From: Jurjen Bokma <j.bokma-39IHFo8E5E0@public.gmane.org>
To: linux-cifs-u79uwXL29TY76Z2rM5mHXA@public.gmane.org
Subject: Kerberized mount.cifs with SMB>1?
Date: Wed, 20 Aug 2014 16:08:13 +0200
Message-ID: <53F4ABCD.5040909@rug.nl>

Hi,

could anyone please tell me whether the combination
mount.cifs+Kerberos+SMB2/SMB3 is supposed to work?

From what I see, Linux doesn't even consider Kerberos when speaking SMB2
or SMB3. After the Negotiate Protocol Response from the server, the
client sends an ACK and then follows up with an NTLMSSP_NEGOTIATE. There
is no Kerberos at all in the conversation. At least not that Wireshark
finds.

These are the commands that fail with mount error(13): Permission denied

mount.cifs //ws.mydomain.com/ydrive /mnt/y -omultiuser,sec=krb5,noexec,nosuid,vers=3.0
and
kinit n123456
mount -t cifs -overs=3.0,sec=krb5 //ws.mydomain.com/homedrive/staff/user3/N123456 /mnt/x -o uid=10123456,gid=10123456


Particularities:
- cifs.upcall is set to run with the option '-t' (because Kerberized
NFS4 breaks without it). Removing the option doesn't help.
- These are DFS shares (if that is a correct term) with several
referrals. (Simpler shares cannot be accessed either.)
- The Kerberos server is Microsoft Server 2012 AD. msktutil (not
winbind) was used to join the host to the AD domain.
- /proc/fs/cifs/SecurityFlags is set to 0x8009. (The default 0x85
doesn't work either.)

Things that do help:
- Use vers=1.0.
- Leave out the sec=krb5. (Get asked for a password, NTLM* works.)

So this is the status:
        SMB1    SMB2    SMB3
ntlm*   work    work    work
krb5*   work    fail    fail

Versions:
Kernel      3.17.0
mount.cifs  6.4

I'll happily provide wireshark captures or try other situations.

FWIW, this is what the kernel ringbuffer says (after the first mount
command above):
[   75.119448] /home/apw/COD/linux/fs/cifs/cifsfs.c: Devname: //ws.mydomain.com/ydrive flags: 0
[   75.119465] /home/apw/COD/linux/fs/cifs/connect.c: Username: root
[   75.137511] /home/apw/COD/linux/fs/cifs/connect.c: file mode: 0x1ed dir mode: 0x1ed
[   75.137541] /home/apw/COD/linux/fs/cifs/connect.c: CIFS VFS: in cifs_mount as Xid: 0 with uid: 0
[   75.137543] /home/apw/COD/linux/fs/cifs/connect.c: UNC: \\ws.mydomain.com\ydrive
[   75.137548] /home/apw/COD/linux/fs/cifs/connect.c: Socket created
[   75.137549] /home/apw/COD/linux/fs/cifs/connect.c: sndbuf 16384 rcvbuf 87380 rcvtimeo 0x6d6
[   75.137964] /home/apw/COD/linux/fs/cifs/connect.c: Demultiplex PID: 1823
[   75.137966] /home/apw/COD/linux/fs/cifs/fscache.c: cifs_fscache_get_client_cookie: (0xffff8800c3060000/0xffff8800c3f0f000)
[   75.137969] /home/apw/COD/linux/fs/cifs/connect.c: CIFS VFS: in cifs_get_smb_ses as Xid: 1 with uid: 0
[   75.137970] /home/apw/COD/linux/fs/cifs/connect.c: Existing smb sess not found
[   75.137972] /home/apw/COD/linux/fs/cifs/smb2pdu.c: Negotiate protocol
[   75.137977] /home/apw/COD/linux/fs/cifs/transport.c: Sending smb: smb_len=102
[   75.138745] /home/apw/COD/linux/fs/cifs/connect.c: RFC1002 header 0xf8
[   75.138748] /home/apw/COD/linux/fs/cifs/smb2misc.c: smb2_check_message length: 0xfc, smb_buf_length: 0xf8
[   75.138749] /home/apw/COD/linux/fs/cifs/smb2misc.c: SMB2 data length 120 offset 128
[   75.138750] /home/apw/COD/linux/fs/cifs/smb2misc.c: SMB2 len 252
[   75.138780] /home/apw/COD/linux/fs/cifs/transport.c: cifs_sync_mid_result: cmd=0 mid=0 state=4
[   75.138782] /home/apw/COD/linux/fs/cifs/misc.c: Null buffer passed to cifs_small_buf_release
[   75.138784] /home/apw/COD/linux/fs/cifs/smb2pdu.c: mode 0x3
[   75.138785] /home/apw/COD/linux/fs/cifs/smb2pdu.c: negotiated smb3.0 dialect
[   75.138786] /home/apw/COD/linux/fs/cifs/connect.c: Security Mode: 0x3 Capabilities: 0x300007 TimeAdjust: 0
[   75.138787] /home/apw/COD/linux/fs/cifs/smb2pdu.c: Session Setup
[   75.138789] /home/apw/COD/linux/fs/cifs/transport.c: Sending smb: smb_len=120
[   75.139346] /home/apw/COD/linux/fs/cifs/connect.c: RFC1002 header 0x142
[   75.139350] /home/apw/COD/linux/fs/cifs/smb2misc.c: smb2_check_message length: 0x146, smb_buf_length: 0x142
[   75.139351] /home/apw/COD/linux/fs/cifs/smb2misc.c: SMB2 data length 250 offset 72
[   75.139352] /home/apw/COD/linux/fs/cifs/smb2misc.c: SMB2 len 326
[   75.139381] /home/apw/COD/linux/fs/cifs/transport.c: cifs_sync_mid_result: cmd=1 mid=1 state=4
[   75.139384] /home/apw/COD/linux/fs/cifs/smb2maperror.c: Mapping SMB2 status code -1073741802 to POSIX err -5
[   75.139385] /home/apw/COD/linux/fs/cifs/misc.c: Null buffer passed to cifs_small_buf_release
[   75.156277] /home/apw/COD/linux/fs/cifs/transport.c: Sending smb: smb_len=416
[   75.157777] /home/apw/COD/linux/fs/cifs/connect.c: RFC1002 header 0x49
[   75.157781] /home/apw/COD/linux/fs/cifs/smb2misc.c: smb2_check_message length: 0x4d, smb_buf_length: 0x49
[   75.157782] /home/apw/COD/linux/fs/cifs/smb2misc.c: SMB2 data length 0 offset 0
[   75.157783] /home/apw/COD/linux/fs/cifs/smb2misc.c: SMB2 len 77
[   75.157803] /home/apw/COD/linux/fs/cifs/transport.c: cifs_sync_mid_result: cmd=1 mid=2 state=4
[   75.157806] Status code returned 0xc000006d STATUS_LOGON_FAILURE
[   75.157810] /home/apw/COD/linux/fs/cifs/smb2maperror.c: Mapping SMB2 status code -1073741715 to POSIX err -13
[   75.157811] /home/apw/COD/linux/fs/cifs/misc.c: Null buffer passed to cifs_small_buf_release
[   75.157812] CIFS VFS: Send error in SessSetup = -13
[   75.157815] /home/apw/COD/linux/fs/cifs/connect.c: CIFS VFS: leaving cifs_get_smb_ses (xid = 1) rc = -13
[   75.157817] /home/apw/COD/linux/fs/cifs/fscache.c: cifs_fscache_release_client_cookie: (0xffff8800c3060000/0xffff8800c3f0f000)
[   75.157864] /home/apw/COD/linux/fs/cifs/connect.c: CIFS VFS: leaving cifs_mount (xid = 0) rc = -13
[   75.157866] CIFS VFS: cifs_mount failed w/return code = -13

Many thanks!
Jurjen Bokma
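As an added diagnostic aid for reading reports like the one above (example code written for this page, not part of the mail or of the kernel): it decodes the /proc/fs/cifs/SecurityFlags bitmask into the CIFSSEC_MAY_*/CIFSSEC_MUST_* mechanisms defined in fs/cifs/cifsglob.h, and converts the signed "status code" values that smb2maperror.c prints back into 32-bit NTSTATUS values (names per MS-ERREF). The sample log lines are constructed from the dmesg excerpt in the post.

```python
import re

# Bit values of /proc/fs/cifs/SecurityFlags (fs/cifs/cifsglob.h, CIFSSEC_MAY_*).
# The matching CIFSSEC_MUST_* flag is the MAY bit plus the same bit shifted
# left by 12, e.g. MAY_KRB5 = 0x00008, MUST_KRB5 = 0x08008.
MAY_FLAGS = {
    0x00001: "SIGN", 0x00002: "NTLM", 0x00004: "NTLMV2", 0x00008: "KRB5",
    0x00010: "LANMAN", 0x00020: "PLNTXT", 0x00040: "SEAL", 0x00080: "NTLMSSP",
}

# Names (MS-ERREF) for the two NTSTATUS values that appear in the log.
NTSTATUS_NAMES = {
    0xC0000016: "STATUS_MORE_PROCESSING_REQUIRED",  # expected mid-handshake
    0xC000006D: "STATUS_LOGON_FAILURE",
}

STATUS_RE = re.compile(r"Mapping SMB2 status code (-?\d+) to POSIX err (-?\d+)")

# Constructed from the dmesg excerpt above (paths shortened).
SAMPLE_DMESG = """\
[   75.139384] smb2maperror.c: Mapping SMB2 status code -1073741802 to POSIX err -5
[   75.157806] Status code returned 0xc000006d STATUS_LOGON_FAILURE
[   75.157810] smb2maperror.c: Mapping SMB2 status code -1073741715 to POSIX err -13
"""


def decode_security_flags(value):
    """Return (may, must) lists of mechanism names for a SecurityFlags value.

    A mechanism is MUST when its MAY bit and the bit 12 positions higher are
    both set; it is MAY when only the low bit is set.
    """
    may, must = [], []
    for bit, name in MAY_FLAGS.items():
        if value & bit:
            (must if value & (bit << 12) else may).append(name)
    return may, must


def decode_status_lines(dmesg_text):
    """Map each signed kernel status code to (NTSTATUS, name, POSIX errno)."""
    results = []
    for m in STATUS_RE.finditer(dmesg_text):
        nt = int(m.group(1)) & 0xFFFFFFFF  # two's complement -> 32-bit NTSTATUS
        results.append((nt, NTSTATUS_NAMES.get(nt, "UNKNOWN"), int(m.group(2))))
    return results


if __name__ == "__main__":
    for flags in (0x8009, 0x85):
        print(hex(flags), decode_security_flags(flags))
    for nt, name, err in decode_status_lines(SAMPLE_DMESG):
        print(f"0x{nt:08X} {name} -> errno {err}")
```

With the post's values, 0x8009 decodes to MAY_SIGN plus MUST_KRB5 (only Kerberos permitted), and 0x85 to MAY_SIGN, MAY_NTLMV2 and MAY_NTLMSSP.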
