Linux-CIFS Archive on lore.kernel.org
 help / color / Atom feed
* Permission denied mounting a DFS share with multiuser options
@ 2019-11-27 12:20 abrosich
  2019-12-03 22:16 ` Steve French
  0 siblings, 1 reply; 2+ messages in thread
From: abrosich @ 2019-11-27 12:20 UTC (permalink / raw)
  To: linux-cifs


Hello,

I'm trying to configure a linux client (Unubtu 18.04.3) to mount a DFS
share from a windows server 2019. Both machines are joined in the same
Active Directory domain. I joined the linux client using the "realm"
command and it works fine: for example I can login with ssh using AD
credentials.

The package cifs-utils is version 6.8.

I start by saying that I have a little konwledge of the windows world
and in particular of SMB, hence my question could by silly but I
searched for days without find any solution.

I found the following entries in the krb5.conf file (I suppose added by
"realm" coomand): 
3 11/11/19 08:54:09 host/LINUXCLIENT@AD.DOMAIN (des-cbc-crc) 
   3 11/11/19 08:54:09 host/LINUXCLIENT@AD.DOMAIN (des-cbc-md5) 
   3 11/11/19 08:54:09 host/LINUXCLIENT@AD.DOMAIN (arcfour-hmac) 
   3 11/11/19 08:54:09 host/LINUXCLIENT@AD.DOMAIN (aes128-cts-hmac-
sha1-96) 
   3 11/11/19 08:54:09 host/LINUXCLIENT@AD.DOMAIN (aes256-cts-hmac-
sha1-96) 
   3 11/11/19 08:54:09 host/linuxclient@AD.DOMAIN (des-cbc-crc) 
   3 11/11/19 08:54:09 host/linuxclient@AD.DOMAIN (des-cbc-md5) 
   3 11/11/19 08:54:09 host/linuxclient@AD.DOMAIN (arcfour-hmac) 
   3 11/11/19 08:54:09 host/linuxclient@AD.DOMAIN (aes128-cts-hmac-
sha1-96) 
   3 11/11/19 08:54:09 host/linuxclient@AD.DOMAIN (aes256-cts-hmac-
sha1-96) 

I created on the Domain Controller a user principal "linuxclientuser-
cifs" and associated to it an SPN "cifs/linuxclient.fqdn@AD.DOMAIN". I
exported the keytab file and added it in krb5.keytab where I have now
the followind entries:

  3 11/12/19 12:50:59 cifs/linuxclient.fqdn@AD.DOMAIN (des-cbc-crc) 
   3 11/12/19 12:50:59 cifs/linuxclient.fqdn@AD.DOMAIN (des-cbc-md5) 
   3 11/12/19 12:50:59 cifs/linuxclient.fqdn@AD.DOMAIN (arcfour-hmac) 
   3 11/12/19 12:50:59 cifs/linuxclient.fqdn@AD.DOMAIN (aes256-cts-
hmac-sha1-96) 
   3 11/12/19 12:50:59 cifs/linuxclient.fqdn@AD.DOMAIN (aes128-cts-
hmac-sha1-96) 


I use the following command to mount the share:
sudo mount --verbose --types cifs //winsrv/CifsShare /mnt/cifs --
options
sec=krb5,multiuser,vers=3,user=cifs/linuxclient.fqdn,domain=AD.DOMAIN

and the response is: "mount error(13): Permission denied"

