[Bug 236830] Re: cifs does not support kerberos authentication
I'm still experiencing this issue. Ubuntu hardy, patched up to date as of this writing. pj...@patslinux01 ~ $ lsb_release -a No LSB modules are available. Distributor ID: Ubuntu Description:Ubuntu 8.04.3 LTS Release:8.04 Codename: hardy pj...@patslinux01 ~ $ uname -a Linux patslinux01.mayo.edu 2.6.24-23-generic #1 SMP Wed Apr 1 21:43:24 UTC 2009 x86_64 GNU/Linux pj...@patslinux01 ~ $ klist Credentials cache: FILE:/tmp/krb5cc_1000 Principal: pj...@mfad.mfroot.org Issued Expires Principal Sep 3 14:48:04 Sep 4 00:48:04 krbtgt/mfad.mfroot@mfad.mfroot.org Sep 3 14:48:09 Sep 4 00:48:04 rchnas06...@mfad.mfroot.org # SMB Client connects using kerberos credentials pj...@patslinux01 ~ $ smbclient -k //rchnas06n2/Users500M OS=[Windows 5.0] Server=[Windows 2000 LAN Manager] smb: \ pj...@patslinux01 ~ $ # mount.cifs does not, and prompts for a password: pj...@patslinux01 ~ $ mount.cifs //rchnas06n2/Users500M/PJS11 mnt/pjs11 -o sec=krb5 --verbose parsing options: sec=krb5 Password: (simply pressed return, here) mount.cifs kernel mount options unc=//rchnas06n2\Users500M,ip=129.176.156.20,user=pjs11,pass=,ver=1,sec=krb5,uid=1000,gid=1000,prefixpath=PJS11 mount error 5 = Input/output error Refer to the mount.cifs(8) manual page (e.g.man mount.cifs) pj...@patslinux01 ~ $ more /etc/request-key.conf (...snip copious comments) #OP TYPEDESCRIPTION CALLOUT INFOPROGRAM ARG1 ARG2 ARG3 ... #== === === === === create userdebug:* negate /bin/keyctl negate %k 30 %S create userdebug:loop:** |/bin/cat create userdebug:* * /usr/share/keyutils/request-key-debug.sh %k %d %c %S #create cifs.spnego * * /usr/sbin/cifs.upcall -c %k %d create cifs.spnego * * /usr/sbin/cifs.upcall %k %d negate * * * /bin/keyctl negate %k 30 %S Do the 64 bit packages have the necessary patches in them? -- Pat -- cifs does not support kerberos authentication https://bugs.launchpad.net/bugs/236830 You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to samba in ubuntu. -- Ubuntu-server-bugs mailing list Ubuntu-server-bugs@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
[Bug 236830] Re: cifs does not support kerberos authentication
Unfortunately, CIFS with Kerberos auth is broken in Intrepid, due to bug 298208. Has anyone here gotten the upcall business to work in 8.10? -- cifs does not support kerberos authentication https://bugs.launchpad.net/bugs/236830 You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to samba in ubuntu. -- Ubuntu-server-bugs mailing list Ubuntu-server-bugs@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
[Bug 236830] Re: cifs does not support kerberos authentication
Copied to hardy-updates. The package was successfully tested in bug 259110. If this bug is not fixed for you in the hardy update, please report back here, then we'll reopen this. Thank you! ** Changed in: samba (Ubuntu Hardy) Status: Fix Committed = Fix Released -- cifs does not support kerberos authentication https://bugs.launchpad.net/bugs/236830 You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to samba in ubuntu. -- Ubuntu-server-bugs mailing list Ubuntu-server-bugs@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
[Bug 236830] Re: cifs does not support kerberos authentication
create cifs.upcall * * /usr/sbin/cifs.upcall %k %d The line in /etc/request-key.conf should look like the following instead: create cifs.spnego**/usr/sbin/cifs.upcall %k %d The key name is indeed cifs.spnego, only the executable name change. -- cifs does not support kerberos authentication https://bugs.launchpad.net/bugs/236830 You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to samba in ubuntu. -- Ubuntu-server-bugs mailing list Ubuntu-server-bugs@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
[Bug 236830] Re: cifs does not support kerberos authentication
I can't make this work for me: [EMAIL PROTECTED]:~/hardy$ sudo mount.cifs //127.0.0.1/bigdisc /tmp/foo -ousername=atm26,sec=krb5,guest --verbose parsing options: username=atm26,sec=krb5,guest mount.cifs kernel mount options unc=//127.0.0.1\bigdisc,ip=127.0.0.1,ver=1,username=atm26,sec=krb5,guest mount error 5 = Input/output error Refer to the mount.cifs(8) manual page (e.g.man mount.cifs) with variations of hostnames/IP addresses to no effect (also used -o ip=127.0.0.1 and the real NetBIOS name of the server in the UNC path). Tried both krb5 and krb5i. I'm doing this over an SSH tunnel: ports 139 and 445 forwarded to the same ports on the CIFS server (a NetApp F840) and port 88 to the Windows AD Kerberos server. The ports are open: [EMAIL PROTECTED]:~/hardy$ netstat -a Active Internet connections (servers and established) Proto Recv-Q Send-Q Local Address Foreign Address State tcp0 0 localhost:netbios-ssn *:* LISTEN tcp0 0 localhost:kerberos *:* LISTEN tcp0 0 localhost:microsoft-ds *:* LISTEN (tried IPv4-only as well). If I close these connections I get mount error 111 = Connection refused so it's not