Can not mount AD share with Kerberos ticket: mount error 126 = Required key not available

Hello,

I have added my Linux computer "relogin" to our local AD-Realm "WORKGROUP.INTERN". I'm using Winbind for authentication against AD and user mapping (with idmap_rid).

At login I get two Kerberos tickets:

-----------------------------------------------------------------
euhus@relogin:~$ klist -5
Ticket cache: FILE:/tmp/krb5cc_101125
Default principal: euhus@...

Valid starting     Expires            Service principal
08/28/09 14:54:57  08/29/09 00:54:57  krbtgt/WORKGROUP.INTERN@...
        renew until 09/04/09 14:54:57
08/28/09 14:54:57  08/29/09 00:54:57  RELOGIN$@...
        renew until 09/04/09 14:54:57
euhus@relogin:~$
-----------------------------------------------------------------

However, when I try to use these tickets for mounting a share, it fails with "mount error 126 = Required key not available":

-----------------------------------------------------------------
euhus@relogin:~$ /sbin/mount.cifs //dc1.workgroup.site.de/homes .workgroup/homes/ --verbose -o sec=krb5i,guest
parsing options: sec=krb5i,guest

mount.cifs kernel mount options unc=//dc1.workgroup.site.de\homes,ip=1.2.3.220,user=euhus,ver=1,sec=krb5i,guest,uid=101125,gid=100513

mount error 126 = Required key not available
Refer to the mount.cifs(8) manual page (e.g.man mount.cifs)
-----------------------------------------------------------------

In /etc/request-key.conf I have:

-----------------------------------------------------------------
create cifs.spnego * * /usr/sbin/cifs.upcall %k %d
create dns_resolver * * /usr/sbin/cifs.upcall %k
-----------------------------------------------------------------

Even with "echo 3 > /proc/fs/cifs/cifsFYI" dmesg does not really help:

-----------------------------------------------------------------
[442597.829966] fs/cifs/connect.c: No session or bad tcon
[442597.829966] fs/cifs/connect.c: CIFS VFS: leaving cifs_mount (xid = 25) rc = -95
[442597.829966] CIFS VFS: cifs_mount failed w/return code = -95
[442602.280555] fs/cifs/cifsfs.c: Devname: //dc1.workgroup.site.de/homes flags: 64
[442602.280555] fs/cifs/connect.c: CIFS VFS: in cifs_mount as Xid: 26 with uid: 0
[442602.280555] fs/cifs/connect.c: Username: euhus
[442602.280555] fs/cifs/connect.c: UNC: \\dc1.workgroup.site.de\homes ip: 1.2.3.220
[442602.280555] fs/cifs/connect.c: Socket created
[442602.280555] fs/cifs/connect.c: sndbuf 16384 rcvbuf 87380 rcvtimeo 0x7fffffff
[442602.281556] fs/cifs/connect.c: Existing smb sess not found
[442602.280555] fs/cifs/connect.c: Demultiplex PID: 20596
[442602.281556] fs/cifs/cifssmb.c: secFlags 0x1009
[442602.281556] fs/cifs/cifssmb.c: Kerberos only mechanism, enable extended security
[442602.281556] fs/cifs/transport.c: For smb_command 114
[442602.281556] fs/cifs/transport.c: Sending smb of length 78
[442602.280555] fs/cifs/connect.c: rfc1002 length 0xc5
[442602.281556] fs/cifs/cifssmb.c: Dialect: 2
[442602.281556] fs/cifs/asn1.c: OID len = 7 oid = 0x1 0x2 0x348 0xbb92
[442602.281556] fs/cifs/asn1.c: OID len = 7 oid = 0x1 0x2 0x348 0x1bb92
[442602.281556] fs/cifs/asn1.c: OID len = 8 oid = 0x1 0x2 0x348 0x1bb92
[442602.281556] fs/cifs/asn1.c: OID len = 10 oid = 0x1 0x3 0x6 0x1
[442602.281556] fs/cifs/asn1.c: Need to call asn1_octets_decode() function for not_defined_in_RFC4178@please_ignore
[442602.281556] fs/cifs/cifssmb.c: Must sign - secFlags 0x1009
[442602.281556] fs/cifs/cifssmb.c: negprot rc 0
[442602.281556] fs/cifs/connect.c: Security Mode: 0xf Capabilities: 0x8001f3fd TimeAdjust: -7200
[442602.281556] fs/cifs/sess.c: sess setup type 6
[442602.281556] fs/cifs/cifs_spnego.c: key description = ver=0x1;host=dc1.workgroup.site.de;ip4=1.2.3.220;sec=krb5;uid=0x18b05;user=euhus
[442602.328182] fs/cifs/sess.c: ssetup freeing small buf f699dc80
[442602.328182] CIFS VFS: Send error in SessSetup = -126
[442602.460181] fs/cifs/connect.c: No session or bad tcon
[442602.460181] fs/cifs/connect.c: CIFS VFS: leaving cifs_mount (xid = 26) rc = -126
[442602.460181] CIFS VFS: cifs_mount failed w/return code = -126
-----------------------------------------------------------------

I guess that cifs.upcall is trying to get the key for "host/relogin.workgroup.site.de@..." which I don't have as user. I don't really have an idea why. But Kerberos tickets for my host are in fact available in /etc/krb5.keytab:

-----------------------------------------------------------------
relogin:~# klist -k /etc/krb5.keytab
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   4 host/relogin.workgroup.site.de@...
   4 host/relogin.workgroup.site.de@...
   4 host/relogin.workgroup.site.de@...
   4 host/relogin@...
   4 host/relogin@...
   4 host/relogin@...
   4 RELOGIN$@...
   4 RELOGIN$@...
   4 RELOGIN$@...
-----------------------------------------------------------------

Using smbclient, Konqueror and Nautilus works with the ticket.

I have tried the same on an Ubuntu 9.04 system without success. Sadly I haven't found any hints on the web. So maybe someone could at least give me a hint what to look out for, e.g. I would really like to see what key it is trying to find. But I could not find an option for seeing this in the logs.

Some more information on my system:
Standard Debian Lenny with kernel 2.6.28-15-generic which has CIFS Version 1.55

One more thing that might be connected to this (although I don't think so): in /var/log/samba/log.winbindd I found:

-----------------------------------------------------------------
[2009/08/24 10:12:52, 0] winbindd/winbindd_cache.c:initialize_winbindd_cache(2374)
  initialize_winbindd_cache: clearing cache and re-creating with version number 1
[2009/08/24 10:12:52, 2] winbindd/winbindd_util.c:add_trusted_domain(192)
  Added domain BUILTIN S-1-5-32
[2009/08/24 10:12:52, 2] winbindd/winbindd_util.c:add_trusted_domain(192)
  Added domain RELOGIN S-1-5-21-1796453317-37119528-1882467029
[2009/08/24 10:12:52, 2] winbindd/winbindd_util.c:add_trusted_domain(192)
  Added domain WORKGROUP WORKGROUP.INTERN S-1-5-21-3432792198-3694902127-1061648754
[2009/08/24 10:12:52, 2] libsmb/cliconnect.c:cli_session_setup_kerberos(619)
  Doing kerberos session setup
[2009/08/24 10:12:52, 1] libsmb/clikrb5.c:ads_krb5_mk_req(680)
  ads_krb5_mk_req: krb5_get_credentials failed for dc1$@WORKGROUP (Cannot resolve network address for KDC in requested realm)
[2009/08/24 10:12:52, 1] libsmb/cliconnect.c:cli_session_setup_kerberos(626)
  cli_session_setup_kerberos: spnego_gen_negTokenTarg failed: Cannot resolve network address for KDC in requested realm
[2009/08/24 10:45:08, 0] lib/util_sock.c:write_data(1139)
  write_data: write failure. Error = Die Verbindung wurde vom Kommunikationspartner zurückgesetzt
[2009/08/24 10:45:08, 0] libsmb/clientgen.c:write_socket(242)
  write_socket: Error writing 100 bytes to socket 18: ERRNO = Die Verbindung wurde vom Kommunikationspartner zurückgesetzt
[2009/08/24 10:45:08, 0] libsmb/clientgen.c:cli_send_smb(290)
  Error writing 100 bytes to client. -1 (Die Verbindung wurde vom Kommunikationspartner zurückgesetzt)
[2009/08/24 10:45:08, 1] rpc_client/cli_pipe.c:cli_rpc_pipe_open(2227)
  cli_rpc_pipe_open: cli_nt_create failed on pipe \samr to machine dc1.workgroup.intern. Error was Write error: Die Verbindung wurde vom Kommunikationspartner zurückgesetzt
[2009/08/24 10:45:08, 2] libsmb/cliconnect.c:cli_session_setup_kerberos(619)
  Doing kerberos session setup
[2009/08/24 10:45:08, 1] libsmb/clikrb5.c:ads_krb5_mk_req(680)
  ads_krb5_mk_req: krb5_get_credentials failed for dc1$@WORKGROUP (Cannot resolve network address for KDC in requested realm)
[2009/08/24 10:45:08, 1] libsmb/cliconnect.c:cli_session_setup_kerberos(626)
  cli_session_setup_kerberos: spnego_gen_negTokenTarg failed: Cannot resolve network address for KDC in requested realm
-----------------------------------------------------------------

If you need any other information, please let me know.
Thanks for your patience!

Cheers,
Robert

_______________________________________________
linux-cifs-client mailing list
linux-cifs-client@...
https://lists.samba.org/mailman/listinfo/linux-cifs-client

Re: Can not mount AD share with Kerberos ticket: mount error 126 = Required key not available

On Fri, 11 Sep 2009 14:49:04 +0200
Robert Euhus <euhus-liste1@...> wrote:

> Hello,
>
> I have added my Linux computer "relogin" to our local AD-Realm
> "WORKGROUP.INTERN".
> I'm using Winbind for authentication against AD and user mapping (with
> idmap_rid).
>
> At login I get two Kerberos tickets:
>
> -----------------------------------------------------------------
> euhus@relogin:~$ klist -5
> Ticket cache: FILE:/tmp/krb5cc_101125
> Default principal: euhus@...
>
> Valid starting Expires Service principal
> 08/28/09 14:54:57 08/29/09 00:54:57
> krbtgt/WORKGROUP.INTERN@...
> renew until 09/04/09 14:54:57
> 08/28/09 14:54:57 08/29/09 00:54:57 RELOGIN$@...
> renew until 09/04/09 14:54:57
> euhus@relogin:~$
> -----------------------------------------------------------------
>
> However, when I try to use these tickets for mounting a share, it fails
> with "mount error 126 = Required key not available":
>
> -----------------------------------------------------------------
> euhus@relogin:~$ /sbin/mount.cifs //dc1.workgroup.site.de/homes
> .workgroup/homes/ --verbose -o sec=krb5i,guest
> parsing options: sec=krb5i,guest
>
> mount.cifs kernel mount options
> unc=//dc1.workgroup.site.de\homes,ip=1.2.3.220,user=euhus,ver=1,sec=krb5i,guest,uid=101125,gid=100513
>
> mount error 126 = Required key not available
> Refer to the mount.cifs(8) manual page (e.g.man mount.cifs)
> -----------------------------------------------------------------
>
> In /etc/request-key.conf I have:
>
> -----------------------------------------------------------------
> create cifs.spnego * * /usr/sbin/cifs.upcall %k %d
> create dns_resolver * * /usr/sbin/cifs.upcall %k
> -----------------------------------------------------------------
>
> Even with "echo 3 > /proc/fs/cifs/cifsFYI" dmesg does not really help:
>
> -----------------------------------------------------------------
> [442597.829966] fs/cifs/connect.c: No session or bad tcon
> [442597.829966] fs/cifs/connect.c: CIFS VFS: leaving cifs_mount (xid =
> 25) rc = -95
> [442597.829966] CIFS VFS: cifs_mount failed w/return code = -95
> [442602.280555] fs/cifs/cifsfs.c: Devname:
> //dc1.workgroup.site.de/homes flags: 64
> [442602.280555] fs/cifs/connect.c: CIFS VFS: in cifs_mount as Xid: 26
> with uid: 0
> [442602.280555] fs/cifs/connect.c: Username: euhus
> [442602.280555] fs/cifs/connect.c: UNC: \\dc1.workgroup.site.de\homes
> ip: 1.2.3.220
> [442602.280555] fs/cifs/connect.c: Socket created
> [442602.280555] fs/cifs/connect.c: sndbuf 16384 rcvbuf 87380 rcvtimeo
> 0x7fffffff
> [442602.281556] fs/cifs/connect.c: Existing smb sess not found
> [442602.280555] fs/cifs/connect.c: Demultiplex PID: 20596
> [442602.281556] fs/cifs/cifssmb.c: secFlags 0x1009
> [442602.281556] fs/cifs/cifssmb.c: Kerberos only mechanism, enable
> extended security
> [442602.281556] fs/cifs/transport.c: For smb_command 114
> [442602.281556] fs/cifs/transport.c: Sending smb of length 78
> [442602.280555] fs/cifs/connect.c: rfc1002 length 0xc5
> [442602.281556] fs/cifs/cifssmb.c: Dialect: 2
> [442602.281556] fs/cifs/asn1.c: OID len = 7 oid = 0x1 0x2 0x348 0xbb92
> [442602.281556] fs/cifs/asn1.c: OID len = 7 oid = 0x1 0x2 0x348 0x1bb92
> [442602.281556] fs/cifs/asn1.c: OID len = 8 oid = 0x1 0x2 0x348 0x1bb92
> [442602.281556] fs/cifs/asn1.c: OID len = 10 oid = 0x1 0x3 0x6 0x1
> [442602.281556] fs/cifs/asn1.c: Need to call asn1_octets_decode()
> function for not_defined_in_RFC4178@please_ignore
> [442602.281556] fs/cifs/cifssmb.c: Must sign - secFlags 0x1009
> [442602.281556] fs/cifs/cifssmb.c: negprot rc 0
> [442602.281556] fs/cifs/connect.c: Security Mode: 0xf Capabilities:
> 0x8001f3fd TimeAdjust: -7200
> [442602.281556] fs/cifs/sess.c: sess setup type 6
> [442602.281556] fs/cifs/cifs_spnego.c: key description =
> ver=0x1;host=dc1.workgroup.site.de;ip4=1.2.3.220;sec=krb5;uid=0x18b05;user=euhus
> [442602.328182] fs/cifs/sess.c: ssetup freeing small buf f699dc80
> [442602.328182] CIFS VFS: Send error in SessSetup = -126
> [442602.460181] fs/cifs/connect.c: No session or bad tcon
> [442602.460181] fs/cifs/connect.c: CIFS VFS: leaving cifs_mount (xid =
> 26) rc = -126
> [442602.460181] CIFS VFS: cifs_mount failed w/return code = -126
> -----------------------------------------------------------------
> I guess that cifs.upcall is trying to get the key for
> "host/relogin.workgroup.site.de@..." which I don't have as
> user. I don't really have an idea why. But Kerberos tickets for my host
> are in fact available in /etc/krb5.keytab:
>

...nope, according to the above info, cifs.upcall is going to attempt
to get a service principal of:

    host/dc1.workgroup.site.de@...

...before connecting to the server. That's failing for some reason. In
general with krb5 you'll want to use the canonical hostname of the
server when mounting as that's the name most likely to be used in
service principals.

> -----------------------------------------------------------------
> relogin:~# klist -k /etc/krb5.keytab
> Keytab name: FILE:/etc/krb5.keytab
> KVNO Principal
> ----
> --------------------------------------------------------------------------
> 4 host/relogin.workgroup.site.de@...
> 4 host/relogin.workgroup.site.de@...
> 4 host/relogin.workgroup.site.de@...
> 4 host/relogin@...
> 4 host/relogin@...
> 4 host/relogin@...
> 4 RELOGIN$@...
> 4 RELOGIN$@...
> 4 RELOGIN$@...
> -----------------------------------------------------------------
>
> Using smbclient, Konqueror and Nautilus works with the ticket.
>
> I have tried the same on an Ubuntu 9.04 system without success.
> Sadly I haven't found any hints on the web. So maybe someone could at
> least give me a hint what to look out for, e.g. I would really like to see
> what key it is trying to find. But I could not find an option for seeing
> this in the logs.
>
> Some more information on my system:
> Standard Debian Lenny with kernel 2.6.28-15-generic which has CIFS
> Version 1.55
>
> One more thing that might be connected to this (although I don't think
> so): in /var/log/samba/log.winbindd I found:
>
> -----------------------------------------------------------------
> [2009/08/24 10:12:52, 0]
> winbindd/winbindd_cache.c:initialize_winbindd_cache(2374)
> initialize_winbindd_cache: clearing cache and re-creating with version
> number 1
> [2009/08/24 10:12:52, 2] winbindd/winbindd_util.c:add_trusted_domain(192)
> Added domain BUILTIN S-1-5-32
> [2009/08/24 10:12:52, 2] winbindd/winbindd_util.c:add_trusted_domain(192)
> Added domain RELOGIN S-1-5-21-1796453317-37119528-1882467029
> [2009/08/24 10:12:52, 2] winbindd/winbindd_util.c:add_trusted_domain(192)
> Added domain WORKGROUP WORKGROUP.INTERN
> S-1-5-21-3432792198-3694902127-1061648754
> [2009/08/24 10:12:52, 2]
> libsmb/cliconnect.c:cli_session_setup_kerberos(619)
> Doing kerberos session setup
> [2009/08/24 10:12:52, 1] libsmb/clikrb5.c:ads_krb5_mk_req(680)
> ads_krb5_mk_req: krb5_get_credentials failed for dc1$@WORKGROUP
> (Cannot resolve network address for KDC in requested realm)
> [2009/08/24 10:12:52, 1]
> libsmb/cliconnect.c:cli_session_setup_kerberos(626)
> cli_session_setup_kerberos: spnego_gen_negTokenTarg failed: Cannot
> resolve network address for KDC in requested realm
> [2009/08/24 10:45:08, 0] lib/util_sock.c:write_data(1139)
> write_data: write failure. Error = Die Verbindung wurde vom
> Kommunikationspartner zurückgesetzt
> [2009/08/24 10:45:08, 0] libsmb/clientgen.c:write_socket(242)
> write_socket: Error writing 100 bytes to socket 18: ERRNO = Die
> Verbindung wurde vom Kommunikationspartner zurückgesetzt
> [2009/08/24 10:45:08, 0] libsmb/clientgen.c:cli_send_smb(290)
> Error writing 100 bytes to client. -1 (Die Verbindung wurde vom
> Kommunikationspartner zurückgesetzt)
> [2009/08/24 10:45:08, 1] rpc_client/cli_pipe.c:cli_rpc_pipe_open(2227)
> cli_rpc_pipe_open: cli_nt_create failed on pipe \samr to machine
> dc1.workgroup.intern. Error was Write error: Die Verbindung wurde vom
> Kommunikationspartner zurückgesetzt
> [2009/08/24 10:45:08, 2]
> libsmb/cliconnect.c:cli_session_setup_kerberos(619)
> Doing kerberos session setup
> [2009/08/24 10:45:08, 1] libsmb/clikrb5.c:ads_krb5_mk_req(680)
> ads_krb5_mk_req: krb5_get_credentials failed for dc1$@WORKGROUP
> (Cannot resolve network address for KDC in requested realm)
> [2009/08/24 10:45:08, 1]
> libsmb/cliconnect.c:cli_session_setup_kerberos(626)
> cli_session_setup_kerberos: spnego_gen_negTokenTarg failed: Cannot
> resolve network address for KDC in requested realm
> -----------------------------------------------------------------
>
> If you need any other information, please let me know.
> Thanks for your patience!
>
> Cheers,
> Robert

--
Jeff Layton <jlayton@...>

Re: Can not mount AD share with Kerberos ticket: mount error 126 = Required key not available

On Fri, Sep 11, 2009 at 6:55 PM, Jeff Layton <jlayton@...> wrote:
> On Fri, 11 Sep 2009 14:49:04 +0200
> Robert Euhus <euhus-liste1@...> wrote:
>
>> Hello,
>>
>> I have added my Linux computer "relogin" to our local AD-Realm
>> "WORKGROUP.INTERN".
>> I'm using Winbind for authentication against AD and user mapping (with
>> idmap_rid).
>>
>> At login I get two Kerberos tickets:
>>
>> -----------------------------------------------------------------
>> euhus@relogin:~$ klist -5
>> Ticket cache: FILE:/tmp/krb5cc_101125
>> Default principal: euhus@...
>>
>> Valid starting Expires Service principal
>> 08/28/09 14:54:57 08/29/09 00:54:57
>> krbtgt/WORKGROUP.INTERN@...
>> renew until 09/04/09 14:54:57
>> 08/28/09 14:54:57 08/29/09 00:54:57 RELOGIN$@...
>> renew until 09/04/09 14:54:57
>> euhus@relogin:~$
>> -----------------------------------------------------------------
>>
>> However, when I try to use these tickets for mounting a share, it fails
>> with "mount error 126 = Required key not available":
>>
>> -----------------------------------------------------------------
>> euhus@relogin:~$ /sbin/mount.cifs //dc1.workgroup.site.de/homes
>> .workgroup/homes/ --verbose -o sec=krb5i,guest
>> parsing options: sec=krb5i,guest
>>
>> mount.cifs kernel mount options
>> unc=//dc1.workgroup.site.de\homes,ip=1.2.3.220,user=euhus,ver=1,sec=krb5i,guest,uid=101125,gid=100513
>>
>> mount error 126 = Required key not available
>> Refer to the mount.cifs(8) manual page (e.g.man mount.cifs)
>> -----------------------------------------------------------------
>>
>> In /etc/request-key.conf I have:
>>
>> -----------------------------------------------------------------
>> create cifs.spnego * * /usr/sbin/cifs.upcall %k %d
>> create dns_resolver * * /usr/sbin/cifs.upcall %k
>> -----------------------------------------------------------------
>>
>> Even with "echo 3 > /proc/fs/cifs/cifsFYI" dmesg does not really help:
>>
>> -----------------------------------------------------------------
>> [442597.829966] fs/cifs/connect.c: No session or bad tcon
>> [442597.829966] fs/cifs/connect.c: CIFS VFS: leaving cifs_mount (xid =
>> 25) rc = -95
>> [442597.829966] CIFS VFS: cifs_mount failed w/return code = -95
>> [442602.280555] fs/cifs/cifsfs.c: Devname:
>> //dc1.workgroup.site.de/homes flags: 64
>> [442602.280555] fs/cifs/connect.c: CIFS VFS: in cifs_mount as Xid: 26
>> with uid: 0
>> [442602.280555] fs/cifs/connect.c: Username: euhus
>> [442602.280555] fs/cifs/connect.c: UNC: \\dc1.workgroup.site.de\homes
>> ip: 1.2.3.220
>> [442602.280555] fs/cifs/connect.c: Socket created
>> [442602.280555] fs/cifs/connect.c: sndbuf 16384 rcvbuf 87380 rcvtimeo
>> 0x7fffffff
>> [442602.281556] fs/cifs/connect.c: Existing smb sess not found
>> [442602.280555] fs/cifs/connect.c: Demultiplex PID: 20596
>> [442602.281556] fs/cifs/cifssmb.c: secFlags 0x1009
>> [442602.281556] fs/cifs/cifssmb.c: Kerberos only mechanism, enable
>> extended security
>> [442602.281556] fs/cifs/transport.c: For smb_command 114
>> [442602.281556] fs/cifs/transport.c: Sending smb of length 78
>> [442602.280555] fs/cifs/connect.c: rfc1002 length 0xc5
>> [442602.281556] fs/cifs/cifssmb.c: Dialect: 2
>> [442602.281556] fs/cifs/asn1.c: OID len = 7 oid = 0x1 0x2 0x348 0xbb92
>> [442602.281556] fs/cifs/asn1.c: OID len = 7 oid = 0x1 0x2 0x348 0x1bb92
>> [442602.281556] fs/cifs/asn1.c: OID len = 8 oid = 0x1 0x2 0x348 0x1bb92
>> [442602.281556] fs/cifs/asn1.c: OID len = 10 oid = 0x1 0x3 0x6 0x1
>> [442602.281556] fs/cifs/asn1.c: Need to call asn1_octets_decode()
>> function for not_defined_in_RFC4178@please_ignore
>> [442602.281556] fs/cifs/cifssmb.c: Must sign - secFlags 0x1009
>> [442602.281556] fs/cifs/cifssmb.c: negprot rc 0
>> [442602.281556] fs/cifs/connect.c: Security Mode: 0xf Capabilities:
>> 0x8001f3fd TimeAdjust: -7200
>> [442602.281556] fs/cifs/sess.c: sess setup type 6
>> [442602.281556] fs/cifs/cifs_spnego.c: key description =
>> ver=0x1;host=dc1.workgroup.site.de;ip4=1.2.3.220;sec=krb5;uid=0x18b05;user=euhus
>> [442602.328182] fs/cifs/sess.c: ssetup freeing small buf f699dc80
>> [442602.328182] CIFS VFS: Send error in SessSetup = -126
>> [442602.460181] fs/cifs/connect.c: No session or bad tcon
>> [442602.460181] fs/cifs/connect.c: CIFS VFS: leaving cifs_mount (xid =
>> 26) rc = -126
>> [442602.460181] CIFS VFS: cifs_mount failed w/return code = -126
>> -----------------------------------------------------------------
>> I guess that cifs.upcall is trying to get the key for
>> "host/relogin.workgroup.site.de@..." which I don't have as
>> user. I don't really have an idea why. But Kerberos tickets for my host
>> are in fact available in /etc/krb5.keytab:
>>
>
> ...nope, according to the above info, cifs.upcall is going to attempt
> to get a service principal of:
>
> host/dc1.workgroup.site.de@...

Robert,

Try to use command (something like this):

$ kvno host/dc1.workgroup.site.de

to see if you can get a service ticket.

>
> ...before connecting to the server. That's failing for some reason. In
> general with krb5 you'll want to use the canonical hostname of the
> server when mounting as that's the name most likely to be used in
> service principals.
>
>> -----------------------------------------------------------------
>> relogin:~# klist -k /etc/krb5.keytab
>> Keytab name: FILE:/etc/krb5.keytab
>> KVNO Principal
>> ----
>> --------------------------------------------------------------------------
>> 4 host/relogin.workgroup.site.de@...
>> 4 host/relogin.workgroup.site.de@...
>> 4 host/relogin.workgroup.site.de@...
>> 4 host/relogin@...
>> 4 host/relogin@...
>> 4 host/relogin@...
>> 4 RELOGIN$@...
>> 4 RELOGIN$@...
>> 4 RELOGIN$@...
>> -----------------------------------------------------------------
>>
>> Using smbclient, Konqueror and Nautilus works with the ticket.
>>
>> I have tried the same on an Ubuntu 9.04 system without success.
>> Sadly I haven't found any hints on the web. So maybe someone could at
>> least give me a hint what to look out for, e.g. I would really like to see
>> what key it is trying to find. But I could not find an option for seeing
>> this in the logs.
>>
>> Some more information on my system:
>> Standard Debian Lenny with kernel 2.6.28-15-generic which has CIFS
>> Version 1.55
>>
>> One more thing that might be connected to this (although I don't think
>> so): in /var/log/samba/log.winbindd I found:
>>
>> -----------------------------------------------------------------
>> [2009/08/24 10:12:52, 0]
>> winbindd/winbindd_cache.c:initialize_winbindd_cache(2374)
>> initialize_winbindd_cache: clearing cache and re-creating with version
>> number 1
>> [2009/08/24 10:12:52, 2] winbindd/winbindd_util.c:add_trusted_domain(192)
>> Added domain BUILTIN S-1-5-32
>> [2009/08/24 10:12:52, 2] winbindd/winbindd_util.c:add_trusted_domain(192)
>> Added domain RELOGIN S-1-5-21-1796453317-37119528-1882467029
>> [2009/08/24 10:12:52, 2] winbindd/winbindd_util.c:add_trusted_domain(192)
>> Added domain WORKGROUP WORKGROUP.INTERN
>> S-1-5-21-3432792198-3694902127-1061648754
>> [2009/08/24 10:12:52, 2]
>> libsmb/cliconnect.c:cli_session_setup_kerberos(619)
>> Doing kerberos session setup
>> [2009/08/24 10:12:52, 1] libsmb/clikrb5.c:ads_krb5_mk_req(680)
>> ads_krb5_mk_req: krb5_get_credentials failed for dc1$@WORKGROUP
>> (Cannot resolve network address for KDC in requested realm)
>> [2009/08/24 10:12:52, 1]
>> libsmb/cliconnect.c:cli_session_setup_kerberos(626)
>> cli_session_setup_kerberos: spnego_gen_negTokenTarg failed: Cannot
>> resolve network address for KDC in requested realm
>> [2009/08/24 10:45:08, 0] lib/util_sock.c:write_data(1139)
>> write_data: write failure. Error = Die Verbindung wurde vom
>> Kommunikationspartner zurückgesetzt
>> [2009/08/24 10:45:08, 0] libsmb/clientgen.c:write_socket(242)
>> write_socket: Error writing 100 bytes to socket 18: ERRNO = Die
>> Verbindung wurde vom Kommunikationspartner zurückgesetzt
>> [2009/08/24 10:45:08, 0] libsmb/clientgen.c:cli_send_smb(290)
>> Error writing 100 bytes to client. -1 (Die Verbindung wurde vom
>> Kommunikationspartner zurückgesetzt)
>> [2009/08/24 10:45:08, 1] rpc_client/cli_pipe.c:cli_rpc_pipe_open(2227)
>> cli_rpc_pipe_open: cli_nt_create failed on pipe \samr to machine
>> dc1.workgroup.intern. Error was Write error: Die Verbindung wurde vom
>> Kommunikationspartner zurückgesetzt
>> [2009/08/24 10:45:08, 2]
>> libsmb/cliconnect.c:cli_session_setup_kerberos(619)
>> Doing kerberos session setup
>> [2009/08/24 10:45:08, 1] libsmb/clikrb5.c:ads_krb5_mk_req(680)
>> ads_krb5_mk_req: krb5_get_credentials failed for dc1$@WORKGROUP
>> (Cannot resolve network address for KDC in requested realm)
>> [2009/08/24 10:45:08, 1]
>> libsmb/cliconnect.c:cli_session_setup_kerberos(626)
>> cli_session_setup_kerberos: spnego_gen_negTokenTarg failed: Cannot
>> resolve network address for KDC in requested realm
>> -----------------------------------------------------------------
>>
>> If you need any other information, please let me know.
>> Thanks for your patience!
>>
>> Cheers,
>> Robert
>
>
> --
> Jeff Layton <jlayton@...>

SOLVED: Re: Can not mount AD share with Kerberos ticket: mount error 126 = Required key not available

Jeff Layton wrote:
> On Fri, 11 Sep 2009 14:49:04 +0200
> Robert Euhus <euhus-liste1@...> wrote:
> Hello,
>>
>> [..]
>
> ...nope, according to the above info, cifs.upcall is going to attempt
> to get a service principal of:
>
> host/dc1.workgroup.site.de@...
>
> ...before connecting to the server. That's failing for some reason. In
> general with krb5 you'll want to use the canonical hostname of the
> server when mounting as that's the name most likely to be used in
> service principals.

me that the KDC only has a service principal for
host/dc1.workgroup.intern@...
not for
host/dc1.workgroup.site.de@...
which doesn't look right to me.

But using

/sbin/mount.cifs //dc1.workgroup.intern/homes .workgroup/homes/ -o sec=krb5i,guest

works now.

Thank you very much!

Cheers,
Robert.

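The diagnosis reached in this thread, as an added example that is not part of any poster's message: read the server name from the cifs_spnego "key description" line in cifsFYI debug output, build the host/ principal named in the replies, and flag a server name that lies outside the realm's DNS domain. The function names and the suffix check are assumptions of this example; the sample log lines are copied from the dmesg output posted above.

```sh
#!/bin/sh
# Added example (not from the thread): find which service principal a failed
# sec=krb5 CIFS mount depended on, using the kernel's cifsFYI debug output.

# Log lines copied from the dmesg output in the first message.
SAMPLE_LOG='[442602.281556] fs/cifs/sess.c: sess setup type 6
[442602.281556] fs/cifs/cifs_spnego.c: key description = ver=0x1;host=dc1.workgroup.site.de;ip4=1.2.3.220;sec=krb5;uid=0x18b05;user=euhus
[442602.328182] CIFS VFS: Send error in SessSetup = -126'

# Print the host= field of the last "key description" line read from stdin.
cifs_key_host() {
    awk -F'key description = ' 'NF > 1 {
        n = split($2, kv, ";")
        for (i = 1; i <= n; i++)
            if (kv[i] ~ /^host=/) host = substr(kv[i], 6)
    } END { if (host != "") print host }'
}

# Build the principal named in the replies: host/<server name from the UNC>.
# The realm is left off, as it is elided on the page.
cifs_spn() {
    h=$(cifs_key_host)
    [ -n "$h" ] || return 1
    printf 'host/%s\n' "$h"
}

# Heuristic (an assumption of this example): a server in an AD realm usually
# has a canonical name ending in the lower-cased realm name.
# usage: host_in_realm HOSTNAME REALM   -> exit status 0 if it does
host_in_realm() {
    host=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    realm=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    case "$host" in
        *."$realm") return 0 ;;
        *) return 1 ;;
    esac
}

# usage: dmesg | diagnose REALM
# Exit status: 0 name matches realm, 1 mismatch, 2 no key description found.
diagnose() {
    spn=$(cifs_spn) || { echo "no cifs.spnego key description found"; return 2; }
    host=${spn#host/}
    if host_in_realm "$host" "$1"; then
        echo "OK $spn is inside realm $1"
    else
        echo "MISMATCH $spn is outside realm $1; mount by the server's canonical name"
        return 1
    fi
}

# Stand-alone run on the sample lines. On a live system the same principal
# can be checked against the KDC with: kvno "$(dmesg | cifs_spn)"
printf '%s\n' "$SAMPLE_LOG" | diagnose WORKGROUP.INTERN || true
```

On the sample lines this reports a mismatch for host/dc1.workgroup.site.de, the name used in the failing mount; dc1.workgroup.intern, the name that worked, passes the same check.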