Looking at logs I find:
Nov 27 13:07:18 linuxclient cifs.upcall: key description:
cifs.spnego;0;0;39010000;ver=0x2;host=winsrv;ip4=XXX.XXX.XXX.XXX;sec=kr
b5;uid=0x0;creduid=0x0;user=cifs/linuxclient.fqdn;pid=0x6ac
Nov 27 13:07:18 linuxclient cifs.upcall: ver=2
Nov 27 13:07:18 linuxclient cifs.upcall: host=winsrv
Nov 27 13:07:18 linuxclient cifs.upcall: ip=XXX.XXX.XXX.XXX
Nov 27 13:07:18 linuxclient cifs.upcall: sec=1
Nov 27 13:07:18 linuxclient cifs.upcall: uid=0
Nov 27 13:07:18 linuxclient cifs.upcall: creduid=0
Nov 27 13:07:18 linuxclient cifs.upcall: user=cifs/linuxclient.fqdn
Nov 27 13:07:18 linuxclient cifs.upcall: pid=1708
Nov 27 13:07:18 linuxclient cifs.upcall:
get_cachename_from_process_env: pid == 0
Nov 27 13:07:18 linuxclient cifs.upcall: get_existing_cc: default
ccache is FILE:/tmp/krb5cc_0
Nov 27 13:07:18 linuxclient cifs.upcall: get_tgt_time: unable to get
principal
Nov 27 13:07:18 linuxclient cifs.upcall: handle_krb5_mech: getting
service ticket for winsrv
Nov 27 13:07:18 linuxclient cifs.upcall: handle_krb5_mech: obtained
service ticket
Nov 27 13:07:18 linuxclient cifs.upcall: Exit status 0


where it says that it get the service ticket (I can see it sniffing
packets with wireshark) but it is "unable to get principal". Which
principal?

On the server side I have the following error:

A process has requested access to an object, but has not been granted
those access rights. (0xC0000022)
SPN: session setup failed before the SPN could be queried
SPN Validation Policy: SPN optional / no validation


What I'm doing wrong?

Any suggest is welcome.

Best regards

Alberto



^ permalink raw reply	[flat|nested] 2+ messages in thread

* Re: Permission denied mounting a DFS share with multiuser options
  2019-11-27 12:20 Permission denied mounting a DFS share with multiuser options abrosich
@ 2019-12-03 22:16 ` Steve French
  0 siblings, 0 replies; 2+ messages in thread
From: Steve French @ 2019-12-03 22:16 UTC (permalink / raw)
  To: abrosich; +Cc: CIFS

Have you experimented with a newer kernel (e.g. Ubuntu 19 or the
download from the Ubuntu mainline kernel download site) to see if some
of Paulo's DFS fixes (e.g. a large set went in last year) help.