just a network connectivity thing. I've also tried forwarding port 137 to the AD Kerberos server too with no change. [EMAIL PROTECTED]:~/hardy$ sudo klist Ticket cache: FILE:/tmp/krb5cc_0 Default principal: [EMAIL PROTECTED] Valid starting ExpiresService principal 10/19/08 13:49:34 10/19/08 23:49:39 krbtgt/[EMAIL PROTECTED] renew until 10/20/08 13:49:34 10/19/08 13:52:56 10/19/08 23:49:39 [EMAIL PROTECTED] renew until 10/20/08 13:49:34 Kerberos 4 ticket cache: /tmp/tkt0 klist: You have no tickets cached [EMAIL PROTECTED]:~/hardy$ uname -a Linux bigwig 2.6.24-21-generic #1 SMP Mon Aug 25 17:32:09 UTC 2008 i686 GNU/Linux I've just upgraded from edgy to hardy via feisty and gutsy. I've installed smbfs/smbclient/samba-common/samba 3.0.28a-1ubuntu4.7 from hardy-proposed and added a line into /etc/request-key.conf as above (keyutils 1.2-4): create cifs.upcall * * /usr/sbin/cifs.upcall %k %d smbclient seems to work: [EMAIL PROTECTED]:~/hardy$ sudo smbclient -k -L 127.0.0.1 OS=[Windows 5.0] Server=[Windows 2000 LAN Manager] Sharename Type Comment - --- atm26 Disk Home Directory IPC$IPC Remote IPC ETC$Disk Remote Administration homes-1 Disk Home directories homes-2 Disk Home directories homes-3 Disk Home directories [snip list of shares available on the server] grp-rb5 Disk grp-rb6 Disk Receiving SMB: Server stopped responding session request to 127.0.0.1 failed (Call returned zero bytes (EOF)) Receiving SMB: Server stopped responding session request to 127 failed (Call returned zero bytes (EOF)) OS=[Windows 5.0] Server=[Windows 2000 LAN Manager] (the Server stopped responding bits are strange, but I can login and alter files fine with smbclient) I'm not 100% convinced this is a Kerberos-related problem, but the same mount worked just fine on SMBFS on edgy. -- cifs does not support kerberos authentication https://bugs.launchpad.net/bugs/236830 You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to samba in ubuntu. -- Ubuntu-server-bugs mailing list Ubuntu-server-bugs@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
[Bug 236830] Re: cifs does not support kerberos authentication
linux 2.6.24-21 copied to hardy-updates. ** Changed in: linux (Ubuntu Hardy) Status: Fix Committed = Fix Released -- cifs does not support kerberos authentication https://bugs.launchpad.net/bugs/236830 You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to samba in ubuntu. -- Ubuntu-server-bugs mailing list Ubuntu-server-bugs@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
[Bug 236830] Re: cifs does not support kerberos authentication
Accepted into -proposed, please test and give feedback here. Please see https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you in advance! ** Changed in: samba (Ubuntu Hardy) Status: Triaged = Fix Committed -- cifs does not support kerberos authentication https://bugs.launchpad.net/bugs/236830 You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to samba in ubuntu. -- Ubuntu-server-bugs mailing list Ubuntu-server-bugs@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
[Bug 236830] Re: cifs does not support kerberos authentication
Looks ok to me. I pinged bug 259110 for testers, if it can be tested soon and we can move the current samba SRU to -updates first, I'd prefer waiting a bit instead of stacking SRUs on top of each other. -- cifs does not support kerberos authentication https://bugs.launchpad.net/bugs/236830 You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to samba in ubuntu. -- Ubuntu-server-bugs mailing list Ubuntu-server-bugs@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
Re: [Bug 236830] Re: cifs does not support kerberos authentication
Steve, will you be able to provide this update for Hardy or will this only be in Intrepid? Including this in Hardy would releave us of serious issues with developing a Linux desktop alternative :-) Maxim Burgerhout [EMAIL PROTECTED] GPG Fingerprint 1CC2 A9B2 FE2E 799D 01DB 8A89 0AE8 B60A ACA3 4452 On Thu, Sep 18, 2008 at 00:49, Steve Langasek [EMAIL PROTECTED] wrote: upstream has stabilized the name of the executable now, so providing an update that includes the cifs.upcall helper instead of cifs.spnego just waits on me having the cycles available to do it. -- cifs does not support kerberos authentication https://bugs.launchpad.net/bugs/236830 You received this bug notification because you are a direct subscriber of the bug. -- cifs does not support kerberos authentication https://bugs.launchpad.net/bugs/236830 You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to samba in ubuntu. -- Ubuntu-server-bugs mailing list Ubuntu-server-bugs@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
Re: [Bug 236830] Re: cifs does not support kerberos authentication
