cifs.upcall does not find/read existing credentials from KRB5CCNAME

Solution Unverified - Updated -

Environment

  • Red Hat Enterprise Linux 5.4 or earlier
  • Red Hat Enterprise Linux 6
  • Red Hat Enterprise Linux 7
  • samba-client-3.0.33-3.7.el5_3.1
  • cifs-utils-4.8.1-20.el6
  • cifs-utils-6.2-7.el7

Issue

  • cifs.upcall currently has no provision for reading the Kerberos credential cache path from the KRB5CCNAME environment variable.
  • The CIFS client requires a Kerberos credential cache holding a pre-existing TGT to be present at the default file location, /tmp/krb5cc_{uid}.

Resolution

For non-standard credential cache names, upgrade to samba-client-3.0.33-3.28.el5 or above, or upgrade to Red Hat Enterprise Linux 6 or later.
Non-standard credential cache paths are unsupported at this time.

Root Cause

cifs.upcall performs certain CIFS-related tasks for the kernel in user space.

Prior to samba-client-3.0.33-3.28.el5, cifs was not able to find and use Kerberos credential caches that used non-default filenames. The version of cifs.upcall included with Red Hat Enterprise Linux 5.5 searches /tmp in order to find credential caches with non-default filenames.
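
The lookup rules above can be turned into a quick pre-mount check. This is an added example, not part of the original article or of cifs-utils; the function names classify_ccname and check_cache_file are hypothetical, and the ownership and 0600 mode test is a hygiene assumption of this example rather than documented cifs.upcall behaviour.

```shell
#!/bin/sh
# Added example: predict whether cifs.upcall can use a given KRB5CCNAME,
# following the rules stated in this article. Function names are hypothetical.

# Prints: default | nondefault-name | unsupported-path | unsupported-type
classify_ccname() {
    ccname=$1           # KRB5CCNAME value, may be empty
    uid=$2              # numeric uid of the mounting user
    ccdir=${3:-/tmp}    # directory searched, /tmp per the article
    if [ -z "$ccname" ]; then ccname="FILE:$ccdir/krb5cc_$uid"; fi
    case $ccname in
        FILE:*) path=${ccname#FILE:} ;;
        *:*)    echo unsupported-type; return 0 ;;  # e.g. KEYRING:, DIR:
        *)      path=$ccname ;;                     # no prefix means FILE:
    esac
    if [ "${path%/*}" != "$ccdir" ]; then
        echo unsupported-path      # cache lives outside the searched directory
    elif [ "${path##*/}" = "krb5cc_$uid" ]; then
        echo default               # default location named in the article
    else
        echo nondefault-name       # needs samba-client-3.0.33-3.28.el5 or later
    fi
}

# Hygiene check (assumption of this example): regular file, owned by uid, 0600
check_cache_file() {
    path=$1; uid=$2
    if [ -L "$path" ] || [ ! -f "$path" ]; then echo missing; return 1; fi
    set -- $(ls -ln "$path")       # $1 = permission string, $3 = numeric owner
    if [ "$3" != "$uid" ]; then echo wrong-owner; return 1; fi
    case $1 in
        -rw-------*) echo ok ;;
        *)           echo "bad-mode:$1"; return 1 ;;
    esac
}

# Report for the current session
echo "KRB5CCNAME=${KRB5CCNAME:-<unset>}: $(classify_ccname "${KRB5CCNAME:-}" "$(id -u)")"
```

A result of unsupported-path or unsupported-type means the cache is somewhere the article says cifs.upcall does not look, which matches the "Required key not available" failure shown under Diagnostic Steps.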

Diagnostic Steps

  • Add an entry in /etc/fstab to mount the CIFS share:

    //winc.test.example.com/Winshare       /cifs   cifs  username=winuser@TEST.EXAMPLE.COM,sec=krb5i,noauto,users 0  0

  • Set the SUID bit on /sbin/mount.cifs and chown the mount point to 'winuser'.
  • Add the necessary entries to request-key.conf as described in the cifs.upcall man page.
  • Log in as 'winuser' and try to mount the CIFS share.
  • The mount fails with the following error:

    $ mount /cifs
    mount error 126 = Required key not available
    Refer to the mount.cifs(8) manual page (e.g.man mount.cifs)
    
  • Debug logs

    Aug  7 23:50:33 server1 automount[2601]: attempting to mount entry /cifs/Wshare
    Aug  7 23:50:33 server1 automount[2601]: lookup_mount: lookup(file): looking up Wshare
    Aug  7 23:50:33 server1 automount[2601]: lookup_mount: lookup(file): Wshare -> -fstype=cifs,username=nctest@TESTLAB.TEST.EXAMPLE.COM,sec=krb5i ://winc.testlab.test.example.com/Wshare
    Aug  7 23:50:33 server1 automount[2601]: parse_mount: parse(sun): expanded entry: -fstype=cifs,username=nctest@TESTLAB.TEST.EXAMPLE.COM,sec=krb5i ://winc.testlab.test.example.com/Wshare
    Aug  7 23:50:33 server1 automount[2601]: parse_mount: parse(sun): gathered options: timout=60,fstype=cifs,username=nctest@TESTLAB.TEST.EXAMPLE.COM,sec=krb5i
    Aug  7 23:50:33 server1 automount[2601]: parse_mount: parse(sun): dequote("://winc.testlab.test.example.com/Wshare") -> ://winc.testlab.test.example.com/Wshare
    Aug  7 23:50:33 server1 automount[2601]: parse_mount: parse(sun): core of entry: options=timout=60,fstype=cifs,username=nctest@TESTLAB.TEST.EXAMPLE.COM,sec=krb5i,loc=://winc.testlab.test.example.com/Wshare
    Aug  7 23:50:33 server1 automount[2601]: sun_mount: parse(sun): mounting root /cifs, mountpoint Wshare, what //winc.testlab.test.example.com/Wshare, fstype cifs, options timout=60,username=nctest@TESTLAB.TEST.EXAMPLE.COM,sec=krb5i
    Aug  7 23:50:33 server1 automount[2601]: do_mount: //winc.testlab.test.example.com/Wshare /cifs/Wshare type cifs options timout=60,username=nctest@TESTLAB.TEST.EXAMPLE.COM,sec=krb5i using module generic
    Aug  7 23:50:33 server1 automount[2601]: mount_mount: mount(generic): calling mkdir_path /cifs/Wshare
    Aug  7 23:50:33 server1 automount[2601]: mount_mount: mount(generic): calling mount -t cifs -s -o timout=60,username=nctest@TESTLAB.TEST.EXAMPLE.COM,sec=krb5i //winc.testlab.test.example.com/Wshare /cifs/Wshare
    Aug  7 23:50:33 server1 kernel: CIFS: Unknown mount option timout
    Aug  7 23:50:33 server1 kernel:  CIFS VFS: Send error in SessSetup = -126
    Aug  7 23:50:33 server1 kernel:  CIFS VFS: cifs_mount failed w/return code = -126
    Aug  7 23:50:33 server1 automount[2601]: >> mount error 126 = Required key not available
    Aug  7 23:50:33 server1 automount[2601]: >> Refer to the mount.cifs(8) manual page (e.g.man mount.cifs)
    Aug  7 23:50:33 server1 automount[2601]: spawn_mount: mount failed with error code 16, retrying with the -f option
    
