> > > > > Nov 17 08:42:53 centad5 cifs.upcall: find_krb5_cc: considering 
> /tmp/krb5cc_16777216
> > > > > Nov 17 08:42:53 centad5 cifs.upcall: find_krb5_cc: /tmp/krb5cc_16777216 is owned 
> by 
> > > > > 16777216, not 12345678
> > > > > Nov 17 08:42:53 centad5 cifs.upcall: krb5_get_init_creds_keytab: 13
> > > > > Nov 17 08:42:53 centad5 cifs.upcall: handle_krb5_mech: getting service ticket for 
> > > figue
> > > > > Nov 17 08:42:53 centad5 cifs.upcall: cifs_krb5_get_req: unable to resolve (null) 
> to 
> > > > > ccache
> > > > > @
> > > > 
> > > > What a bizarre setup you have. I imagine all sorts of things get
> > > > confused by numeric usernames. Many programs will assume that when
> > > > given a numeric username that it's a uid, not a name. You might
> > > > reconsider that setup -- maybe prefix the numbers with a letter or
> > > > something...
> > > > 
> > > It seems it is a little late for this, we are already in a production state with 
> Active 
> > > Directory and winbind for authentication, Windows 2008 as a cifs server, Fedora 15 
> for 
> > > client and using pam_mount for mounting partition.
> > > As we are experiencing some CIFS VFS: Unexpected SMB signature with this 
> > > I am testing some others ways...
> > > 
> > > > In any case, it does seem like there is confusion somewhere with
> > > > numeric uids, but I don't think that confusion is with cifs.upcall. If
> > > > that is the correct credcache for this user, then it looks like its
> > > > being created with the wrong ownership.
> > > > 
> > > > What does the output of "klist" look like when you're logged in as this
> > > > user?
> > > > 
> > > 
> > > [12345678@centad5 ~]$ klist
> > > Ticket cache: FILE:/tmp/krb5cc_16777221
> > > Default principal: 12345678-10W9mfrL9XmlP7NgNAbZLA@public.gmane.org
> > > 
> > > Valid starting Expires Service principal
> > > 11/17/12 14:34:04 11/18/12 00:34:04 krbtgt/DOMAIN.LOCAL-10W9mfrL9XlgzlvP5gpW4g@public.gmane.orgCAL
> > > renew until 11/24/12 14:34:04
> > > 11/17/12 14:34:04 11/18/12 00:34:04 CENTAD5$@DOMAIN.LOCAL
> > > renew until 11/24/12 14:34:04
> > > 11/17/12 14:34:04 11/18/12 00:34:04 CENTAD5$@DOMAIN.LOCAL
> > > renew until 11/24/12 14:34:04
> > > [12345678@centad5 ~]$
> > > 
> > > > How about the output of "stat /tmp/krb5cc_16777216" ?
> > > 
> > > 16777216 or 16777221 ? 
> > > I did it for the two files 
> > > 
> > > [12345678@centad5 ~]$ id
> > > uid=16777221(12345678) gid=16777216(utilisateurs du domaine) 
> > > groupes=16777216(utilisateurs du domaine),16777217(profs)
> > > [12345678@centad5 ~]$
> > > 
> > > 
> > > [12345678@centad5 ~]$ stat /tmp/krb5cc_16777221 
> > > File: « /tmp/krb5cc_16777221 »
> > > Size: 3830 Blocks: 8 IO Block: 4096 fichier
> > > Device: 801h/2049d Inode: 1985377 Links: 1
> > > Access: (0600/-rw-------) Uid: (16777221/12345678) Gid: ( 0/ root)
> > > Access: 2012-11-17 14:41:37.056868612 +0100
> > > Modify: 2012-11-17 14:41:32.251850184 +0100
> > > Change: 2012-11-17 14:41:32.251850184 +0100
> > > 
> > > 
> > > [12345678@centad5 ~]$ stat /tmp/krb5cc_16777216 
> > > File: « /tmp/krb5cc_16777216 »
> > > Size: 3751 Blocks: 8 IO Block: 4096 fichier
> > > Device: 801h/2049d Inode: 1966082 Links: 1
> > > Access: (0600/-rw-------) Uid: (16777216/ conrad5) Gid: ( 0/ root)
> > > Access: 2012-11-16 23:11:47.948511483 +0100
> > > Modify: 2012-11-16 23:11:47.948511483 +0100
> > > Change: 2012-11-16 23:11:47.948511483 +0100
> > > > 
> > 
> > Ok, I think I see now. I believe your problem is in the options you're
> > passing in at mount time:
> > 
> > 
> fstype=cifs,sec=krb5i,user=&,uid=&,cruid=&,file_mode=0700,dir_mode=0700,nounix,noserverin
> o ://figue/data/&
> > 
> > ...specifically, the 'uid=&' and 'cruid=&' options. When mount.cifs gets
> > a numeric value for those options, it assumes that it's a uid, not a
> > username. You should probably replace those options in your automount
> > map with something like:
> > 
> > uid=$UID,cruid=$UID
> > 
> > ...which will make it pass in the numeric uid instead (that should also
> > be slightly more efficient since you won't need to go to NSS to resolve
> > username to uid). You may also want to consider adding:
> > 
> > gid=$GID
> > 
> > ...but that depends on your needs. See the section on "Variable
> > Substitution" in autofs(5) for info on $UID and $GID.
> > 
> > Best of luck!
> 
> It works !
> Thank you, you saved my day, as always !
> I will post here if i resolve the unexpected smb signature with this technique
> Serge
> 

Great! Now that I think about it though, there's a problem with my
suggestion. $UID and $GID represent the uid/gid of the user who's
triggering the mount, and that's not necessarily the same as the user
who owns the directory (which is what you were trying to do with your
original map).

What may make more sense is to reinstate your original autofs map, and
apply something like this (untested) patch to mount.cifs. Note too that
you can use the '-v' option to the mount command to see what options
it's passing in.

Really though, what you may be best off with is to consider setting
up //figue/data as a multiuser mount...

---------------------[snip]----------------------

mount.cifs: treat uid=,gid=,cruid= options as name before assuming they're a number

Sergio Conrad reported a problem trying to set up an autofs map to do
a krb5 mount. In his environment, many users have usernames that are
comprised entirely of numbers. While that's a bit odd, POSIX apparently
allows for it.

The current code assumes that when a numeric argument is passed to one
of the above options, that it's a uid or gid. Instead, try to treat the
argument as a user or group name first, and only try to treat it as a
number if that fails.

Signed-off-by: Jeff Layton <jlayton-eUNUBHrolfbYtjvyW6yDsg@public.gmane.org>
---
 mount.cifs.c | 50 ++++++++++++++++++++++++--------------------------
 1 file changed, 24 insertions(+), 26 deletions(-)

diff --git a/mount.cifs.c b/mount.cifs.c
index a9632b4..9760d1f 100644
--- a/mount.cifs.c
+++ b/mount.cifs.c
@@ -1003,57 +1003,55 @@ parse_options(const char *data, struct parsed_mount_info *parsed_info)
 				goto nocopy;
 
 			got_uid = 1;
+			pw = getpwnam(value);
+			if (pw) {
+				uid = pw->pw_uid;
+				goto nocopy;
+			}
+
 			errno = 0;
 			uid = strtoul(value, &ep, 10);
 			if (errno == 0 && *ep == '\0')
 				goto nocopy;
 
-			pw = getpwnam(value);
-			if (pw == NULL) {
-				fprintf(stderr, "bad user name \"%s\"\n", value);
-				return EX_USAGE;
-			}
-
-			uid = pw->pw_uid;
-			goto nocopy;
-
+			fprintf(stderr, "bad option uid=\"%s\"\n", value);
+			return EX_USAGE;
 		case OPT_CRUID:
 			if (!value || !*value)
 				goto nocopy;
 
 			got_cruid = 1;
+			pw = getpwnam(value);
+			if (pw) {
+				cruid = pw->pw_uid;
+				goto nocopy;
+			}
+
 			errno = 0;
 			cruid = strtoul(value, &ep, 10);
 			if (errno == 0 && *ep == '\0')
 				goto nocopy;
 
-			pw = getpwnam(value);
-			if (pw == NULL) {
-				fprintf(stderr, "bad user name \"%s\"\n", value);
-				return EX_USAGE;
-			}
-			cruid = pw->pw_uid;
-			goto nocopy;
-
+			fprintf(stderr, "bad option: cruid=\"%s\"\n", value);
+			return EX_USAGE;
 		case OPT_GID:
 			if (!value || !*value)
 				goto nocopy;
 
 			got_gid = 1;
+			gr = getgrnam(value);
+			if (gr) {
+				gid = gr->gr_gid;
+				goto nocopy;
+			}
+
 			errno = 0;
 			gid = strtoul(value, &ep, 10);
 			if (errno == 0 && *ep == '\0')
 				goto nocopy;
 
-			gr = getgrnam(value);
-			if (gr == NULL) {
-				fprintf(stderr, "bad group name \"%s\"\n", value);
-				return EX_USAGE;
-			}
-
-			gid = gr->gr_gid;
-			goto nocopy;
-
+			fprintf(stderr, "bad option: gid=\"%s\"\n", value);
+			return EX_USAGE;
 		/* fmask fall through to file_mode */
 		case OPT_FMASK:
 			fprintf(stderr,
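Review bot: In the OPT_UID, OPT_CRUID and OPT_GID cases, a NULL return from getpwnam()/getgrnam() is treated as "no such name" and control falls through to strtoul(), but both calls also return NULL on a lookup error, with errno set. An all-digit login whose lookup fails that way would silently be used as a raw uid, and for cruid= that value decides whose credential cache cifs.upcall goes looking for, which is the mismatch reported in this thread. Suggest setting errno = 0 before each lookup and returning an error when the result is NULL with errno set, so that only a clean "not found" reaches the numeric path. Separately, the uid message reads "bad option uid=" while the cruid and gid messages read "bad option: cruid=" and "bad option: gid="; the colon should be consistent across the three.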
-- 
1.7.11.7


-- 
Jeff Layton <jlayton-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
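
The ambiguity discussed in this thread (an all-digit login passed to uid=/cruid= being read as a uid), as an added example that is not part of the original messages or of cifs-utils. It runs both resolution orders over constructed tables built from the names, uids and cache paths shown in the thread; lookup_name, parse_uid, pick_ccache and the resolve_* functions are hypothetical stand-ins, not the project's functions.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>

/* Constructed tables standing in for NSS/winbind and /tmp; names, uids and
 * cache paths are the ones in the thread's id, stat and klist output. */
struct account { const char *name; uid_t uid; };
struct ccache  { const char *path; uid_t owner; };

static const struct account accounts[] = {
	{ "conrad5",  16777216 },
	{ "12345678", 16777221 },	/* login made only of digits */
};
static const struct ccache caches[] = {
	{ "/tmp/krb5cc_16777221", 16777221 },
	{ "/tmp/krb5cc_16777216", 16777216 },
};

/* Hypothetical stand-in for getpwnam(): 0 on a hit, -1 if no such name. */
static int lookup_name(const char *name, uid_t *out)
{
	size_t i;

	for (i = 0; i < sizeof(accounts) / sizeof(accounts[0]); i++)
		if (strcmp(accounts[i].name, name) == 0) {
			*out = accounts[i].uid;
			return 0;
		}
	return -1;
}

/* Strict decimal parse: digits only (strtoul alone also accepts leading
 * blanks and a sign); the value must fit uid_t and not be (uid_t)-1. */
static int parse_uid(const char *s, uid_t *out)
{
	char *ep;
	unsigned long v;

	if (*s < '0' || *s > '9')
		return -1;
	errno = 0;
	v = strtoul(s, &ep, 10);
	if (errno != 0 || *ep != '\0' ||
	    (unsigned long)(uid_t)v != v || (uid_t)v == (uid_t)-1)
		return -1;
	*out = (uid_t)v;
	return 0;
}

/* Number-first order, as described in the thread: digits are taken as a uid. */
static int resolve_number_first(const char *value, uid_t *out)
{
	if (parse_uid(value, out) == 0)
		return 0;
	return lookup_name(value, out);
}

/* Name-first order, as proposed in the thread: account name, then number. */
static int resolve_name_first(const char *value, uid_t *out)
{
	if (lookup_name(value, out) == 0)
		return 0;
	return parse_uid(value, out);
}

/* Simplified form of the ownership test visible in the cifs.upcall log:
 * a cache is usable only when its owner equals the requested creduid. */
static const char *pick_ccache(uid_t creduid)
{
	size_t i;

	for (i = 0; i < sizeof(caches) / sizeof(caches[0]); i++)
		if (caches[i].owner == creduid)
			return caches[i].path;
	return NULL;
}

int main(void)
{
	const char *value = "12345678";	/* what "cruid=&" expands to */
	uid_t a = 0, b = 0;
	const char *pa, *pb;
	resolve_number_first(value, &a);
	resolve_name_first(value, &b);
	pa = pick_ccache(a);
	pb = pick_ccache(b);
	printf("number first: creduid=0x%lx ccache=%s\n",
	       (unsigned long)a, pa ? pa : "(none)");
	printf("name first:   creduid=0x%lx ccache=%s\n",
	       (unsigned long)b, pb ? pb : "(none)");
	return 0;
}
```

The number-first result, 0xbc614e, is the creduid that appears in the failing key description, and no cache in the table is owned by it.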