On Thu, Sep 18, 2008 at 07:29:39AM -, wzzrd wrote: will you be able to provide this update for Hardy or will this only be in Intrepid? Including this in Hardy would releave us of serious issues with developing a Linux desktop alternative :-) The fix is already present in intrepid; this bug is open for tracking the issue for hardy specifically. -- cifs does not support kerberos authentication https://bugs.launchpad.net/bugs/236830 You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to samba in ubuntu. -- Ubuntu-server-bugs mailing list Ubuntu-server-bugs@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
Re: [Bug 236830] Re: cifs does not support kerberos authentication
Ah, yes, I see, sorry thanks for fixing this Maxim -- cifs does not support kerberos authentication https://bugs.launchpad.net/bugs/236830 You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to samba in ubuntu. -- Ubuntu-server-bugs mailing list Ubuntu-server-bugs@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
[Bug 236830] Re: cifs does not support kerberos authentication
To follow-up regarding the comment from Steve on 2008-08-15, it does work now indeed. Basically, it is entirely my fault for not configuring the Samba server for Kerberos authentication. For the record, you need to set the use kerberos keytab and realm options of smb.conf. Duh. Steve: I see that the latest smbfs package in hardy-proposed does not have the backported cifs.spnego that you have in your PPA. What are your plan in the short/medium term? For hardy, do you plan to wait for upstream to stabilize the name of the executable before you push an update, or do you plan to have the backported cifs.spnego executable in the interim anyway? -- cifs does not support kerberos authentication https://bugs.launchpad.net/bugs/236830 You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to samba in ubuntu. -- Ubuntu-server-bugs mailing list Ubuntu-server-bugs@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
[Bug 236830] Re: cifs does not support kerberos authentication
upstream has stabilized the name of the executable now, so providing an update that includes the cifs.upcall helper instead of cifs.spnego just waits on me having the cycles available to do it. -- cifs does not support kerberos authentication https://bugs.launchpad.net/bugs/236830 You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to samba in ubuntu. -- Ubuntu-server-bugs mailing list Ubuntu-server-bugs@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
[Bug 236830] Re: cifs does not support kerberos authentication
Tested the mount.cifs //172.18.100.35/open open/ -ousername=lager,sec=krb5i,guest --verbose command again and it worked fine. Used the new kernel version: linux-image-2.6.26-5-server-2.6.26-5.17 Thanks Steve. -- cifs does not support kerberos authentication https://bugs.launchpad.net/bugs/236830 You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to samba in ubuntu. -- Ubuntu-server-bugs mailing list Ubuntu-server-bugs@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
[Bug 236830] Re: cifs does not support kerberos authentication
Etienne, What kernel version are you running? That output appears to be consistent with what I see on a kernel that doesn't have CIFS upcall support enabled. -- cifs does not support kerberos authentication https://bugs.launchpad.net/bugs/236830 You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to samba in ubuntu. -- Ubuntu-server-bugs mailing list Ubuntu-server-bugs@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
[Bug 236830] Re: cifs does not support kerberos authentication
I've just checked, and when using sec=krb5 against a server with no kerberos support, and a client with CIFS upcall support enabled (and keyutils installed) but without cifs.spnego configured, I get a different error: mount error 126 = Required key not available Refer to the mount.cifs(8) manual page (e.g.man mount.cifs) So the 'function not implemented' probably points to a kernel that's not built with CIFS_UPCALL support. Etienne, please confirm which kernel version this test was done with. -- cifs does not support kerberos authentication https://bugs.launchpad.net/bugs/236830 You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to samba in ubuntu. -- Ubuntu-server-bugs mailing list Ubuntu-server-bugs@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
[Bug 236830] Re: cifs does not support kerberos authentication
I still get the (rather unhelpful) error: mount error 38 = Function not implemented I am not sure if the problem is with mount.cifs, or if it is something about the way I am set up. If someone who report success with backported 3.2.0 could try with the 3.0.28a package in Steve's PPA, that would be great. Right now, I am a bit puzzled. -- cifs does not support kerberos authentication https://bugs.launchpad.net/bugs/236830 You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to samba in ubuntu. -- Ubuntu-server-bugs mailing list Ubuntu-server-bugs@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
Re: [Bug 236830] Re: cifs does not support kerberos authentication
