* Re: mount.cifs multiuser w/o krb5? How?
@ 2012-07-11 19:05 Milan Knížek
  2012-07-11 19:56 ` Jeff Layton
  0 siblings, 1 reply; 9+ messages in thread
From: Milan Knížek @ 2012-07-11 19:05 UTC (permalink / raw)
  To: linux-cifs

sorry, sent from a wrong email address and probably silently rejected by  
Majordomo...
-------- Forwarded message --------
Subject: Re: mount.cifs multiuser w/o krb5? How?
Date: Tue, 10 Jul 2012 23:01:32 +0200

Jeff Layton writes:

>> cifscreds add is more or less equivalent to a command like this:
>
>     $ keyctl add logon cifs:a:ip_address 'username:password' @s
>

There seems to be a general problem with adding keys (@s) to the default  
"session" keyring. Adding user type keys (@u) works.

$ keyctl add logon description data @s
does not add anything to the _uid_ses:UID keyring, which is automatically  
created after login.

Interestingly, when a new session keyring is added, then it works:

[root@client ~]# su - zmrzlinka
[zmrzlinka@client ~]$ keyctl show
Session Keyring
1037083570 --alswrv   1001    -1  keyring: _uid_ses.1001
 578017679 --alswrv   1001    -1   \_ keyring: _uid.1001
[zmrzlinka@client ~]$ cifscreds add toillet
Password:
[zmrzlinka@client ~]$ keyctl show
Session Keyring
1037083570 --alswrv   1001    -1  keyring: _uid_ses.1001
 578017679 --alswrv   1001    -1   \_ keyring: _uid.1001
[zmrzlinka@client ~]$ keyctl session new-session
Joined session keyring: 871855811
[zmrzlinka@client ~]$ keyctl show
Session Keyring
 871855811 --alswrv   1001   100  keyring: new-session
[zmrzlinka@client ~]$ cifscreds add toillet
Password:
[zmrzlinka@client ~]$ keyctl show
Session Keyring
 871855811 --alswrv   1001   100  keyring: new-session
 244698182 ----sw-v   1001   100   \_ logon: cifs:a:192.168.1.3

Milan


* Re: mount.cifs multiuser w/o krb5? How?
  2012-07-11 19:05 mount.cifs multiuser w/o krb5? How? Milan Knížek
@ 2012-07-11 19:56 ` Jeff Layton
  0 siblings, 0 replies; 9+ messages in thread
From: Jeff Layton @ 2012-07-11 19:56 UTC (permalink / raw)
  To: Milan Knížek, keyrings-6DNke4IJHB0gsBAKwltoeQ; +Cc: linux-cifs

On Wed, 11 Jul 2012 21:05:31 +0200
Milan Knížek <knizek.confy-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org> wrote:

> sorry, sent from a wrong email address and probably silently rejected by  
> Majordomo...
> -------- Forwarded message --------
> Subject: Re: mount.cifs multiuser w/o krb5? How?
> Date: Tue, 10 Jul 2012 23:01:32 +0200
> 
> Jeff Layton writes:
> 
> >> cifscreds add is more or less equivalent to a command like this:
> >
> >     $ keyctl add logon cifs:a:ip_address 'username:password' @s
> >
> 
> There seems to be a general problem with adding keys (@s) to the default  
> "session" keyring. Adding user type keys (@u) works.
> 
> $ keyctl add logon description data @s
> does not add anything to the _uid_ses:UID keyring, which is automatically  
> created after login.
> 
> Interestingly, when a new session keyring is added, then it works:
> 
> [root@client ~]# su - zmrzlinka
> [zmrzlinka@client ~]$ keyctl show
> Session Keyring
> 1037083570 --alswrv   1001    -1  keyring: _uid_ses.1001
>  578017679 --alswrv   1001    -1   \_ keyring: _uid.1001
> [zmrzlinka@client ~]$ cifscreds add toillet
> Password:
> [zmrzlinka@client ~]$ keyctl show
> Session Keyring
> 1037083570 --alswrv   1001    -1  keyring: _uid_ses.1001
>  578017679 --alswrv   1001    -1   \_ keyring: _uid.1001
> [zmrzlinka@client ~]$ keyctl session new-session
> Joined session keyring: 871855811
> [zmrzlinka@client ~]$ keyctl show
> Session Keyring
>  871855811 --alswrv   1001   100  keyring: new-session
> [zmrzlinka@client ~]$ cifscreds add toillet
> Password:
> [zmrzlinka@client ~]$ keyctl show
> Session Keyring
>  871855811 --alswrv   1001   100  keyring: new-session
>  244698182 ----sw-v   1001   100   \_ logon: cifs:a:192.168.1.3
> 

[...]

> [root@client ~]# su - zmrzlinka
> [zmrzlinka@client ~]$ strace cifscreds add toillet
> execve("/usr/bin/cifscreds", ["cifscreds", "add", "toillet"], [/* 27 vars  
> */]) = 0
> brk(0)                                  = 0x64e000
> mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) =  
> 0x7f4eaed93000
> access("/etc/ld.so.preload", R_OK)      = -1 ENOENT (No such file or  
> directory)
> open("/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3
> fstat(3, {st_mode=S_IFREG|0644, st_size=256357, ...}) = 0
> mmap(NULL, 256357, PROT_READ, MAP_PRIVATE, 3, 0) = 0x7f4eaed54000
> close(3)                                = 0
> open("/usr/lib/libkeyutils.so.1", O_RDONLY|O_CLOEXEC) = 3
> read(3,  
> "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\260\21\0\0\0\0\0\0"..., 832)    
> = 832
> fstat(3, {st_mode=S_IFREG|0755, st_size=14480, ...}) = 0
> mmap(NULL, 2109608, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) =  
> 0x7f4eae96f000
> mprotect(0x7f4eae972000, 2093056, PROT_NONE) = 0
> mmap(0x7f4eaeb71000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED| 
> MAP_DENYWRITE, 3, 0x2000) = 0x7f4eaeb71000
> close(3)                                = 0
> open("/lib/libc.so.6", O_RDONLY|O_CLOEXEC) = 3
> read(3,  
> "\177ELF\2\1\1\3\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0000\30\2\0\0\0\0\0"..., 832)    
> = 832
> fstat(3, {st_mode=S_IFREG|0755, st_size=1997041, ...}) = 0
> mmap(NULL, 3816528, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) =  
> 0x7f4eae5cb000
> mprotect(0x7f4eae766000, 2093056, PROT_NONE) = 0
> mmap(0x7f4eae965000, 24576, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED| 
> MAP_DENYWRITE, 3, 0x19a000) = 0x7f4eae965000
> mmap(0x7f4eae96b000, 15440, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED| 
> MAP_ANONYMOUS, -1, 0) = 0x7f4eae96b000
> close(3)                                = 0
> mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) =  
> 0x7f4eaed53000
> mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) =  
> 0x7f4eaed52000
> mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) =  
> 0x7f4eaed51000
> arch_prctl(ARCH_SET_FS, 0x7f4eaed52700) = 0
> mprotect(0x7f4eae965000, 16384, PROT_READ) = 0
> mprotect(0x7f4eaeb71000, 4096, PROT_READ) = 0
> mprotect(0x602000, 4096, PROT_READ)     = 0
> mprotect(0x7f4eaed94000, 4096, PROT_READ) = 0
> munmap(0x7f4eaed54000, 256357)          = 0
> getuid()                                = 1001
> brk(0)                                  = 0x64e000
> brk(0x66f000)                           = 0x66f000
> socket(PF_FILE, SOCK_STREAM|SOCK_CLOEXEC|SOCK_NONBLOCK, 0) = 3
> connect(3, {sa_family=AF_FILE, sun_path="/var/run/nscd/socket"}, 110) = -1  
> ENOENT (No such file or directory)
> close(3)                                = 0
> socket(PF_FILE, SOCK_STREAM|SOCK_CLOEXEC|SOCK_NONBLOCK, 0) = 3
> connect(3, {sa_family=AF_FILE, sun_path="/var/run/nscd/socket"}, 110) = -1  
> ENOENT (No such file or directory)
> close(3)                                = 0
> open("/etc/nsswitch.conf", O_RDONLY|O_CLOEXEC) = 3
> fstat(3, {st_mode=S_IFREG|0644, st_size=274, ...}) = 0
> mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) =  
> 0x7f4eaed92000
> read(3, "# Begin /etc/nsswitch.conf\n\npass"..., 4096) = 274
> read(3, "", 4096)                       = 0
> close(3)                                = 0
> munmap(0x7f4eaed92000, 4096)            = 0
> open("/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3
> fstat(3, {st_mode=S_IFREG|0644, st_size=256357, ...}) = 0
> mmap(NULL, 256357, PROT_READ, MAP_PRIVATE, 3, 0) = 0x7f4eaed54000
> close(3)                                = 0
> open("/lib/libnss_files.so.2", O_RDONLY|O_CLOEXEC) = 3
> read(3,  
> "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0000\"\0\0\0\0\0\0"..., 832) =    
> 832
> fstat(3, {st_mode=S_IFREG|0755, st_size=52112, ...}) = 0
> mmap(NULL, 2148136, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) =  
> 0x7f4eae3be000
> mprotect(0x7f4eae3ca000, 2093056, PROT_NONE) = 0
> mmap(0x7f4eae5c9000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED| 
> MAP_DENYWRITE, 3, 0xb000) = 0x7f4eae5c9000
> close(3)                                = 0
> mprotect(0x7f4eae5c9000, 4096, PROT_READ) = 0
> munmap(0x7f4eaed54000, 256357)          = 0
> open("/etc/passwd", O_RDONLY|O_CLOEXEC) = 3
> fstat(3, {st_mode=S_IFREG|0644, st_size=1439, ...}) = 0
> mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) =  
> 0x7f4eaed92000
> read(3, "root:x:0:0:root client:/root:/bi"..., 4096) = 1439
> close(3)                                = 0
> munmap(0x7f4eaed92000, 4096)            = 0
> socket(PF_NETLINK, SOCK_RAW, 0)         = 3
> bind(3, {sa_family=AF_NETLINK, pid=0, groups=00000000}, 12) = 0
> getsockname(3, {sa_family=AF_NETLINK, pid=18164, groups=00000000}, [12]) = 0
> sendto(3, "\24\0\0\0\26\0\1\3^\227\374O\0\0\0\0\0\0\0\0", 20, 0,  
> {sa_family=AF_NETLINK, pid=0, groups=00000000}, 12) = 20
> recvmsg(3, {msg_name(12)={sa_family=AF_NETLINK, pid=0, groups=00000000},  
> msg_iov(1)=[{"0\0\0\0\24\0\2\0^\227\374O\364F\0\0\2\10\200\376\1\0\0\0\10\0\1\0\177\0\0\1"...,  
> 4096}], msg_controllen=0, msg_flags=0}, 0) = 224
> recvmsg(3, {msg_name(12)={sa_family=AF_NETLINK, pid=0, groups=00000000},  
> msg_iov(1)=[{"@\0\0\0\24\0\2\0^\227\374O\364F\0\0\n\200\200\376\1\0\0\0\24\0\1\0\0\0\0\0"...,  
> 4096}], msg_controllen=0, msg_flags=0}, 0) = 192
> recvmsg(3, {msg_name(12)={sa_family=AF_NETLINK, pid=0, groups=00000000},  
> msg_iov(1)=[{"\24\0\0\0\3\0\2\0^\227\374O\364F\0\0\0\0\0\0", 4096}],  
> msg_controllen=0, msg_flags=0}, 0) = 20
> socket(PF_FILE, SOCK_STREAM|SOCK_CLOEXEC|SOCK_NONBLOCK, 0) = 4
> connect(4, {sa_family=AF_FILE, sun_path="/var/run/nscd/socket"}, 110) = -1  
> ENOENT (No such file or directory)
> close(4)                                = 0
> close(3)                                = 0
> socket(PF_FILE, SOCK_STREAM|SOCK_CLOEXEC|SOCK_NONBLOCK, 0) = 3
> connect(3, {sa_family=AF_FILE, sun_path="/var/run/nscd/socket"}, 110) = -1  
> ENOENT (No such file or directory)
> close(3)                                = 0
> open("/etc/host.conf", O_RDONLY|O_CLOEXEC) = 3
> fstat(3, {st_mode=S_IFREG|0644, st_size=63, ...}) = 0
> mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) =  
> 0x7f4eaed92000
> read(3, "#\n# /etc/host.conf\n#\n\norder host"..., 4096) = 63
> read(3, "", 4096)                       = 0
> close(3)                                = 0
> munmap(0x7f4eaed92000, 4096)            = 0
> getpid()                                = 18164
> open("/etc/resolv.conf", O_RDONLY|O_CLOEXEC) = 3
> fstat(3, {st_mode=S_IFREG|0644, st_size=63, ...}) = 0
> mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) =  
> 0x7f4eaed92000
> read(3, "nameserver 127.0.0.1\nnameserver "..., 4096) = 63
> read(3, "", 4096)                       = 0
> close(3)                                = 0
> munmap(0x7f4eaed92000, 4096)            = 0
> uname({sys="Linux", node="client", ...}) = 0
> open("/etc/hosts", O_RDONLY|O_CLOEXEC)  = 3
> fstat(3, {st_mode=S_IFREG|0644, st_size=622, ...}) = 0
> mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) =  
> 0x7f4eaed92000
> read(3, "#\n# /etc/hosts: static lookup ta"..., 4096) = 622
> read(3, "", 4096)                       = 0
> close(3)                                = 0
> munmap(0x7f4eaed92000, 4096)            = 0
> keyctl(0xa, 0xfffffffd, 0x4021c2, 0x7fff300084d0, 0) = -1 ENOKEY (Required  
> key not available)
> open("/dev/tty", O_RDWR|O_CREAT|O_TRUNC|O_CLOEXEC, 0666) = 3
> ioctl(3, SNDCTL_TMR_TIMEBASE or SNDRV_TIMER_IOCTL_NEXT_DEVICE or TCGETS,  
> {B38400 opost isig icanon echo ...}) = 0
> ioctl(3, SNDCTL_TMR_CONTINUE or SNDRV_TIMER_IOCTL_GPARAMS or TCSETSF,  
> {B38400 opost -isig icanon -echo ...}) = 0
> fstat(3, {st_mode=S_IFCHR|0666, st_rdev=makedev(5, 0), ...}) = 0
> ioctl(3, SNDCTL_TMR_TIMEBASE or SNDRV_TIMER_IOCTL_NEXT_DEVICE or TCGETS,  
> {B38400 opost -isig icanon -echo ...}) = 0
> mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) =  
> 0x7f4eaed92000
> write(3, "Password: ", 10Password: )              = 10
> read(3, "\33[B\33[C\33[B\33[D\n", 4096) = 13
> write(3, "\n", 1
> )                       = 1
> ioctl(3, SNDCTL_TMR_CONTINUE or SNDRV_TIMER_IOCTL_GPARAMS or TCSETSF,  
> {B38400 opost isig icanon echo ...}) = 0
> close(3)                                = 0
> munmap(0x7f4eaed92000, 4096)            = 0
> add_key(0x4021c2, 0x7fff30008410, 0x7fff30008450, 0x17, 0xfffffffd) =  
> 588748510
> keyctl(0x5, 0x231796de, 0xd0d0000, 0xffffffffffffffff, 0xfffffffd) = 0
> exit_group(0)                           = ?
> +++ exited with 0 +++


(cc'ing the keyrings mailing list in the hopes that someone there has
an idea)

Well, that is odd...it looks like the add_key() succeeded, as well as
the keyctl(KEYCTL_SETPERM, ...) call that followed it to set
permissions on the new key.

If it's gone after that, then I can only figure that the cifscreds
process is somehow ending up with a different session keyring than its
parent?

-- 
Jeff Layton <jlayton-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>

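Added example (not part of the thread, and not code from cifs-utils or keyutils): a small Python decoder for the three key-management syscalls in the strace output quoted above, using the operation numbers, special keyring IDs and permission bits defined in `<keyutils.h>`. The trace lines are copied from the posted strace with the mail line wrapping undone; all function names are this example's own.

```python
import re

# Operation numbers and special keyring IDs as defined in <keyutils.h>;
# only the subset needed to read this trace.
KEYCTL_OPS = {0x1: "KEYCTL_JOIN_SESSION_KEYRING", 0x5: "KEYCTL_SETPERM",
              0x8: "KEYCTL_LINK", 0xA: "KEYCTL_SEARCH", 0xB: "KEYCTL_READ"}
SPECIAL_KEYRINGS = {-1: "KEY_SPEC_THREAD_KEYRING",
                    -2: "KEY_SPEC_PROCESS_KEYRING",
                    -3: "KEY_SPEC_SESSION_KEYRING",
                    -4: "KEY_SPEC_USER_KEYRING",
                    -5: "KEY_SPEC_USER_SESSION_KEYRING"}
# Each permission class occupies one byte of the 32-bit mask.
PERM_CLASSES = (("possessor", 24), ("user", 16), ("group", 8), ("other", 0))

# The three key-management calls from the strace in the thread, with the
# mail client's line wrapping undone.
TRACE = """\
keyctl(0xa, 0xfffffffd, 0x4021c2, 0x7fff300084d0, 0) = -1 ENOKEY (Required key not available)
add_key(0x4021c2, 0x7fff30008410, 0x7fff30008450, 0x17, 0xfffffffd) = 588748510
keyctl(0x5, 0x231796de, 0xd0d0000, 0xffffffffffffffff, 0xfffffffd) = 0
"""

CALL_RE = re.compile(r"^(keyctl|add_key)\((.*?)\)\s*=\s*(-?\d+)(?:\s+(E[A-Z]+))?")


def key_id(arg):
    """Interpret a strace argument as a signed 32-bit key serial."""
    value = int(arg, 0) & 0xFFFFFFFF
    return value - (1 << 32) if value >= 0x80000000 else value


def keyring_name(serial):
    """Name a special keyring ID, or return the plain serial as text."""
    return SPECIAL_KEYRINGS.get(serial, str(serial))


def perm_string(byte):
    """Render one permission byte in the "--alswrv" letter layout that the
    `keyctl show` lines in the thread use (v=0x01 r=0x02 w=0x04 s=0x08
    l=0x10 a=0x20)."""
    return "".join(ch if byte & (0x80 >> i) else "-"
                   for i, ch in enumerate("--alswrv"))


def decode_perm(mask):
    """Split a KEYCTL_SETPERM mask into its four permission classes."""
    return {cls: perm_string((mask >> shift) & 0xFF)
            for cls, shift in PERM_CLASSES}


def decode_trace(text):
    """Decode add_key()/keyctl() lines of strace output into dictionaries."""
    events = []
    for line in text.splitlines():
        m = CALL_RE.match(line.strip())
        if not m:
            continue  # not a key-management syscall
        call, ret, errno = m.group(1), int(m.group(3)), m.group(4)
        args = [a.strip() for a in m.group(2).split(",")]
        if call == "add_key":
            # add_key(type, description, payload, payload_len, keyring)
            events.append({"call": "add_key",
                           "payload_len": int(args[3], 0),
                           "keyring": keyring_name(key_id(args[4])),
                           "serial": ret if ret > 0 else None,
                           "errno": errno})
            continue
        op = int(args[0], 0)
        event = {"call": KEYCTL_OPS.get(op, "keyctl op %#x" % op),
                 "errno": errno}
        if op == 0xA:    # KEYCTL_SEARCH(keyring, type, description, dest)
            event["keyring"] = keyring_name(key_id(args[1]))
            event["found"] = ret if ret > 0 else None
        elif op == 0x5:  # KEYCTL_SETPERM(key, permission mask)
            event["serial"] = key_id(args[1])
            event["perm"] = decode_perm(int(args[2], 0))
        events.append(event)
    return events


def check_sequence(events):
    """Summarise what the decoded calls say about the newly added key."""
    added = next(e for e in events if e["call"] == "add_key")
    setperm = next(e for e in events if e["call"] == "KEYCTL_SETPERM")
    return {"target_keyring": added["keyring"],
            "new_serial": added["serial"],
            "setperm_hits_new_key": setperm["serial"] == added["serial"],
            "possessor_perm": setperm["perm"]["possessor"]}


if __name__ == "__main__":
    decoded = decode_trace(TRACE)
    for ev in decoded:
        print(ev)
    print(check_sequence(decoded))
```

Every call in the trace names the session keyring only by its special ID (-3), which the kernel resolves for the calling process, so the trace does not show which keyring serial received key 588748510. The decoded possessor mask `----sw-v` is the same string shown for the `logon` key in the `keyctl show` output earlier in the thread.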

* Re: mount.cifs multiuser w/o krb5? How?
@ 2012-07-11 19:06 Milan Knížek
  0 siblings, 0 replies; 9+ messages in thread
From: Milan Knížek @ 2012-07-11 19:06 UTC (permalink / raw)
  To: linux-cifs

sorry, sent from a wrong email address and probably silently rejected  
by Majordomo...
-------- Forwarded message --------
Subject: Re: mount.cifs multiuser w/o krb5? How?
Date: Tue, 10 Jul 2012 23:05:21 +0200

Jeff Layton writes:

> Ok, that at least gives us something to go on. Running this under
> strace might give us some sort of clue as to the problem as well.
>

Here it is:



* Re: mount.cifs multiuser w/o krb5? How?
  2012-07-09 10:26           ` Jeff Layton
  2012-07-10 21:01             ` knizek-VIXq6x/3rUk
@ 2012-07-10 21:05             ` knizek-VIXq6x/3rUk
  1 sibling, 0 replies; 9+ messages in thread
From: knizek-VIXq6x/3rUk @ 2012-07-10 21:05 UTC (permalink / raw)
  To: Jeff Layton; +Cc: Milan Knížek, linux-cifs-u79uwXL29TY76Z2rM5mHXA

Jeff Layton writes:

> Ok, that at least gives us something to go on. Running this under
> strace might give us some sort of clue as to the problem as well.
>

Here it is:

[root@client ~]# su - zmrzlinka
[zmrzlinka@client ~]$ strace cifscreds add toillet
execve("/usr/bin/cifscreds", ["cifscreds", "add", "toillet"], [/* 27 vars  
*/]) = 0
brk(0)                                  = 0x64e000
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) =  
0x7f4eaed93000
access("/etc/ld.so.preload", R_OK)      = -1 ENOENT (No such file or  
directory)
open("/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3
fstat(3, {st_mode=S_IFREG|0644, st_size=256357, ...}) = 0
mmap(NULL, 256357, PROT_READ, MAP_PRIVATE, 3, 0) = 0x7f4eaed54000
close(3)                                = 0
open("/usr/lib/libkeyutils.so.1", O_RDONLY|O_CLOEXEC) = 3
read(3,  
"\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\260\21\0\0\0\0\0\0"..., 832)  
= 832
fstat(3, {st_mode=S_IFREG|0755, st_size=14480, ...}) = 0
mmap(NULL, 2109608, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) =  
0x7f4eae96f000
mprotect(0x7f4eae972000, 2093056, PROT_NONE) = 0
mmap(0x7f4eaeb71000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED| 
MAP_DENYWRITE, 3, 0x2000) = 0x7f4eaeb71000
close(3)                                = 0
open("/lib/libc.so.6", O_RDONLY|O_CLOEXEC) = 3
read(3,  
"\177ELF\2\1\1\3\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0000\30\2\0\0\0\0\0"..., 832)  
= 832
fstat(3, {st_mode=S_IFREG|0755, st_size=1997041, ...}) = 0
mmap(NULL, 3816528, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) =  
0x7f4eae5cb000
mprotect(0x7f4eae766000, 2093056, PROT_NONE) = 0
mmap(0x7f4eae965000, 24576, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED| 
MAP_DENYWRITE, 3, 0x19a000) = 0x7f4eae965000
mmap(0x7f4eae96b000, 15440, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED| 
MAP_ANONYMOUS, -1, 0) = 0x7f4eae96b000
close(3)                                = 0
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) =  
0x7f4eaed53000
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) =  
0x7f4eaed52000
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) =  
0x7f4eaed51000
arch_prctl(ARCH_SET_FS, 0x7f4eaed52700) = 0
mprotect(0x7f4eae965000, 16384, PROT_READ) = 0
mprotect(0x7f4eaeb71000, 4096, PROT_READ) = 0
mprotect(0x602000, 4096, PROT_READ)     = 0
mprotect(0x7f4eaed94000, 4096, PROT_READ) = 0
munmap(0x7f4eaed54000, 256357)          = 0
getuid()                                = 1001
brk(0)                                  = 0x64e000
brk(0x66f000)                           = 0x66f000
socket(PF_FILE, SOCK_STREAM|SOCK_CLOEXEC|SOCK_NONBLOCK, 0) = 3
connect(3, {sa_family=AF_FILE, sun_path="/var/run/nscd/socket"}, 110) = -1  
ENOENT (No such file or directory)
close(3)                                = 0
socket(PF_FILE, SOCK_STREAM|SOCK_CLOEXEC|SOCK_NONBLOCK, 0) = 3
connect(3, {sa_family=AF_FILE, sun_path="/var/run/nscd/socket"}, 110) = -1  
ENOENT (No such file or directory)
close(3)                                = 0
open("/etc/nsswitch.conf", O_RDONLY|O_CLOEXEC) = 3
fstat(3, {st_mode=S_IFREG|0644, st_size=274, ...}) = 0
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) =  
0x7f4eaed92000
read(3, "# Begin /etc/nsswitch.conf\n\npass"..., 4096) = 274
read(3, "", 4096)                       = 0
close(3)                                = 0
munmap(0x7f4eaed92000, 4096)            = 0
open("/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3
fstat(3, {st_mode=S_IFREG|0644, st_size=256357, ...}) = 0
mmap(NULL, 256357, PROT_READ, MAP_PRIVATE, 3, 0) = 0x7f4eaed54000
close(3)                                = 0
open("/lib/libnss_files.so.2", O_RDONLY|O_CLOEXEC) = 3
read(3,  
"\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0000\"\0\0\0\0\0\0"..., 832) =  
832
fstat(3, {st_mode=S_IFREG|0755, st_size=52112, ...}) = 0
mmap(NULL, 2148136, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) =  
0x7f4eae3be000
mprotect(0x7f4eae3ca000, 2093056, PROT_NONE) = 0
mmap(0x7f4eae5c9000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED| 
MAP_DENYWRITE, 3, 0xb000) = 0x7f4eae5c9000
close(3)                                = 0
mprotect(0x7f4eae5c9000, 4096, PROT_READ) = 0
munmap(0x7f4eaed54000, 256357)          = 0
open("/etc/passwd", O_RDONLY|O_CLOEXEC) = 3
fstat(3, {st_mode=S_IFREG|0644, st_size=1439, ...}) = 0
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) =  
0x7f4eaed92000
read(3, "root:x:0:0:root client:/root:/bi"..., 4096) = 1439
close(3)                                = 0
munmap(0x7f4eaed92000, 4096)            = 0
socket(PF_NETLINK, SOCK_RAW, 0)         = 3
bind(3, {sa_family=AF_NETLINK, pid=0, groups=00000000}, 12) = 0
getsockname(3, {sa_family=AF_NETLINK, pid=18164, groups=00000000}, [12]) = 0
sendto(3, "\24\0\0\0\26\0\1\3^\227\374O\0\0\0\0\0\0\0\0", 20, 0,  
{sa_family=AF_NETLINK, pid=0, groups=00000000}, 12) = 20
recvmsg(3, {msg_name(12)={sa_family=AF_NETLINK, pid=0, groups=00000000},  
msg_iov(1)=[{"0\0\0\0\24\0\2\0^\227\374O\364F\0\0\2\10\200\376\1\0\0\0\10\0\1\0\177\0\0\1"...,  
4096}], msg_controllen=0, msg_flags=0}, 0) = 224
recvmsg(3, {msg_name(12)={sa_family=AF_NETLINK, pid=0, groups=00000000},  
msg_iov(1)=[{"@\0\0\0\24\0\2\0^\227\374O\364F\0\0\n\200\200\376\1\0\0\0\24\0\1\0\0\0\0\0"...,  
4096}], msg_controllen=0, msg_flags=0}, 0) = 192
recvmsg(3, {msg_name(12)={sa_family=AF_NETLINK, pid=0, groups=00000000},  
msg_iov(1)=[{"\24\0\0\0\3\0\2\0^\227\374O\364F\0\0\0\0\0\0", 4096}],  
msg_controllen=0, msg_flags=0}, 0) = 20
socket(PF_FILE, SOCK_STREAM|SOCK_CLOEXEC|SOCK_NONBLOCK, 0) = 4
connect(4, {sa_family=AF_FILE, sun_path="/var/run/nscd/socket"}, 110) = -1  
ENOENT (No such file or directory)
close(4)                                = 0
close(3)                                = 0
socket(PF_FILE, SOCK_STREAM|SOCK_CLOEXEC|SOCK_NONBLOCK, 0) = 3
connect(3, {sa_family=AF_FILE, sun_path="/var/run/nscd/socket"}, 110) = -1  
ENOENT (No such file or directory)
close(3)                                = 0
open("/etc/host.conf", O_RDONLY|O_CLOEXEC) = 3
fstat(3, {st_mode=S_IFREG|0644, st_size=63, ...}) = 0
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) =  
0x7f4eaed92000
read(3, "#\n# /etc/host.conf\n#\n\norder host"..., 4096) = 63
read(3, "", 4096)                       = 0
close(3)                                = 0
munmap(0x7f4eaed92000, 4096)            = 0
getpid()                                = 18164
open("/etc/resolv.conf", O_RDONLY|O_CLOEXEC) = 3
fstat(3, {st_mode=S_IFREG|0644, st_size=63, ...}) = 0
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) =  
0x7f4eaed92000
read(3, "nameserver 127.0.0.1\nnameserver "..., 4096) = 63
read(3, "", 4096)                       = 0
close(3)                                = 0
munmap(0x7f4eaed92000, 4096)            = 0
uname({sys="Linux", node="client", ...}) = 0
open("/etc/hosts", O_RDONLY|O_CLOEXEC)  = 3
fstat(3, {st_mode=S_IFREG|0644, st_size=622, ...}) = 0
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) =  
0x7f4eaed92000
read(3, "#\n# /etc/hosts: static lookup ta"..., 4096) = 622
read(3, "", 4096)                       = 0
close(3)                                = 0
munmap(0x7f4eaed92000, 4096)            = 0
keyctl(0xa, 0xfffffffd, 0x4021c2, 0x7fff300084d0, 0) = -1 ENOKEY (Required  
key not available)
open("/dev/tty", O_RDWR|O_CREAT|O_TRUNC|O_CLOEXEC, 0666) = 3
ioctl(3, SNDCTL_TMR_TIMEBASE or SNDRV_TIMER_IOCTL_NEXT_DEVICE or TCGETS,  
{B38400 opost isig icanon echo ...}) = 0
ioctl(3, SNDCTL_TMR_CONTINUE or SNDRV_TIMER_IOCTL_GPARAMS or TCSETSF,  
{B38400 opost -isig icanon -echo ...}) = 0
fstat(3, {st_mode=S_IFCHR|0666, st_rdev=makedev(5, 0), ...}) = 0
ioctl(3, SNDCTL_TMR_TIMEBASE or SNDRV_TIMER_IOCTL_NEXT_DEVICE or TCGETS,  
{B38400 opost -isig icanon -echo ...}) = 0
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) =  
0x7f4eaed92000
write(3, "Password: ", 10Password: )              = 10
read(3, "\33[B\33[C\33[B\33[D\n", 4096) = 13
write(3, "\n", 1
)                       = 1
ioctl(3, SNDCTL_TMR_CONTINUE or SNDRV_TIMER_IOCTL_GPARAMS or TCSETSF,  
{B38400 opost isig icanon echo ...}) = 0
close(3)                                = 0
munmap(0x7f4eaed92000, 4096)            = 0
add_key(0x4021c2, 0x7fff30008410, 0x7fff30008450, 0x17, 0xfffffffd) =  
588748510
keyctl(0x5, 0x231796de, 0xd0d0000, 0xffffffffffffffff, 0xfffffffd) = 0
exit_group(0)                           = ?
+++ exited with 0 +++


* Re: mount.cifs multiuser w/o krb5? How?
  2012-07-09 10:26           ` Jeff Layton
@ 2012-07-10 21:01             ` knizek-VIXq6x/3rUk
  2012-07-10 21:05             ` knizek-VIXq6x/3rUk
  1 sibling, 0 replies; 9+ messages in thread
From: knizek-VIXq6x/3rUk @ 2012-07-10 21:01 UTC (permalink / raw)
  To: Jeff Layton; +Cc: Milan Knížek, linux-cifs-u79uwXL29TY76Z2rM5mHXA

Jeff Layton writes:

>> cifscreds add is more or less equivalent to a command like this:
>
>     $ keyctl add logon cifs:a:ip_address 'username:password' @s
>

There seems to be a general problem with adding keys (@s) to the default  
"session" keyring. Adding user type keys (@u) works.

$ keyctl add logon description data @s
does not add anything to the _uid_ses:UID keyring, which is automatically  
created after login.

Interestingly, when a new session keyring is added, then it works:

[root@client ~]# su - zmrzlinka
[zmrzlinka@client ~]$ keyctl show
Session Keyring
1037083570 --alswrv   1001    -1  keyring: _uid_ses.1001
 578017679 --alswrv   1001    -1   \_ keyring: _uid.1001
[zmrzlinka@client ~]$ cifscreds add toillet
Password:
[zmrzlinka@client ~]$ keyctl show
Session Keyring
1037083570 --alswrv   1001    -1  keyring: _uid_ses.1001
 578017679 --alswrv   1001    -1   \_ keyring: _uid.1001
[zmrzlinka@client ~]$ keyctl session new-session
Joined session keyring: 871855811
[zmrzlinka@client ~]$ keyctl show
Session Keyring
 871855811 --alswrv   1001   100  keyring: new-session
[zmrzlinka@client ~]$ cifscreds add toillet
Password:
[zmrzlinka@client ~]$ keyctl show
Session Keyring
 871855811 --alswrv   1001   100  keyring: new-session
 244698182 ----sw-v   1001   100   \_ logon: cifs:a:192.168.1.3

Milan

^ permalink raw reply	[flat|nested] 9+ messages in thread

* Re: mount.cifs multiuser w/o krb5? How?
       [not found]         ` <1341612593.26748.9.camel-77nuZImz6nKt3pJmeLR6bw@public.gmane.org>
@ 2012-07-09 10:26           ` Jeff Layton
  2012-07-10 21:01             ` knizek-VIXq6x/3rUk
  2012-07-10 21:05             ` knizek-VIXq6x/3rUk
  0 siblings, 2 replies; 9+ messages in thread
From: Jeff Layton @ 2012-07-09 10:26 UTC (permalink / raw)
  To: Milan Knížek; +Cc: linux-cifs-u79uwXL29TY76Z2rM5mHXA

On Sat, 07 Jul 2012 00:09:53 +0200
Milan Knížek <knizek.confy-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org> wrote:

> Jeff Layton wrote on Fri 06. 07. 2012 at 14:15 -0400:
> 
> Hello Jeff,
> 
> > On Wed, 04 Jul 2012 20:52:17 +0200
> > Milan Knížek <knizek.confy-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org> wrote:
> > > To move on for multiuser: adding the credentials to the keyring:
> > > [user1@client /]$ cifscreds add server
> > > and typing in the password.
> > > 
> > > (Similarly for user2.)
> > > 
> > > When I remount the same share with "multiuser" option with the
> > > credentials of user1, the share is accessible only by the root user, the
> > > users user1 and user2 cannot list the mount point (cannot access /mnt:
> > > Permission denied)
> > > 
> > 
> > Can you clarify exactly what you did above? How, exactly did you
> > remount the share?
> 
> I actually unmounted and mounted again with the extra "multiuser"
> option.
> 

Ok, good...

> > > Adding cifscreds has exit code 0. Running "cifscreds clearall" results
> > > in "You have no stashed cifs credentials. If you want to add them use:
> > > cifscreds add" and exit code 1. That's weird.
> > > 
> > 
> > After you do the "cifscreds add", if you then do a "keyctl show" does
> > it show the cifs keys attached to your session keyring?
> > 
> > One thing that may be biting you: cifscreds attaches the keys to the
> > session keyring. If you do the "add" in one session and then try to
> > access from another, it won't work since the keys just aren't present.
> > The fact that "clearall" doesn't find any creds leads me to suspect
> > that's what's going on here.
> > 
> > The scope of a "session" in keys parlance is unfortunately somewhat
> > poorly defined, but you basically need to do the "cifscreds add" from
> > each login. A graphical login on the console would be a single session
> > however.
> 
> Hm, I will need to read more on the keyrings in kernel...
> 
> Anyway, here are some details:
> [root@client /]# su - zmrzlinka
> [zmrzlinka@client ~]$ keyctl show
> Session Keyring
>   14048542 --alswrv   1001    -1  keyring: _uid_ses.1001
>  320075663 --alswrv   1001    -1   \_ keyring: _uid.1001
> [zmrzlinka@client ~]$ cifscreds add -u zmrzlinka toillet
> Password: [blabla]
> [zmrzlinka@client ~]$ keyctl show
> Session Keyring
>   14048542 --alswrv   1001    -1  keyring: _uid_ses.1001
>  320075663 --alswrv   1001    -1   \_ keyring: _uid.1001
> 
> It does not seem to change anything. Is there a way to add the key
> to the keyring using "keyctl" instead of "cifscreds" (for testing
> purposes)?
> 
> Regards,
> Milan

Ok, that at least gives us something to go on. Running this under
strace might give us some sort of clue as to the problem as well.

cifscreds add is more or less equivalent to a command like this:

    $ keyctl add logon cifs:a:ip_address 'username:password' @s

If the server is multi-homed, then cifscreds add will add a key for each
address in the list returned when the hostname is resolved.

-- 
Jeff Layton <jlayton-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>

^ permalink raw reply	[flat|nested] 9+ messages in thread
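
A small check for the situation discussed in this thread, as an added example that is not part of any poster's message or of cifs-utils: it reads `keyctl show` output and reports, for each server address (several if the server is multi-homed), whether a `cifs:a:<address>` logon key is linked under the session keyring, and whether that keyring is the default `_uid_ses.<uid>` one. The function and sample names are hypothetical; the two sample transcripts are copied from the thread.

```shell
#!/bin/sh
# Added example: function and sample names are hypothetical, not cifs-utils code.

# cifs_key_report ADDR... < output-of-"keyctl show"
# Prints "keyring <name> default|named", then "<addr> present|missing" for
# each address. Returns 0 only if every address has its cifs:a:<addr> key.
cifs_key_report() {
    awk -v addrs="$*" '
        BEGIN { n = split(addrs, want, " ") }
        # Top line:   "<id> <perm> <uid> <gid>  keyring: <name>"
        $5 == "keyring:" && root == "" { root = $6 }
        # Child line: "<id> <perm> <uid> <gid>   \_ logon: <description>"
        $5 == "\\_" && $6 == "logon:" { have[$7] = 1 }
        END {
            kind = (root ~ /^_uid_ses\./) ? "default" : "named"
            printf "keyring %s %s\n", root, kind
            for (i = 1; i <= n; i++) {
                k = "cifs:a:" want[i]
                if (k in have) state = "present"
                else { state = "missing"; miss++ }
                printf "%s %s\n", want[i], state
            }
            exit (miss > 0)
        }'
}

# Transcript from the thread: default session keyring after "cifscreds add".
sample_default() {
    cat <<'EOF'
Session Keyring
1037083570 --alswrv   1001    -1  keyring: _uid_ses.1001
 578017679 --alswrv   1001    -1   \_ keyring: _uid.1001
EOF
}

# Transcript from the thread: after "keyctl session new-session" and a
# second "cifscreds add".
sample_named() {
    cat <<'EOF'
Session Keyring
 871855811 --alswrv   1001   100  keyring: new-session
 244698182 ----sw-v   1001   100   \_ logon: cifs:a:192.168.1.3
EOF
}

# Demo on the two transcripts. On a live client: keyctl show | cifs_key_report ADDR...
sample_default | cifs_key_report 192.168.1.3 || true
sample_named   | cifs_key_report 192.168.1.3
```

A non-zero return together with a `default` keyring line matches the case reported in the thread, where the key did not appear under `_uid_ses.1001`.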

* Re: mount.cifs multiuser w/o krb5? How?
       [not found]     ` <20120706141543.1b564c11-9yPaYZwiELC+kQycOl6kW4xkIHaj4LzF@public.gmane.org>
@ 2012-07-06 22:09       ` Milan Knížek
       [not found]         ` <1341612593.26748.9.camel-77nuZImz6nKt3pJmeLR6bw@public.gmane.org>
  0 siblings, 1 reply; 9+ messages in thread
From: Milan Knížek @ 2012-07-06 22:09 UTC (permalink / raw)
  To: Jeff Layton; +Cc: linux-cifs-u79uwXL29TY76Z2rM5mHXA

Jeff Layton wrote on Fri 06. 07. 2012 at 14:15 -0400:

Hello Jeff,

> On Wed, 04 Jul 2012 20:52:17 +0200
> Milan Knížek <knizek.confy-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org> wrote:
> > To move on for multiuser: adding the credentials to the keyring:
> > [user1@client /]$ cifscreds add server
> > and typing in the password.
> > 
> > (Similarly for user2.)
> > 
> > When I remount the same share with "multiuser" option with the
> > credentials of user1, the share is accessible only by the root user, the
> > users user1 and user2 cannot list the mount point (cannot access /mnt:
> > Permission denied)
> > 
> 
> Can you clarify exactly what you did above? How, exactly did you
> remount the share?

I actually unmounted and mounted again with the extra "multiuser"
option.

> > Adding cifscreds has exit code 0. Running "cifscreds clearall" results
> > in "You have no stashed cifs credentials. If you want to add them use:
> > cifscreds add" and exit code 1. That's weird.
> > 
> 
> After you do the "cifscreds add", if you then do a "keyctl show" does
> it show the cifs keys attached to your session keyring?
> 
> One thing that may be biting you: cifscreds attaches the keys to the
> session keyring. If you do the "add" in one session and then try to
> access from another, it won't work since the keys just aren't present.
> The fact that "clearall" doesn't find any creds leads me to suspect
> that's what's going on here.
> 
> The scope of a "session" in keys parlance is unfortunately somewhat
> poorly defined, but you basically need to do the "cifscreds add" from
> each login. A graphical login on the console would be a single session
> however.

Hm, I will need to read more on the keyrings in kernel...

Anyway, here are some details:
[root@client /]# su - zmrzlinka
[zmrzlinka@client ~]$ keyctl show
Session Keyring
  14048542 --alswrv   1001    -1  keyring: _uid_ses.1001
 320075663 --alswrv   1001    -1   \_ keyring: _uid.1001
[zmrzlinka@client ~]$ cifscreds add -u zmrzlinka toillet
Password: [blabla]
[zmrzlinka@client ~]$ keyctl show
Session Keyring
  14048542 --alswrv   1001    -1  keyring: _uid_ses.1001
 320075663 --alswrv   1001    -1   \_ keyring: _uid.1001

It does not seem to change anything. Is there a way to add the key
to the keyring using "keyctl" instead of "cifscreds" (for testing
purposes)?

Regards,
Milan
-- 
http://milan-knizek.net

^ permalink raw reply	[flat|nested] 9+ messages in thread

* Re: mount.cifs multiuser w/o krb5? How?
       [not found] ` <1341427937.3252.6.camel-77nuZImz6nKt3pJmeLR6bw@public.gmane.org>
@ 2012-07-06 18:15   ` Jeff Layton
       [not found]     ` <20120706141543.1b564c11-9yPaYZwiELC+kQycOl6kW4xkIHaj4LzF@public.gmane.org>
  0 siblings, 1 reply; 9+ messages in thread
From: Jeff Layton @ 2012-07-06 18:15 UTC (permalink / raw)
  To: Milan Knížek; +Cc: linux-cifs-u79uwXL29TY76Z2rM5mHXA

On Wed, 04 Jul 2012 20:52:17 +0200
Milan Knížek <knizek.confy-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org> wrote:

> Hello,
> 
> I would like to have a single cifs mount accessible by multiple users
> allowing them to create files with their respective uid.
> 
> Having spent some time on RTFM and Google search on this mailing list,
> it seems that the "multiuser" option of mount.cifs could make me happy.
> And it should work now also for systems w/o krb5.
> 
> 
> My intention is to avoid use of any directory services or domain (small
> network of mainly linux clients). The test platform (both server and
> client) are Arch linux, kernel 3.4.4-2-ARCH x86-64, cifs-utils 5.4-1.
> 

Thanks for giving this a go. It's quite new, so there may be some kinks
to work out. Those cifs-utils and kernel versions should be fine for
this.

> The smb.conf on the server has
> security = user
> client ntlmv2 auth = yes
> 
> I can post full smb.conf, if needed. Users have the same uid on both
> client and server.
> 
> From the client, I am able to mount - as root - //server/share with
> credentials of user1 and user1 can access the share. Mounting and
> accessing works also for user2.
> 
> [root@client /]$ mount
> //server/share on /mnt type cifs (rw,relatime,sec=ntlmv2,unc=\\server
> \share,username=user1,domain=WORKGROUP,uid=0,noforceuid,gid=0,
> noforcegid,addr=192.168.1.3,unix,posixpaths,serverino,acl,
> rsize=1048576,wsize=65536,actimeo=1
> 
> To move on for multiuser: adding the credentials to the keyring:
> [user1@client /]$ cifscreds add server
> and typing in the password.
> 
> (Similarly for user2.)
> 
> When I remount the same share with "multiuser" option with the
> credentials of user1, the share is accessible only by the root user, the
> users user1 and user2 cannot list the mount point (cannot access /mnt:
> Permission denied)
> 

Can you clarify exactly what you did above? How, exactly did you
remount the share?

> What am I doing wrong?
> 
> Adding cifscreds has exit code 0. Running "cifscreds clearall" results
> in "You have no stashed cifs credentials. If you want to add them use:
> cifscreds add" and exit code 1. That's weird.
> 

After you do the "cifscreds add", if you then do a "keyctl show" does
it show the cifs keys attached to your session keyring?

One thing that may be biting you: cifscreds attaches the keys to the
session keyring. If you do the "add" in one session and then try to
access from another, it won't work since the keys just aren't present.
The fact that "clearall" doesn't find any creds leads me to suspect
that's what's going on here.

The scope of a "session" in keys parlance is unfortunately somewhat
poorly defined, but you basically need to do the "cifscreds add" from
each login. A graphical login on the console would be a single session
however.

> The manpage of cifscreds reads "The cifscreds utility requires a kernel
> built with support for the login key type." What is the name of kernel
> config option to check?
> 

There's no specific configuration. Newer kernels should all get the "login"
key type as it's part of the "core" keys API.

> Further it reads "When a cifs filesystem is mounted with the "multiuser"
> option, and does not use krb5 authentication, it needs to be able to get
> the credentials for each user from somewhere. The cifscreds program is
> the tool used to provide these credentials to the kernel."
> 
> However, man page of mount.cifs mentions "Because the kernel cannot
> prompt for passwords, multiuser mounts are limited to mounts using sec=
> options that don't require passwords." Does that include NTLMv2 or its
> variants? Do I have to do something extra to let the kernel know about
> the credentials?
> 

The cifscreds manpage is correct, and the mount.cifs one probably needs
updating.

-- 
Jeff Layton <jlayton-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>

^ permalink raw reply	[flat|nested] 9+ messages in thread

* mount.cifs multiuser w/o krb5? How?
@ 2012-07-04 18:52 Milan Knížek
       [not found] ` <1341427937.3252.6.camel-77nuZImz6nKt3pJmeLR6bw@public.gmane.org>
  0 siblings, 1 reply; 9+ messages in thread
From: Milan Knížek @ 2012-07-04 18:52 UTC (permalink / raw)
  To: linux-cifs-u79uwXL29TY76Z2rM5mHXA

Hello,

I would like to have a single cifs mount accessible by multiple users
allowing them to create files with their respective uid.

Having spent some time on RTFM and Google search on this mailing list,
it seems that the "multiuser" option of mount.cifs could make me happy.
And it should work now also for systems w/o krb5.


My intention is to avoid use of any directory services or domain (small
network of mainly linux clients). The test platform (both server and
client) are Arch linux, kernel 3.4.4-2-ARCH x86-64, cifs-utils 5.4-1.

The smb.conf on the server has
security = user
client ntlmv2 auth = yes

I can post full smb.conf, if needed. Users have the same uid on both
client and server.

From the client, I am able to mount - as root - //server/share with
credentials of user1 and user1 can access the share. Mounting and
accessing works also for user2.

[root@client /]$ mount
//server/share on /mnt type cifs (rw,relatime,sec=ntlmv2,unc=\\server
\share,username=user1,domain=WORKGROUP,uid=0,noforceuid,gid=0,
noforcegid,addr=192.168.1.3,unix,posixpaths,serverino,acl,
rsize=1048576,wsize=65536,actimeo=1

To move on for multiuser: adding the credentials to the keyring:
[user1@client /]$ cifscreds add server
and typing in the password.

(Similarly for user2.)

When I remount the same share with "multiuser" option with the
credentials of user1, the share is accessible only by the root user, the
users user1 and user2 cannot list the mount point (cannot access /mnt:
Permission denied)

What am I doing wrong?

Adding cifscreds has exit code 0. Running "cifscreds clearall" results
in "You have no stashed cifs credentials. If you want to add them use:
cifscreds add" and exit code 1. That's weird.

The manpage of cifscreds reads "The cifscreds utility requires a kernel
built with support for the login key type." What is the name of kernel
config option to check?

Further it reads "When a cifs filesystem is mounted with the "multiuser"
option, and does not use krb5 authentication, it needs to be able to get
the credentials for each user from somewhere. The cifscreds program is
the tool used to provide these credentials to the kernel."

However, man page of mount.cifs mentions "Because the kernel cannot
prompt for passwords, multiuser mounts are limited to mounts using sec=
options that don't require passwords." Does that include NTLMv2 or its
variants? Do I have to do something extra to let the kernel know about
the credentials?

Thanks for any hints.

Regards,
Milan
-- 
http://milan-knizek.net
About linux and photography (Czech only)

^ permalink raw reply	[flat|nested] 9+ messages in thread
