[Bug 1900856] Re: multiuser mount with sec=krb5: cifs_mount failed w/return code = -2

2021-03-30 Thread Karl O. Pinc
I believe this is the same bug as Debian bug#986168: 
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=986168

A work-around can be found there.

** Bug watch added: Debian Bug tracker #986168
   https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=986168

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1900856

Title:
  multiuser mount with sec=krb5: cifs_mount failed w/return code = -2

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/cifs-utils/+bug/1900856/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1900856] Re: multiuser mount with sec=krb5: cifs_mount failed w/return code = -2

2021-03-30 Thread Launchpad Bug Tracker
Status changed to 'Confirmed' because the bug affects multiple users.

** Changed in: cifs-utils (Ubuntu)
   Status: New => Confirmed


[Bug 1900856] Re: multiuser mount with sec=krb5: cifs_mount failed w/return code = -2

2020-10-29 Thread Alexander Fieroch
Hm, if I add an AD username I can mount the share with a valid Kerberos
ticket for the user:

root@kubuntu-lts:# mount -vvv -o sec=krb5,multiuser,vers=3.0,cruid=ntfieroch //FILESERVER/share /mnt/test/
mount.cifs kernel mount options: ip=X.X.X.X,unc=\\FILESERVER/share,sec=krb5,multiuser,vers=3.0,cruid=10011,user=root,pass=

I want to mount the Samba share with the multiuser option with the machine
account's UPN in AD. Is that working for you?


If I specify UPN I get:

root@kubuntu-lts:# kinit -k KUBUNTU-LTS$
root@kubuntu-lts:# klist -ket /etc/krb5.keytab 
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   2 22.10.2020 10:54:16 KUBUNTU-LTS$@MPI-DORTMUND.MPG.DE (arcfour-hmac)
   2 22.10.2020 10:54:16 KUBUNTU-LTS$@MPI-DORTMUND.MPG.DE (aes128-cts-hmac-sha1-96)
   2 22.10.2020 10:54:16 KUBUNTU-LTS$@MPI-DORTMUND.MPG.DE (aes256-cts-hmac-sha1-96)
   2 22.10.2020 10:54:16 host/kubuntu-...@mpi-dortmund.mpg.de (arcfour-hmac)
   2 22.10.2020 10:54:16 host/kubuntu-...@mpi-dortmund.mpg.de (aes128-cts-hmac-sha1-96)
   2 22.10.2020 10:54:16 host/kubuntu-...@mpi-dortmund.mpg.de (aes256-cts-hmac-sha1-96)
   2 22.10.2020 10:54:16 host/kubuntu-lts.client.mpi-dortmund.mpg...@mpi-dortmund.mpg.de (arcfour-hmac)
   2 22.10.2020 10:54:16 host/kubuntu-lts.client.mpi-dortmund.mpg...@mpi-dortmund.mpg.de (aes128-cts-hmac-sha1-96)
   2 22.10.2020 10:54:16 host/kubuntu-lts.client.mpi-dortmund.mpg...@mpi-dortmund.mpg.de (aes256-cts-hmac-sha1-96)
   2 22.10.2020 10:54:16 RestrictedKrbHost/kubuntu-...@mpi-dortmund.mpg.de (arcfour-hmac)
   2 22.10.2020 10:54:16 RestrictedKrbHost/kubuntu-...@mpi-dortmund.mpg.de (aes128-cts-hmac-sha1-96)
   2 22.10.2020 10:54:16 RestrictedKrbHost/kubuntu-...@mpi-dortmund.mpg.de (aes256-cts-hmac-sha1-96)
   2 22.10.2020 10:54:16 RestrictedKrbHost/kubuntu-lts.client.mpi-dortmund.mpg...@mpi-dortmund.mpg.de (arcfour-hmac)
   2 22.10.2020 10:54:17 RestrictedKrbHost/kubuntu-lts.client.mpi-dortmund.mpg...@mpi-dortmund.mpg.de (aes128-cts-hmac-sha1-96)
   2 22.10.2020 10:54:17 RestrictedKrbHost/kubuntu-lts.client.mpi-dortmund.mpg...@mpi-dortmund.mpg.de (aes256-cts-hmac-sha1-96)

root@kubuntu-lts:# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: KUBUNTU-LTS$@MPI-DORTMUND.MPG.DE

Valid starting       Expires              Service principal
29.10.2020 13:49:42  29.10.2020 23:49:42  krbtgt/mpi-dortmund.mpg...@mpi-dortmund.mpg.de
        renew until 30.10.2020 13:49:42

root@kubuntu-lts:# mount -vvv -o sec=krb5,multiuser,vers=3.0,username='KUBUNTU-LTS$' //FILESERVER/share /mnt/test/
mount.cifs kernel mount options: ip=X.X.X.X,unc=\\FILESERVER\share,sec=krb5,multiuser,vers=3.0,user=KUBUNTU-LTS$,pass=
mount error(13): Permission denied
Refer to the mount.cifs(8) manual page (e.g. man mount.cifs) and kernel log messages (dmesg)


The Samba configuration for the SMB share on FILESERVER has the UPN as a valid
user:
[share]
  path = /mnt/share
  valid users = +"domain users", "KUBUNTU-LTS$"
  force group = "domain users"



Hm, now I get a different return code =-13 in dmesg:

[87872.570848] fs/cifs/cifsfs.c: Devname: //FILESERVER/share flags: 0
[87872.570889] fs/cifs/connect.c: Username: KUBUNTU-LTS$
[87872.570894] fs/cifs/connect.c: file mode: 0755  dir mode: 0755
[87872.570897] fs/cifs/connect.c: CIFS VFS: in mount_get_conns as Xid: 82 with uid: 0
[87872.570899] fs/cifs/connect.c: UNC: \\FILESERVER\share
[87872.570912] fs/cifs/connect.c: Socket created
[87872.570914] fs/cifs/connect.c: sndbuf 16384 rcvbuf 131072 rcvtimeo 0x6d6
[87872.580468] fs/cifs/fscache.c: cifs_fscache_get_client_cookie: (0x2f2c35d1/0xbd141cbc)
[87872.580470] fs/cifs/connect.c: Demultiplex PID: 14724
[87872.580475] fs/cifs/connect.c: CIFS VFS: in cifs_get_smb_ses as Xid: 83 with uid: 0
[87872.580476] fs/cifs/connect.c: Existing smb sess not found
[87872.580479] fs/cifs/smb2pdu.c: Negotiate protocol
[87872.580500] fs/cifs/transport.c: Sending smb: smb_len=106
[87872.585816] fs/cifs/connect.c: RFC1002 header 0xe0
[87872.585823] fs/cifs/smb2misc.c: SMB2 data length 96 offset 128
[87872.585823] fs/cifs/smb2misc.c: SMB2 len 224
[87872.585851] fs/cifs/transport.c: cifs_sync_mid_result: cmd=0 mid=0 state=4
[87872.585857] fs/cifs/misc.c: Null buffer passed to cifs_small_buf_release
[87872.585859] fs/cifs/smb2pdu.c: mode 0x1
[87872.585860] fs/cifs/smb2pdu.c: negotiated smb3.0 dialect
[87872.585863] fs/cifs/asn1.c: OID len = 7 oid = 0x1 0x2 0x348 0xbb92
[87872.585864] fs/cifs/asn1.c: OID len = 7 oid = 0x1 0x2 0x348 0x1bb92
[87872.585865] fs/cifs/asn1.c: OID len = 10 oid = 0x1 0x3 0x6 0x1
[87872.585867] fs/cifs/connect.c: Security Mode: 0x1 Capabilities: 0x300047 TimeAdjust: 0
[87872.585868] fs/cifs/smb2pdu.c: Session Setup
[87872.585869] fs/cifs/smb2pdu.c: sess setup type 5
[87872.585873] fs/cifs/cifs_spnego.c: key description = 
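
An added example, not part of the original post or of cifs-utils: a small Python parser that groups cifs debug lines like the dmesg output above into one record per mount attempt and translates the kernel return code (-2, -13) into its errno name. The sample log is constructed, and the "cifs_mount failed" lines are assumed to follow the wording in the bug title.

```python
import errno
import os
import re

# Constructed sample in the format of the cifs debug output quoted above; the
# "cifs_mount failed" lines are assumed to follow the wording of the bug title.
SAMPLE = """\
[87872.570848] fs/cifs/cifsfs.c: Devname: //FILESERVER/share flags: 0
[87872.570889] fs/cifs/connect.c: Username: KUBUNTU-LTS$
[87872.570897] fs/cifs/connect.c: CIFS VFS: in mount_get_conns as Xid: 82 with uid: 0
[87872.585860] fs/cifs/smb2pdu.c: negotiated smb3.0 dialect
[87872.585869] fs/cifs/smb2pdu.c: sess setup type 5
[87872.600000] CIFS VFS: cifs_mount failed w/return code = -13
[87900.100000] fs/cifs/cifsfs.c: Devname: //FILESERVER/share flags: 0
[87900.100100] fs/cifs/connect.c: Username: root
[87900.200000] CIFS VFS: cifs_mount failed w/return code = -2
"""

FIELDS = {
    "username": re.compile(r"Username: (\S+)"),
    "uid": re.compile(r"mount_get_conns as Xid: \d+ with uid: (\d+)"),
    "dialect": re.compile(r"negotiated (\S+) dialect"),
    "sess_setup_type": re.compile(r"sess setup type (\d+)"),
}
DEVNAME = re.compile(r"Devname: (\S+)")
FAILED = re.compile(r"cifs_mount failed w/return code = -(\d+)")


def mount_attempts(log_text):
    """Group cifs debug lines into one record per mount attempt."""
    attempts = []
    for line in log_text.splitlines():
        start = DEVNAME.search(line)
        if start:  # a "Devname:" line opens a new attempt
            attempts.append({"devname": start.group(1), "errno": None})
            continue
        if not attempts:
            continue  # log lines before the first attempt
        current = attempts[-1]
        failed = FAILED.search(line)
        if failed:  # kernel return codes are negated errno values
            code = int(failed.group(1))
            current["errno"] = errno.errorcode.get(code, str(code))
            current["reason"] = os.strerror(code)
            continue
        for name, pattern in FIELDS.items():
            match = pattern.search(line)
            if match:
                current[name] = match.group(1)
    return attempts
```

Calling `mount_attempts(SAMPLE)` returns two records; an attempt whose `errno` is still `None` did not log a failure line.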

[Bug 1900856] Re: multiuser mount with sec=krb5: cifs_mount failed w/return code = -2

2020-10-27 Thread Sergio Durigan Junior
Thanks for the bug report, Alexander!

I have a local setup here with an Active Directory running on Windows
Server 2019, and I fired up a Focal VM and tried to reproduce the steps
you mentioned above.  In a nutshell, here's what I did:

- realm join mydomain --membership-software=adcli
- Installed krb5-user and made sure everything was working correctly
- Installed smbclient et al and made sure everything was also working correctly
- Installed keyutils

Then, I acquired a krb5 ticket (using "kinit user", but without
resorting to a separate keytab, as you did above):

# klist 
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: j...@ad1.example.com

Valid starting   Expires  Service principal
10/27/2020 22:23:04  10/28/2020 08:23:04  krbtgt/ad1.example@ad1.example.com
renew until 10/28/2020 22:23:01

Finally, I tried mounting a SMB share from the Windows Server machine:

# mount //ad1.ad1.example.com/windows /mnt/ -o sec=krb5,multiuser,file_mode=0660,dir_mode=0770,nounix,noserverino

And everything worked correctly.  I'm able to list the contents of the
share, and if I switch to another user I see that the multiuser option
kicks in and I see the files' owner/group is changed accordingly.

Here's the version of everything I'm using:

cifs-utils:
  Installed: 2:6.9-1ubuntu0.1
sssd:
  Installed: 2.2.3-3
smbclient:
  Installed: 2:4.11.6+dfsg-0ubuntu1.5

Unless I'm missing some step from your configuration, it seems I can't
reproduce the bug.  The only way I can reproduce the same error you had
is when I kdestroy my credentials and try to mount the share again.

I will try setting up a samba share on another machine in the realm and
then try to reproduce the issue, but initially I don't see how this
could make a difference.  I'll get back when I have something.