I suspect that you're seeing a periodic TGT refresh from Likewise; pam_krb5 doesn't provide infrastructure to refresh tickets automatically for you, but winbind/likewise do. I figured as much. I knew Heimdal provided a similar feature, but I had too little to do with recent versions of Winbind and Likewise in general to have noticed this before. Nice though. I haven't gotten krb5i working yet here either. I see Jocelyn *is* able to use krb5i. I haven't been able to downloaded the rebuilt packages from Intrepid Jocelyn provided. Maybe I have time to try it today, else it will be after my vacation. -- cifs does not support kerberos authentication https://bugs.launchpad.net/bugs/236830 You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to samba in ubuntu. -- Ubuntu-server-bugs mailing list Ubuntu-server-bugs@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
Re: [Bug 236830] Re: cifs does not support kerberos authentication
On Thu, Jul 24, 2008 at 08:59:56AM -, wzzrd wrote: I followed your instructions above (the request-key.conf stuff) and I am now able to mount a cifs share on my machine. So the kernel patch works, that's for sure; at least for a Kerberos cache generated during Likewise login (I use Likewise Open). Great! So we can consider the kernel part successfully verified. What does surprise me a bit is the fact that if I klist, I can see my TGT and, directly after mount, the host ticket from the fileserver. After a while though, the latter disappears, even though I still have the cifs share mounted and accessible. Maybe that has something to do with Likewise; I'm more used to using pam_krb5, which does not purge tickets this soon. I suspect that you're seeing a periodic TGT refresh from Likewise; pam_krb5 doesn't provide infrastructure to refresh tickets automatically for you, but winbind/likewise do. Apart from that, I can only mount the cifs share with sec=krb, not with sec=krb5i. During debugging this, I found that cifs.spnego segfaults horribly when started on it's own. As said, mounting seems to work though. I'll try downloading the Intrepid samba source deb at home tonight, maybe you guys have applied some patches on it? I haven't gotten krb5i working yet here either. Cheers, -- Steve Langasek Give me a lever long enough and a Free OS Debian Developer to set it on, and I can move the world. Ubuntu Developerhttp://www.debian.org/ [EMAIL PROTECTED] [EMAIL PROTECTED] -- cifs does not support kerberos authentication https://bugs.launchpad.net/bugs/236830 You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to samba in ubuntu. -- Ubuntu-server-bugs mailing list Ubuntu-server-bugs@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
[Bug 236830] Re: cifs does not support kerberos authentication
I did some quick'n dirty samba backport from intrepid to hardy for my own needs. With the hardy-propposed kernel, it works like a charm (both krb5 and krb5i). I needed to backport libtalloc1 too. You can find those packages in : http://www.crapouillou.net/~jocelyn/debian/samba-hardy-backport/ -- cifs does not support kerberos authentication https://bugs.launchpad.net/bugs/236830 You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to samba in ubuntu. -- Ubuntu-server-bugs mailing list Ubuntu-server-bugs@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
Re: [Bug 236830] Re: cifs does not support kerberos authentication
Jocelyn, could you check whether you are able to mount with sec=krb5i? I can't do that with the Samba I built from source right now. Thanks! Maxim Burgerhout [EMAIL PROTECTED] GPG Fingerprint 1CC2 A9B2 FE2E 799D 01DB 8A89 0AE8 B60A ACA3 4452 On Mon, Jul 28, 2008 at 12:48, Jocelyn Delalande [EMAIL PROTECTED] wrote: I did some quick'n dirty samba backport from intrepid to hardy for my own needs. With the hardy-propposed kernel, it works like a charm (both krb5 and krb5i). I needed to backport libtalloc1 too. You can find those packages in : http://www.crapouillou.net/~jocelyn/debian/samba-hardy-backport/ -- cifs does not support kerberos authentication https://bugs.launchpad.net/bugs/236830 You received this bug notification because you are a direct subscriber of the bug. -- cifs does not support kerberos authentication https://bugs.launchpad.net/bugs/236830 You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to samba in ubuntu. -- Ubuntu-server-bugs mailing list Ubuntu-server-bugs@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
[Bug 236830] Re: cifs does not support kerberos authentication
I can use krb5i -- cifs does not support kerberos authentication https://bugs.launchpad.net/bugs/236830 You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to samba in ubuntu. -- Ubuntu-server-bugs mailing list Ubuntu-server-bugs@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
[Bug 236830] Re: cifs does not support kerberos authentication
