* CIFS mounts become inaccessible with "Send error in SessSetup = -128"
@ 2013-07-12 20:38 Doug Clow
       [not found] ` <6FF853BB-C6F5-41E4-8310-04BE652F4633-jCDWx9PA3/RBDgjK7y7TUQ@public.gmane.org>
  0 siblings, 1 reply; 7+ messages in thread
From: Doug Clow @ 2013-07-12 20:38 UTC (permalink / raw)
  To: linux-cifs

Hello,

I am having some trouble with using krb5, autofs, and cifs together.  I have my credentials set to auto-renew using k5start and when I ssh to the machine I can mount the share after restarting autofs.  The principal used is the computer from Active Directory, i.e. "hostname$".  I've verified my tgt is always fresh.  However, my scheduled cron job to do rsync to that share always fails.  Often with the error "Key has been revoked".  In my syslog there is the message "CIFS VFS: cifs_mount failed w/return code = -128".  After doing some Googling, I found this link:

https://access.redhat.com/site/solutions/275933

I'm on CentOS (6.4) so I don't have access to the posting.  If you have an idea for a fix I would very much appreciate it.

Thanks,
Doug


* Re: CIFS mounts become inaccessible with "Send error in SessSetup = -128"
       [not found] ` <6FF853BB-C6F5-41E4-8310-04BE652F4633-jCDWx9PA3/RBDgjK7y7TUQ@public.gmane.org>
@ 2013-07-12 21:36   ` steve
       [not found]     ` <1373664982.4186.5.camel-HkULYb+WTT7YCGPCin2YbQ@public.gmane.org>
  0 siblings, 1 reply; 7+ messages in thread
From: steve @ 2013-07-12 21:36 UTC (permalink / raw)
  To: Doug Clow; +Cc: linux-cifs

On Fri, 2013-07-12 at 13:38 -0700, Doug Clow wrote:
> Hello,
> 
> I am having some trouble with using krb5, autofs, and cifs together.  I have my credentials set to auto-renew using k5start and when I ssh to the machine I can mount the share after restarting autofs.  The principal used is the computer from Active Directory, i.e. "hostname$".  I've verified my tgt is always fresh.  However, my scheduled cron job to do rsync to that share always fails.  Often with the error "Key has been revoked".  In my syslog there is the message "CIFS VFS: cifs_mount failed w/return code = -128".  After doing some Googling, I found this link:
> 
> https://access.redhat.com/site/solutions/275933
> 
> I'm on CentOS (6.4) so I don't have access to the posting.  If you have an idea for a fix I would very much appreciate it.
> 
> Thanks,
> Doug

Hi
You don't need to cron your tgt requests. cifs.upcall will look for the
key as and when it needs it:
-Put hostname$ in /etc/krb5.keytab
-kill k5start
-make sure you have username=hostname$ as a cifs option in the autofs
map file
-make sure you have the line in /etc/request-key.conf:
create  cifs.spnego     *       *               /usr/sbin/cifs.upcall  %k

hth,
Steve


* Re: CIFS mounts become inaccessible with "Send error in SessSetup = -128"
       [not found]     ` <1373664982.4186.5.camel-HkULYb+WTT7YCGPCin2YbQ@public.gmane.org>
@ 2013-07-12 23:50       ` Doug Clow
       [not found]         ` <2770E589-143D-4DEE-A55E-808A5A12AC5F-jCDWx9PA3/RBDgjK7y7TUQ@public.gmane.org>
  0 siblings, 1 reply; 7+ messages in thread
From: Doug Clow @ 2013-07-12 23:50 UTC (permalink / raw)
  To: steve; +Cc: linux-cifs

Hi Steve,

Thanks for the help.  So here's where I'm at now:

- I already had hostname$ in my keytab and both cifs.spnego and dns_resolver in my /etc/request-key.d
- I tried stopping k5start but if I kdestroy and then try to connect it fails so it seems for my setup I do need to have the tgt active to connect
- Before I had cruid=0 so I changed that to username=hostname$ and I will see if it works when the job runs tonight

There was one other odd thing I noticed.  There is a strange looking service principal when I klist after connecting to the share.  It's a dfs share so after connecting I have the following service principals active:

cifs/dfs-server.domain.com@
cifs/dfs-server.domain.-Cx6ELD3zwl1XrIkS9f7CXA@public.gmane.org
cifs/cifs-server.domain.@
cifs/cifs-server.domain.-Cx6ELD3zwl1XrIkS9f7CXA@public.gmane.org

Should I be getting those principals with the blank realm?

It does work now if I access the share, but just not when the cron jobs run which is strange.

Regards,
Doug



* Re: CIFS mounts become inaccessible with "Send error in SessSetup = -128"
       [not found]         ` <2770E589-143D-4DEE-A55E-808A5A12AC5F-jCDWx9PA3/RBDgjK7y7TUQ@public.gmane.org>
@ 2013-07-13  7:45           ` steve
       [not found]             ` <1373701517.1791.27.camel-HkULYb+WTT7YCGPCin2YbQ@public.gmane.org>
  0 siblings, 1 reply; 7+ messages in thread
From: steve @ 2013-07-13  7:45 UTC (permalink / raw)
  To: Doug Clow; +Cc: linux-cifs

On Fri, 2013-07-12 at 16:50 -0700, Doug Clow wrote:
> Hi Steve,
> 
> Thanks for the help.  So here's where I'm at now:
> 
> - I already had hostname$ in my keytab and both cifs.spnego and dns_resolver in my /etc/request-key.d
> - I tried stopping k5start but if I kdestroy and then try to connect it fails so it seems for my setup I do need to have the tgt active to connect
> - Before I had cruid=0 so I changed that to username=hostname$ and I will see if it works when the job runs tonight
> 
I think the user running the cron will need tickets too. Maybe give
hostname$ a posixAccount and uidNumber, and add him to group root? (or
whoever runs the cron)

To mount the cifs share _you_ don't need a ticket. To access it, yes.
e.g. if you logged in and tried to access the share but it wasn't
mounted, it would mount using hostname$, then you would get your cifs
ticket. I'm not sure what you mean when you say 'try to connect'. There
seem to be 2 issues, accessing via ssh and the automounter.
Cheers


* Re: CIFS mounts become inaccessible with "Send error in SessSetup = -128"
       [not found]             ` <1373701517.1791.27.camel-HkULYb+WTT7YCGPCin2YbQ@public.gmane.org>
@ 2013-07-15 19:38               ` Doug Clow
       [not found]                 ` <02C4F669-1C20-4F61-999C-5CF9CE63D3CC-jCDWx9PA3/RBDgjK7y7TUQ@public.gmane.org>
  0 siblings, 1 reply; 7+ messages in thread
From: Doug Clow @ 2013-07-15 19:38 UTC (permalink / raw)
  To: steve; +Cc: linux-cifs

After doing some experimentation I found a workaround, but I still don't understand the underlying problem.  I put in a cron job that touches a file on the share every minute and now my other cron jobs run correctly.  I have to touch the file periodically or else the share will "go bad" until I restart autofs.



* Re: CIFS mounts become inaccessible with "Send error in SessSetup = -128"
       [not found]                 ` <02C4F669-1C20-4F61-999C-5CF9CE63D3CC-jCDWx9PA3/RBDgjK7y7TUQ@public.gmane.org>
@ 2013-07-15 20:21                   ` steve
       [not found]                     ` <1373919660.1668.13.camel-HkULYb+WTT7YCGPCin2YbQ@public.gmane.org>
  0 siblings, 1 reply; 7+ messages in thread
From: steve @ 2013-07-15 20:21 UTC (permalink / raw)
  To: Doug Clow; +Cc: linux-cifs

On Mon, 2013-07-15 at 12:38 -0700, Doug Clow wrote:
> After doing some experimentation I found a workaround, but I still don't understand the underlying problem.  I put in a cron job that touches a file on the share every minute and now my other cron jobs run correctly.  I have to touch the file periodically or else the share will "go bad" until I restart autofs.
> 
Hi
cifs.upcall should take care of that without the cron. If you have
sec=krb5 it will automatically look for the key of the user specified
for the mount in the keytab so that even if the ticket has expired 'gone
bad', it refreshes it for you when you need to access the mounted share.

I too thought that I had to keep a root cache alive for cifs until I had
a long conversation about this on the cifs list. I even suggested they
add a switch to cifs.upcall to specify a keytab other
than /etc/krb5.keytab. It's the -d option to cifs.upcall included as of
cifs-utils 6.1

Maybe I've not understood your problem but it certainly is not necessary
to use cron to keep tickets alive for cifs as you are doing at present.
Do let me have any details which you don't understand as it really has
made our domain a lot easier to maintain.
Cheers,
Steve
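
An offline check of the setup Steve describes in his replies (a one-line cifs.spnego rule for request-key, sec=krb5 and username=hostname$ on the autofs entry, the machine principal in the keytab); this is an added example, not part of the thread or of cifs-utils. The function names, HOST1$, EXAMPLE.COM and the sample map entries are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): audit a keytab-driven sec=krb5 CIFS automount.

# Succeeds if a request-key rule passes cifs.spnego keys to cifs.upcall with %k
# on one line; a mail-wrapped rule ("%" then "k" on the next line) fails.
has_spnego_rule() {          # $1 = request-key config file
    awk '$1 == "create" && $2 == "cifs.spnego" && $5 ~ /\/cifs\.upcall$/ {
             for (i = 6; i <= NF; i++) if ($i == "%k") found = 1
         }
         END { exit !found }' "$1"
}

# Prints the key of every cifs map entry missing sec=krb5 or username=.
weak_map_entries() {         # $1 = autofs map file
    awk '!/^[ \t]*#/ && /fstype=cifs/ &&
         (!/sec=krb5/ || !/username=/) { print $1 }' "$1"
}

# Succeeds if `klist -k` output on stdin lists principal $1 (realm ignored).
keytab_lists() {             # $1 = principal, e.g. 'HOST1$'
    awk -v want="$1" '{ split($2, p, "@"); if (p[1] == want) ok = 1 }
         END { exit !ok }'
}

# Constructed sample files; host names and realm are placeholders.
demo() {
    d=$(mktemp -d) || return 1
    printf 'create  cifs.spnego  *  *  /usr/sbin/cifs.upcall %%\nk\n' > "$d/wrapped.conf"
    printf 'create  cifs.spnego  *  *  /usr/sbin/cifs.upcall %%k\n' > "$d/ok.conf"
    printf '%s\n' \
        'data -fstype=cifs,sec=krb5,username=HOST1$ ://cifs-server.example.com/data' \
        'old  -fstype=cifs,cruid=0 ://cifs-server.example.com/old' > "$d/auto.cifs"
    for f in wrapped ok; do
        has_spnego_rule "$d/$f.conf" && echo "$f.conf: rule ok" || echo "$f.conf: no usable rule"
    done
    weak_map_entries "$d/auto.cifs" | sed 's/^/map entry lacks sec=krb5 or username=: /'
    printf '   2 HOST1$@EXAMPLE.COM\n' | keytab_lists 'HOST1$' && echo 'keytab: HOST1$ present'
    rm -rf "$d"
}
demo
```

On a real host, point the functions at the files under /etc/request-key.d, the autofs map, and the output of `klist -k /etc/krb5.keytab`.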


* Re: CIFS mounts become inaccessible with "Send error in SessSetup = -128"
       [not found]                     ` <1373919660.1668.13.camel-HkULYb+WTT7YCGPCin2YbQ@public.gmane.org>
@ 2013-07-15 20:35                       ` Doug Clow
  0 siblings, 0 replies; 7+ messages in thread
From: Doug Clow @ 2013-07-15 20:35 UTC (permalink / raw)
  To: steve; +Cc: linux-cifs

Hi Steve,

I guess my system is not behaving as it is supposed to.  Here is what I have in /etc/request-key.d/cifs.spnego.conf

create  cifs.spnego    * * /usr/sbin/cifs.upcall %k

However, I definitely must kinit -k and get a tgt in order to connect.  It doesn't seem to work automatically as you described.  That's not a problem, I can just kinit automatically.  But the problem I'm having is that without periodically accessing the share, CIFS stops being able to access the share and I get "Key has been revoked" and "CIFS VFS: cifs_mount failed w/return code = -128".  

So maybe the issue is related to what you say, CIFS is not doing the kinit/getting the service principal on its own except right when autofs is started.  It doesn't seem to renew its service principals.

Thanks,
Doug


