> Message of 17/11/12 11:44
> From: "Jeff Layton"
> To: "sergio.conrad"
> Cc: [email protected]
> Subject: Re: cifs autofs krb5i
>
> On Sat, 17 Nov 2012 08:53:02 +0100
> "sergio.conrad" wrote:
>
> >
> > > Message of 17/11/12 03:01
> > > From: "Jeff Layton"
> > > To: "sergio.conrad"
> > > Cc: [email protected]
> > > Subject: Re: cifs autofs krb5i
> > >
> > > On Fri, 16 Nov 2012 23:37:52 +0100
> > > "sergio.conrad" wrote:
> > >
> > > > Hi,
> > > >
> > > > I am able to connect to cifs share on Windows 2008 with Kerberos security via autofs with this map :
> > > > * -fstype=cifs,sec=krb5i,user=&,uid=&,cruid=&,file_mode=0700,dir_mode=0700,nounix,noserverino ://figue/data/&
> > > >
> > > > Is it working fine with alpha numeric login
> > > > fs/cifs/cifs_spnego.c: key description = ver=0x2;host=figue;ip4=130.120.8.11;sec=krb5;uid=0x1000001;creduid=0x1000001;user=conrad3;pid=0xd331
> > > >
> > > >
> > > > But if I use numeric only login like 12345678 I have a problem :
> > > > fs/cifs/cifs_spnego.c: key description = ver=0x2;host=figue;ip4=130.120.8.11;sec=krb5;uid=0xbc614e;creduid=0xbc614e;user=12345678;pid=0xe5db
> > > > fs/cifs/sess.c: ssetup freeing small buf ffff88003a838140
> > > > CIFS VFS: Send error in SessSetup = -126
> > > > fs/cifs/connect.c: CIFS VFS: leaving cifs_get_smb_ses (xid = 223) rc = -126
> > > > fs/cifs/connect.c: CIFS VFS: leaving cifs_mount (xid = 222) rc = -126
> > > > CIFS VFS: cifs_mount failed w/return code = -126
> > > >
> > > > What can I do to solve this issue ?
> > >
> > >
> > > cifs.upcall logs at daemon.debug level. Set up syslog to log that and
> > > you'll get some details about what it's doing.
> > >
> > > --
> > > Jeff Layton
> > >
> >
> > Thanks for your response,
> > I got the error
> > Nov 17 08:42:53 centad5 cifs.upcall: find_krb5_cc: /tmp/krb5cc_16777221 is owned by 16777221, not 12345678
> >
> > Perhaps it is a confusion about the uid and the login in a numeric value
> >
> > [12345678@centad5 ~]$ id
> > uid=16777221(12345678) gid=16777216(utilisateurs du domaine)
> > groupes=16777216(utilisateurs du domaine),16777217(profs)
> >
> > The full log is :
> >
> > Nov 17 08:42:53 centad5 cifs.upcall: key description: cifs.spnego;0;0;3f000000;ver=0x2;host=figue;ip4=130.120.8.11;sec=krb5;uid=0xbc614e;creduid=0xbc614e;user=12345678;pid=0x9b5
> > Nov 17 08:42:53 centad5 cifs.upcall: ver=2
> > Nov 17 08:42:53 centad5 cifs.upcall: host=figue
> > Nov 17 08:42:53 centad5 cifs.upcall: ip=130.120.8.11
> > Nov 17 08:42:53 centad5 cifs.upcall: sec=1
> > Nov 17 08:42:53 centad5 cifs.upcall: uid=12345678
> > Nov 17 08:42:53 centad5 cifs.upcall: creduid=12345678
> > Nov 17 08:42:53 centad5 cifs.upcall: user=12345678
> > Nov 17 08:42:53 centad5 cifs.upcall: pid=2485
> > Nov 17 08:42:53 centad5 cifs.upcall: find_krb5_cc: considering /tmp/krb5cc_16777221
> > Nov 17 08:42:53 centad5 cifs.upcall: find_krb5_cc: /tmp/krb5cc_16777221 is owned by 16777221, not 12345678
> > Nov 17 08:42:53 centad5 cifs.upcall: find_krb5_cc: considering /tmp/krb5cc_16777216
> > Nov 17 08:42:53 centad5 cifs.upcall: find_krb5_cc: /tmp/krb5cc_16777216 is owned by 16777216, not 12345678
> > Nov 17 08:42:53 centad5 cifs.upcall: krb5_get_init_creds_keytab: 13
> > Nov 17 08:42:53 centad5 cifs.upcall: handle_krb5_mech: getting service ticket for figue
> > Nov 17 08:42:53 centad5 cifs.upcall: cifs_krb5_get_req: unable to resolve (null) to ccache
> > @
>
> What a bizarre setup you have. I imagine all sorts of things get
> confused by numeric usernames. Many programs will assume that when
> given a numeric username that it's a uid, not a name. You might
> reconsider that setup -- maybe prefix the numbers with a letter or
> something...
>
It seems it is a little late for this, we are already in a production state with Active Directory and winbind for authentication, Windows 2008 as a cifs server, Fedora 15 for client and using pam_mount for mounting partition.
As we are experiencing some CIFS VFS: Unexpected SMB signature with this I am testing some other ways...

> In any case, it does seem like there is confusion somewhere with
> numeric uids, but I don't think that confusion is with cifs.upcall. If
> that is the correct credcache for this user, then it looks like it's
> being created with the wrong ownership.
>
> What does the output of "klist" look like when you're logged in as this
> user?
>
[12345678@centad5 ~]$ klist
Ticket cache: FILE:/tmp/krb5cc_16777221
Default principal: [email protected]
Valid starting Expires Service principal
11/17/12 14:34:04 11/18/12 00:34:04 krbtgt/[email protected]
renew until 11/24/12 14:34:04
11/17/12 14:34:04 11/18/12 00:34:04 [email protected]
renew until 11/24/12 14:34:04
11/17/12 14:34:04 11/18/12 00:34:04 [email protected]
renew until 11/24/12 14:34:04
[12345678@centad5 ~]$
> How about the output of "stat /tmp/krb5cc_16777216" ?
16777216 or 16777221 ?
I did it for the two files
[12345678@centad5 ~]$ id
uid=16777221(12345678) gid=16777216(utilisateurs du domaine)
groupes=16777216(utilisateurs du domaine),16777217(profs)
[12345678@centad5 ~]$
[12345678@centad5 ~]$ stat /tmp/krb5cc_16777221
File: « /tmp/krb5cc_16777221 »
Size: 3830 Blocks: 8 IO Block: 4096 fichier
Device: 801h/2049d Inode: 1985377 Links: 1
Access: (0600/-rw-------) Uid: (16777221/12345678) Gid: ( 0/ root)
Access: 2012-11-17 14:41:37.056868612 +0100
Modify: 2012-11-17 14:41:32.251850184 +0100
Change: 2012-11-17 14:41:32.251850184 +0100
[12345678@centad5 ~]$ stat /tmp/krb5cc_16777216
File: « /tmp/krb5cc_16777216 »
Size: 3751 Blocks: 8 IO Block: 4096 fichier
Device: 801h/2049d Inode: 1966082 Links: 1
Access: (0600/-rw-------) Uid: (16777216/ conrad5) Gid: ( 0/ root)
Access: 2012-11-16 23:11:47.948511483 +0100
Modify: 2012-11-16 23:11:47.948511483 +0100
Change: 2012-11-16 23:11:47.948511483 +0100
>
> --
> Jeff Layton
>
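
Added example, not part of the original thread: a Python check that decodes the key description lines from the logs above and tells whether creduid is the account's real uid or the login name read as a number. The function names are hypothetical; the uid for 12345678 is taken from the id output in the thread, and the uid for conrad3 is an assumption based on its own key description.

```python
import pwd

def parse_key_description(desc):
    """Split a cifs.spnego key description into a dict; 0x... values become ints."""
    fields = {}
    for part in desc.strip().split(";"):
        if "=" not in part:
            continue  # skips the leading "cifs.spnego;0;0;3f000000" key header
        key, value = part.split("=", 1)
        fields[key] = int(value, 16) if value.lower().startswith("0x") else value
    return fields

def system_uid(name):
    """Resolve a login name through NSS (passwd, winbind, ...); None if unknown."""
    try:
        return pwd.getpwnam(name).pw_uid
    except KeyError:
        return None

def check_creduid(desc, lookup=system_uid):
    """Compare creduid in the upcall request with the uid the account really has."""
    f = parse_key_description(desc)
    user, creduid = f["user"], f["creduid"]
    real = lookup(user)
    numeric_name = user.isascii() and user.isdigit()
    return {
        "user": user,
        "creduid": creduid,
        "account_uid": real,
        # cache path pattern as seen in the thread's klist output
        "expected_ccache": None if real is None else f"/tmp/krb5cc_{real}",
        "creduid_matches_account": real is not None and creduid == real,
        # True when the numeric login was used as the uid itself
        "name_taken_as_uid": numeric_name and creduid == int(user) and creduid != real,
    }

# 12345678 -> 16777221 is from the thread's id output; conrad3's uid is assumed.
PAGE_UIDS = {"12345678": 16777221, "conrad3": 16777217}
# Key descriptions copied from the logs quoted in the thread.
FAILING = ("cifs.spnego;0;0;3f000000;ver=0x2;host=figue;ip4=130.120.8.11;sec=krb5;"
           "uid=0xbc614e;creduid=0xbc614e;user=12345678;pid=0x9b5")
WORKING = ("ver=0x2;host=figue;ip4=130.120.8.11;sec=krb5;"
           "uid=0x1000001;creduid=0x1000001;user=conrad3;pid=0xd331")

if __name__ == "__main__":
    for desc in (WORKING, FAILING):
        print(check_creduid(desc, PAGE_UIDS.get))
```

With the default lookup the name is resolved through NSS on the local host, so the function can be given a key description copied straight from syslog on the affected client.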