Hi Steve, I had downloaded the source tarball from Samba.org at home and I'm not able to download the source deb from Intrepid at work, so I built Samba 3.2.0 from source and created a deb with checkinstall. Quick dirty. After pulling in the correct -dev packages, I configured with: ./configure --enable-cups --with-ads --with-cifsmount --with-ldap --enable-fam --with-cifsspnego --with-dnsupdate --with-automount --with- winbind --with-krb5 I installed the new version of samba in /usr/local/samba and installed the kernel from -proposed. I followed your instructions above (the request-key.conf stuff) and I am now able to mount a cifs share on my machine. So the kernel patch works, that's for sure; at least for a Kerberos cache generated during Likewise login (I use Likewise Open). What does surprise me a bit is the fact that if I klist, I can see my TGT and, directly after mount, the host ticket from the fileserver. After a while though, the latter disappears, even though I still have the cifs share mounted and accessible. Maybe that has something to do with Likewise; I'm more used to using pam_krb5, which does not purge tickets this soon. Apart from that, I can only mount the cifs share with sec=krb, not with sec=krb5i. During debugging this, I found that cifs.spnego segfaults horribly when started on it's own. As said, mounting seems to work though. I'll try downloading the Intrepid samba source deb at home tonight, maybe you guys have applied some patches on it? -- cifs does not support kerberos authentication https://bugs.launchpad.net/bugs/236830 You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to samba in ubuntu. -- Ubuntu-server-bugs mailing list Ubuntu-server-bugs@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
Re: [Bug 236830] Re: cifs does not support kerberos authentication
Hi wzzrd, On Thu, Jul 17, 2008 at 08:05:43AM -, wzzrd wrote: Steve, can you please tell whether the backport of the cifs.spnego upcall helper will be in Hardy? I see the patch to the kernel config has been committed, but I'm not sure about the status of the rest of the solution. I believe that we should backport cifs.spnego to hardy, but it looks like this needs to settle a bit upstream first - upstream is currently in the process of renaming the binary from cifs.spnego to cifs.upcall, and I want to see whether that name change takes hold before backporting so that we don't cause ourselves additional upgrade issues. On Mon, Jul 21, 2008 at 08:55:55AM -, wzzrd wrote: I'ld really like to help test this, but I am a bit crippled by our firewall: not apt for me. Can you provide me with the packages you used to install cifs.spnego? I downloaded the new kernel at home yesterday, but I am unable to find Samba packages containing the new backported helper. Can you provide me with (a link to) the Samba packages you used for this, Steve? I've only done quick'n'dirty testing so far, pulling the cifs.spnego binary from the Debian experimental package for testing. At this point, the best way to test would be to grab the samba source package from intrepid and rebuild it for hardy. Test packages from me are going to be a couple of weeks out yet. It would be nice if someone could confirm in the meantime that the kernel side works, though, both for previously-working cases and for the upcall-specific stuff. -- Steve Langasek Give me a lever long enough and a Free OS Debian Developer to set it on, and I can move the world. Ubuntu Developerhttp://www.debian.org/ [EMAIL PROTECTED] [EMAIL PROTECTED] -- cifs does not support kerberos authentication https://bugs.launchpad.net/bugs/236830 You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to samba in ubuntu. -- Ubuntu-server-bugs mailing list Ubuntu-server-bugs@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
[Bug 236830] Re: cifs does not support kerberos authentication
I'ld really like to help test this, but I am a bit crippled by our firewall: not apt for me. Can you provide me with the packages you used to install cifs.spnego? I downloaded the new kernel at home yesterday, but I am unable to find Samba packages containing the new backported helper. Can you provide me with (a link to) the Samba packages you used for this, Steve? -- cifs does not support kerberos authentication https://bugs.launchpad.net/bugs/236830 You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to samba in ubuntu. -- Ubuntu-server-bugs mailing list Ubuntu-server-bugs@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
[Bug 236830] Re: cifs does not support kerberos authentication
Steve, can you please tell whether the backport of the cifs.spnego upcall helper will be in Hardy? I see the patch to the kernel config has been committed, but I'm not sure about the status of the rest of the solution. -- cifs does not support kerberos authentication https://bugs.launchpad.net/bugs/236830 You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to samba in ubuntu. -- Ubuntu-server-bugs mailing list Ubuntu-server-bugs@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
