* cifs-utils VFS errors
@ 2013-05-27  9:02 steve
       [not found] ` <51A32117.5030908-dZ4O0aZtNmBWk0Htik3J/w@public.gmane.org>
  0 siblings, 1 reply; 15+ messages in thread
From: steve @ 2013-05-27  9:02 UTC (permalink / raw)
  To: linux-cifs-u79uwXL29TY76Z2rM5mHXA

Hi
I have an s3 fileserver joined to an s4 DC.
Here is smb.conf on the fileserver:
[global]
workgroup = HH3
realm = HH3.SITE
security = ADS
kerberos method = system keytab
winbind enum users = Yes
winbind enum groups = Yes
idmap config *:backend = tdb
idmap config *:range = 3000-4000
idmap config HH3:backend = ad
idmap config HH3:range = 20000-40000000
idmap config HH3:schema_mode = rfc2307
winbind nss info = rfc2307
winbind expand groups = 2
winbind nested groups = yes
winbind use default domain = Yes

[users]
path = /home/users
read only = No

getent passwd works fine and shows AD users. But cifs mount fails:
  sudo mount -t cifs //oliva/users --verbose /mnt -osec=krb5
mount.cifs kernel mount options: ip=127.0.0.1,unc=\\oliva
\users,sec=krb5,user=root,pass=********
mount error(13): Permission denied
Refer to the mount.cifs(8) manual page (e.g. man mount.cifs)

the log gives:
May 26 12:35:05 oliva cifs.upcall: key description:
cifs.spnego;0;0;39010000;ver=0x2;host=oliva;ip4=127.0.0.1;sec=krb5;uid=0x0;creduid=0x0;user=root;pid=0x6f3
May 26 12:35:05 oliva cifs.upcall: ver=2
May 26 12:35:05 oliva cifs.upcall: host=oliva
May 26 12:35:05 oliva cifs.upcall: ip=127.0.0.1
May 26 12:35:05 oliva cifs.upcall: sec=1
May 26 12:35:05 oliva cifs.upcall: uid=0
May 26 12:35:05 oliva cifs.upcall: creduid=0
May 26 12:35:05 oliva cifs.upcall: user=root
May 26 12:35:05 oliva cifs.upcall: pid=1779
May 26 12:35:05 oliva cifs.upcall: find_krb5_cc:
considering /tmp/krb5cc_0
May 26 12:35:05 oliva cifs.upcall: find_krb5_cc: FILE:/tmp/krb5cc_0 is
valid ccache
May 26 12:35:05 oliva cifs.upcall: handle_krb5_mech: getting service
ticket for oliva
May 26 12:35:05 oliva cifs.upcall: handle_krb5_mech: obtained service
ticket
May 26 12:35:05 oliva kernel: [  612.342045] Status code returned
0xc000006d NT_STATUS_LOGON_FAILURE
May 26 12:35:05 oliva kernel: [  612.342109] CIFS VFS: Send error in
SessSetup = -13
May 26 12:35:05 oliva kernel: [  612.343323] CIFS VFS: cifs_mount failed
w/return code = -13

smbd fails with this:
Maximum core file size limits now 16777216(soft) -1(hard)
smbd version 3.6.9 started.
Copyright Andrew Tridgell and the Samba Team 1992-2011
uid=0 gid=0 euid=0 egid=0
lp_load_ex: refreshing parameters
Initialising global parameters
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit
(16384)
params.c:pm_process() - Processing configuration file
"/etc/samba/smb.conf"
Processing section "[global]"
Registered MSG_REQ_POOL_USAGE
Registered MSG_REQ_DMALLOC_MARK and LOG_CHANGED
lp_load_ex: refreshing parameters
Initialising global parameters
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit
(16384)
params.c:pm_process() - Processing configuration file
"/etc/samba/smb.conf"
Processing section "[global]"
Processing section "[users]"
adding IPC service
added interface eth0 ip=fe80::a00:27ff:fe7c:2d50%eth0
bcast=fe80::ffff:ffff:ffff:ffff%eth0 netmask=ffff:ffff:ffff:ffff::
added interface eth0 ip=192.168.1.110 bcast=192.168.1.255
netmask=255.255.255.0
loaded services
Initialise the svcctl registry keys if needed.
Closed policy
Closed policy
Closed policy
Closed policy
Closed policy
Closed policy
Closed policy
Closed policy
Closed policy
Initialise the eventlog registry keys if needed.
Closed policy
get_dc_list: preferred server list: "hh16.hh3.site, *"
Successfully contacted LDAP server 192.168.1.16
get_dc_list: preferred server list: "hh16.hh3.site, *"
get_dc_list: preferred server list: "hh16.hh3.site, *"
Successfully contacted LDAP server 192.168.1.16
Connected to LDAP server hh16.hh3.site
ads_sasl_spnego_bind: got OID=1.2.840.48018.1.2.2
ads_sasl_spnego_bind: got OID=1.2.840.113554.1.2.2
ads_sasl_spnego_bind: got OID=1.3.6.1.4.1.311.2.2.10
ads_sasl_spnego_bind: got server principal name =
not_defined_in_RFC4178@please_ignore
ads_krb5_mk_req: krb5_cc_get_principal failed (No credentials cache
found)
ads_cleanup_expired_creds: Ticket in ccache[MEMORY:prtpub_cache]
expiration dom, 26 may 2013 22:46:04 CEST
ads_krb5_mk_req: server marked as OK to delegate to, building
forwardable TGT
reloading printcap cache
reload status: ok
waiting for connections
Unable to connect to CUPS server localhost:631 - Transport endpoint is
not connected
failed to retrieve printer list: NT_STATUS_UNSUCCESSFUL
Could not find child 1808 -- ignoring
Allowed connection from 127.0.0.1 (127.0.0.1)
init_oplocks: initializing messages.
Linux kernel oplocks enabled
Transaction 0 of length 82 (0 toread)
switch message SMBnegprot (pid 1807) conn 0x0
Requested protocol [LM1.2X002]
Requested protocol [LANMAN2.1]
Requested protocol [NT LM 0.12]
Requested protocol [POSIX 2]
using SPNEGO
Selected protocol NT LM 0.12
Transaction 1 of length 1450 (0 toread)
switch message SMBsesssetupX (pid 1807) conn 0x0
wct=12 flg2=0xd801
setup_new_vc_session: New VC == 0, if NT4.x compatible we would close
all old resources.
Doing spnego session setup
NativeOS=[Linux version 3.8.0-22-generic] NativeLanMan=[CIFS VFS Client
for Linux] PrimaryDomain=[]
reply_spnego_negotiate: Got secblob of size 1227
libads/kerberos_verify.c:267: krb5_rd_req_return_keyblock_from_keytab
succeeded for principal host/oliva.hh3.site-UiqEU/D402Y@public.gmane.org
Found account name from PAC: Administrator []
Kerberos ticket principal name is [Administrator-UiqEU/D402Y@public.gmane.org]
Username HH3\Administrator is invalid on this system
error packet at smbd/sesssetup.c(359) cmd=115 (SMBsesssetupX)
NT_STATUS_LOGON_FAILURE
Server exit (failed to receive smb request)

Anyone please? In particular, why ntlm authentication? Why is "Username
HH3\Administrator invalid on this system"? I've tried without "winbind use
default domain" but nada.

Cheers,
Steve

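The client side of the failure above is the cifs.spnego key description that the kernel hands to cifs.upcall (the "key description:" syslog line). The following parser is an added example for this thread, not cifs-utils code; it splits that line into its fields, decodes the hex integers (the page's pid=0x6f3 is the 1779 cifs.upcall prints on the next line) and reproduces the default credential-cache path cifs.upcall logged as "considering /tmp/krb5cc_0". The expected_ccache helper is a simplification labelled as such in the code: real cifs.upcall also honours KRB5CCNAME and krb5cc_<uid>_* caches.

```python
"""Parse the cifs.spnego key description that the kernel hands to cifs.upcall.

Added example for this thread; not part of cifs-utils. SAMPLE_KEY is copied
from the 'key description:' syslog line in the original post.
"""

SAMPLE_KEY = ("cifs.spnego;0;0;39010000;ver=0x2;host=oliva;ip4=127.0.0.1;"
              "sec=krb5;uid=0x0;creduid=0x0;user=root;pid=0x6f3")

# Fields that the kernel encodes as hex strings (0x6f3 == pid 1779).
HEX_FIELDS = ("ver", "uid", "creduid", "pid")


def parse_key_description(desc):
    """Split a cifs.spnego key description into a dict.

    Layout, as printed by keyctl_describe(): key type, then the key's own
    uid, gid and permission mask, then ';'-separated name=value pairs that
    describe the session-setup request (host, ip4, sec, uid, creduid, user,
    pid). Raises ValueError on anything that is not a cifs.spnego key.
    """
    fields = desc.split(";")
    if len(fields) < 5 or fields[0] != "cifs.spnego":
        raise ValueError("not a cifs.spnego key description: %r" % desc)
    parsed = {
        "type": fields[0],
        "key_uid": int(fields[1]),
        "key_gid": int(fields[2]),
        "key_perm": int(fields[3], 16),
    }
    for item in fields[4:]:
        if "=" not in item:
            raise ValueError("malformed field %r in key description" % item)
        name, value = item.split("=", 1)
        parsed[name] = int(value, 16) if name in HEX_FIELDS else value
    return parsed


def uses_kerberos(parsed):
    """True when the mount asked for sec=krb5 (the case in this thread)."""
    return parsed.get("sec") == "krb5"


def expected_ccache(parsed):
    """Default FILE: credential cache cifs.upcall considers for this request.

    Assumption (consistent with the thread's 'considering /tmp/krb5cc_0'):
    the cache belongs to creduid, which equals the mounting uid unless the
    caller overrode it, and MIT krb5's default cache is /tmp/krb5cc_<uid>.
    This helper shows only that default path; cifs.upcall's real search is
    wider (KRB5CCNAME, krb5cc_<uid>_* variants).
    """
    owner = parsed.get("creduid", parsed.get("uid"))
    if owner is None:
        raise ValueError("key description carries neither uid nor creduid")
    return "/tmp/krb5cc_%d" % owner


if __name__ == "__main__":
    key = parse_key_description(SAMPLE_KEY)
    print("host=%s sec=%s uid=%d pid=%d" % (key["host"], key["sec"],
                                            key["uid"], key["pid"]))
    print("default ccache:", expected_ccache(key))
```

Running it on the thread's key prints pid 1779 and /tmp/krb5cc_0, which matches the two cifs.upcall lines that follow in the log: the client side found a valid cache and obtained a service ticket, so the rejection has to be looked for on the server.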

* Re: cifs-utils VFS errors
       [not found] ` <51A32117.5030908-dZ4O0aZtNmBWk0Htik3J/w@public.gmane.org>
@ 2013-05-28 10:35   ` Jeff Layton
       [not found]     ` <20130528063525.1baeac8c-4QP7MXygkU+dMjc06nkz3ljfA9RmPOcC@public.gmane.org>
  0 siblings, 1 reply; 15+ messages in thread
From: Jeff Layton @ 2013-05-28 10:35 UTC (permalink / raw)
  To: steve; +Cc: linux-cifs-u79uwXL29TY76Z2rM5mHXA

On Mon, 27 May 2013 11:02:15 +0200
steve <steve-dZ4O0aZtNmBWk0Htik3J/w@public.gmane.org> wrote:

> Hi
> I have a s3 fileserver joined to a s4 DC
> Here is smb.conf on the fileserver:
> [global]
> workgroup = HH3
> realm = HH3.SITE
> security = ADS
> kerberos method = system keytab
> winbind enum users = Yes
> winbind enum groups = Yes
> idmap config *:backend = tdb
> idmap config *:range = 3000-4000
> idmap config HH3:backend = ad
> idmap config HH3:range = 20000-40000000
> idmap config HH3:schema_mode = rfc2307
> winbind nss info = rfc2307
> winbind expand groups = 2
> winbind nested groups = yes
> winbind use default domain = Yes
> 
> [users]
> path = /home/users
> read only = No
> 
> getent passwd works fine and shows AD users. But cifs mount fails:
>   sudo mount -t cifs //oliva/users --verbose /mnt -osec=krb5
> mount.cifs kernel mount options: ip=127.0.0.1,unc=\\oliva
> \users,sec=krb5,user=root,pass=********
> mount error(13): Permission denied
> Refer to the mount.cifs(8) manual page (e.g. man mount.cifs)
> 
> the log gives:
> May 26 12:35:05 oliva cifs.upcall: key description:
> cifs.spnego;0;0;39010000;ver=0x2;host=oliva;ip4=127.0.0.1;sec=krb5;uid=0x0;creduid=0x0;user=root;pid=0x6f3
> May 26 12:35:05 oliva cifs.upcall: ver=2
> May 26 12:35:05 oliva cifs.upcall: host=oliva
> May 26 12:35:05 oliva cifs.upcall: ip=127.0.0.1
> May 26 12:35:05 oliva cifs.upcall: sec=1
> May 26 12:35:05 oliva cifs.upcall: uid=0
> May 26 12:35:05 oliva cifs.upcall: creduid=0
> May 26 12:35:05 oliva cifs.upcall: user=root
> May 26 12:35:05 oliva cifs.upcall: pid=1779
> May 26 12:35:05 oliva cifs.upcall: find_krb5_cc:
> considering /tmp/krb5cc_0
> May 26 12:35:05 oliva cifs.upcall: find_krb5_cc: FILE:/tmp/krb5cc_0 is
> valid ccache
> May 26 12:35:05 oliva cifs.upcall: handle_krb5_mech: getting service
> ticket for oliva
> May 26 12:35:05 oliva cifs.upcall: handle_krb5_mech: obtained service
> ticket
> May 26 12:35:05 oliva kernel: [  612.342045] Status code returned
> 0xc000006d NT_STATUS_LOGON_FAILURE

Looks like the server doesn't like your ticket.

> May 26 12:35:05 oliva kernel: [  612.342109] CIFS VFS: Send error in
> SessSetup = -13
> May 26 12:35:05 oliva kernel: [  612.343323] CIFS VFS: cifs_mount failed
> w/return code = -13
> 
> smbd fails with this:
> Maximum core file size limits now 16777216(soft) -1(hard)
> smbd version 3.6.9 started.
> Copyright Andrew Tridgell and the Samba Team 1992-2011
> uid=0 gid=0 euid=0 egid=0
> lp_load_ex: refreshing parameters
> Initialising global parameters
> rlimit_max: increasing rlimit_max (1024) to minimum Windows limit
> (16384)
> params.c:pm_process() - Processing configuration file
> "/etc/samba/smb.conf"
> Processing section "[global]"
> Registered MSG_REQ_POOL_USAGE
> Registered MSG_REQ_DMALLOC_MARK and LOG_CHANGED
> lp_load_ex: refreshing parameters
> Initialising global parameters
> rlimit_max: increasing rlimit_max (1024) to minimum Windows limit
> (16384)
> params.c:pm_process() - Processing configuration file
> "/etc/samba/smb.conf"
> Processing section "[global]"
> Processing section "[users]"
> adding IPC service
> added interface eth0 ip=fe80::a00:27ff:fe7c:2d50%eth0
> bcast=fe80::ffff:ffff:ffff:ffff%eth0 netmask=ffff:ffff:ffff:ffff::
> added interface eth0 ip=192.168.1.110 bcast=192.168.1.255
> netmask=255.255.255.0
> loaded services
> Initialise the svcctl registry keys if needed.
> Closed policy
> Closed policy
> Closed policy
> Closed policy
> Closed policy
> Closed policy
> Closed policy
> Closed policy
> Closed policy
> Initialise the eventlog registry keys if needed.
> Closed policy
> get_dc_list: preferred server list: "hh16.hh3.site, *"
> Successfully contacted LDAP server 192.168.1.16
> get_dc_list: preferred server list: "hh16.hh3.site, *"
> get_dc_list: preferred server list: "hh16.hh3.site, *"
> Successfully contacted LDAP server 192.168.1.16
> Connected to LDAP server hh16.hh3.site
> ads_sasl_spnego_bind: got OID=1.2.840.48018.1.2.2
> ads_sasl_spnego_bind: got OID=1.2.840.113554.1.2.2
> ads_sasl_spnego_bind: got OID=1.3.6.1.4.1.311.2.2.10
> ads_sasl_spnego_bind: got server principal name =
> not_defined_in_RFC4178@please_ignore
> ads_krb5_mk_req: krb5_cc_get_principal failed (No credentials cache
> found)
> ads_cleanup_expired_creds: Ticket in ccache[MEMORY:prtpub_cache]
> expiration dom, 26 may 2013 22:46:04 CEST
> ads_krb5_mk_req: server marked as OK to delegate to, building
> forwardable TGT
> reloading printcap cache
> reload status: ok
> waiting for connections
> Unable to connect to CUPS server localhost:631 - Transport endpoint is
> not connected
> failed to retrieve printer list: NT_STATUS_UNSUCCESSFUL
> Could not find child 1808 -- ignoring
> Allowed connection from 127.0.0.1 (127.0.0.1)
> init_oplocks: initializing messages.
> Linux kernel oplocks enabled
> Transaction 0 of length 82 (0 toread)
> switch message SMBnegprot (pid 1807) conn 0x0
> Requested protocol [LM1.2X002]
> Requested protocol [LANMAN2.1]
> Requested protocol [NT LM 0.12]
> Requested protocol [POSIX 2]
> using SPNEGO
> Selected protocol NT LM 0.12
> Transaction 1 of length 1450 (0 toread)
> switch message SMBsesssetupX (pid 1807) conn 0x0
> wct=12 flg2=0xd801
> setup_new_vc_session: New VC == 0, if NT4.x compatible we would close
> all old resources.
> Doing spnego session setup
> NativeOS=[Linux version 3.8.0-22-generic] NativeLanMan=[CIFS VFS Client
> for Linux] PrimaryDomain=[]
> reply_spnego_negotiate: Got secblob of size 1227
> libads/kerberos_verify.c:267: krb5_rd_req_return_keyblock_from_keytab
> succeeded for principal host/oliva.hh3.site-UiqEU/D402Y@public.gmane.org
> Found account name from PAC: Administrator []
> Kerberos ticket principal name is [Administrator-UiqEU/D402Y@public.gmane.org]
> Username HH3\Administrator is invalid on this system
> error packet at smbd/sesssetup.c(359) cmd=115 (SMBsesssetupX)
> NT_STATUS_LOGON_FAILURE
> Server exit (failed to receive smb request)
> 
> Anyone please? In particular, why ntlm authentication? Why Username HH3
> \Administrator is invalid on this system? I've tried without winbind use
> default domain =  but nada.
> 

I'm not sure I understand the question about NTLM auth. It doesn't look
like it's being used here.

As far as why Administrator is being rejected, that's probably a better
question for one of the samba lists. If I had to guess though, maybe
Samba doesn't know how to map Administrator to a local unix user on the
server?

-- 
Jeff Layton <jlayton-eUNUBHrolfbYtjvyW6yDsg@public.gmane.org>

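Jeff's reading of the smbd log (Kerberos worked, the account could not be mapped to a Unix user) can be turned into a small triage routine. The code below is an added example for this thread, not Samba code. SAMPLE_IDMAP_FAILURE is built from the smbd lines in the original post, with the list-munged addresses replaced by the realm from the poster's smb.conf (HH3.SITE); SAMPLE_TICKET_FAILURE is a constructed variant in which smbd rejects the ticket itself, so the function distinguishes the two cases the thread is trying to tell apart.

```python
"""Triage an smbd session-setup excerpt: did Kerberos fail, or did the Unix
mapping of an already-authenticated account fail afterwards?

Added example for this thread, not Samba code.
"""
import re

# Lines from the original post's smbd log; realm restored to HH3.SITE.
SAMPLE_IDMAP_FAILURE = """\
reply_spnego_negotiate: Got secblob of size 1227
libads/kerberos_verify.c:267: krb5_rd_req_return_keyblock_from_keytab succeeded for principal host/oliva.hh3.site@HH3.SITE
Found account name from PAC: Administrator []
Kerberos ticket principal name is [Administrator@HH3.SITE]
Username HH3\\Administrator is invalid on this system
error packet at smbd/sesssetup.c(359) cmd=115 (SMBsesssetupX) NT_STATUS_LOGON_FAILURE
"""

# Constructed variant: the ticket is rejected before any PAC is read.
SAMPLE_TICKET_FAILURE = """\
reply_spnego_negotiate: Got secblob of size 1227
Failed to verify incoming ticket with error NT_STATUS_LOGON_FAILURE!
error packet at smbd/sesssetup.c(359) cmd=115 (SMBsesssetupX) NT_STATUS_LOGON_FAILURE
"""

TICKET_OK = re.compile(r"krb5_rd_req\w* succeeded for principal (\S+)")
TICKET_BAD = re.compile(r"Failed to verify incoming ticket")
PAC_NAME = re.compile(r"Found account name from PAC: (\S+)")
UNMAPPED = re.compile(r"Username (\S+) is invalid on this system")
STATUS = re.compile(r"(NT_STATUS_[A-Z_]+)")

HINTS = {
    "ticket": "smbd could not verify the service ticket against its keytab; "
              "check the server keytab and the SPN the client requested.",
    "idmap": "Kerberos authentication succeeded but the account has no Unix "
             "identity on the server; check 'getent passwd' / 'wbinfo -i' for "
             "the account and the idmap config for its domain.",
    "unknown": "session setup failed but no recognised cause line was seen.",
    "ok": "no session-setup failure in this excerpt.",
}


def triage_session_setup(log_text):
    """Scan smbd log lines and return what was reached plus a diagnosis code.

    diagnosis is 'ticket' (ticket rejected), 'idmap' (ticket accepted, user
    unmappable), 'unknown' (failure status, no recognised cause) or 'ok'.
    """
    result = {"ticket_verified": False, "ticket_rejected": False,
              "service_principal": None, "pac_account": None,
              "unmapped_user": None, "status": None}
    for line in log_text.splitlines():
        m = TICKET_OK.search(line)
        if m:
            result["ticket_verified"] = True
            result["service_principal"] = m.group(1)
        if TICKET_BAD.search(line):
            result["ticket_rejected"] = True
        m = PAC_NAME.search(line)
        if m:
            result["pac_account"] = m.group(1)
        m = UNMAPPED.search(line)
        if m:
            result["unmapped_user"] = m.group(1)
        m = STATUS.search(line)
        if m:
            result["status"] = m.group(1)   # keep the last status seen

    if result["unmapped_user"]:
        diagnosis = "idmap"
    elif result["ticket_rejected"]:
        diagnosis = "ticket"
    elif result["status"] and result["status"] != "NT_STATUS_OK":
        diagnosis = "unknown"
    else:
        diagnosis = "ok"
    result["diagnosis"] = diagnosis
    result["hint"] = HINTS[diagnosis]
    return result


if __name__ == "__main__":
    for name, sample in (("thread log", SAMPLE_IDMAP_FAILURE),
                         ("constructed ticket failure", SAMPLE_TICKET_FAILURE)):
        r = triage_session_setup(sample)
        print("%s: %s -> %s" % (name, r["diagnosis"], r["hint"]))
```

On the thread's log this reports "idmap": the server's keytab verified the ticket and the PAC named Administrator, so the NT_STATUS_LOGON_FAILURE is produced after authentication, when smbd fails to turn HH3\Administrator into a uid/gid. That is also why the client sees nothing more specific than EACCES (-13); the distinction only exists in the server log.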

* Re: cifs-utils VFS errors
       [not found]     ` <20130528063525.1baeac8c-4QP7MXygkU+dMjc06nkz3ljfA9RmPOcC@public.gmane.org>
@ 2013-05-28 12:39       ` steve
       [not found]         ` <1369744796.2769.8.camel-HkULYb+WTT7YCGPCin2YbQ@public.gmane.org>
  0 siblings, 1 reply; 15+ messages in thread
From: steve @ 2013-05-28 12:39 UTC (permalink / raw)
  To: Jeff Layton; +Cc: linux-cifs-u79uwXL29TY76Z2rM5mHXA

On Tue, 2013-05-28 at 06:35 -0400, Jeff Layton wrote:
> On Mon, 27 May 2013 11:02:15 +0200
> steve <steve-dZ4O0aZtNmBWk0Htik3J/w@public.gmane.org> wrote:
> 
> > Hi
> > I have a s3 fileserver joined to a s4 DC
> > Here is smb.conf on the fileserver:
> > [global]
> > workgroup = HH3
> > realm = HH3.SITE
> > security = ADS
> > kerberos method = system keytab
> > winbind enum users = Yes
> > winbind enum groups = Yes
> > idmap config *:backend = tdb
> > idmap config *:range = 3000-4000
> > idmap config HH3:backend = ad
> > idmap config HH3:range = 20000-40000000
> > idmap config HH3:schema_mode = rfc2307
> > winbind nss info = rfc2307
> > winbind expand groups = 2
> > winbind nested groups = yes
> > winbind use default domain = Yes
> > 
> > [users]
> > path = /home/users
> > read only = No
> > 
> > getent passwd works fine and shows AD users. But cifs mount fails:
> >   sudo mount -t cifs //oliva/users --verbose /mnt -osec=krb5
> > mount.cifs kernel mount options: ip=127.0.0.1,unc=\\oliva
> > \users,sec=krb5,user=root,pass=********
> > mount error(13): Permission denied
> > Refer to the mount.cifs(8) manual page (e.g. man mount.cifs)
> > 
> > the log gives:
> > May 26 12:35:05 oliva cifs.upcall: key description:
> > cifs.spnego;0;0;39010000;ver=0x2;host=oliva;ip4=127.0.0.1;sec=krb5;uid=0x0;creduid=0x0;user=root;pid=0x6f3
> > May 26 12:35:05 oliva cifs.upcall: ver=2
> > May 26 12:35:05 oliva cifs.upcall: host=oliva
> > May 26 12:35:05 oliva cifs.upcall: ip=127.0.0.1
> > May 26 12:35:05 oliva cifs.upcall: sec=1
> > May 26 12:35:05 oliva cifs.upcall: uid=0
> > May 26 12:35:05 oliva cifs.upcall: creduid=0
> > May 26 12:35:05 oliva cifs.upcall: user=root
> > May 26 12:35:05 oliva cifs.upcall: pid=1779
> > May 26 12:35:05 oliva cifs.upcall: find_krb5_cc:
> > considering /tmp/krb5cc_0
> > May 26 12:35:05 oliva cifs.upcall: find_krb5_cc: FILE:/tmp/krb5cc_0 is
> > valid ccache
> > May 26 12:35:05 oliva cifs.upcall: handle_krb5_mech: getting service
> > ticket for oliva
> > May 26 12:35:05 oliva cifs.upcall: handle_krb5_mech: obtained service
> > ticket
> > May 26 12:35:05 oliva kernel: [  612.342045] Status code returned
> > 0xc000006d NT_STATUS_LOGON_FAILURE
> 
> Looks like the server doesn't like your ticket.
> 
> > May 26 12:35:05 oliva kernel: [  612.342109] CIFS VFS: Send error in
> > SessSetup = -13
> > May 26 12:35:05 oliva kernel: [  612.343323] CIFS VFS: cifs_mount failed
> > w/return code = -13
> > 
> > smbd fails with this:
> > Maximum core file size limits now 16777216(soft) -1(hard)
> > smbd version 3.6.9 started.
> > Copyright Andrew Tridgell and the Samba Team 1992-2011
> > uid=0 gid=0 euid=0 egid=0
> > lp_load_ex: refreshing parameters
> > Initialising global parameters
> > rlimit_max: increasing rlimit_max (1024) to minimum Windows limit
> > (16384)
> > params.c:pm_process() - Processing configuration file
> > "/etc/samba/smb.conf"
> > Processing section "[global]"
> > Registered MSG_REQ_POOL_USAGE
> > Registered MSG_REQ_DMALLOC_MARK and LOG_CHANGED
> > lp_load_ex: refreshing parameters
> > Initialising global parameters
> > rlimit_max: increasing rlimit_max (1024) to minimum Windows limit
> > (16384)
> > params.c:pm_process() - Processing configuration file
> > "/etc/samba/smb.conf"
> > Processing section "[global]"
> > Processing section "[users]"
> > adding IPC service
> > added interface eth0 ip=fe80::a00:27ff:fe7c:2d50%eth0
> > bcast=fe80::ffff:ffff:ffff:ffff%eth0 netmask=ffff:ffff:ffff:ffff::
> > added interface eth0 ip=192.168.1.110 bcast=192.168.1.255
> > netmask=255.255.255.0
> > loaded services
> > Initialise the svcctl registry keys if needed.
> > Closed policy
> > Closed policy
> > Closed policy
> > Closed policy
> > Closed policy
> > Closed policy
> > Closed policy
> > Closed policy
> > Closed policy
> > Initialise the eventlog registry keys if needed.
> > Closed policy
> > get_dc_list: preferred server list: "hh16.hh3.site, *"
> > Successfully contacted LDAP server 192.168.1.16
> > get_dc_list: preferred server list: "hh16.hh3.site, *"
> > get_dc_list: preferred server list: "hh16.hh3.site, *"
> > Successfully contacted LDAP server 192.168.1.16
> > Connected to LDAP server hh16.hh3.site
> > ads_sasl_spnego_bind: got OID=1.2.840.48018.1.2.2
> > ads_sasl_spnego_bind: got OID=1.2.840.113554.1.2.2
> > ads_sasl_spnego_bind: got OID=1.3.6.1.4.1.311.2.2.10
> > ads_sasl_spnego_bind: got server principal name =
> > not_defined_in_RFC4178@please_ignore
> > ads_krb5_mk_req: krb5_cc_get_principal failed (No credentials cache
> > found)
> > ads_cleanup_expired_creds: Ticket in ccache[MEMORY:prtpub_cache]
> > expiration dom, 26 may 2013 22:46:04 CEST
> > ads_krb5_mk_req: server marked as OK to delegate to, building
> > forwardable TGT
> > reloading printcap cache
> > reload status: ok
> > waiting for connections
> > Unable to connect to CUPS server localhost:631 - Transport endpoint is
> > not connected
> > failed to retrieve printer list: NT_STATUS_UNSUCCESSFUL
> > Could not find child 1808 -- ignoring
> > Allowed connection from 127.0.0.1 (127.0.0.1)
> > init_oplocks: initializing messages.
> > Linux kernel oplocks enabled
> > Transaction 0 of length 82 (0 toread)
> > switch message SMBnegprot (pid 1807) conn 0x0
> > Requested protocol [LM1.2X002]
> > Requested protocol [LANMAN2.1]
> > Requested protocol [NT LM 0.12]
> > Requested protocol [POSIX 2]
> > using SPNEGO
> > Selected protocol NT LM 0.12
> > Transaction 1 of length 1450 (0 toread)
> > switch message SMBsesssetupX (pid 1807) conn 0x0
> > wct=12 flg2=0xd801
> > setup_new_vc_session: New VC == 0, if NT4.x compatible we would close
> > all old resources.
> > Doing spnego session setup
> > NativeOS=[Linux version 3.8.0-22-generic] NativeLanMan=[CIFS VFS Client
> > for Linux] PrimaryDomain=[]
> > reply_spnego_negotiate: Got secblob of size 1227
> > libads/kerberos_verify.c:267: krb5_rd_req_return_keyblock_from_keytab
> > succeeded for principal host/oliva.hh3.site-UiqEU/D402Y@public.gmane.org
> > Found account name from PAC: Administrator []
> > Kerberos ticket principal name is [Administrator-UiqEU/D402Y@public.gmane.org]
> > Username HH3\Administrator is invalid on this system
> > error packet at smbd/sesssetup.c(359) cmd=115 (SMBsesssetupX)
> > NT_STATUS_LOGON_FAILURE
> > Server exit (failed to receive smb request)
> > 
> > Anyone please? In particular, why ntlm authentication? Why Username HH3
> > \Administrator is invalid on this system? I've tried without winbind use
> > default domain =  but nada.
> > 
> 
> I'm not sure I understand the question about NTLM auth. It doesn't look
> like it's being used here.
> 
> As far as why Administrator is being rejected, that's probably a better
> question for one of the samba lists. If I had to guess though, maybe
> Samba doesn't know how to map Administrator to a local unix user on the
> server?
> 

Hi
Sorry if I'm a bit off topic, but I'm sure you're right about
Administrator being unknown to the filesystem.

How does this sound?
- I make a domain user called cifsuser with rfc2307 uidNumber and
gidNumber:
uid=3000025(cifsuser) gid=20513(Domain Users) groups=20513(Domain Users)

- I mount like this:
sudo kinit cifsuser
mount -t cifs //oliva/users /mnt -osec=krb5
(just tried it: fine)

- I stick cifsuser in the keytab and kinit -k it in a cron every few
hours or so to keep it alive.

Thanks so much for your time,
Steve

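Steve's fix works because cifsuser carries rfc2307 uidNumber/gidNumber values that fall inside the `idmap config HH3:range` from his smb.conf, whereas an account without those attributes cannot be mapped by the `ad` backend and is rejected exactly as Administrator was. The checker below is an added example for this thread, not Samba code: it reads the [global] section posted above, looks up the idmap settings for a domain and classifies an account by its attributes. The account values are the ones Steve reported (uid 3000025, gid 20513); the attribute-less account and the out-of-range uid are constructed cases.

```python
"""Check whether an AD account can be mapped under an smb.conf's idmap config.

Added example for this thread, not Samba code. SAMPLE_SMB_CONF is the
poster's [global] section; the accounts tested are the poster's cifsuser
plus constructed cases.
"""
import re

SAMPLE_SMB_CONF = """\
[global]
workgroup = HH3
realm = HH3.SITE
security = ADS
kerberos method = system keytab
idmap config *:backend = tdb
idmap config *:range = 3000-4000
idmap config HH3:backend = ad
idmap config HH3:range = 20000-40000000
idmap config HH3:schema_mode = rfc2307
winbind nss info = rfc2307
winbind use default domain = Yes

[users]
path = /home/users
read only = No
"""


def parse_smb_conf(text):
    """Minimal smb.conf reader: {section: {key: value}}.

    Keys and section names are lower-cased and stripped, since Samba treats
    parameter names case-insensitively. Comments (# or ;) are skipped.
    """
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            conf[section] = {}
            continue
        if "=" not in line or section is None:
            raise ValueError("unexpected smb.conf line: %r" % raw)
        key, value = (part.strip() for part in line.split("=", 1))
        conf[section][key.lower()] = value
    return conf


def idmap_setting(conf, domain, option):
    """Value of 'idmap config DOMAIN:option' from [global], or None."""
    key = "idmap config %s:%s" % (domain.lower(), option)
    return conf.get("global", {}).get(key)


def idmap_range(conf, domain):
    """(low, high) of the domain's idmap range, or None if not configured."""
    value = idmap_setting(conf, domain, "range")
    if value is None:
        return None
    low, high = (int(x) for x in re.split(r"\s*-\s*", value))
    return low, high


def check_account(conf, domain, uid_number, gid_number):
    """Classify how winbind would map an account from DOMAIN.

    'no_config'    - no idmap block for the domain
    'unmapped'     - backend 'ad' but the AD object lacks uidNumber/gidNumber,
                     so idmap_ad has nothing to map (the Administrator case)
    'out_of_range' - attributes present but outside the configured range
    'ok'           - attributes present and inside the range
    'allocated'    - a non-'ad' backend (e.g. tdb) assigns ids itself, so the
                     rfc2307 attributes are not consulted
    """
    backend = idmap_setting(conf, domain, "backend")
    rng = idmap_range(conf, domain)
    if backend is None or rng is None:
        return "no_config"
    if backend != "ad":
        return "allocated"
    if uid_number is None or gid_number is None:
        return "unmapped"
    low, high = rng
    if not (low <= uid_number <= high and low <= gid_number <= high):
        return "out_of_range"
    return "ok"


def overlapping_ranges(conf):
    """Pairs of idmap domains whose ranges overlap (a misconfiguration)."""
    pattern = re.compile(r"idmap config (.+):range$")
    ranges = {}
    for key in conf.get("global", {}):
        m = pattern.match(key)
        if m:
            ranges[m.group(1)] = idmap_range(conf, m.group(1))
    names = sorted(ranges)
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
            if ranges[a][0] <= ranges[b][1] and ranges[b][0] <= ranges[a][1]]


if __name__ == "__main__":
    conf = parse_smb_conf(SAMPLE_SMB_CONF)
    print("cifsuser:", check_account(conf, "HH3", 3000025, 20513))
    print("account without rfc2307 attrs:", check_account(conf, "HH3", None, None))
    print("overlapping ranges:", overlapping_ranges(conf))
```

The same check is worth running before relying on any account for a mount: an account that resolves through `getent passwd` on the file server is one the `ad` backend could map, and one that does not will fail the session setup with the same NT_STATUS_LOGON_FAILURE seen above however good its Kerberos ticket is.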

* Re: cifs-utils VFS errors
       [not found]         ` <1369744796.2769.8.camel-HkULYb+WTT7YCGPCin2YbQ@public.gmane.org>
@ 2013-05-28 13:01           ` Jeff Layton
       [not found]             ` <20130528090142.36d5076e-4QP7MXygkU+dMjc06nkz3ljfA9RmPOcC@public.gmane.org>
  0 siblings, 1 reply; 15+ messages in thread
From: Jeff Layton @ 2013-05-28 13:01 UTC (permalink / raw)
  To: steve; +Cc: linux-cifs-u79uwXL29TY76Z2rM5mHXA

On Tue, 28 May 2013 14:39:56 +0200
steve <steve-dZ4O0aZtNmBWk0Htik3J/w@public.gmane.org> wrote:

> On Tue, 2013-05-28 at 06:35 -0400, Jeff Layton wrote:
> > On Mon, 27 May 2013 11:02:15 +0200
> > steve <steve-dZ4O0aZtNmBWk0Htik3J/w@public.gmane.org> wrote:
> > 
> > > Hi
> > > I have a s3 fileserver joined to a s4 DC
> > > Here is smb.conf on the fileserver:
> > > [global]
> > > workgroup = HH3
> > > realm = HH3.SITE
> > > security = ADS
> > > kerberos method = system keytab
> > > winbind enum users = Yes
> > > winbind enum groups = Yes
> > > idmap config *:backend = tdb
> > > idmap config *:range = 3000-4000
> > > idmap config HH3:backend = ad
> > > idmap config HH3:range = 20000-40000000
> > > idmap config HH3:schema_mode = rfc2307
> > > winbind nss info = rfc2307
> > > winbind expand groups = 2
> > > winbind nested groups = yes
> > > winbind use default domain = Yes
> > > 
> > > [users]
> > > path = /home/users
> > > read only = No
> > > 
> > > getent passwd works fine and shows AD users. But cifs mount fails:
> > >   sudo mount -t cifs //oliva/users --verbose /mnt -osec=krb5
> > > mount.cifs kernel mount options: ip=127.0.0.1,unc=\\oliva
> > > \users,sec=krb5,user=root,pass=********
> > > mount error(13): Permission denied
> > > Refer to the mount.cifs(8) manual page (e.g. man mount.cifs)
> > > 
> > > the log gives:
> > > May 26 12:35:05 oliva cifs.upcall: key description:
> > > cifs.spnego;0;0;39010000;ver=0x2;host=oliva;ip4=127.0.0.1;sec=krb5;uid=0x0;creduid=0x0;user=root;pid=0x6f3
> > > May 26 12:35:05 oliva cifs.upcall: ver=2
> > > May 26 12:35:05 oliva cifs.upcall: host=oliva
> > > May 26 12:35:05 oliva cifs.upcall: ip=127.0.0.1
> > > May 26 12:35:05 oliva cifs.upcall: sec=1
> > > May 26 12:35:05 oliva cifs.upcall: uid=0
> > > May 26 12:35:05 oliva cifs.upcall: creduid=0
> > > May 26 12:35:05 oliva cifs.upcall: user=root
> > > May 26 12:35:05 oliva cifs.upcall: pid=1779
> > > May 26 12:35:05 oliva cifs.upcall: find_krb5_cc:
> > > considering /tmp/krb5cc_0
> > > May 26 12:35:05 oliva cifs.upcall: find_krb5_cc: FILE:/tmp/krb5cc_0 is
> > > valid ccache
> > > May 26 12:35:05 oliva cifs.upcall: handle_krb5_mech: getting service
> > > ticket for oliva
> > > May 26 12:35:05 oliva cifs.upcall: handle_krb5_mech: obtained service
> > > ticket
> > > May 26 12:35:05 oliva kernel: [  612.342045] Status code returned
> > > 0xc000006d NT_STATUS_LOGON_FAILURE
> > 
> > Looks like the server doesn't like your ticket.
> > 
> > > May 26 12:35:05 oliva kernel: [  612.342109] CIFS VFS: Send error in
> > > SessSetup = -13
> > > May 26 12:35:05 oliva kernel: [  612.343323] CIFS VFS: cifs_mount failed
> > > w/return code = -13
> > > 
> > > smbd fails with this:
> > > Maximum core file size limits now 16777216(soft) -1(hard)
> > > smbd version 3.6.9 started.
> > > Copyright Andrew Tridgell and the Samba Team 1992-2011
> > > uid=0 gid=0 euid=0 egid=0
> > > lp_load_ex: refreshing parameters
> > > Initialising global parameters
> > > rlimit_max: increasing rlimit_max (1024) to minimum Windows limit
> > > (16384)
> > > params.c:pm_process() - Processing configuration file
> > > "/etc/samba/smb.conf"
> > > Processing section "[global]"
> > > Registered MSG_REQ_POOL_USAGE
> > > Registered MSG_REQ_DMALLOC_MARK and LOG_CHANGED
> > > lp_load_ex: refreshing parameters
> > > Initialising global parameters
> > > rlimit_max: increasing rlimit_max (1024) to minimum Windows limit
> > > (16384)
> > > params.c:pm_process() - Processing configuration file
> > > "/etc/samba/smb.conf"
> > > Processing section "[global]"
> > > Processing section "[users]"
> > > adding IPC service
> > > added interface eth0 ip=fe80::a00:27ff:fe7c:2d50%eth0
> > > bcast=fe80::ffff:ffff:ffff:ffff%eth0 netmask=ffff:ffff:ffff:ffff::
> > > added interface eth0 ip=192.168.1.110 bcast=192.168.1.255
> > > netmask=255.255.255.0
> > > loaded services
> > > Initialise the svcctl registry keys if needed.
> > > Closed policy
> > > Closed policy
> > > Closed policy
> > > Closed policy
> > > Closed policy
> > > Closed policy
> > > Closed policy
> > > Closed policy
> > > Closed policy
> > > Initialise the eventlog registry keys if needed.
> > > Closed policy
> > > get_dc_list: preferred server list: "hh16.hh3.site, *"
> > > Successfully contacted LDAP server 192.168.1.16
> > > get_dc_list: preferred server list: "hh16.hh3.site, *"
> > > get_dc_list: preferred server list: "hh16.hh3.site, *"
> > > Successfully contacted LDAP server 192.168.1.16
> > > Connected to LDAP server hh16.hh3.site
> > > ads_sasl_spnego_bind: got OID=1.2.840.48018.1.2.2
> > > ads_sasl_spnego_bind: got OID=1.2.840.113554.1.2.2
> > > ads_sasl_spnego_bind: got OID=1.3.6.1.4.1.311.2.2.10
> > > ads_sasl_spnego_bind: got server principal name =
> > > not_defined_in_RFC4178@please_ignore
> > > ads_krb5_mk_req: krb5_cc_get_principal failed (No credentials cache
> > > found)
> > > ads_cleanup_expired_creds: Ticket in ccache[MEMORY:prtpub_cache]
> > > expiration dom, 26 may 2013 22:46:04 CEST
> > > ads_krb5_mk_req: server marked as OK to delegate to, building
> > > forwardable TGT
> > > reloading printcap cache
> > > reload status: ok
> > > waiting for connections
> > > Unable to connect to CUPS server localhost:631 - Transport endpoint is
> > > not connected
> > > failed to retrieve printer list: NT_STATUS_UNSUCCESSFUL
> > > Could not find child 1808 -- ignoring
> > > Allowed connection from 127.0.0.1 (127.0.0.1)
> > > init_oplocks: initializing messages.
> > > Linux kernel oplocks enabled
> > > Transaction 0 of length 82 (0 toread)
> > > switch message SMBnegprot (pid 1807) conn 0x0
> > > Requested protocol [LM1.2X002]
> > > Requested protocol [LANMAN2.1]
> > > Requested protocol [NT LM 0.12]
> > > Requested protocol [POSIX 2]
> > > using SPNEGO
> > > Selected protocol NT LM 0.12
> > > Transaction 1 of length 1450 (0 toread)
> > > switch message SMBsesssetupX (pid 1807) conn 0x0
> > > wct=12 flg2=0xd801
> > > setup_new_vc_session: New VC == 0, if NT4.x compatible we would close
> > > all old resources.
> > > Doing spnego session setup
> > > NativeOS=[Linux version 3.8.0-22-generic] NativeLanMan=[CIFS VFS Client
> > > for Linux] PrimaryDomain=[]
> > > reply_spnego_negotiate: Got secblob of size 1227
> > > libads/kerberos_verify.c:267: krb5_rd_req_return_keyblock_from_keytab
> > > succeeded for principal host/oliva.hh3.site-UiqEU/D402Y@public.gmane.org
> > > Found account name from PAC: Administrator []
> > > Kerberos ticket principal name is [Administrator-UiqEU/D402Y@public.gmane.org]
> > > Username HH3\Administrator is invalid on this system
> > > error packet at smbd/sesssetup.c(359) cmd=115 (SMBsesssetupX)
> > > NT_STATUS_LOGON_FAILURE
> > > Server exit (failed to receive smb request)
> > > 
> > > Anyone please? In particular, why ntlm authentication? Why Username HH3
> > > \Administrator is invalid on this system? I've tried without winbind use
> > > default domain =  but nada.
> > > 
> > 
> > I'm not sure I understand the question about NTLM auth. It doesn't look
> > like it's being used here.
> > 
> > As far as why Administrator is being rejected, that's probably a better
> > question for one of the samba lists. If I had to guess though, maybe
> > Samba doesn't know how to map Administrator to a local unix user on the
> > server?
> > 
> 
> Hi
> Sorry if I'm a bit off topic  but I'm sure you're right about
> Administrator being unknown to the filesystem.
> 
>  How does this sound?
> - I make a domain user called cifsuser with rfc2307 uidNumber and
> gidNumber:
> uid=3000025(cifsuser) gid=20513(Domain Users) groups=20513(Domain Users)
> 
> - I mount like this:
> sudo kinit cifsuser
> mount -t cifs //oliva/users /mnt -osec=krb5
> (just tried it: fine)
> 
> -I stick cifsuser in the keytab and kinit -k it in a cron every few
> hours or so to keep it alive.
> 
> Thanks so much for your time,
> Steve
> 

That sounds reasonable. Assuming that you don't actually do anything on
the mount as root, then you can give "cifsuser" very limited privileges
here too, essentially acting as a "squashed" user like under NFS.

Also, there's no need to do this crontab stuff either. If you mount
with "-o sec=krb5,username=cifsuser" then cifs.upcall will be able to
just use /etc/krb5.keytab without you needing to do anything special.

-- 
Jeff Layton <jlayton-eUNUBHrolfbYtjvyW6yDsg@public.gmane.org>


* Re: cifs-utils VFS errors
       [not found]             ` <20130528090142.36d5076e-4QP7MXygkU+dMjc06nkz3ljfA9RmPOcC@public.gmane.org>
@ 2013-05-28 13:42               ` steve
       [not found]                 ` <1369748536.4537.4.camel-HkULYb+WTT7YCGPCin2YbQ@public.gmane.org>
  2013-05-29 15:52               ` steve
  1 sibling, 1 reply; 15+ messages in thread
From: steve @ 2013-05-28 13:42 UTC (permalink / raw)
  To: Jeff Layton; +Cc: linux-cifs-u79uwXL29TY76Z2rM5mHXA

On Tue, 2013-05-28 at 09:01 -0400, Jeff Layton wrote:

> > 
> 
> That sounds reasonable. Assuming that you don't actually do anything on
> the mount as root, then you can give "cifsuser" very limited privileges
> here too, essentially acting as a "squashed" user like under NFS.
> 
> Also, there's no need to do this crontab stuff either. If you mount
> with "-o sec=krb5,username=cifsuser" then cifs.upcall will be able to
> just use /etc/krb5.keytab without you needing to do anything special.
> 

So cifsuser doesn't need loginShell, unixHomeDirectory or any of the
gecos stuff? I just tried with just posixAccount and uidNumber and
gidNumber. It works under test, but am I missing something? We just need
cifsuser to be able to mount the share. He'll never need to do anything
else.
Cheers


* Re: cifs-utils VFS errors
       [not found]                 ` <1369748536.4537.4.camel-HkULYb+WTT7YCGPCin2YbQ@public.gmane.org>
@ 2013-05-28 18:23                   ` Jeff Layton
  0 siblings, 0 replies; 15+ messages in thread
From: Jeff Layton @ 2013-05-28 18:23 UTC (permalink / raw)
  To: steve; +Cc: linux-cifs-u79uwXL29TY76Z2rM5mHXA

On Tue, 28 May 2013 15:42:16 +0200
steve <steve-dZ4O0aZtNmBWk0Htik3J/w@public.gmane.org> wrote:

> On Tue, 2013-05-28 at 09:01 -0400, Jeff Layton wrote:
> 
> > > 
> > 
> > That sounds reasonable. Assuming that you don't actually do anything on
> > the mount as root, then you can give "cifsuser" very limited privileges
> > here too, essentially acting as a "squashed" user like under NFS.
> > 
> > Also, there's no need to do this crontab stuff either. If you mount
> > with "-o sec=krb5,username=cifsuser" then cifs.upcall will be able to
> > just use /etc/krb5.keytab without you needing to do anything special.
> > 
> 
> So cifsuser doesn't need loginShell nor unixHomeDirectory or any of the
> gecos stuff? I just tried with just posixAccount and uidNumber and
> gidNumber. It works under test but am I missing something? We just need
> cifsuser to be able to mount the share. He'll never need to do anything
> else.
> Cheers
> 

Again, better question for the samba lists, but I'd assume that the
login shell and homedir don't matter since samba just needs to be able
to "become" that user when accessing files, not do a full login.

Note too that unless you add "-o multiuser" then all accesses to that
mount will be done with the credentials used to do the mount. Really,
with kerberos auth there's little reason to use single-user mounts.

-- 
Jeff Layton <jlayton-eUNUBHrolfbYtjvyW6yDsg@public.gmane.org>

^ permalink raw reply	[flat|nested] 15+ messages in thread

* Re: cifs-utils VFS errors
       [not found]             ` <20130528090142.36d5076e-4QP7MXygkU+dMjc06nkz3ljfA9RmPOcC@public.gmane.org>
  2013-05-28 13:42               ` steve
@ 2013-05-29 15:52               ` steve
       [not found]                 ` <1369842745.3123.9.camel-HkULYb+WTT7YCGPCin2YbQ@public.gmane.org>
  1 sibling, 1 reply; 15+ messages in thread
From: steve @ 2013-05-29 15:52 UTC (permalink / raw)
  To: Jeff Layton; +Cc: linux-cifs-u79uwXL29TY76Z2rM5mHXA

On Tue, 2013-05-28 at 09:01 -0400, Jeff Layton wrote:
> >  How does this sound?
> > - I make a domain user called cifsuser with rfc2307 uidNumber and
> > gidNumber:
> > uid=3000025(cifsuser) gid=20513(Domain Users) groups=20513(Domain Users)
> > 
> > - I mount like this:
> > sudo kinit cifsuser
> > mount -t cifs //oliva/users /mnt -osec=krb5
> > (just tried it: fine)
> > 
> > -I stick cifsuser in the keytab and kinit -k it in a cron every few
> > hours or so to keep it alive.
> > 
> > Thanks so much for your time,
> > Steve
> > 
> 
> That sounds reasonable. Assuming that you don't actually do anything on
> the mount as root, then you can give "cifsuser" very limited privileges
> here too, essentially acting as a "squashed" user like under NFS.
> 
> Also, there's no need to do this crontab stuff either. If you mount
> with "-o sec=krb5,username=cifsuser" then cifs.upcall will be able to
> just use /etc/krb5.keytab without you needing to do anything special.
> 


Hi
OK. Nearly done. I now have the automounter working:
/etc/auto.users
* -fstype=cifs,rw,sec=krb5,username=cifsuser,multiuser ://oliva/users/&

It works fine except I have 2 keytabs per client.
 /etc/krb5.keytab
produced by
 net ads join
It contains the host/client and MACHINE$ keys 
and 
 /etc/cifs.keytab
produced on the DC and copied to the clients, which contains the cifsuser
keys.

Question: will cifs only look in /etc/krb5.keytab? Can I get it to look
at /etc/cifs.keytab instead? OK, I can ktutil merge them but. . .

Thanks for your patience.

^ permalink raw reply	[flat|nested] 15+ messages in thread
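The two-keytab question above comes down to what a keytab file actually holds and whether two of them can simply be folded into one. As an added example (not code from this thread or from cifs-utils), here is a minimal Python reader, writer and merger for MIT keytabs in file format version 0x0502, plus a listing in the shape of `klist -ke` that also flags deprecated enctypes. The realm HH3.SITE and the principal names are taken from the thread; timestamps, kvnos and key bytes are constructed filler, not real keys.

```python
import struct
from dataclasses import dataclass

KEYTAB_MAGIC = b"\x05\x02"   # MIT keytab file format version 2
ENCTYPE_NAMES = {1: "des-cbc-crc", 3: "des-cbc-md5", 16: "des3-cbc-sha1",
                 17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96",
                 23: "arcfour-hmac"}
WEAK_ENCTYPES = {1, 3, 23}   # single DES and RC4-HMAC are deprecated (RFC 6649, RFC 8429)
KRB5_NT_PRINCIPAL, KRB5_NT_SRV_HST = 1, 3


@dataclass
class KeytabEntry:
    principal: str          # e.g. "cifsuser@HH3.SITE"
    name_type: int
    timestamp: int
    kvno: int
    enctype: int
    key: bytes


def _counted(data, off):
    """counted_octet_string: uint16 big-endian length, then the bytes."""
    (n,) = struct.unpack_from(">H", data, off)
    off += 2
    return data[off:off + n], off + n


def parse_keytab(data):
    """Decode every live entry of a version-2 keytab blob."""
    if data[:2] != KEYTAB_MAGIC:
        raise ValueError("not a version-2 MIT keytab")
    off, entries = 2, []
    while off + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size == 0:
            break
        if size < 0:                  # negative size marks a deleted slot
            off -= size
            continue
        end = off + size
        (ncomp,) = struct.unpack_from(">H", data, off)
        realm, off = _counted(data, off + 2)
        comps = []
        for _ in range(ncomp):
            comp, off = _counted(data, off)
            comps.append(comp.decode())
        name_type, timestamp, vno8 = struct.unpack_from(">IIB", data, off)
        enctype, klen = struct.unpack_from(">HH", data, off + 9)
        off += 13
        key = data[off:off + klen]
        off += klen
        kvno = vno8
        if end - off >= 4:            # optional 32-bit kvno wins when non-zero
            (vno32,) = struct.unpack_from(">I", data, off)
            kvno = vno32 or vno8
        entries.append(KeytabEntry("/".join(comps) + "@" + realm.decode(),
                                   name_type, timestamp, kvno, enctype, key))
        off = end
    return entries


def build_keytab(entries):
    """Encode entries into a version-2 keytab blob (inverse of parse_keytab)."""
    out = bytearray(KEYTAB_MAGIC)
    for e in entries:
        name, realm = e.principal.rsplit("@", 1)
        comps = name.split("/")
        body = bytearray(struct.pack(">H", len(comps)))
        body += struct.pack(">H", len(realm)) + realm.encode()
        for c in comps:
            body += struct.pack(">H", len(c)) + c.encode()
        body += struct.pack(">IIB", e.name_type, e.timestamp, e.kvno & 0xFF)
        body += struct.pack(">HH", e.enctype, len(e.key)) + e.key
        body += struct.pack(">I", e.kvno)
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


def merge_keytabs(*blobs):
    """What ktutil rkt/wkt achieves: every entry from every input in one
    keytab, with exact duplicates (principal, kvno, enctype) kept once."""
    seen, merged = set(), []
    for blob in blobs:
        for e in parse_keytab(blob):
            ident = (e.principal, e.kvno, e.enctype)
            if ident not in seen:
                seen.add(ident)
                merged.append(e)
    return build_keytab(merged)


def klist_ke(blob):
    """Lines in the shape of `klist -ke`, with deprecated enctypes flagged."""
    lines = []
    for e in parse_keytab(blob):
        flag = "  <-- deprecated enctype" if e.enctype in WEAK_ENCTYPES else ""
        name = ENCTYPE_NAMES.get(e.enctype, f"etype {e.enctype}")
        lines.append(f"{e.kvno:4d} {e.principal} ({name}){flag}")
    return lines


# Constructed stand-ins for the two files in the thread: /etc/krb5.keytab as
# written by `net ads join` (host/ and MACHINE$ keys) and /etc/cifs.keytab
# (the cifsuser key). Key bytes are filler, not real keys.
REALM = "HH3.SITE"
MACHINE_KEYTAB = build_keytab([
    KeytabEntry(f"host/oliva.hh3.site@{REALM}", KRB5_NT_SRV_HST, 1369000000, 2, 18, b"\x11" * 32),
    KeytabEntry(f"OLIVA$@{REALM}", KRB5_NT_PRINCIPAL, 1369000000, 2, 18, b"\x11" * 32),
])
CIFS_KEYTAB = build_keytab([
    KeytabEntry(f"cifsuser@{REALM}", KRB5_NT_PRINCIPAL, 1369000000, 1, 23, b"\x22" * 16),
])

if __name__ == "__main__":
    print("\n".join(klist_ke(merge_keytabs(MACHINE_KEYTAB, CIFS_KEYTAB))))
```

Run as a script it prints the merged listing; pointed at real files (`parse_keytab(open("/etc/krb5.keytab", "rb").read())`) it lists the same principals and enctypes `klist -ke` would. Whichever way the keytabs are combined, the resulting file holds long-term keys for every principal in it, so it needs the same root-only permissions as /etc/krb5.keytab.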

* Re: cifs-utils VFS errors
       [not found]                 ` <1369842745.3123.9.camel-HkULYb+WTT7YCGPCin2YbQ@public.gmane.org>
@ 2013-05-29 18:45                   ` Jeff Layton
       [not found]                     ` <20130529144555.595ee5a4-9yPaYZwiELC+kQycOl6kW4xkIHaj4LzF@public.gmane.org>
  0 siblings, 1 reply; 15+ messages in thread
From: Jeff Layton @ 2013-05-29 18:45 UTC (permalink / raw)
  To: steve; +Cc: linux-cifs-u79uwXL29TY76Z2rM5mHXA

On Wed, 29 May 2013 17:52:25 +0200
steve <steve-dZ4O0aZtNmBWk0Htik3J/w@public.gmane.org> wrote:

> On Tue, 2013-05-28 at 09:01 -0400, Jeff Layton wrote:
> > >  How does this sound?
> > > - I make a domain user called cifsuser with rfc2307 uidNumber and
> > > gidNumber:
> > > uid=3000025(cifsuser) gid=20513(Domain Users) groups=20513(Domain Users)
> > > 
> > > - I mount like this:
> > > sudo kinit cifsuser
> > > mount -t cifs //oliva/users /mnt -osec=krb5
> > > (just tried it: fine)
> > > 
> > > -I stick cifsuser in the keytab and kinit -k it in a cron every few
> > > hours or so to keep it alive.
> > > 
> > > Thanks so much for your time,
> > > Steve
> > > 
> > 
> > That sounds reasonable. Assuming that you don't actually do anything on
> > the mount as root, then you can give "cifsuser" very limited privileges
> > here too, essentially acting as a "squashed" user like under NFS.
> > 
> > Also, there's no need to do this crontab stuff either. If you mount
> > with "-o sec=krb5,username=cifsuser" then cifs.upcall will be able to
> > just use /etc/krb5.keytab without you needing to do anything special.
> > 
> 
> 
> Hi
> OK. Nearly done. I now have the automounter working:
> /etc/auto.users
> * -fstype=cifs,rw,sec=krb5,username=cifsuser,multiuser ://oliva/users/&
> 
> It works fine except I have 2 keytabs per client.
>  /etc/krb5.keytab
> produced by
>  net ads join
> It contains the host/client and MACHINE$ keys 
> and 
>  /etc/cifs.keytab
> produced the DC and copied to the clients which contains the cifsuser
> keys.
> 
> Question: will cifs only look in /etc/krb5.keytab? Can I get it to look
> at /etc/cifs.keytab instead? OK, I can ktutil merge them but. . .
> 
> Thanks for your patience.
> 
> 

Yes, it currently only looks at /etc/krb5.keytab. It probably wouldn't
be very hard to add a new command-line option to give it an alternate
one if that helps.

I do have a question here though. Why are you bothering with the
automounter at all? Why not instead just mount //oliva/users via fstab
at the point where auto.users is currently mounted?

That should give you the same effect with a much smaller mount table
and no automounter overhead. Something like this in /etc/fstab ought to
do it:

    //oliva/users  /path/to/top/of/users/dir   cifs  sec=krb5,username=cifsuser,multiuser 0 0

-- 
Jeff Layton <jlayton-eUNUBHrolfbYtjvyW6yDsg@public.gmane.org>

^ permalink raw reply	[flat|nested] 15+ messages in thread

* Re: cifs-utils VFS errors
       [not found]                     ` <20130529144555.595ee5a4-9yPaYZwiELC+kQycOl6kW4xkIHaj4LzF@public.gmane.org>
@ 2013-05-29 20:40                       ` steve
       [not found]                         ` <1369860007.2278.19.camel-HkULYb+WTT7YCGPCin2YbQ@public.gmane.org>
  0 siblings, 1 reply; 15+ messages in thread
From: steve @ 2013-05-29 20:40 UTC (permalink / raw)
  To: Jeff Layton; +Cc: linux-cifs-u79uwXL29TY76Z2rM5mHXA

On Wed, 2013-05-29 at 14:45 -0400, Jeff Layton wrote:
> On Wed, 29 May 2013 17:52:25 +0200
> steve <steve-dZ4O0aZtNmBWk0Htik3J/w@public.gmane.org> wrote:
> 
> > On Tue, 2013-05-28 at 09:01 -0400, Jeff Layton wrote:
> > > >  How does this sound?
> > > > - I make a domain user called cifsuser with rfc2307 uidNumber and
> > > > gidNumber:
> > > > uid=3000025(cifsuser) gid=20513(Domain Users) groups=20513(Domain Users)
> > > > 
> > > > - I mount like this:
> > > > sudo kinit cifsuser
> > > > mount -t cifs //oliva/users /mnt -osec=krb5
> > > > (just tried it: fine)
> > > > 
> > > > -I stick cifsuser in the keytab and kinit -k it in a cron every few
> > > > hours or so to keep it alive.
> > > > 
> > > > Thanks so much for your time,
> > > > Steve
> > > > 
> > > 
> > > That sounds reasonable. Assuming that you don't actually do anything on
> > > the mount as root, then you can give "cifsuser" very limited privileges
> > > here too, essentially acting as a "squashed" user like under NFS.
> > > 
> > > Also, there's no need to do this crontab stuff either. If you mount
> > > with "-o sec=krb5,username=cifsuser" then cifs.upcall will be able to
> > > just use /etc/krb5.keytab without you needing to do anything special.
> > > 
> > 
> > 
> > Hi
> > OK. Nearly done. I now have the automounter working:
> > /etc/auto.users
> > * -fstype=cifs,rw,sec=krb5,username=cifsuser,multiuser ://oliva/users/&
> > 
> > It works fine except I have 2 keytabs per client.
> >  /etc/krb5.keytab
> > produced by
> >  net ads join
> > It contains the host/client and MACHINE$ keys 
> > and 
> >  /etc/cifs.keytab
> > produced the DC and copied to the clients which contains the cifsuser
> > keys.
> > 
> > Question: will cifs only look in /etc/krb5.keytab? Can I get it to look
> > at /etc/cifs.keytab instead? OK, I can ktutil merge them but. . .
> > 
> > Thanks for your patience.
> > 
> > 
> 
> Yes, it currently only looks at /etc/krb5.keytab. It probably wouldn't
> be very hard to add a new command-line option to give it an alternate
> one if that helps.
> 
> I do have a question here though. Why are you bothering with the
> automounter at all? Why not instead just mount //oliva/users via fstab
> at the point where auto.users is currently mounted?
> 
> That should give you the same effect with a much smaller mount table
> and no automounter overhead. Something like this in /etc/fstab ought to
> do it:
> 
>     //oliva/users  /path/to/top/of/users/dir   cifs  sec=krb5,username=cifsuser,multiuser 0 0
> 
Hi
Without the automounter, the fileserver grinds to a halt after around 20
users connect. A lot of our hardware is around 10 years old.

Adding an option to select a different keytab for mount.cifs would be
great. e.g. a bit like the -t in:
 kinit -k cifsuser -t /etc/cifs.keytab

^ permalink raw reply	[flat|nested] 15+ messages in thread

* Re: cifs-utils VFS errors
       [not found]                         ` <1369860007.2278.19.camel-HkULYb+WTT7YCGPCin2YbQ@public.gmane.org>
@ 2013-06-08 13:08                           ` Jeff Layton
       [not found]                             ` <20130608090820.1f3bb0e2-9yPaYZwiELC+kQycOl6kW4xkIHaj4LzF@public.gmane.org>
  0 siblings, 1 reply; 15+ messages in thread
From: Jeff Layton @ 2013-06-08 13:08 UTC (permalink / raw)
  To: steve; +Cc: linux-cifs-u79uwXL29TY76Z2rM5mHXA

On Wed, 29 May 2013 22:40:07 +0200
steve <steve-dZ4O0aZtNmBWk0Htik3J/w@public.gmane.org> wrote:

> On Wed, 2013-05-29 at 14:45 -0400, Jeff Layton wrote:
> > On Wed, 29 May 2013 17:52:25 +0200
> > steve <steve-dZ4O0aZtNmBWk0Htik3J/w@public.gmane.org> wrote:
> > 
> > > On Tue, 2013-05-28 at 09:01 -0400, Jeff Layton wrote:
> > > > >  How does this sound?
> > > > > - I make a domain user called cifsuser with rfc2307 uidNumber and
> > > > > gidNumber:
> > > > > uid=3000025(cifsuser) gid=20513(Domain Users) groups=20513(Domain Users)
> > > > > 
> > > > > - I mount like this:
> > > > > sudo kinit cifsuser
> > > > > mount -t cifs //oliva/users /mnt -osec=krb5
> > > > > (just tried it: fine)
> > > > > 
> > > > > -I stick cifsuser in the keytab and kinit -k it in a cron every few
> > > > > hours or so to keep it alive.
> > > > > 
> > > > > Thanks so much for your time,
> > > > > Steve
> > > > > 
> > > > 
> > > > That sounds reasonable. Assuming that you don't actually do anything on
> > > > the mount as root, then you can give "cifsuser" very limited privileges
> > > > here too, essentially acting as a "squashed" user like under NFS.
> > > > 
> > > > Also, there's no need to do this crontab stuff either. If you mount
> > > > with "-o sec=krb5,username=cifsuser" then cifs.upcall will be able to
> > > > just use /etc/krb5.keytab without you needing to do anything special.
> > > > 
> > > 
> > > 
> > > Hi
> > > OK. Nearly done. I now have the automounter working:
> > > /etc/auto.users
> > > * -fstype=cifs,rw,sec=krb5,username=cifsuser,multiuser ://oliva/users/&
> > > 
> > > It works fine except I have 2 keytabs per client.
> > >  /etc/krb5.keytab
> > > produced by
> > >  net ads join
> > > It contains the host/client and MACHINE$ keys 
> > > and 
> > >  /etc/cifs.keytab
> > > produced the DC and copied to the clients which contains the cifsuser
> > > keys.
> > > 
> > > Question: will cifs only look in /etc/krb5.keytab? Can I get it to look
> > > at /etc/cifs.keytab instead? OK, I can ktutil merge them but. . .
> > > 
> > > Thanks for your patience.
> > > 
> > > 
> > 
> > Yes, it currently only looks at /etc/krb5.keytab. It probably wouldn't
> > be very hard to add a new command-line option to give it an alternate
> > one if that helps.
> > 
> > I do have a question here though. Why are you bothering with the
> > automounter at all? Why not instead just mount //oliva/users via fstab
> > at the point where auto.users is currently mounted?
> > 
> > That should give you the same effect with a much smaller mount table
> > and no automounter overhead. Something like this in /etc/fstab ought to
> > do it:
> > 
> >     //oliva/users  /path/to/top/of/users/dir   cifs  sec=krb5,username=cifsuser,multiuser 0 0
> > 
> Hi
> Without the automounter, the fileserver grinds to a halt after around 20
> users connect. A lot of our hardware is around 10 years old.
> 

None of that should matter. The cifs client aggressively shares
connections, so the server should see little difference either way in
how the network traffic looks whether you have multiple mounts like
this or a single multiuser mount.

The only thing I can think of that would be different would be that the
automounter might umount on a shorter schedule, and hence you might end
up with fewer SMB sessions to the server. If that's the case though,
then you're likely to see the same problems with the autofs setup
eventually. You just need a particularly busy period of the machine...

In any case, if you're seeing your server grind to a halt, then I think
you'd be well-advised to try to figure out why that is. autofs
shouldn't really be fixing anything here.

> Adding an option to select a different keytab for mount.cifs would be
> great. e.g. a bit like the -t in:
>  kinit -k cifsuser -t /etc/cifs.keytab
> 

Adding such an option is reasonably trivial. Does the following patch
work for you? If it does, it'll need a manpage update too.

--------------------[snip]----------------------

[PATCH] cifs.upcall: allow users to specify dedicated keytab on command-line

Currently cifs.upcall only looks at the default system keytab
(/etc/krb5.keytab). It's often the case however that a dedicated keytab
is desirable. Allow users to set one on the command-line.

Signed-off-by: Jeff Layton <jlayton-eUNUBHrolfbYtjvyW6yDsg@public.gmane.org>
---
 cifs.upcall.c | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/cifs.upcall.c b/cifs.upcall.c
index 6c0b9de..5a6c7d7 100644
--- a/cifs.upcall.c
+++ b/cifs.upcall.c
@@ -805,13 +805,14 @@ lowercase_string(char *c)
 
 static void usage(void)
 {
-	fprintf(stderr, "Usage: %s [-k /path/to/krb5.conf] [-t] [-v] [-l] key_serial\n", prog);
+	fprintf(stderr, "Usage: %s [ -d /path/to/keytab] [-k /path/to/krb5.conf] [-t] [-v] [-l] key_serial\n", prog);
 }
 
 const struct option long_options[] = {
 	{"krb5conf", 1, NULL, 'k'},
 	{"legacy-uid", 0, NULL, 'l'},
 	{"trust-dns", 0, NULL, 't'},
+	{"dedicated-keytab", 1, NULL, 'd'},
 	{"version", 0, NULL, 'v'},
 	{NULL, 0, NULL, 0}
 };
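Review bot: the usage string has a stray space in `[ -d /path/to/keytab]` where every other option reads `[-k ...]`; make it `[-d /path/to/keytab]`. The long form `--dedicated-keytab` added to long_options is not visible to a user anywhere, so the manpage update the cover text promises should list both spellings and say that the option belongs on the cifs.spnego callout line in /etc/request-key.conf, since cifs.upcall is executed by request-key rather than by mount.cifs.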
@@ -839,11 +840,14 @@ int main(const int argc, char *const argv[])
 
 	openlog(prog, 0, LOG_DAEMON);
 
-	while ((c = getopt_long(argc, argv, "ck:ltv", long_options, NULL)) != -1) {
+	while ((c = getopt_long(argc, argv, "cd:k:ltv", long_options, NULL)) != -1) {
 		switch (c) {
 		case 'c':
 			/* legacy option -- skip it */
 			break;
+		case 'd':
+			keytab_name = optarg;
+			break;
 		case 't':
 			try_dns++;
 			break;
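Review bot: `case 'd'` stores optarg into keytab_name with no validation, and this patch does not declare keytab_name, so it must already exist; confirm it is the variable later handed to the krb5 keytab call and that its default still selects /etc/krb5.keytab when -d is absent. Because cifs.upcall is started by request-key as root, with a working directory the administrator does not set, a relative or empty path here resolves against the wrong directory and only surfaces as a failed mount; reject anything that is not an absolute path (`if (!optarg || *optarg != '/')`) the same way an unknown option is handled, and log the chosen keytab at the existing verbose level so a typo in request-key.conf shows up in syslog.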
-- 
1.8.1.4

-- 
Jeff Layton <jlayton-eUNUBHrolfbYtjvyW6yDsg@public.gmane.org>

^ permalink raw reply related	[flat|nested] 15+ messages in thread

* Re: cifs-utils VFS errors
       [not found]                             ` <20130608090820.1f3bb0e2-9yPaYZwiELC+kQycOl6kW4xkIHaj4LzF@public.gmane.org>
@ 2013-06-08 14:28                               ` steve
       [not found]                                 ` <1370701706.6104.3.camel-HkULYb+WTT7YCGPCin2YbQ@public.gmane.org>
  0 siblings, 1 reply; 15+ messages in thread
From: steve @ 2013-06-08 14:28 UTC (permalink / raw)
  To: Jeff Layton; +Cc: linux-cifs-u79uwXL29TY76Z2rM5mHXA

On Sat, 2013-06-08 at 09:08 -0400, Jeff Layton wrote:
> On Wed, 29 May 2013 22:40:07 +0200
> steve <steve-dZ4O0aZtNmBWk0Htik3J/w@public.gmane.org> wrote:
> 
> > On Wed, 2013-05-29 at 14:45 -0400, Jeff Layton wrote:
> > > On Wed, 29 May 2013 17:52:25 +0200
> > > steve <steve-dZ4O0aZtNmBWk0Htik3J/w@public.gmane.org> wrote:
> > > 
> > > > On Tue, 2013-05-28 at 09:01 -0400, Jeff Layton wrote:
> > > > > >  How does this sound?
> > > > > > - I make a domain user called cifsuser with rfc2307 uidNumber and
> > > > > > gidNumber:
> > > > > > uid=3000025(cifsuser) gid=20513(Domain Users) groups=20513(Domain Users)
> > > > > > 
> > > > > > - I mount like this:
> > > > > > sudo kinit cifsuser
> > > > > > mount -t cifs //oliva/users /mnt -osec=krb5
> > > > > > (just tried it: fine)
> > > > > > 
> > > > > > -I stick cifsuser in the keytab and kinit -k it in a cron every few
> > > > > > hours or so to keep it alive.
> > > > > > 
> > > > > > Thanks so much for your time,
> > > > > > Steve
> > > > > > 
> > > > > 
> > > > > That sounds reasonable. Assuming that you don't actually do anything on
> > > > > the mount as root, then you can give "cifsuser" very limited privileges
> > > > > here too, essentially acting as a "squashed" user like under NFS.
> > > > > 
> > > > > Also, there's no need to do this crontab stuff either. If you mount
> > > > > with "-o sec=krb5,username=cifsuser" then cifs.upcall will be able to
> > > > > just use /etc/krb5.keytab without you needing to do anything special.
> > > > > 
> > > > 
> > > > 
> > > > Hi
> > > > OK. Nearly done. I now have the automounter working:
> > > > /etc/auto.users
> > > > * -fstype=cifs,rw,sec=krb5,username=cifsuser,multiuser ://oliva/users/&
> > > > 
> > > > It works fine except I have 2 keytabs per client.
> > > >  /etc/krb5.keytab
> > > > produced by
> > > >  net ads join
> > > > It contains the host/client and MACHINE$ keys 
> > > > and 
> > > >  /etc/cifs.keytab
> > > > produced the DC and copied to the clients which contains the cifsuser
> > > > keys.
> > > > 
> > > > Question: will cifs only look in /etc/krb5.keytab? Can I get it to look
> > > > at /etc/cifs.keytab instead? OK, I can ktutil merge them but. . .
> > > > 
> > > > Thanks for your patience.
> > > > 
> > > > 
> > > 
> > > Yes, it currently only looks at /etc/krb5.keytab. It probably wouldn't
> > > be very hard to add a new command-line option to give it an alternate
> > > one if that helps.
> > > 
> > > I do have a question here though. Why are you bothering with the
> > > automounter at all? Why not instead just mount //oliva/users via fstab
> > > at the point where auto.users is currently mounted?
> > > 
> > > That should give you the same effect with a much smaller mount table
> > > and no automounter overhead. Something like this in /etc/fstab ought to
> > > do it:
> > > 
> > >     //oliva/users  /path/to/top/of/users/dir   cifs  sec=krb5,username=cifsuser,multiuser 0 0
> > > 
> > Hi
> > Without the automounter, the fileserver grinds to a halt after around 20
> > users connect. A lot of our hardware is around 10 years old.
> > 
> 
> None of that should matter. The cifs client aggressively shares
> connections, so the server should see little difference either way in
> how the network traffic looks whether you have multiple mounts like
> this or a single multiuser mount.
> 
> The only thing I can think of that would be different would be that the
> automounter might umount on a shorter schedule, and hence you might end
> up with fewer SMB sessions to the server. If that's the case though,
> then you're likely to see the same problems with the autofs setup
> eventually. You just need a particularly busy period of the machine...
> 
> In any case, if you're seeing your server grind to a halt, then I think
> you'd be well-advised to try to figure out why that is. autofs
> shouldn't really be fixing anything here.
> 
> > Adding an option to select a different keytab for mount.cifs would be
> > great. e.g. a bit like the -t in:
> >  kinit -k cifsuser -t /etc/cifs.keytab
> > 
> 
> Adding such an option is reasonably trivial. Does the following patch
> work for you? If it does, it'll need a manpage update too.
> 
> --------------------[snip]----------------------
> 
> [PATCH] cifs.upcall: allow users to specify dedicated keytab on command-line
> 
> Currently cifs.upcall only looks at the default system keytab
> (/etc/krb5.keytab). It's often the case however that a dedicated keytab
> is desirable. Allow users to set one on the command-line.
> 
> Signed-off-by: Jeff Layton <jlayton-eUNUBHrolfbYtjvyW6yDsg@public.gmane.org>
> ---
>  cifs.upcall.c | 8 ++++++--
>  1 file changed, 6 insertions(+), 2 deletions(-)
> 
> diff --git a/cifs.upcall.c b/cifs.upcall.c
> index 6c0b9de..5a6c7d7 100644
> --- a/cifs.upcall.c
> +++ b/cifs.upcall.c
> @@ -805,13 +805,14 @@ lowercase_string(char *c)
>  
>  static void usage(void)
>  {
> -	fprintf(stderr, "Usage: %s [-k /path/to/krb5.conf] [-t] [-v] [-l] key_serial\n", prog);
> +	fprintf(stderr, "Usage: %s [ -d /path/to/keytab] [-k /path/to/krb5.conf] [-t] [-v] [-l] key_serial\n", prog);
>  }
>  
>  const struct option long_options[] = {
>  	{"krb5conf", 1, NULL, 'k'},
>  	{"legacy-uid", 0, NULL, 'l'},
>  	{"trust-dns", 0, NULL, 't'},
> +	{"dedicated-keytab", 1, NULL, 'd'},
>  	{"version", 0, NULL, 'v'},
>  	{NULL, 0, NULL, 0}
>  };
> @@ -839,11 +840,14 @@ int main(const int argc, char *const argv[])
>  
>  	openlog(prog, 0, LOG_DAEMON);
>  
> -	while ((c = getopt_long(argc, argv, "ck:ltv", long_options, NULL)) != -1) {
> +	while ((c = getopt_long(argc, argv, "cd:k:ltv", long_options, NULL)) != -1) {
>  		switch (c) {
>  		case 'c':
>  			/* legacy option -- skip it */
>  			break;
> +		case 'd':
> +			keytab_name = optarg;
> +			break;
>  		case 't':
>  			try_dns++;
>  			break;
> -- 
> 1.8.1.4
> 

Hi
Brilliant.
I applied the patch; well, I edited cifs.upcall.c with the -'s and +'s
at least. I then ran make clean, build and make install. I now have:
 cifs.upcall
Usage: cifs.upcall [ -d /path/to/keytab] [-k /path/to/krb5.conf] [-t]
[-v] [-l] key_serial

Looks good. Where do I put the -d in:
 mount -t cifs //altea/users /mnt -osec=krb5,multiuser,username=cifsuser
or don't I?
Cheers,
Steve

^ permalink raw reply	[flat|nested] 15+ messages in thread

* Re: cifs-utils VFS errors
       [not found]                                 ` <1370701706.6104.3.camel-HkULYb+WTT7YCGPCin2YbQ@public.gmane.org>
@ 2013-06-08 14:49                                   ` steve
       [not found]                                     ` <1370702975.6763.1.camel-HkULYb+WTT7YCGPCin2YbQ@public.gmane.org>
  0 siblings, 1 reply; 15+ messages in thread
From: steve @ 2013-06-08 14:49 UTC (permalink / raw)
  To: Jeff Layton; +Cc: linux-cifs-u79uwXL29TY76Z2rM5mHXA

On Sat, 2013-06-08 at 16:28 +0200, steve wrote:
> On Sat, 2013-06-08 at 09:08 -0400, Jeff Layton wrote:
> >  cifs.upcall.c | 8 ++++++--
> >  1 file changed, 6 insertions(+), 2 deletions(-)
> > 
> > diff --git a/cifs.upcall.c b/cifs.upcall.c
> > index 6c0b9de..5a6c7d7 100644
> > --- a/cifs.upcall.c
> > +++ b/cifs.upcall.c
> > @@ -805,13 +805,14 @@ lowercase_string(char *c)
> >  
> >  static void usage(void)
> >  {
> > -	fprintf(stderr, "Usage: %s [-k /path/to/krb5.conf] [-t] [-v] [-l] key_serial\n", prog);
> > +	fprintf(stderr, "Usage: %s [ -d /path/to/keytab] [-k /path/to/krb5.conf] [-t] [-v] [-l] key_serial\n", prog);
> >  }
> >  
> >  const struct option long_options[] = {
> >  	{"krb5conf", 1, NULL, 'k'},
> >  	{"legacy-uid", 0, NULL, 'l'},
> >  	{"trust-dns", 0, NULL, 't'},
> > +	{"dedicated-keytab", 1, NULL, 'd'},
> >  	{"version", 0, NULL, 'v'},
> >  	{NULL, 0, NULL, 0}
> >  };
> > @@ -839,11 +840,14 @@ int main(const int argc, char *const argv[])
> >  
> >  	openlog(prog, 0, LOG_DAEMON);
> >  
> > -	while ((c = getopt_long(argc, argv, "ck:ltv", long_options, NULL)) != -1) {
> > +	while ((c = getopt_long(argc, argv, "cd:k:ltv", long_options, NULL)) != -1) {
> >  		switch (c) {
> >  		case 'c':
> >  			/* legacy option -- skip it */
> >  			break;
> > +		case 'd':
> > +			keytab_name = optarg;
> > +			break;
> >  		case 't':
> >  			try_dns++;
> >  			break;
> > -- 
> > 1.8.1.4
> > 
> 
> Hi
> Brilliant.
> I applied the patch, well, I edited cifs.upcall.c with the -'s and +'s
> at least. I then, make clean, build and make install. I now have:
>  cifs.upcall
> Usage: cifs.upcall [ -d /path/to/keytab] [-k /path/to/krb5.conf] [-t]
> [-v] [-l] key_serial
> 
> Looks good. Where do I put the -d in:
>  mount -t cifs //altea/users /mnt -osec=krb5,multiuser,username=cifsuser
> or don't I?
> Cheers,
> Steve

Here is /etc/request-key.conf:

create	cifs.spnego	*	*		/usr/sbin/cifs.upcall -c %k

^ permalink raw reply	[flat|nested] 15+ messages in thread

* Re: cifs-utils VFS errors
       [not found]                                     ` <1370702975.6763.1.camel-HkULYb+WTT7YCGPCin2YbQ@public.gmane.org>
@ 2013-06-09  0:23                                       ` Jeff Layton
       [not found]                                         ` <20130608202342.6e191950-4QP7MXygkU+dMjc06nkz3ljfA9RmPOcC@public.gmane.org>
  0 siblings, 1 reply; 15+ messages in thread
From: Jeff Layton @ 2013-06-09  0:23 UTC (permalink / raw)
  To: steve; +Cc: linux-cifs-u79uwXL29TY76Z2rM5mHXA

On Sat, 08 Jun 2013 16:49:35 +0200
steve <steve-dZ4O0aZtNmBWk0Htik3J/w@public.gmane.org> wrote:

> On Sat, 2013-06-08 at 16:28 +0200, steve wrote:
> > On Sat, 2013-06-08 at 09:08 -0400, Jeff Layton wrote:
> > >  cifs.upcall.c | 8 ++++++--
> > >  1 file changed, 6 insertions(+), 2 deletions(-)
> > > 
> > > diff --git a/cifs.upcall.c b/cifs.upcall.c
> > > index 6c0b9de..5a6c7d7 100644
> > > --- a/cifs.upcall.c
> > > +++ b/cifs.upcall.c
> > > @@ -805,13 +805,14 @@ lowercase_string(char *c)
> > >  
> > >  static void usage(void)
> > >  {
> > > -	fprintf(stderr, "Usage: %s [-k /path/to/krb5.conf] [-t] [-v] [-l] key_serial\n", prog);
> > > +	fprintf(stderr, "Usage: %s [ -d /path/to/keytab] [-k /path/to/krb5.conf] [-t] [-v] [-l] key_serial\n", prog);
> > >  }
> > >  
> > >  const struct option long_options[] = {
> > >  	{"krb5conf", 1, NULL, 'k'},
> > >  	{"legacy-uid", 0, NULL, 'l'},
> > >  	{"trust-dns", 0, NULL, 't'},
> > > +	{"dedicated-keytab", 1, NULL, 'd'},
> > >  	{"version", 0, NULL, 'v'},
> > >  	{NULL, 0, NULL, 0}
> > >  };
> > > @@ -839,11 +840,14 @@ int main(const int argc, char *const argv[])
> > >  
> > >  	openlog(prog, 0, LOG_DAEMON);
> > >  
> > > -	while ((c = getopt_long(argc, argv, "ck:ltv", long_options, NULL)) != -1) {
> > > +	while ((c = getopt_long(argc, argv, "cd:k:ltv", long_options, NULL)) != -1) {
> > >  		switch (c) {
> > >  		case 'c':
> > >  			/* legacy option -- skip it */
> > >  			break;
> > > +		case 'd':
> > > +			keytab_name = optarg;
> > > +			break;
> > >  		case 't':
> > >  			try_dns++;
> > >  			break;
> > > -- 
> > > 1.8.1.4
> > > 
> > 
> > Hi
> > Brilliant.
> > I applied the patch, well, I edited cifs.upcall.c with the -'s and +'s
> > at least. I then, make clean, build and make install. I now have:
> >  cifs.upcall
> > Usage: cifs.upcall [ -d /path/to/keytab] [-k /path/to/krb5.conf] [-t]
> > [-v] [-l] key_serial
> > 
> > Looks good. Where do I put the -d in:
> >  mount -t cifs //altea/users /mnt -osec=krb5,multiuser,username=cifsuser
> > or don't I?
> > Cheers,
> > Steve
> 
> Here is /etc/request-key.conf:
> 
> create	cifs.spnego	*	*		/usr/sbin/cifs.upcall -c %k
> 
> 

Yes, you'll need to add the new argument there.

-- 
Jeff Layton <jlayton-eUNUBHrolfbYtjvyW6yDsg@public.gmane.org>

^ permalink raw reply	[flat|nested] 15+ messages in thread
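Where the new -d argument goes, and what to check once it is there, as an added example that is not part of the thread or of cifs-utils: a Python checker for the request-key.conf callout. It parses the request-key.conf(5) line format (operation, key type, key description, callout info, program, arguments), works out which keytab cifs.upcall will read (the -d/--dedicated-keytab value from the patch, otherwise the /etc/krb5.keytab default named earlier in the thread), and applies the file checks a practitioner wants on a file holding long-term keys: absolute path, regular file rather than a symlink, not group- or world-accessible, owned by the expected uid. The sample configuration text is constructed from the two callout lines in the thread; the `negate` line is the stock one shipped with keyutils.

```python
import os
import stat
import tempfile
from dataclasses import dataclass, field

DEFAULT_KEYTAB = "/etc/krb5.keytab"   # what cifs.upcall uses when no -d is given


@dataclass
class Rule:
    op: str            # create / negate / ...
    key_type: str      # cifs.spnego, dns_resolver, ...
    description: str
    callout: str
    program: str
    args: list = field(default_factory=list)


def parse_request_key_conf(text):
    """Parse request-key.conf(5) lines: op, key type, description, callout
    info, program and its arguments. Blank lines and # comments are skipped."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 5:
            raise ValueError(f"malformed request-key.conf line: {raw!r}")
        op, key_type, desc, callout, program, *args = fields
        rules.append(Rule(op, key_type, desc, callout, program, args))
    return rules


def cifs_upcall_keytab(rules):
    """Keytab the cifs.spnego 'create' callout will read, or None if no rule."""
    for r in rules:
        if r.op != "create" or r.key_type != "cifs.spnego":
            continue
        for i, a in enumerate(r.args):
            if a in ("-d", "--dedicated-keytab") and i + 1 < len(r.args):
                return r.args[i + 1]
            if a.startswith("--dedicated-keytab="):
                return a.split("=", 1)[1]
        return DEFAULT_KEYTAB
    return None


def check_keytab_file(path, expect_uid=0):
    """Findings for a file holding long-term keys; an empty list passes."""
    if not os.path.isabs(path):
        return ["keytab path is not absolute; request-key runs the callout with a "
                "working directory the administrator does not control"]
    try:
        st = os.lstat(path)
    except FileNotFoundError:
        return [f"{path} does not exist"]
    findings = []
    if stat.S_ISLNK(st.st_mode):
        findings.append(f"{path} is a symlink; name the real file")
    elif not stat.S_ISREG(st.st_mode):
        findings.append(f"{path} is not a regular file")
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append(f"{path} is group/world accessible "
                        f"(mode {stat.S_IMODE(st.st_mode):04o}); use 0600")
    if st.st_uid != expect_uid:
        findings.append(f"{path} is owned by uid {st.st_uid}, expected {expect_uid}")
    return findings


def audit_temp_keytab(mode):
    """Create a throwaway keytab with the given mode and return its findings
    (ownership checked against the current user, so this runs unprivileged)."""
    fd, path = tempfile.mkstemp(prefix="cifs-keytab-")
    try:
        os.write(fd, b"\x05\x02")        # keytab version header only, no entries
        os.close(fd)
        os.chmod(path, mode)
        return check_keytab_file(path, expect_uid=os.getuid())
    finally:
        os.unlink(path)


# Constructed samples built from the two callout lines in the thread; the
# negate line is the stock one shipped with keyutils.
CONF_DEFAULT = """\
# /etc/request-key.conf before the patch
create   cifs.spnego  *  *  /usr/sbin/cifs.upcall -c %k
negate   *            *  *  /bin/keyctl negate %k 30 %S
"""
CONF_DEDICATED = """\
# /etc/request-key.conf with the -d option from the patch
create   cifs.spnego  *  *  /usr/sbin/cifs.upcall -d /etc/cifs.keytab -c %k
negate   *            *  *  /bin/keyctl negate %k 30 %S
"""

if __name__ == "__main__":
    with open("/etc/request-key.conf") as fh:
        rules = parse_request_key_conf(fh.read())
    keytab = cifs_upcall_keytab(rules)
    print("cifs.upcall keytab:", keytab)
    for finding in (check_keytab_file(keytab) if keytab else ["no cifs.spnego create rule"]):
        print(" -", finding)
```

Run as root on a client it reports the keytab the callout will actually use and anything wrong with that file; the same checks apply whether the keys live in /etc/krb5.keytab or in a dedicated file named with -d.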

* Re: cifs-utils VFS errors
       [not found]                                         ` <20130608202342.6e191950-4QP7MXygkU+dMjc06nkz3ljfA9RmPOcC@public.gmane.org>
@ 2013-06-09  8:45                                           ` steve
  2013-06-25 11:03                                           ` steve
  1 sibling, 0 replies; 15+ messages in thread
From: steve @ 2013-06-09  8:45 UTC (permalink / raw)
  To: Jeff Layton; +Cc: linux-cifs-u79uwXL29TY76Z2rM5mHXA

On Sat, 2013-06-08 at 20:23 -0400, Jeff Layton wrote:
> On Sat, 08 Jun 2013 16:49:35 +0200
> steve <steve-dZ4O0aZtNmBWk0Htik3J/w@public.gmane.org> wrote:

> > > Hi
> > > Brilliant.
> > > I applied the patch, well, I edited cifs.upcall.c with the -'s and +'s
> > > at least. I then, make clean, build and make install. I now have:
> > >  cifs.upcall
> > > Usage: cifs.upcall [ -d /path/to/keytab] [-k /path/to/krb5.conf] [-t]
> > > [-v] [-l] key_serial
> > > 
> > > Looks good. Where do I put the -d in:
> > >  mount -t cifs //altea/users /mnt -osec=krb5,multiuser,username=cifsuser
> > > or don't I?
> > > Cheers,
> > > Steve
> > 
> > Here is /etc/request-key.conf:
> > 
> > create	cifs.spnego	*	*		/usr/sbin/cifs.upcall -c %k
> > 
> > 
> 
> Yes, you'll need to add the new argument there.
> 

Hi
Here is the keytab:
 klist -ke /etc/cifs.keytab
Keytab name: FILE:/etc/cifs.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   1 cifsuser-UiqEU/D402Y@public.gmane.org (arcfour-hmac)

create	cifs.spnego * * /usr/sbin/cifs.upcall -d /etc/cifs.keytab -c %k

Unfortunately we are back to having to have a root cache in /tmp:
 mount -t cifs //altea/shared /home/shared
-osec=krb5,multiuser,username=cifsuser
mount error(126): Required key not available
Refer to the mount.cifs(8) manual page (e.g. man mount.cifs)

/var/log/messages for the failed key:
2013-06-09T10:36:34.566409+02:00 catral cifs.upcall: user=cifsuser
2013-06-09T10:36:34.580279+02:00 catral cifs.upcall: pid=1396
2013-06-09T10:36:34.587159+02:00 catral cifs.upcall: find_krb5_cc:
scandir error on directory '/run/user/0': No such file or directory
2013-06-09T10:36:34.588382+02:00 catral cifs.upcall:
krb5_get_init_creds_keytab: -1765328174
2013-06-09T10:36:34.595349+02:00 catral cifs.upcall: handle_krb5_mech:
getting service ticket for altea
2013-06-09T10:36:34.596593+02:00 catral cifs.upcall: cifs_krb5_get_req:
unable to resolve (null) to ccache
2013-06-09T10:36:34.607253+02:00 catral cifs.upcall: handle_krb5_mech:
failed to obtain service ticket (-1765328245)
2013-06-09T10:36:34.608787+02:00 catral cifs.upcall: handle_krb5_mech:
getting service ticket for altea.hh3.site
2013-06-09T10:36:34.612720+02:00 catral cifs.upcall: cifs_krb5_get_req:
unable to resolve (null) to ccache
2013-06-09T10:36:34.614176+02:00 catral cifs.upcall: handle_krb5_mech:
failed to obtain service ticket (-1765328245)
2013-06-09T10:36:34.620231+02:00 catral cifs.upcall: Unable to obtain
service ticket
2013-06-09T10:36:34.621737+02:00 catral cifs.upcall: Exit status
-1765328245

If I now kinit cifsuser as root, it mounts fine:
 kinit cifsuser
Password for cifsuser-UiqEU/D402Y@public.gmane.org: 
catral:/home/steve # mount -t cifs //altea/shared /home/shared
-osec=krb5,multiuser,username=cifsuser
catral:/home/steve # mount | grep altea/shared
//altea/shared on /home/shared type cifs
(rw,relatime,vers=1.0,sec=krb5,cache=strict,unc=\\altea
\shared,multiuser,uid=0,noforceuid,gid=0,noforcegid,addr=192.168.1.100,unix,posixpaths,serverino,acl,noperm,rsize=1048576,wsize=65536,actimeo=1)
ticket

/var/log/messages for the successful mount:
2013-06-09T10:36:34.621737+02:00 catral cifs.upcall: Exit status
-1765328245
2013-06-09T10:40:06.705799+02:00 catral cifs.upcall: key description:
cifs.spnego;0;0;3f000000;ver=0x2;host=altea;ip4=192.168.1.100;sec=krb5;uid=0x0;creduid=0x0;user=cifsuser;pid=0x587
2013-06-09T10:40:06.710173+02:00 catral cifs.upcall: ver=2
2013-06-09T10:40:06.721488+02:00 catral cifs.upcall: host=altea
2013-06-09T10:40:06.725720+02:00 catral cifs.upcall: ip=192.168.1.100
2013-06-09T10:40:06.733396+02:00 catral cifs.upcall: sec=1
2013-06-09T10:40:06.742668+02:00 catral cifs.upcall: uid=0
2013-06-09T10:40:06.744518+02:00 catral cifs.upcall: creduid=0
2013-06-09T10:40:06.746116+02:00 catral cifs.upcall: user=cifsuser
2013-06-09T10:40:06.747900+02:00 catral cifs.upcall: pid=1415
2013-06-09T10:40:06.749599+02:00 catral cifs.upcall: find_krb5_cc:
scandir error on directory '/run/user/0': No such file or directory
2013-06-09T10:40:06.751559+02:00 catral cifs.upcall: find_krb5_cc:
considering /tmp/krb5cc_0
2013-06-09T10:40:06.755205+02:00 catral cifs.upcall: find_krb5_cc:
FILE:/tmp/krb5cc_0 is valid ccache
2013-06-09T10:40:06.756825+02:00 catral cifs.upcall: handle_krb5_mech:
getting service ticket for altea
2013-06-09T10:40:06.758426+02:00 catral cifs.upcall: handle_krb5_mech:
obtained service ticket
2013-06-09T10:40:06.760770+02:00 catral cifs.upcall: Exit status 0

It seems that cifs.upcall ignores /etc/request-key.conf. Unless there is a
root cache, nothing gets mounted. I've tested without the patch and
having the key in the default keytab instead. The same.

This is nothing to do with the patch. cifs will not mount unless there
is a root cache available no matter which keytab is used: default keytab
or -d patch keytab.

Stuck.
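As an added example (not code from cifs-utils or from anyone in this thread), a small POSIX sh function that mimics the cache search order the log above shows (/run/user/<uid>/krb5cc_* first, then /tmp/krb5cc_<uid>) and reports which cache cifs.upcall would pick up before mount is attempted; the base-directory parameters and the CHECK_TICKETS switch are assumptions added so it can be exercised against constructed directories.

```shell
#!/bin/sh
# Added diagnostic, not part of cifs-utils: reproduce the credential-cache
# search that cifs.upcall's find_krb5_cc logs above (/run/user/<uid>/krb5cc_*
# first, then /tmp/krb5cc_<uid>) so an admin can see, before calling mount,
# whether the helper will find a cache for the mounting uid. The base
# directories are parameters so the function can be run against constructed
# directories instead of the live system.
find_krb5_cc() {
    uid=$1
    runbase=${2:-/run/user}
    tmpbase=${3:-/tmp}
    for cand in "$runbase/$uid"/krb5cc_* "$tmpbase/krb5cc_$uid"; do
        # an unmatched glob leaves the pattern itself; -f rejects it
        [ -f "$cand" ] || continue
        # A cache that exists but holds only expired tickets still fails inside
        # cifs.upcall, so when klist is available require a valid TGT (klist -s
        # is silent and exits 0 only then). CHECK_TICKETS=0 skips this check,
        # e.g. when running against constructed files.
        if [ "${CHECK_TICKETS:-1}" = 1 ] && command -v klist >/dev/null 2>&1; then
            KRB5CCNAME="FILE:$cand" klist -s 2>/dev/null || continue
        fi
        printf 'FILE:%s\n' "$cand"
        return 0
    done
    # This is the state behind "unable to resolve (null) to ccache" in the log.
    echo "no usable ccache for uid $uid; cifs.upcall will fail until one exists" >&2
    return 1
}

# Stand-alone use: find_krb5_cc.sh <uid>   (0 for a root-initiated mount)
if [ $# -gt 0 ]; then
    find_krb5_cc "$1"
fi
```

Run it as root with uid 0 before the mount in the thread: if it prints nothing but the error, cifs.upcall will fail the same way regardless of which keytab is configured.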


* Re: cifs-utils VFS errors
       [not found]                                         ` <20130608202342.6e191950-4QP7MXygkU+dMjc06nkz3ljfA9RmPOcC@public.gmane.org>
  2013-06-09  8:45                                           ` steve
@ 2013-06-25 11:03                                           ` steve
  1 sibling, 0 replies; 15+ messages in thread
From: steve @ 2013-06-25 11:03 UTC (permalink / raw)
  To: Jeff Layton; +Cc: linux-cifs-u79uwXL29TY76Z2rM5mHXA


> > > On Sat, 2013-06-08 at 09:08 -0400, Jeff Layton wrote:
> > > >  cifs.upcall.c | 8 ++++++--
> > > >  1 file changed, 6 insertions(+), 2 deletions(-)
> > > > 
> > > > diff --git a/cifs.upcall.c b/cifs.upcall.c
> > > > index 6c0b9de..5a6c7d7 100644
> > > > --- a/cifs.upcall.c
> > > > +++ b/cifs.upcall.c
> > > > @@ -805,13 +805,14 @@ lowercase_string(char *c)
> > > >  
> > > >  static void usage(void)
> > > >  {
> > > > -	fprintf(stderr, "Usage: %s [-k /path/to/krb5.conf] [-t] [-v] [-l] key_serial\n", prog);
> > > > +	fprintf(stderr, "Usage: %s [ -d /path/to/keytab] [-k /path/to/krb5.conf] [-t] [-v] [-l] key_serial\n", prog);
> > > >  }
> > > >  
> > > >  const struct option long_options[] = {
> > > >  	{"krb5conf", 1, NULL, 'k'},
> > > >  	{"legacy-uid", 0, NULL, 'l'},
> > > >  	{"trust-dns", 0, NULL, 't'},
> > > > +	{"dedicated-keytab", 1, NULL, 'd'},
> > > >  	{"version", 0, NULL, 'v'},
> > > >  	{NULL, 0, NULL, 0}
> > > >  };
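Review bot: the usage string in the usage() hunk has a stray space inside "[ -d /path/to/keytab]" that none of the other option brackets have; make it "[-d /path/to/keytab]". Separately, the diffstat shows only cifs.upcall.c touched, so the new --dedicated-keytab / -d option gets no man page entry; it should be documented next to -k in cifs.upcall(8), including that the path is supplied on the request-key.conf program line and so must be readable by the helper.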
> > > > @@ -839,11 +840,14 @@ int main(const int argc, char *const argv[])
> > > >  
> > > >  	openlog(prog, 0, LOG_DAEMON);
> > > >  
> > > > -	while ((c = getopt_long(argc, argv, "ck:ltv", long_options, NULL)) != -1) {
> > > > +	while ((c = getopt_long(argc, argv, "cd:k:ltv", long_options, NULL)) != -1) {
> > > >  		switch (c) {
> > > >  		case 'c':
> > > >  			/* legacy option -- skip it */
> > > >  			break;
> > > > +		case 'd':
> > > > +			keytab_name = optarg;
> > > > +			break;
> > > >  		case 't':
> > > >  			try_dns++;
> > > >  			break;
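Review bot: in case 'd' the keytab path is stored as a raw pointer to optarg with no check that the file exists or is readable, and since the diffstat accounts for all six insertions in the two hunks shown, nothing else in the patch validates it; a mistyped -d path would only surface later as a bare Kerberos error code in syslog, and this thread shows how opaque an "Exit status -1765328245" is to the person debugging a failed mount. Suggest checking access(optarg, R_OK) here and logging a clear message with syslog() before continuing, so a bad keytab path is distinguishable from a missing credential cache.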
> > > > -- 
> > > > 1.8.1.4
> > > > 
> > > 
> > > Hi
> > > Brilliant.
> > > I applied the patch, well, I edited cifs.upcall.c with the -'s and +'s
> > > at least. I then ran make clean, build and make install. I now have:
> > >  cifs.upcall
> > > Usage: cifs.upcall [ -d /path/to/keytab] [-k /path/to/krb5.conf] [-t]
> > > [-v] [-l] key_serial


Hi Jeff
Would there be any possibility of including this patch in a cifs-utils
release? It's just that we're not allowed to use patched versions
outside the lab.
Thanks,
Steve

