Author Topic: mount.cifs of SAMBA share Fail by using Kerberos  (Read 9385 times)

davidegn

mount.cifs of SAMBA share Fail by using Kerberos
« on: January 05, 2014, 08:10:32 pm »
Hi guys,
I'm using Zentyal 3.3, updated from Zentyal 3.2, configured as a Domain Controller.

By using the module "File Sharing and Domain Services", I have created a share "myshare" folder with rw permission for my user "myuser".

In order to mount the share in an Ubuntu client, I use the following command:

Code:

sudo mount.cifs //mydc.mydomain/myshare /tmp/myshare -o user=myuser,sec=krb5,cruid=myuid,cifsacl,fsc --verbose


but as a result I have obtained the following error:

Code:
mount error(126): Required key not available
Refer to the mount.cifs(8) manual page (e.g. man mount.cifs)

Checking the syslog, the error is generated by cifs.upcall when it tries to get the Kerberos ticket. Here is the syslog:

Code:
key description: cifs.spnego;0;0;39010000;ver=0x2;host=myhost;ip4=192.168.123.245;sec=krb5;uid=0x0;creduid=0x2dc6ef;user=myuser;pid=0x164f
cifs.upcall: ver=2
cifs.upcall: host=myhost
cifs.upcall: ip=192.168.123.245
cifs.upcall: sec=1
cifs.upcall: uid=0
cifs.upcall: creduid=3000047
cifs.upcall: user=myuser
cifs.upcall: pid=5711
cifs.upcall: find_krb5_cc: considering /tmp/krb5cc_3000047_LptXXy
cifs.upcall: find_krb5_cc: FILE:/tmp/krb5cc_3000047_LptXXy is valid ccache
cifs.upcall: handle_krb5_mech: getting service ticket for myhost
cifs.upcall: cifs_krb5_get_req: unable to get credentials for myhost
cifs.upcall: handle_krb5_mech: failed to obtain service ticket (-1765328377)
kernel: [25707.318586] CIFS VFS: Send error in SessSetup = -126
kernel: [25707.318736] CIFS VFS: cifs_mount failed w/return code = -126

In more detail, the Kerberos error (-1765328377) is defined as "KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN", which means "Server not found in Kerberos database".

In order to mount some network units after the user logs in on a client, I adopted this solution starting with Zentyal 3.0, using mount.cifs in a script that is executed after login. After upgrading the Zentyal server to version 3.2 and then 3.3, this solution didn't work.

Do you know of this problem and a possible solution?

Alternatively, can you suggest a different way to mount network units after the user logs in on an Ubuntu client? The most important thing is that each network unit has to be mounted with the privileges of the user, because each user has different privileges on the units.

For Windows clients, I use the command "net use ..." and I need a similar solution for Ubuntu clients.

Thanks a lot
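
Added example (not part of the original post or of cifs-utils): a shell helper that pulls the credential cache, the requested service principal and the krb5 error code out of cifs.upcall syslog lines like those quoted above, then names the error. It goes beyond the single code in the post by mapping a few other RFC 4120 error numbers through the same offset; the function names, the `cifs/<host>` principal form and the embedded sample log are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: summarise a cifs.upcall Kerberos failure from syslog text.

# Constructed sample: a subset of the syslog lines quoted in the post.
SAMPLE_LOG='cifs.upcall: host=myhost
cifs.upcall: creduid=3000047
cifs.upcall: find_krb5_cc: FILE:/tmp/krb5cc_3000047_LptXXy is valid ccache
cifs.upcall: handle_krb5_mech: getting service ticket for myhost
cifs.upcall: handle_krb5_mech: failed to obtain service ticket (-1765328377)
kernel: [25707.318586] CIFS VFS: Send error in SessSetup = -126'

# MIT krb5 reports protocol errors as (-1765328384 + RFC 4120 error number),
# so adding 1765328384 recovers the protocol-level number.
krb5_error_name() {
    case $(( $1 + 1765328384 )) in
        6)  echo KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN ;;
        7)  echo KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN ;;
        32) echo KRB5KRB_AP_ERR_TKT_EXPIRED ;;
        37) echo KRB5KRB_AP_ERR_SKEW ;;
        *)  echo "UNKNOWN($1)" ;;
    esac
}

# Read syslog text on stdin and print key=value lines.
# Assumption: the ticket is requested for the principal cifs/<host>.
summarise_upcall() {
    awk '
        /find_krb5_cc: .* is valid ccache/ { ccache = $(NF-3) }
        /getting service ticket for/       { spn = "cifs/" $NF }
        /failed to obtain service ticket/  { code = $NF; gsub(/[()]/, "", code) }
        END {
            print "ccache=" (ccache == "" ? "none" : ccache)
            print "spn=" (spn == "" ? "unknown" : spn)
            print "krb5_code=" (code == "" ? "none" : code)
        }'
}

# Turn the summary into a one-line finding.
diagnose() {
    summary=$(summarise_upcall)
    code=$(printf '%s\n' "$summary" | sed -n 's/^krb5_code=//p')
    spn=$(printf '%s\n' "$summary" | sed -n 's/^spn=//p')
    if [ "$code" = none ]; then echo "no krb5 failure logged"; return 0; fi
    echo "$(krb5_error_name "$code") while requesting $spn"
}

printf '%s\n' "$SAMPLE_LOG" | diagnose
```

On a client, running `kvno cifs/<host>` as the mounting user requests the same service ticket directly and shows the KDC's answer without going through mount.cifs.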



UdoB

Re: mount.cifs of SAMBA share Fail by using Kerberos
« Reply #1 on: January 06, 2014, 07:21:19 pm »
Code:
sudo mount.cifs //mydc.mydomain/myshare /tmp/myshare -o user=myuser,sec=krb5,cruid=myuid,cifsacl,fsc --verbose
but as a result I have obtained the following error:
Code:
mount error(126): Required key not available

You need to have a Kerberos Ticket-Granting-Ticket. Get one by running "kinit":

(( uba = a Domain User;  zentyal = my Zentyal Server; neu.lan = my AD Domain; ubuntugnome = a client machine ))

Code:
root@ubuntugnome:~# klist
klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_0)

root@ubuntugnome:~# kinit uba
Password for uba@NEU.LAN:
Warning: Your password will expire in 348 days on Sat Dec 20 20:15:36 2014

root@ubuntugnome:~# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: uba@NEU.LAN

Valid starting       Expires              Service principal
2014-01-06 19:14:33  2014-01-07 05:14:33  krbtgt/NEU.LAN@NEU.LAN
renew until 2014-01-07 19:14:34

Only then can you mount:
Code:
root@ubuntugnome:~# kinit uba
Password for uba@NEU.LAN:
Warning: Your password will expire in 348 days on Sat Dec 20 20:15:36 2014

root@ubuntugnome:~# mount.cifs //zentyal.neu.lan/temp /mnt/temp -o user=uba,sec=krb5,cifsacl,fsc --verbose
mount.cifs kernel mount options: ip=10.4.132.1,unc=\\zentyal.neu.lan\temp,sec=krb5,cifsacl,fsc,user=uba,pass=********

root@ubuntugnome:~# mount | grep temp
//zentyal.neu.lan/temp on /mnt/temp type cifs (rw)

root@ubuntugnome:~# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: uba@NEU.LAN

Valid starting       Expires              Service principal
2014-01-06 19:14:33  2014-01-07 05:14:33  krbtgt/NEU.LAN@NEU.LAN
renew until 2014-01-07 19:14:34
2014-01-06 19:15:55  2014-01-07 05:14:33  cifs/zentyal.neu.lan@
renew until 2014-01-07 19:14:34
2014-01-06 19:15:55  2014-01-07 05:14:33  cifs/zentyal.neu.lan@NEU.LAN
renew until 2014-01-07 19:14:34

There might be some more pre-requirements which I met on my test-machine because of prior tests. Not sure...

For an alternative you might want to read http://forum.zentyal.org/index.php/topic,12925.msg53495.html#msg53495
Udo