[Bug 236830] Re: cifs does not support kerberos authentication
Accepted into -proposed, please test and give feedback here. Please see https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you in advance! ** Changed in: samba (Ubuntu Hardy) Status: Confirmed = Fix Committed ** Tags added: verification-needed -- cifs does not support kerberos authentication https://bugs.launchpad.net/bugs/236830 You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to samba in ubuntu. -- Ubuntu-server-bugs mailing list Ubuntu-server-bugs@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
[Bug 236830] Re: cifs does not support kerberos authentication
** Changed in: samba (Ubuntu Hardy) Status: Fix Committed = Triaged -- cifs does not support kerberos authentication https://bugs.launchpad.net/bugs/236830 You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to samba in ubuntu. -- Ubuntu-server-bugs mailing list Ubuntu-server-bugs@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
[Bug 236830] Re: cifs does not support kerberos authentication
This bug was fixed in the package linux - 2.6.26-3.7 --- linux (2.6.26-3.7) intrepid; urgency=low [Amit Kucheria] * SAUCE: make fc transport removal of target configurable - LP: #163075 * SAUCE: pm: Config option to disable handling of console during suspend/resume [Ben Collins] * SAUCE: input/mouse/alps: Do not call psmouse_reset() for alps * SAUCE: irda: Default to dongle type 9 on IBM hardware * SAUCE: tulip: Let dmfe handle davicom on non-sparc * SAUCE: tulip: Define ULI PCI ID's * SAUCE: version: Implement version_signature proc file. * build: Cleanup arches * build: Remove remnants of unused binary-custom infrastructure * build: Remove disable_d_i (not needed) and cleanup ppa build stuff * ubuntu: New modules, acer-acpi * build: Remove -virtual, and rebuild configs * ubuntu: Add drbd module * acer-acpi: Fix makefile * x86/Kconfig: Fix missing quote for ubuntu Kconfig source * ubuntu: Add iscsitarget module * ubuntu: Added Amiga FS driver * ubuntu: Add squashfs driver * ubuntu: Remove asfs (Amiga FS). Need to be in linux-ports instead * squashfs: Move headers to real include directory * build/configs: The Great Config Consistency Check of 2008 * ubuntu: Move third-party includes to ubuntu/include * ubuntu: Add aufs module * ubuntu: Added atl2 driver * ubuntu: Add dm-radi4-5 driver * build: Add CONFIG_DEBUG_SECTION_MISMATCH=y to get old style warnings from build * ubuntu/Makefile: Fixup dm-raid4-5 and add kludge for kbuild * squashfs: Fixes for VFS changes * ubuntu/dm-raid4-5: Fixups for moved/renamed headers/functions in core md * ubuntu: Add ndiswrapper driver * d-i: Update module listings * build: Disable xd block device (ancient) * ndiswrapper: Fixup makefile * d-i: Remove efi-modules. The only module, efivars, is built-in * build: Remove install-source, obsolete and caused build failure * Ubuntu-2.6.26-1.3 * build: linux-doc rules got broken when disabling html side. Fixed now. * Ubuntu-2.6.26-1.4 * x86: Update to -rc6 allows CONFIG_PCI_OLPC to work with PCI_GOANY * d-i: Make virtio-ring optional (it's built-in on i386) * Ubuntu-2.6.26-1.4 * Ubuntu-2.6.26-1.5 * config: Enable DVB devices * ubuntu/aufs: Make aufs a bool config, since it needs to be built-in * config: Build aufs into the kernels * build: Fix arguments passed to link-headers script * config: Disable early printk * d-i: Move isofs to storage-core and kill st (scsi tape) from list * config: Enable non-promiscuous access to /dev/mem * x86: Add option to disable decompression info messages * config: Enable no-bz-chatter config options * build: Re-add linux-source package * d-i: Re-add socket-modules. Accidentally removed - LP: #241295 * Ubuntu-2.6.26-2.6 * Use makedumpfile to generate a vmcoreinfo file. * build: Build-Depend on makedumpfile for vmcoreinfo generation * build: Remove debug print from git-ubuntu-log * Updated configs for -rc7 * build: postinst, do not call depmod with -F * config: Enable rtc-cmos as a built-in driver. * control: Provide ndiswrapper-modules-1.9 * build: Generate vmcoreinfo in image build for crashdumps without debug image * config: Disable vesafb, since we'll prefer uvesafb * build: Copy uvesafb module to initrd mod directory * abi-check: New, more robust script * config: Enable heap randomization by default * abi-check: Cleanup output and call with perl (not $SHELL) * abi: Ignore missing vesafb (known) * config: Disable pcspkr (in favor of snd-pcsp) * swap: Add notify_swap_entry_free callback for compcache * compcache: Added ram backed compressed swap module * ubuntu: Enable kbuild and kconfig for compcache * config: Enable compcache and tlsf allocator as modules * config: Updated for -rc8. Disables XEN on i386 * config: Switch i386-server to 64G, enable PAE, 64-bit res, and XEN * ubuntu: Add misc drivers from hardy lum * ubuntu: Enable build of misc/ subdir * config: Enable misc drivers * aufs: Fix warning about single non-string-literal arg to printf