cifs.upcall does not find/read existing credentials from KRB5CCNAME
Environment
- Red Hat Enterprise Linux 5.4 or earlier
- Red Hat Enterprise Linux 6
- Red Hat Enterprise Linux 7
- samba-client-3.0.33-3.7.el5_3.1
- cifs-utils-4.8.1-20.el6
- cifs-utils-6.2-7.el7
Issue
- cifs.upcall has no current provision to get the kerberos credentials cache path from the KRB5CCNAME environment variable.
- The CIFS client requires the system kerberos cache with a pre-existing TGT to be found in the default file location, /tmp/krb5cc_{uid}.
Resolution
For non-standard credential names, upgrade to samba-client-3.0.33-3.28.el5 or above, or upgrade to Red Hat Enterprise Linux 6 or later.
Non-standard credential paths are unsupported at this time.
Root Cause
cifs.upcall performs certain CIFS-related tasks for the kernel in user space.
Prior to samba-client-3.0.33-3.28.el5, cifs was not able to find and use Kerberos credential caches that used non-default filenames. The version of cifs.upcall included with Red Hat Enterprise Linux 5.5 searches /tmp to find credential caches with non-default filenames.
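The cache location can be checked on a client before attempting the mount. The following shell function is an added example, not part of the original article or of cifs-utils; it classifies a user's credential cache using only the rules stated in this article. The function name, the result labels and the optional third argument (directory to treat as /tmp) are assumptions made for illustration.

```shell
#!/bin/sh
# Added diagnostic example; names and labels are illustrative assumptions.
# Usage: classify_ccache UID KRB5CCNAME [TMPDIR]
# Prints one of:
#   default         TMPDIR/krb5cc_UID exists (the location cifs.upcall expects)
#   tmp-nondefault  cache is in TMPDIR under another name (needs the /tmp
#                   search added in samba-client-3.0.33-3.28.el5)
#   outside-tmp     cache file exists outside TMPDIR (unsupported per the article)
#   non-file        KRB5CCNAME is not a file cache, so there is no path to check
#   missing         no cache file found
# Only file presence is checked, not whether the cache holds a valid TGT.
classify_ccache() {
    cc_uid=$1
    cc_name=$2
    cc_tmp=${3:-/tmp}

    # cifs.upcall does not read KRB5CCNAME, so the default file wins if present.
    if [ -f "$cc_tmp/krb5cc_$cc_uid" ]; then
        echo default
        return 0
    fi

    # Reduce KRB5CCNAME to a file path; strip the optional FILE: type prefix.
    case $cc_name in
        "")     echo missing; return 0 ;;
        FILE:*) cc_path=${cc_name#FILE:} ;;
        /*)     cc_path=$cc_name ;;
        *)      echo non-file; return 0 ;;
    esac

    if [ ! -f "$cc_path" ]; then
        echo missing
    elif [ "${cc_path%/*}" = "$cc_tmp" ]; then
        echo tmp-nondefault
    else
        echo outside-tmp
    fi
}

# Report for the invoking user.
classify_ccache "$(id -u)" "${KRB5CCNAME:-}"
```

Run it as the user who will mount the share; any result other than default or tmp-nondefault means the mount is expected to fail with error 126 as shown under Diagnostic Steps.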
Diagnostic Steps
- Add an entry in /etc/fstab to mount the cifs share:
//winc.test.example.com/Winshare /cifs cifs username=winuser@TEST.EXAMPLE.COM,sec=krb5i,noauto,users 0 0
- Set SUID on /sbin/mount.cifs and chown the mount point to 'winuser'
- Add necessary entries to request-key.conf as per cifs.upcall man page
- Log in as 'winuser' and try to mount the cifs share
- The mount fails with the following error.
$ mount /cifs
mount error 126 = Required key not available
Refer to the mount.cifs(8) manual page (e.g.man mount.cifs)
- Debug logs
Aug 7 23:50:33 server1 automount[2601]: attempting to mount entry /cifs/Wshare
Aug 7 23:50:33 server1 automount[2601]: lookup_mount: lookup(file): looking up Wshare
Aug 7 23:50:33 server1 automount[2601]: lookup_mount: lookup(file): Wshare -> -fstype=cifs,username=nctest@TESTLAB.TEST.EXAMPLE.COM,sec=krb5i ://winc.testlab.test.example.com/Wshare
Aug 7 23:50:33 server1 automount[2601]: parse_mount: parse(sun): expanded entry: -fstype=cifs,username=nctest@TESTLAB.TEST.EXAMPLE.COM,sec=krb5i ://winc.testlab.test.example.com/Wshare
Aug 7 23:50:33 server1 automount[2601]: parse_mount: parse(sun): gathered options: timout=60,fstype=cifs,username=nctest@TESTLAB.TEST.EXAMPLE.COM,sec=krb5i
Aug 7 23:50:33 server1 automount[2601]: parse_mount: parse(sun): dequote("://winc.testlab.test.example.com/Wshare") -> ://winc.testlab.test.example.com/Wshare
Aug 7 23:50:33 server1 automount[2601]: parse_mount: parse(sun): core of entry: options=timout=60,fstype=cifs,username=nctest@TESTLAB.TEST.EXAMPLE.COM,sec=krb5i,loc=://winc.testlab.test.example.com/Wshare
Aug 7 23:50:33 server1 automount[2601]: sun_mount: parse(sun): mounting root /cifs, mountpoint Wshare, what //winc.testlab.test.example.com/Wshare, fstype cifs, options timout=60,username=nctest@TESTLAB.TEST.EXAMPLE.COM,sec=krb5i
Aug 7 23:50:33 server1 automount[2601]: do_mount: //winc.testlab.test.example.com/Wshare /cifs/Wshare type cifs options timout=60,username=nctest@TESTLAB.TEST.EXAMPLE.COM,sec=krb5i using module generic
Aug 7 23:50:33 server1 automount[2601]: mount_mount: mount(generic): calling mkdir_path /cifs/Wshare
Aug 7 23:50:33 server1 automount[2601]: mount_mount: mount(generic): calling mount -t cifs -s -o timout=60,username=nctest@TESTLAB.TEST.EXAMPLE.COM,sec=krb5i //winc.testlab.test.example.com/Wshare /cifs/Wshare
Aug 7 23:50:33 server1 kernel: CIFS: Unknown mount option timout
Aug 7 23:50:33 server1 kernel: CIFS VFS: Send error in SessSetup = -126
Aug 7 23:50:33 server1 kernel: CIFS VFS: cifs_mount failed w/return code = -126
Aug 7 23:50:33 server1 automount[2601]: >> mount error 126 = Required key not available
Aug 7 23:50:33 server1 automount[2601]: >> Refer to the mount.cifs(8) manual page (e.g.man mount.cifs)
Aug 7 23:50:33 server1 automount[2601]: spawn_mount: mount failed with error code 16, retrying with the -f option