On Wed, Nov 27, 2019 at 6:20 AM <abrosich@inogs.it> wrote:
>
>
> Hello,
>
> I'm trying to configure a linux client (Unubtu 18.04.3) to mount a DFS
> share from a windows server 2019. Both machines are joined in the same
> Active Directory domain. I joined the linux client using the "realm"
> command and it works fine: for example I can login with ssh using AD
> credentials.
>
> The package cifs-utils is version 6.8.
>
> I start by saying that I have a little konwledge of the windows world
> and in particular of SMB, hence my question could by silly but I
> searched for days without find any solution.
>
> I found the following entries in the krb5.conf file (I suppose added by
> "realm" coomand):
> 3 11/11/19 08:54:09 host/LINUXCLIENT@AD.DOMAIN (des-cbc-crc)
>    3 11/11/19 08:54:09 host/LINUXCLIENT@AD.DOMAIN (des-cbc-md5)
>    3 11/11/19 08:54:09 host/LINUXCLIENT@AD.DOMAIN (arcfour-hmac)
>    3 11/11/19 08:54:09 host/LINUXCLIENT@AD.DOMAIN (aes128-cts-hmac-
> sha1-96)
>    3 11/11/19 08:54:09 host/LINUXCLIENT@AD.DOMAIN (aes256-cts-hmac-
> sha1-96)
>    3 11/11/19 08:54:09 host/linuxclient@AD.DOMAIN (des-cbc-crc)
>    3 11/11/19 08:54:09 host/linuxclient@AD.DOMAIN (des-cbc-md5)
>    3 11/11/19 08:54:09 host/linuxclient@AD.DOMAIN (arcfour-hmac)
>    3 11/11/19 08:54:09 host/linuxclient@AD.DOMAIN (aes128-cts-hmac-
> sha1-96)
>    3 11/11/19 08:54:09 host/linuxclient@AD.DOMAIN (aes256-cts-hmac-
> sha1-96)
>
> I created on the Domain Controller a user principal "linuxclientuser-
> cifs" and associated to it an SPN "cifs/linuxclient.fqdn@AD.DOMAIN". I
> exported the keytab file and added it in krb5.keytab where I have now
> the followind entries:
>
>   3 11/12/19 12:50:59 cifs/linuxclient.fqdn@AD.DOMAIN (des-cbc-crc)
>    3 11/12/19 12:50:59 cifs/linuxclient.fqdn@AD.DOMAIN (des-cbc-md5)
>    3 11/12/19 12:50:59 cifs/linuxclient.fqdn@AD.DOMAIN (arcfour-hmac)
>    3 11/12/19 12:50:59 cifs/linuxclient.fqdn@AD.DOMAIN (aes256-cts-
> hmac-sha1-96)
>    3 11/12/19 12:50:59 cifs/linuxclient.fqdn@AD.DOMAIN (aes128-cts-
> hmac-sha1-96)
>
>
> I use the following command to mount the share:
> sudo mount --verbose --types cifs //winsrv/CifsShare /mnt/cifs --
> options
> sec=krb5,multiuser,vers=3,user=cifs/linuxclient.fqdn,domain=AD.DOMAIN
>
> and the response is: "mount error(13): Permission denied"
>
> Looking at logs I find:
> Nov 27 13:07:18 linuxclient cifs.upcall: key description:
> cifs.spnego;0;0;39010000;ver=0x2;host=winsrv;ip4=XXX.XXX.XXX.XXX;sec=kr
> b5;uid=0x0;creduid=0x0;user=cifs/linuxclient.fqdn;pid=0x6ac
> Nov 27 13:07:18 linuxclient cifs.upcall: ver=2
> Nov 27 13:07:18 linuxclient cifs.upcall: host=winsrv
> Nov 27 13:07:18 linuxclient cifs.upcall: ip=XXX.XXX.XXX.XXX
> Nov 27 13:07:18 linuxclient cifs.upcall: sec=1
> Nov 27 13:07:18 linuxclient cifs.upcall: uid=0
> Nov 27 13:07:18 linuxclient cifs.upcall: creduid=0
> Nov 27 13:07:18 linuxclient cifs.upcall: user=cifs/linuxclient.fqdn
> Nov 27 13:07:18 linuxclient cifs.upcall: pid=1708
> Nov 27 13:07:18 linuxclient cifs.upcall:
> get_cachename_from_process_env: pid == 0
> Nov 27 13:07:18 linuxclient cifs.upcall: get_existing_cc: default
> ccache is FILE:/tmp/krb5cc_0
> Nov 27 13:07:18 linuxclient cifs.upcall: get_tgt_time: unable to get
> principal
> Nov 27 13:07:18 linuxclient cifs.upcall: handle_krb5_mech: getting
> service ticket for winsrv
> Nov 27 13:07:18 linuxclient cifs.upcall: handle_krb5_mech: obtained
> service ticket
> Nov 27 13:07:18 linuxclient cifs.upcall: Exit status 0
>
>
> where it says that it get the service ticket (I can see it sniffing
> packets with wireshark) but it is "unable to get principal". Which
> principal?
>
> On the server side I have the following error:
>
> A process has requested access to an object, but has not been granted
> those access rights. (0xC0000022)
> SPN: session setup failed before the SPN could be queried
> SPN Validation Policy: SPN optional / no validation
>
>
> What I'm doing wrong?
>
> Any suggest is welcome.
>
> Best regards
>
> Alberto
>
>


-- 
Thanks,

Steve

^ permalink raw reply	[flat|nested] 2+ messages in thread

end of thread, back to index

Thread overview: 2+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2019-11-27 12:20 Permission denied mounting a DFS share with multiuser options abrosich
2019-12-03 22:16 ` Steve French

Linux-CIFS Archive on lore.kernel.org

Archives are clonable:
	git clone --mirror https://lore.kernel.org/linux-cifs/0 linux-cifs/git/0.git

	# If you have public-inbox 1.1+ installed, you may
	# initialize and index your mirror using the following commands:
	public-inbox-init -V2 linux-cifs linux-cifs/ https://lore.kernel.org/linux-cifs \
		linux-cifs@vger.kernel.org
	public-inbox-index linux-cifs

Example config snippet for mirrors

Newsgroup available over NNTP:
	nntp://nntp.lore.kernel.org/org.kernel.vger.linux-cifs


AGPL code for this site: git clone https://public-inbox.org/public-inbox.git