style function * drivers: Remove some duplicate device entries in various modules * config: Disable some duplicate drivers * keyspan: Remove duplicate device ID's * check-aliases: Cleanup output, and fix rolling checks * ubuntu: Disable dm-bbr for now * dm-bbr: First cut at forward portiong. Still needs work. * ubuntu: Disable dm-bbr in kbuild/kconfig [Chuck Short] * SAUCE: ata: blacklist FUJITSU MHW2160BH PL - LP: #175834 * SAUCE: [USB]: add ASUS LCM to the blacklist [Colin Ian King] * SAUCE: airprime.c supports more devices - LP: #208250 * SAUCE: Enable speedstep for sonoma processors. - LP: #132271 * Add dm-loop * Add dm-loop BOM [Kyle McMartin] * SAUCE: fix orinoco_cs oops [Mario Limonciello] * SAUCE: Enable Reset and SCO workaround on Dell 410 BT adapter [Matthew Garrett] * SAUCE:
[Bug 236830] Re: cifs does not support kerberos authentication
Hi, just to be able to plan: Will this be fixed in Hardy eventuall, or only in newer releases? Thanks, Joachim -- cifs does not support kerberos authentication https://bugs.launchpad.net/bugs/236830 You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to samba in ubuntu. -- Ubuntu-server-bugs mailing list Ubuntu-server-bugs@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
[Bug 236830] Re: cifs does not support kerberos authentication
http://kernel.ubuntu.com/git?p=ubuntu/ubuntu- hardy.git;a=commit;h=5ecd2c7ef329ed53d583a10c16cf0d35d83edd7b ** Changed in: linux (Ubuntu Hardy) Status: In Progress = Fix Committed Target: None = ubuntu-8.04.2 -- cifs does not support kerberos authentication https://bugs.launchpad.net/bugs/236830 You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to samba in ubuntu. -- Ubuntu-server-bugs mailing list Ubuntu-server-bugs@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
[Bug 236830] Re: cifs does not support kerberos authentication
** Changed in: samba (Debian) Status: Confirmed = Fix Released -- cifs does not support kerberos authentication https://bugs.launchpad.net/bugs/236830 You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to samba in ubuntu. -- Ubuntu-server-bugs mailing list Ubuntu-server-bugs@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
[Bug 236830] Re: cifs does not support kerberos authentication
* Kernel change is isolated, that looks reasonably ok. I take it CONFIG_CIFS_EXPERIMENTAL does not change any behaviour, just enables CONFIG_CIFS_UPCALL config option? Does CONFIG_CIFS_UPCALL only enables the userspace callback for authorization (cifs.spnego) or any other behaviour? * I wouldn't like to promote keyutils to main in hardy (it sounds fine for MIR for intrepid, though). Since we have to touch the samba package anyway and backport cifs.spnego, can this be modified to point out Please install the keyutils package in the error message if it is missing? -- cifs does not support kerberos authentication https://bugs.launchpad.net/bugs/236830 You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to samba in ubuntu. -- Ubuntu-server-bugs mailing list Ubuntu-server-bugs@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
[Bug 236830] Re: cifs does not support kerberos authentication
** Changed in: samba (Ubuntu Hardy) Importance: Undecided = Medium Assignee: (unassigned) = Steve Langasek (vorlon) Status: New = Confirmed ** Changed in: linux (Ubuntu Hardy) Importance: Undecided = Medium Status: New = Confirmed -- cifs does not support kerberos authentication https://bugs.launchpad.net/bugs/236830 You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to samba in ubuntu. -- Ubuntu-server-bugs mailing list Ubuntu-server-bugs@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
[Bug 236830] Re: cifs does not support kerberos authentication
** Changed in: samba (Debian) Status: New = Confirmed -- cifs does not support kerberos authentication https://bugs.launchpad.net/bugs/236830 You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to samba in ubuntu. -- Ubuntu-server-bugs mailing list Ubuntu-server-bugs@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
[Bug 236830] Re: cifs does not support kerberos authentication
I'm afraid you'll find that sec=krb5 consistently gives the following results: $ mount.cifs //borges/pub /tmp/testmount -osec=krb5 Password: mount error 38 = Function not implemented Refer to the mount.cifs(8) manual page (e.g.man mount.cifs) $ Of course, mount.cifs(8) doesn't give any information about the implementation status of krb5 authentication. And unfortunately, krb5 authentication support in mount.cifs was never tested prior to migrating the packages away from smbfs; since there were no indications to the contrary in any of the documentation, I assumed that it was implemented and never thought to double-check this since none of my normal test servers are joined to AD. This is frustrating for me as well, as this is consequently the single biggest problem with the kernel cifs implementation -- far more relevant than incompatibilites