Re: [Freeipa-users] Mount cifs share using kerberos
2015-01-12 10:13 GMT+01:00 Alexander Bokovoy aboko...@redhat.com:

> On Mon, 12 Jan 2015, John Obaterspok wrote:
>> 2015-01-11 16:33 GMT+01:00 Jakub Hrozek jhro...@redhat.com:
>>> On Sun, Jan 11, 2015 at 11:00:16AM +0100, John Obaterspok wrote:
>>>> 2015-01-10 13:32 GMT+01:00 Gianluca Cecchi gianluca.cec...@gmail.com:
>>>>> To get the whole root environment you have to run su - root. Did you try with it?
>>>>
>>>> ahh... that works fine Gianluca!
>>>>
>>>> Final question, if I have a file on the share like:
>>>>
>>>> [john@ipaserver mountpoint]$ ll test.txt
>>>> -rwxr-. 1 root admins 12 11 jan 10.42 test.txt
>>>>
>>>> Should I be able to access it if I acquire an admin ticket? Currently I get Permission denied
>>>>
>>>> [john@ipaserver mountpoint]$ id
>>>> uid=143444(john) gid=143444(john) grupper=143444(john) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
>>>> [john@ipaserver mountpoint]$ getfacl test.txt
>>>> # file: test.txt
>>>> # owner: root
>>>> # group: admins
>>>> user::rwx
>>>> group::r--
>>>> other::---
>>>> [john@ipaserver mountpoint]$ id admin
>>>> uid=143440(admin) gid=143440(admins) groups=143440(admins)
>>>> [john@ipaserver mountpoint]$ klist
>>>> Ticket cache: KEYRING:persistent:143444:krb_ccache_MVjxTqf
>>>> Default principal: ad...@my.lan
>>>>
>>>> Valid starting       Expires              Service principal
>>>> 2015-01-11 10:43:52  2015-01-12 10:43:50  krbtgt/my@my.lan
>>>> [john@ipaserver mountpoint]$ cat test.txt
>>>> cat: test.txt: Permission denied
>>>
>>> Looks like your account needs to be in the 'admins' group in order to access the file. Acquiring the admin ticket doesn't switch the user ID nor add you to the group..
>>
>> I thought the krb5 mount option would allow ticket-based access to the file. Is the purpose of the krb5 mount option just used during mounting of the share? Otherwise I see no difference compared to not using krb5 mount option!?
>
> Its purpose is authentication. After you have been successfully recognized by the server, both client and server need to map your identity while authorizing your access to actual files.
>
> In CIFS there are two types of access control which are applied at the same time:
> - ACLs per file or directory
> - POSIX access control based on uid/gid of a process that accesses the file or directory
>
> Client-side checks in cifs.ko can be switched off by noperm option. In this case server side will be doing actual access enforcement, using the uid/gid mapped on the server side (based on the Kerberos principal), unless CIFS Unix Extensions were negotiated between cifs.ko and the server. In the latter case client will pass uid/gid of a client to the server and server will do the actual check using them instead of discovering them based on the authentication token.
>
> In case where there is a common identity store in use with Kerberos, it is often better to use cifs.ko option multiuser which will imply noperm and server will be doing all the checks.

Simo also added that

> You need to pass the 'multiuser' option at mount time for that, the default for cifs.ko is still to just use the mount credentials.

Well, I was actually using multiuser in the original test where I got permission denied but there is something weird going on.

mount -t cifs //ipaserver.MY.LAN/Share -o sec=krb5,multiuser mountpoint
(I also tried -o sec=krb5,multiuser,cache=none)

Anyway, it works if I do the mount as root and then as user john get the admin ticket *before* going to the share. Then it doesn't matter if I do kdestroy, I can still access a file that would require admin ticket.

If I remount the share and go to share as john without admin ticket I can't access a file that would require admin ticket. If I get an admin ticket then I'm still not able to access the file.

[john@ipaserver mountpoint]$ ll test.txt
-rwxr-. 1 root admins 12 11 jan 10.42 test.txt
[john@ipaserver mountpoint]$ cat test.txt
Hello World
[john@ipaserver mountpoint]$ id john
uid=143444(john) gid=143444(john) groups=143444(john),1434400010(mediafiles)
[john@ipaserver mountpoint]$ klist
Ticket cache: KEYRING:persistent:143444:krb_ccache_Ri45Eiw
Default principal: ad...@my.lan

Valid starting       Expires              Service principal
2015-01-14 21:54:24  2015-01-15 21:53:57  cifs/ipaserver.my@my.lan
2015-01-14 21:53:59  2015-01-15 21:53:57  krbtgt/my@my.lan
[john@ipaserver mountpoint]$ kdestroy
[john@ipaserver mountpoint]$ klist
klist: Credentials cache keyring 'persistent:143444:krb_ccache_Ri45Eiw' not found
[john@ipaserver mountpoint]$ cat test.txt
Hello World
[john@ipaserver mountpoint]$ klist
klist: Credentials cache keyring 'persistent:143444:krb_ccache_Ri45Eiw' not found

-- then remount share. john has non-admin ticket --

[john@ipaserver mountpoint]$ id
uid=143444(john) gid=143444(john)
Re: [Freeipa-users] Mount cifs share using kerberos
On Wed, 14 Jan 2015, John Obaterspok wrote:
> 2015-01-12 10:13 GMT+01:00 Alexander Bokovoy aboko...@redhat.com:
>> On Mon, 12 Jan 2015, John Obaterspok wrote:
>>> 2015-01-11 16:33 GMT+01:00 Jakub Hrozek jhro...@redhat.com:
>>>> On Sun, Jan 11, 2015 at 11:00:16AM +0100, John Obaterspok wrote:
>>>>> 2015-01-10 13:32 GMT+01:00 Gianluca Cecchi gianluca.cec...@gmail.com:
>>>>>> To get the whole root environment you have to run su - root. Did you try with it?
>>>>>
>>>>> ahh... that works fine Gianluca!
>>>>>
>>>>> Final question, if I have a file on the share like:
>>>>>
>>>>> [john@ipaserver mountpoint]$ ll test.txt
>>>>> -rwxr-. 1 root admins 12 11 jan 10.42 test.txt
>>>>>
>>>>> Should I be able to access it if I acquire an admin ticket? Currently I get Permission denied
>>>>>
>>>>> [john@ipaserver mountpoint]$ id
>>>>> uid=143444(john) gid=143444(john) grupper=143444(john) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
>>>>> [john@ipaserver mountpoint]$ getfacl test.txt
>>>>> # file: test.txt
>>>>> # owner: root
>>>>> # group: admins
>>>>> user::rwx
>>>>> group::r--
>>>>> other::---
>>>>> [john@ipaserver mountpoint]$ id admin
>>>>> uid=143440(admin) gid=143440(admins) groups=143440(admins)
>>>>> [john@ipaserver mountpoint]$ klist
>>>>> Ticket cache: KEYRING:persistent:143444:krb_ccache_MVjxTqf
>>>>> Default principal: ad...@my.lan
>>>>>
>>>>> Valid starting       Expires              Service principal
>>>>> 2015-01-11 10:43:52  2015-01-12 10:43:50  krbtgt/my@my.lan
>>>>> [john@ipaserver mountpoint]$ cat test.txt
>>>>> cat: test.txt: Permission denied
>>>>
>>>> Looks like your account needs to be in the 'admins' group in order to access the file. Acquiring the admin ticket doesn't switch the user ID nor add you to the group..
>>>
>>> I thought the krb5 mount option would allow ticket-based access to the file. Is the purpose of the krb5 mount option just used during mounting of the share? Otherwise I see no difference compared to not using krb5 mount option!?
>>
>> Its purpose is authentication. After you have been successfully recognized by the server, both client and server need to map your identity while authorizing your access to actual files.
>>
>> In CIFS there are two types of access control which are applied at the same time:
>> - ACLs per file or directory
>> - POSIX access control based on uid/gid of a process that accesses the file or directory
>>
>> Client-side checks in cifs.ko can be switched off by noperm option. In this case server side will be doing actual access enforcement, using the uid/gid mapped on the server side (based on the Kerberos principal), unless CIFS Unix Extensions were negotiated between cifs.ko and the server. In the latter case client will pass uid/gid of a client to the server and server will do the actual check using them instead of discovering them based on the authentication token.
>>
>> In case where there is a common identity store in use with Kerberos, it is often better to use cifs.ko option multiuser which will imply noperm and server will be doing all the checks.
>
> Simo also added that
>
>> You need to pass the 'multiuser' option at mount time for that, the default for cifs.ko is still to just use the mount credentials.
>
> Well, I was actually using multiuser in the original test where I got permission denied but there is something weird going on.

Nothing weird (tl;dr).

> mount -t cifs //ipaserver.MY.LAN/Share -o sec=krb5,multiuser mountpoint
> (I also tried -o sec=krb5,multiuser,cache=none)
>
> Anyway, it works if I do the mount as root and then as user john get the admin ticket *before* going to the share. Then it doesn't matter if I do kdestroy, I can still access a file that would require admin ticket.
>
> If I remount the share and go to share as john without admin ticket I can't access a file that would require admin ticket. If I get an admin ticket then I'm still not able to access the file.

Kerberos authentication happens when you first access the share as a new user -- cifs.ko will ask userspace to provide Kerberos credentials to the kernel so that negotiation can happen. Once it is done, the credentials are valid until the actual Kerberos ticket expires or until session expires.

So when you access file as john while having admin ticket, you get admin ticket used for multiuser access. Destroying ccache does not affect already performed negotiation.

When you remount, previous credentials that cifs.ko used are cleaned, thus cannot be used. If you try to access the mount point as 'john' without Kerberos credentials, you'd be negotiating anonymous connection which would only succeed if the share is allowed to connect to anonymously (guest ok = yes). However, you accessed the share with john Kerberos credentials. These credentials were negotiated and will be valid until the connection is dropped or ticket expires, whichever event comes first. In fact, cifs.ko expires sessions periodically but I was unable to find exact expiration time myself.

--
/ Alexander Bokovoy

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project
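Alexander's explanation above, as an added illustrative model that is neither code from the thread nor from cifs.ko: a small Python model of the two CIFS access checks (client-side POSIX check in cifs.ko, server-side check against the identity mapped from the negotiated Kerberos session) plus per-uid session caching under the multiuser option, replayed against the sequence John reported. The uids, group memberships and the mode of test.txt are taken from the id/getfacl/ls output in the thread; the PRINCIPALS mapping table, the guest_ok flag, and the omission of per-file ACLs, CIFS Unix Extensions and ticket expiry are simplifying assumptions of this model.

```python
"""Added model (not cifs.ko code): the two CIFS access checks Alexander describes,
plus per-uid session caching under the multiuser mount option, replayed against
the behaviour John reported. Identities and the file mode come from the thread's
'id', 'getfacl' and 'ls -l' output; everything else is a simplifying assumption."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Identity:
    name: str
    uid: int
    groups: frozenset


@dataclass(frozen=True)
class FileEntry:
    owner: str
    group: str
    mode: int          # POSIX mode bits; 0o740 is -rwxr----- as on test.txt


# Constructed from the 'id john' / 'id admin' output in the thread.
JOHN = Identity("john", 143444, frozenset({"john", "mediafiles"}))
ADMIN = Identity("admin", 143440, frozenset({"admins"}))
TEST_TXT = FileEntry("root", "admins", 0o740)   # -rwxr----- root admins

# Assumption: how the server maps an authenticated principal to a POSIX identity
# (in the thread FreeIPA/SSSD do this on the Samba side).
PRINCIPALS = {"admin@MY.LAN": ADMIN, "john@MY.LAN": JOHN}


def posix_read_allowed(ident, entry):
    """Plain owner/group/other check for read (r) access."""
    if ident.name == entry.owner:
        bits = (entry.mode >> 6) & 7
    elif entry.group in ident.groups:
        bits = (entry.mode >> 3) & 7
    else:
        bits = entry.mode & 7
    return bool(bits & 4)


class CifsMount:
    """One mount of a share. ccache is a dict uid -> principal (absent after kdestroy)."""

    def __init__(self, mount_principal, multiuser=False, noperm=False, guest_ok=False):
        self.multiuser = multiuser
        self.noperm = noperm or multiuser          # multiuser implies noperm
        self.guest_ok = guest_ok
        self.mount_identity = PRINCIPALS[mount_principal]
        self.sessions = {}                          # uid -> negotiated server identity

    def _server_identity(self, proc, ccache):
        """Identity the server authorizes as. Without multiuser every process rides
        on the mount credentials; with it, each uid negotiates its own session on
        first access and keeps it until the share is remounted."""
        if not self.multiuser:
            return self.mount_identity
        if proc.uid not in self.sessions:
            principal = ccache.get(proc.uid)
            if principal is None:
                # No ticket in this uid's ccache: anonymous session, refused unless guest ok = yes
                if not self.guest_ok:
                    return None
                self.sessions[proc.uid] = Identity("nobody", 65534, frozenset())
            else:
                self.sessions[proc.uid] = PRINCIPALS[principal]
        return self.sessions[proc.uid]

    def can_read(self, proc, ccache, entry):
        # 1. client-side POSIX check in cifs.ko against the *process* uid/gid (skipped with noperm)
        if not self.noperm and not posix_read_allowed(proc, entry):
            return False
        # 2. server-side check against the identity mapped from the negotiated session
        server_ident = self._server_identity(proc, ccache)
        return server_ident is not None and posix_read_allowed(server_ident, entry)


def replay():
    """Replay John's experiments; returns a dict of scenario -> access granted."""
    out = {}
    # Root mounted with an admin ticket; john gets an admin ticket *before* first access.
    m = CifsMount("admin@MY.LAN", multiuser=True)
    out["multiuser, admin ticket before first access"] = m.can_read(JOHN, {JOHN.uid: "admin@MY.LAN"}, TEST_TXT)
    out["... then kdestroy, same session"] = m.can_read(JOHN, {}, TEST_TXT)
    # Remount; john's first access carries his own ticket, the admin ticket only afterwards.
    m = CifsMount("admin@MY.LAN", multiuser=True)
    out["remount, john ticket first"] = m.can_read(JOHN, {JOHN.uid: "john@MY.LAN"}, TEST_TXT)
    out["... then kinit admin, same session"] = m.can_read(JOHN, {JOHN.uid: "admin@MY.LAN"}, TEST_TXT)
    # Remount; john's first access with no ticket at all and guest access disabled.
    m = CifsMount("admin@MY.LAN", multiuser=True)
    out["remount, no ticket, guest ok = no"] = m.can_read(JOHN, {}, TEST_TXT)
    # No multiuser: john's own uid/gid fail the client-side check whatever ticket he holds.
    m = CifsMount("admin@MY.LAN", multiuser=False)
    out["no multiuser, admin ticket"] = m.can_read(JOHN, {JOHN.uid: "admin@MY.LAN"}, TEST_TXT)
    return out


if __name__ == "__main__":
    for scenario, granted in replay().items():
        print(f"{scenario:48s} -> {'Hello World' if granted else 'Permission denied'}")
```

The model reproduces all four of John's observations from the two rules Alexander states: the server identity is fixed at the first access by a uid (so kdestroy afterwards changes nothing and kinit afterwards changes nothing either), and only a remount discards it. The last scenario shows why multiuser matters at all: without noperm, cifs.ko applies the POSIX check with john's own uid/gid before the server is ever consulted.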
Re: [Freeipa-users] Mount cifs share using kerberos
On Mon, 12 Jan 2015 09:46:37 +0100
John Obaterspok john.obaters...@gmail.com wrote:

> 2015-01-11 16:33 GMT+01:00 Jakub Hrozek jhro...@redhat.com:
>> On Sun, Jan 11, 2015 at 11:00:16AM +0100, John Obaterspok wrote:
>>> 2015-01-10 13:32 GMT+01:00 Gianluca Cecchi gianluca.cec...@gmail.com:
>>>> To get the whole root environment you have to run su - root. Did you try with it?
>>>
>>> ahh... that works fine Gianluca!
>>>
>>> Final question, if I have a file on the share like:
>>>
>>> [john@ipaserver mountpoint]$ ll test.txt
>>> -rwxr-. 1 root admins 12 11 jan 10.42 test.txt
>>>
>>> Should I be able to access it if I acquire an admin ticket? Currently I get Permission denied
>>>
>>> [john@ipaserver mountpoint]$ id
>>> uid=143444(john) gid=143444(john) grupper=143444(john) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
>>> [john@ipaserver mountpoint]$ getfacl test.txt
>>> # file: test.txt
>>> # owner: root
>>> # group: admins
>>> user::rwx
>>> group::r--
>>> other::---
>>> [john@ipaserver mountpoint]$ id admin
>>> uid=143440(admin) gid=143440(admins) groups=143440(admins)
>>> [john@ipaserver mountpoint]$ klist
>>> Ticket cache: KEYRING:persistent:143444:krb_ccache_MVjxTqf
>>> Default principal: ad...@my.lan
>>>
>>> Valid starting       Expires              Service principal
>>> 2015-01-11 10:43:52  2015-01-12 10:43:50  krbtgt/my@my.lan
>>> [john@ipaserver mountpoint]$ cat test.txt
>>> cat: test.txt: Permission denied
>>
>> Looks like your account needs to be in the 'admins' group in order to access the file. Acquiring the admin ticket doesn't switch the user ID nor add you to the group..
>
> I thought the krb5 mount option would allow ticket-based access to the file. Is the purpose of the krb5 mount option just used during mounting of the share? Otherwise I see no difference compared to not using krb5 mount option!?

You need to pass the 'multiuser' option at mount time for that, the default for cifs.ko is still to just use the mount credentials.
See mount.cifs manpage, search for 'multiuser'

Simo.

--
Simo Sorce * Red Hat, Inc * New York
Re: [Freeipa-users] Mount cifs share using kerberos
2015-01-11 16:33 GMT+01:00 Jakub Hrozek jhro...@redhat.com:
> On Sun, Jan 11, 2015 at 11:00:16AM +0100, John Obaterspok wrote:
>> 2015-01-10 13:32 GMT+01:00 Gianluca Cecchi gianluca.cec...@gmail.com:
>>> To get the whole root environment you have to run su - root. Did you try with it?
>>
>> ahh... that works fine Gianluca!
>>
>> Final question, if I have a file on the share like:
>>
>> [john@ipaserver mountpoint]$ ll test.txt
>> -rwxr-. 1 root admins 12 11 jan 10.42 test.txt
>>
>> Should I be able to access it if I acquire an admin ticket? Currently I get Permission denied
>>
>> [john@ipaserver mountpoint]$ id
>> uid=143444(john) gid=143444(john) grupper=143444(john) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
>> [john@ipaserver mountpoint]$ getfacl test.txt
>> # file: test.txt
>> # owner: root
>> # group: admins
>> user::rwx
>> group::r--
>> other::---
>> [john@ipaserver mountpoint]$ id admin
>> uid=143440(admin) gid=143440(admins) groups=143440(admins)
>> [john@ipaserver mountpoint]$ klist
>> Ticket cache: KEYRING:persistent:143444:krb_ccache_MVjxTqf
>> Default principal: ad...@my.lan
>>
>> Valid starting       Expires              Service principal
>> 2015-01-11 10:43:52  2015-01-12 10:43:50  krbtgt/my@my.lan
>> [john@ipaserver mountpoint]$ cat test.txt
>> cat: test.txt: Permission denied
>
> Looks like your account needs to be in the 'admins' group in order to access the file. Acquiring the admin ticket doesn't switch the user ID nor add you to the group..

I thought the krb5 mount option would allow ticket-based access to the file. Is the purpose of the krb5 mount option just used during mounting of the share? Otherwise I see no difference compared to not using krb5 mount option!?

--
john
Re: [Freeipa-users] Mount cifs share using kerberos
On Mon, 12 Jan 2015, John Obaterspok wrote:
> 2015-01-11 16:33 GMT+01:00 Jakub Hrozek jhro...@redhat.com:
>> On Sun, Jan 11, 2015 at 11:00:16AM +0100, John Obaterspok wrote:
>>> 2015-01-10 13:32 GMT+01:00 Gianluca Cecchi gianluca.cec...@gmail.com:
>>>> To get the whole root environment you have to run su - root. Did you try with it?
>>>
>>> ahh... that works fine Gianluca!
>>>
>>> Final question, if I have a file on the share like:
>>>
>>> [john@ipaserver mountpoint]$ ll test.txt
>>> -rwxr-. 1 root admins 12 11 jan 10.42 test.txt
>>>
>>> Should I be able to access it if I acquire an admin ticket? Currently I get Permission denied
>>>
>>> [john@ipaserver mountpoint]$ id
>>> uid=143444(john) gid=143444(john) grupper=143444(john) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
>>> [john@ipaserver mountpoint]$ getfacl test.txt
>>> # file: test.txt
>>> # owner: root
>>> # group: admins
>>> user::rwx
>>> group::r--
>>> other::---
>>> [john@ipaserver mountpoint]$ id admin
>>> uid=143440(admin) gid=143440(admins) groups=143440(admins)
>>> [john@ipaserver mountpoint]$ klist
>>> Ticket cache: KEYRING:persistent:143444:krb_ccache_MVjxTqf
>>> Default principal: ad...@my.lan
>>>
>>> Valid starting       Expires              Service principal
>>> 2015-01-11 10:43:52  2015-01-12 10:43:50  krbtgt/my@my.lan
>>> [john@ipaserver mountpoint]$ cat test.txt
>>> cat: test.txt: Permission denied
>>
>> Looks like your account needs to be in the 'admins' group in order to access the file. Acquiring the admin ticket doesn't switch the user ID nor add you to the group..
>
> I thought the krb5 mount option would allow ticket-based access to the file. Is the purpose of the krb5 mount option just used during mounting of the share? Otherwise I see no difference compared to not using krb5 mount option!?

Its purpose is authentication. After you have been successfully recognized by the server, both client and server need to map your identity while authorizing your access to actual files.

In CIFS there are two types of access control which are applied at the same time:
- ACLs per file or directory
- POSIX access control based on uid/gid of a process that accesses the file or directory

Client-side checks in cifs.ko can be switched off by noperm option. In this case server side will be doing actual access enforcement, using the uid/gid mapped on the server side (based on the Kerberos principal), unless CIFS Unix Extensions were negotiated between cifs.ko and the server. In the latter case client will pass uid/gid of a client to the server and server will do the actual check using them instead of discovering them based on the authentication token.

In case where there is a common identity store in use with Kerberos, it is often better to use cifs.ko option multiuser which will imply noperm and server will be doing all the checks.

--
/ Alexander Bokovoy
Re: [Freeipa-users] Mount cifs share using kerberos
2015-01-10 13:32 GMT+01:00 Gianluca Cecchi gianluca.cec...@gmail.com:
> To get the whole root environment you have to run su - root. Did you try with it?

ahh... that works fine Gianluca!

Final question, if I have a file on the share like:

[john@ipaserver mountpoint]$ ll test.txt
-rwxr-. 1 root admins 12 11 jan 10.42 test.txt

Should I be able to access it if I acquire an admin ticket? Currently I get Permission denied

[john@ipaserver mountpoint]$ id
uid=143444(john) gid=143444(john) grupper=143444(john) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
[john@ipaserver mountpoint]$ getfacl test.txt
# file: test.txt
# owner: root
# group: admins
user::rwx
group::r--
other::---
[john@ipaserver mountpoint]$ id admin
uid=143440(admin) gid=143440(admins) groups=143440(admins)
[john@ipaserver mountpoint]$ klist
Ticket cache: KEYRING:persistent:143444:krb_ccache_MVjxTqf
Default principal: ad...@my.lan

Valid starting       Expires              Service principal
2015-01-11 10:43:52  2015-01-12 10:43:50  krbtgt/my@my.lan
[john@ipaserver mountpoint]$ cat test.txt
cat: test.txt: Permission denied
Re: [Freeipa-users] Mount cifs share using kerberos
On Sun, Jan 11, 2015 at 11:00:16AM +0100, John Obaterspok wrote:
> 2015-01-10 13:32 GMT+01:00 Gianluca Cecchi gianluca.cec...@gmail.com:
>> To get the whole root environment you have to run su - root. Did you try with it?
>
> ahh... that works fine Gianluca!
>
> Final question, if I have a file on the share like:
>
> [john@ipaserver mountpoint]$ ll test.txt
> -rwxr-. 1 root admins 12 11 jan 10.42 test.txt
>
> Should I be able to access it if I acquire an admin ticket? Currently I get Permission denied
>
> [john@ipaserver mountpoint]$ id
> uid=143444(john) gid=143444(john) grupper=143444(john) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
> [john@ipaserver mountpoint]$ getfacl test.txt
> # file: test.txt
> # owner: root
> # group: admins
> user::rwx
> group::r--
> other::---
> [john@ipaserver mountpoint]$ id admin
> uid=143440(admin) gid=143440(admins) groups=143440(admins)
> [john@ipaserver mountpoint]$ klist
> Ticket cache: KEYRING:persistent:143444:krb_ccache_MVjxTqf
> Default principal: ad...@my.lan
>
> Valid starting       Expires              Service principal
> 2015-01-11 10:43:52  2015-01-12 10:43:50  krbtgt/my@my.lan
> [john@ipaserver mountpoint]$ cat test.txt
> cat: test.txt: Permission denied

Looks like your account needs to be in the 'admins' group in order to access the file. Acquiring the admin ticket doesn't switch the user ID nor add you to the group..
Re: [Freeipa-users] Mount cifs share using kerberos
To get the whole root environment you have to run su - root. Did you try with it?
Re: [Freeipa-users] Mount cifs share using kerberos
2015-01-09 10:11 GMT+01:00 Alexander Bokovoy aboko...@redhat.com:
> On Fedora 21 we have /etc/request-key.d/cifs.upcall.conf and /etc/request-key.d/cifs.idmap.conf to allow kernel to properly fetch Kerberos keys and map IDs of CIFS identities. These configurations are part of cifs-utils package which also supplies mount.cifs.

I have no /etc/request-key.d/cifs.upcall.conf on my F21. Is it supposed to be there?

This is what I have:

[root@ipaserver etc]# cat request-key.conf
###
# snip
#OP     TYPE         DESCRIPTION     CALLOUT INFO    PROGRAM ARG1 ARG2 ARG3 ...
#====== ============ =============== =============== ===================================
create  dns_resolver *               *               /sbin/key.dns_resolver %k
create  user         debug:*         negate          /bin/keyctl negate %k 30 %S
create  user         debug:*         rejected        /bin/keyctl reject %k 30 %c %S
create  user         debug:*         expired         /bin/keyctl reject %k 30 %c %S
create  user         debug:*         revoked         /bin/keyctl reject %k 30 %c %S
create  user         debug:loop:*    *               |/bin/cat
create  user         debug:*         *               /usr/share/keyutils/request-key-debug.sh %k %d %c %S
negate  *            *               *               /bin/keyctl negate %k 30 %S
[root@ipaserver etc]# ls request-key.d/
cifs.idmap.conf  cifs.spnego.conf  id_resolver.conf
[root@ipaserver etc]# cat request-key.d/cifs.idmap.conf
create  cifs.idmap   *               *               /usr/sbin/cifs.idmap %k
[root@ipaserver etc]# cat request-key.d/cifs.spnego.conf
create  cifs.spnego  *               *               /usr/sbin/cifs.upcall %k

--
john
Re: [Freeipa-users] Mount cifs share using kerberos
2015-01-09 18:12 GMT+01:00 Alexander Bokovoy aboko...@redhat.com:
> So if you have all these configs right, can you add --verbose to mount.cifs arguments _before_ -o options?
>
> mount -t cifs //ipaserver.MY.LAN/TheShare --verbose -o sec=krb5
>
> and you can enable debugging before mounting in /proc/fs/cifs/, see https://wiki.samba.org/index.php/LinuxCIFS_troubleshooting
> --

[john@ipaserver ~]$ rpm -q cifs-utils
cifs-utils-6.4-2.fc21.x86_64
[john@ipaserver mnt]# su root
[root@ipaserver mnt]# kdestroy
[root@ipaserver mnt]# kinit admin
[root@ipaserver mnt]# klist
Ticket cache: KEYRING:persistent:143444:krb_ccache_As3C1bl
Default principal: ad...@my.lan

Valid starting       Expires              Service principal
2015-01-09 22:40:37  2015-01-10 22:40:32  krbtgt/my@my.lan
[root@ipaserver mnt]#
[root@ipaserver mnt]# mount -t cifs //ipaserver.MY.LAN/TheShare --verbose -o sec=krb5 mointpoint
mount.cifs kernel mount options: ip=192.168.0.103,unc=\\ipaserver.MY.LAN\TheShare,sec=krb5,user=john,pass=
mount error(126): Required key not available
Refer to the mount.cifs(8) manual page (e.g. man mount.cifs)

[fre jan 9 22:40:15 2015] CIFS VFS: Send error in SessSetup = -126
[fre jan 9 22:40:15 2015] CIFS VFS: cifs_mount failed w/return code = -126
[fre jan 9 22:40:49 2015] CIFS VFS: Send error in SessSetup = -126
[fre jan 9 22:40:49 2015] CIFS VFS: cifs_mount failed w/return code = -126
[fre jan 9 22:42:30 2015] fs/cifs/cifsfs.c: Devname: //ipaserver.MY.LAN/TheShare flags: 0
[fre jan 9 22:42:30 2015] fs/cifs/connect.c: Username: john
[fre jan 9 22:42:30 2015] fs/cifs/connect.c: file mode: 0x1ed dir mode: 0x1ed
[fre jan 9 22:42:30 2015] fs/cifs/connect.c: CIFS VFS: in cifs_mount as Xid: 6 with uid: 0
[fre jan 9 22:42:30 2015] fs/cifs/connect.c: UNC: \\ipaserver.MY.LAN\TheShare
[fre jan 9 22:42:30 2015] fs/cifs/connect.c: Socket created
[fre jan 9 22:42:30 2015] fs/cifs/connect.c: sndbuf 16384 rcvbuf 87380 rcvtimeo 0x1b58
[fre jan 9 22:42:30 2015] fs/cifs/fscache.c: cifs_fscache_get_client_cookie: (0x88007a28dc00/0x8800736ee000)
[fre jan 9 22:42:30 2015] fs/cifs/connect.c: CIFS VFS: in cifs_get_smb_ses as Xid: 7 with uid: 0
[fre jan 9 22:42:30 2015] fs/cifs/connect.c: Existing smb sess not found
[fre jan 9 22:42:30 2015] fs/cifs/cifssmb.c: Requesting extended security.
[fre jan 9 22:42:30 2015] fs/cifs/transport.c: For smb_command 114
[fre jan 9 22:42:30 2015] fs/cifs/transport.c: Sending smb: smb_len=78
[fre jan 9 22:42:30 2015] fs/cifs/connect.c: Demultiplex PID: 20875
[fre jan 9 22:42:30 2015] fs/cifs/connect.c: RFC1002 header 0xb5
[fre jan 9 22:42:30 2015] fs/cifs/misc.c: checkSMB Length: 0xb9, smb_buf_length: 0xb5
[fre jan 9 22:42:30 2015] fs/cifs/transport.c: cifs_sync_mid_result: cmd=114 mid=1 state=4
[fre jan 9 22:42:30 2015] fs/cifs/cifssmb.c: Dialect: 2
[fre jan 9 22:42:30 2015] fs/cifs/asn1.c: OID len = 7 oid = 0x1 0x2 0x348 0xbb92
[fre jan 9 22:42:30 2015] fs/cifs/asn1.c: OID len = 7 oid = 0x1 0x2 0x348 0x1bb92
[fre jan 9 22:42:30 2015] fs/cifs/asn1.c: OID len = 10 oid = 0x1 0x3 0x6 0x1
[fre jan 9 22:42:30 2015] fs/cifs/cifssmb.c: negprot rc 0
[fre jan 9 22:42:30 2015] fs/cifs/connect.c: Security Mode: 0x3 Capabilities: 0x8080f3fd TimeAdjust: -3600
[fre jan 9 22:42:30 2015] fs/cifs/sess.c: sess setup type 5
[fre jan 9 22:42:30 2015] fs/cifs/cifs_spnego.c: key description = ver=0x2;host=ipaserver.MY.LAN;ip4=192.168.0.103;sec=krb5;uid=0x0;creduid=0x0;user=john;pid=0x5188
[fre jan 9 22:42:30 2015] CIFS VFS: Send error in SessSetup = -126
[fre jan 9 22:42:30 2015] fs/cifs/connect.c: CIFS VFS: leaving cifs_get_smb_ses (xid = 7) rc = -126
[fre jan 9 22:42:30 2015] fs/cifs/fscache.c: cifs_fscache_release_client_cookie: (0x88007a28dc00/0x8800736ee000)
[fre jan 9 22:42:30 2015] fs/cifs/connect.c: CIFS VFS: leaving cifs_mount (xid = 6) rc = -126
[fre jan 9 22:42:30 2015] CIFS VFS: cifs_mount failed w/return code = -126

Is it okay that the verbose output says sec=krb5,user=john,pass= ? I did su from john...

--
john
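Two pieces of data in this part of the thread are worth being able to read mechanically: the request-key rules John listed in his earlier message, and the cifs.spnego key description cifs.ko logged above just before the -126 (ENOKEY) failure. The following is an added example, not code from the thread, from cifs-utils or from keyutils: a Python reconstruction of how request-key(8) selects the callout program for a key, and a parser for the key description that cifs.ko hands to cifs.upcall. The rule table is constructed from John's listings; the wildcard matching is a simplified reading of request-key.conf(5) (first matching rule wins), and the sample key description is the one from the debug output above.

```python
"""Added example (not from the thread, cifs-utils or keyutils): which callout
request-key(8) would run for the keys cifs.ko asks for, and what the cifs.spnego
key description tells that callout. The rule table is constructed from the
request-key.conf and request-key.d listings John posted; matching is a simplified
reading of request-key.conf(5) (shell-style wildcards, first matching rule wins)."""
import fnmatch

# Constructed from John's listings: request-key.conf plus request-key.d/*.conf.
# Columns: OP TYPE DESCRIPTION CALLOUT-INFO PROGRAM ARGS...
SAMPLE_RULES = """\
#OP     TYPE         DESCRIPTION   CALLOUT   PROGRAM ARG1 ARG2 ARG3 ...
create  dns_resolver *             *         /sbin/key.dns_resolver %k
create  user         debug:*       negate    /bin/keyctl negate %k 30 %S
create  user         debug:*       rejected  /bin/keyctl reject %k 30 %c %S
create  user         debug:loop:*  *         |/bin/cat
create  user         debug:*       *         /usr/share/keyutils/request-key-debug.sh %k %d %c %S
negate  *            *             *         /bin/keyctl negate %k 30 %S
create  cifs.idmap   *             *         /usr/sbin/cifs.idmap %k
create  cifs.spnego  *             *         /usr/sbin/cifs.upcall %k
"""

# The key description cifs.ko logged in John's debug output (fs/cifs/cifs_spnego.c).
SAMPLE_KEY_DESCRIPTION = ("ver=0x2;host=ipaserver.MY.LAN;ip4=192.168.0.103;sec=krb5;"
                          "uid=0x0;creduid=0x0;user=john;pid=0x5188")


def parse_rules(text):
    """Parse request-key.conf lines into (op, type, description, callout, program)
    tuples; blank lines and comments are skipped, the program keeps its arguments."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(None, 4)
        if len(fields) == 5:
            rules.append(tuple(fields))
    return rules


def find_handler(rules, op, key_type, description, callout_info=""):
    """Return the PROGRAM of the first rule whose op/type/description/callout
    patterns all match, or None when nothing matches. In the kernel, no handler
    (or a handler that fails) leaves the key uninstantiated and the caller gets
    ENOKEY, which mount.cifs reports as 'mount error(126): Required key not available'."""
    for r_op, r_type, r_desc, r_callout, program in rules:
        if (fnmatch.fnmatchcase(op, r_op) and fnmatch.fnmatchcase(key_type, r_type)
                and fnmatch.fnmatchcase(description, r_desc)
                and fnmatch.fnmatchcase(callout_info, r_callout)):
            return program
    return None


def parse_key_description(desc):
    """Split the 'k=v;k=v;...' description cifs.ko builds for a cifs.spnego key into
    a dict; the numeric fields (ver, uid, creduid, pid) are hex and become ints."""
    out = {}
    for part in desc.split(";"):
        if not part:
            continue
        key, _, value = part.partition("=")
        out[key] = int(value, 16) if key in ("ver", "uid", "creduid", "pid") else value
    return out


def explain_spnego_upcall(rules, desc):
    """Summarize what the upcall for this key will do: which program runs, and
    which uid's credential cache cifs.upcall will look in (the creduid field)."""
    fields = parse_key_description(desc)
    return {
        "program": find_handler(rules, "create", "cifs.spnego", desc),
        "creduid": fields["creduid"],
        "user": fields["user"],
        "host": fields["host"],
        "sec": fields["sec"],
    }


if __name__ == "__main__":
    rules = parse_rules(SAMPLE_RULES)
    print(explain_spnego_upcall(rules, SAMPLE_KEY_DESCRIPTION))
    # The same table without the cifs.spnego rule is the "no handler" failure mode.
    without = [r for r in rules if r[1] != "cifs.spnego"]
    print(find_handler(without, "create", "cifs.spnego", SAMPLE_KEY_DESCRIPTION))
```

Two things the output makes visible that the raw log does not: with John's files the cifs.spnego key does have a handler (cifs.upcall), so the -126 is not a missing rule but the callout failing to find usable credentials; and creduid=0x0 together with user=john shows the upcall looking in uid 0's credential cache while the mount was still carrying john's username from the environment, which is the mismatch Gianluca's su - root advice removes.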
Re: [Freeipa-users] Mount cifs share using kerberos
On Thu, 8 Jan 2015 22:29:00 +0100
John Obaterspok john.obaters...@gmail.com wrote:

> Hello,
>
> I've tried to do the following on the client (and also on the ipaserver itself) where I want the ipaserver share mounted.
>
> [root@ipaserver mnt]# mount -t cifs //ipaserver.MY.LAN/TheShare -o sec=krb5 mountpoint
> mount error(126): Required key not available
> Refer to the mount.cifs(8) manual page (e.g. man mount.cifs)
>
> (root has an admin ticket acquired)
>
> Any hints for a newbie?

What does klist say ?
and what version of cifs-utils ?

Simo.

> -- john
>
> 2015-01-08 18:51 GMT+01:00 Simo Sorce s...@redhat.com:
>> On Thu, 8 Jan 2015 10:01:50 +0100
>> John Obaterspok john.obaters...@gmail.com wrote:
>>> Hello, I have a samba share on the freeipa 4.1 server that I want to mount from another client that is part of the ipa domain
>>>
>>> I've tried:
>>> mount -t cifs //ipaserver.DOMAIN.LAN/share /mnt/point -o sec=krb5
>>>
>>> Shouldn't I be able to do the mount this way?
>>>
>>> -- john
>>
>> You should be able to, what's the error ?
>>
>> Simo.
>>
>> --
>> Simo Sorce * Red Hat, Inc * New York

--
Simo Sorce * Red Hat, Inc * New York
Re: [Freeipa-users] Mount cifs share using kerberos
On Thu, 08 Jan 2015, John Obaterspok wrote:
> Hello,
>
> I've tried to do the following on the client (and also on the ipaserver itself) where I want the ipaserver share mounted.
>
> [root@ipaserver mnt]# mount -t cifs //ipaserver.MY.LAN/TheShare -o sec=krb5 mountpoint
> mount error(126): Required key not available
> Refer to the mount.cifs(8) manual page (e.g. man mount.cifs)
>
> (root has an admin ticket acquired)
>
> Any hints for a newbie?

Do you have proper configuration in request-key.conf(5)?

On Fedora 21 we have /etc/request-key.d/cifs.upcall.conf and /etc/request-key.d/cifs.idmap.conf to allow kernel to properly fetch Kerberos keys and map IDs of CIFS identities. These configurations are part of cifs-utils package which also supplies mount.cifs.

--
/ Alexander Bokovoy
Re: [Freeipa-users] Mount cifs share using kerberos
2015-01-09 10:11 GMT+01:00 Alexander Bokovoy aboko...@redhat.com:
> On Thu, 08 Jan 2015, John Obaterspok wrote:
>> Hello,
>>
>> I've tried to do the following on the client (and also on the ipaserver itself) where I want the ipaserver share mounted.
>>
>> [root@ipaserver mnt]# mount -t cifs //ipaserver.MY.LAN/TheShare -o sec=krb5 mountpoint
>> mount error(126): Required key not available
>> Refer to the mount.cifs(8) manual page (e.g. man mount.cifs)
>>
>> (root has an admin ticket acquired)
>>
>> Any hints for a newbie?
>
> Do you have proper configuration in request-key.conf(5)?

I didn't know about those files, so if there are no defaults then I guess I don't have a proper configuration.

> On Fedora 21 we have /etc/request-key.d/cifs.upcall.conf and /etc/request-key.d/cifs.idmap.conf to allow kernel to properly fetch Kerberos keys and map IDs of CIFS identities. These configurations are part of cifs-utils package which also supplies mount.cifs.

Thanks Alexander,

--
john
[Freeipa-users] Mount cifs share using kerberos
Hello, I have a samba share on the freeipa 4.1 server that I want to mount from another client that is part of the ipa domain

I've tried:
mount -t cifs //ipaserver.DOMAIN.LAN/share /mnt/point -o sec=krb5

Shouldn't I be able to do the mount this way?

--
john
Re: [Freeipa-users] Mount cifs share using kerberos
On Thu, 8 Jan 2015 10:01:50 +0100
John Obaterspok john.obaters...@gmail.com wrote:

> Hello, I have a samba share on the freeipa 4.1 server that I want to mount from another client that is part of the ipa domain
>
> I've tried:
> mount -t cifs //ipaserver.DOMAIN.LAN/share /mnt/point -o sec=krb5
>
> Shouldn't I be able to do the mount this way?
>
> -- john

You should be able to, what's the error ?

Simo.

--
Simo Sorce * Red Hat, Inc * New York
Re: [Freeipa-users] Mount cifs share using kerberos
Hello,

I've tried to do the following on the client (and also on the ipaserver itself) where I want the ipaserver share mounted.

[root@ipaserver mnt]# mount -t cifs //ipaserver.MY.LAN/TheShare -o sec=krb5 mountpoint
mount error(126): Required key not available
Refer to the mount.cifs(8) manual page (e.g. man mount.cifs)

(root has an admin ticket acquired)

Any hints for a newbie?

--
john

2015-01-08 18:51 GMT+01:00 Simo Sorce s...@redhat.com:
> On Thu, 8 Jan 2015 10:01:50 +0100
> John Obaterspok john.obaters...@gmail.com wrote:
>> Hello, I have a samba share on the freeipa 4.1 server that I want to mount from another client that is part of the ipa domain
>>
>> I've tried:
>> mount -t cifs //ipaserver.DOMAIN.LAN/share /mnt/point -o sec=krb5
>>
>> Shouldn't I be able to do the mount this way?
>>
>> -- john
>
> You should be able to, what's the error ?
>
> Simo.
>
> --
> Simo Sorce * Red Hat, Inc * New York