Re: [Freeipa-users] Mount cifs share using kerberos

Fri, 09 Jan 2015 09:16:52 -0800 

On Fri, 09 Jan 2015, John Obaterspok wrote:



2015-01-09 10:11 GMT+01:00 Alexander Bokovoy <aboko...@redhat.com>:


On Fedora 21 we have /etc/request-key.d/cifs.upcall.conf and
/etc/request-key.d/cifs.idmap.conf to allow kernel to properly fetch
Kerberos keys and map IDs of CIFS identities. These configurations are
part of cifs-utils package which also supplies mount.cifs.





I have no /etc/request-key.d/cifs.upcall.conf on my F21. Is it suppose to
be there?

No, it was my fault, forgetting the actual name -- it is
cifs.spnego.conf that you have listed below:


This is what I have:

[root@ipaserver etc]# cat request-key.conf
###############################################################################
# .... snip ....
################################################################################

#OP     TYPE    DESCRIPTION     CALLOUT INFO    PROGRAM ARG1 ARG2 ARG3 ...
#====== ======= =============== ===============
===============================
create  dns_resolver *          *               /sbin/key.dns_resolver %k
create  user    debug:*         negate          /bin/keyctl negate %k 30 %S
create  user    debug:*         rejected        /bin/keyctl reject %k 30 %c
%S
create  user    debug:*         expired         /bin/keyctl reject %k 30 %c
%S
create  user    debug:*         revoked         /bin/keyctl reject %k 30 %c
%S
create  user    debug:loop:*    *               |/bin/cat
create  user    debug:*         *
/usr/share/keyutils/request-key-debug.sh %k %d %c %S
negate  *       *               *               /bin/keyctl negate %k 30 %S

[root@ipaserver etc]# ls request-key.d/
cifs.idmap.conf   cifs.spnego.conf  id_resolver.conf

[root@ipaserver etc]# cat request-key.d/cifs.idmap.conf
create  cifs.idmap    * * /usr/sbin/cifs.idmap %k

[root@ipaserver etc]# cat request-key.d/cifs.spnego.conf
create  cifs.spnego    * * /usr/sbin/cifs.upcall %k

So if you have all these configs right, can you add --verbose to
mount.cifs arguments _before_ -o options?

mount -t cifs //ipaserver.MY.LAN/TheShare --verbose -o sec=krb5

and you can enable debugging before mounting in /proc/fs/cifs/, see
https://wiki.samba.org/index.php/LinuxCIFS_troubleshooting
--
/ Alexander Bokovoy

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project






















					Reply via email to