with OS/2 or old Windows 9x servers -- but there had been virtually no discussion of this on the relevant lists when laying out the plans for dropping smbfs support (which has now been done completely in the upstream kernel). It appears, according to fs/cifs/README in the kernel tree, that kerberos authentication is possible if the kernel is built with CONFIG_CIFS_EXPERIMENTAL. It's probably too late to enable this for 8.04.1 now, but we could talk to the kernel team about getting this enabled for .2. But even with that, it appears that the Kerberos userspace upcall helper needed for this is only available as part of samba 3.2, which is not yet released and certainly not shipped in 8.04. -- cifs does not support kerberos authentication https://bugs.launchpad.net/bugs/236830 You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to samba in ubuntu. -- Ubuntu-server-bugs mailing list Ubuntu-server-bugs@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
[Bug 236830] Re: cifs does not support kerberos authentication
Sorry, I'm afraid this bug is going to become something of a dumping ground for my investigations; this is getting complicated enough that I need somewhere to keep track of all the bits and pieces needed to get this working (...almost). Software needed: - 2.6.24 kernel with the CONFIG_CIFS_EXPERIMENTAL and CONFIG_CIFS_UPCALL options set - backported cifs.spnego upcall helper from samba 3.2 - keyutils package (from universe) Install the cifs.spnego helper as /usr/sbin/cifs.spnego, and add the following line to /etc/request-key.conf (a conffile provided by the keyutils package): create cifs.spnego * * /usr/sbin/cifs.spnego %k %d Make sure that the default_realm value in /etc/krb5.conf points to your AD realm; without this, I found that the kerberos upcall would fail because it would try to retrieve the ticket via the default realm, even if you already have a TGT in the necessary realm. (This seems like a regression in MIT KRB5, I don't remember this being a problem in the past when I had correct domain_realm mappings... but chances are, anyone who was already using smbmount w/ Kerberos has already dealt with this problem, I guess?) Run kinit without KRB5CCNAME set (because the kernel upcall can't set a different ccache using an environmental variable) to request credentials for your AD realm: $ kinit ubuntu Password for [EMAIL PROTECTED]: $ Then run the mount.cifs command, specifying username=, sec=, and 'guest' options (the misnamed 'guest' option being the way to tell mount.cifs not to prompt for a password): $ mount.cifs //win2003.canonical.local/ubuntu /tmp/testmount -ousername=ubuntu,sec=krb5i,guest $ Following these steps, I'm able to successfully mount a share using kerberos authentication in the cifs driver. ** Bug watch added: Debian Bug tracker #480663 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=480663 ** Also affects: samba (Debian) via http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=480663 Importance: Unknown Status: Unknown -- cifs does not support kerberos authentication https://bugs.launchpad.net/bugs/236830 You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to samba in ubuntu. -- Ubuntu-server-bugs mailing list Ubuntu-server-bugs@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
[Bug 236830] Re: cifs does not support kerberos authentication
Here is the patch used for the kernel; tested on amd64 ** Attachment added: patch to enable CIFS+kerberos in the kernel http://launchpadlibrarian.net/15159794/linux-cifs-experimental.diff -- cifs does not support kerberos authentication https://bugs.launchpad.net/bugs/236830 You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to samba in ubuntu. -- Ubuntu-server-bugs mailing list Ubuntu-server-bugs@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
[Bug 236830] Re: cifs does not support kerberos authentication
** Changed in: samba (Debian) Status: Unknown = New -- cifs does not support kerberos authentication https://bugs.launchpad.net/bugs/236830 You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to samba in ubuntu. -- Ubuntu-server-bugs mailing list Ubuntu-server-bugs@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
[Bug 236830] Re: cifs does not support kerberos authentication
This is a MASSIVE showstopper for many people. cifs doesn't mount things that smbfs used to, and smbfs is now just a pointer to cifs. So now there is no way to mount network shares if they are kerberos-auth only. This, in effect, renders previously perfectly-working Linux machines on a corporate network *completely* *useless*. It's very frustrating. ** Changed in: samba (Ubuntu) Status: New = Confirmed -- cifs does not support kerberos authentication https://bugs.launchpad.net/bugs/236830 You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to samba in ubuntu. -- Ubuntu-server-bugs mailing list Ubuntu-server-bugs@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs