LinuxQuestions.org
Register a domain and help support LQ
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Server
User Name
Password
Linux - Server This forum is for the discussion of Linux Software used in a server related context.

Notices

Reply
 
Search this Thread
Old 08-26-2009, 06:34 AM   #1
0ddba11
Member
 
Registered: Nov 2004
Location: Derby - UK
Distribution: Ubuntu at Home, RedHat Enterprise at Work
Posts: 46

Rep: Reputation: 15
Question Automounting Windows Share using user's kerberos ticket


The goal is to create separate (auto)mounts on Red Hat Enterprise 5.3 machine to shares on various Windows 2003 file servers (64 bit) on a per user basis (just like drive mappings on XP clients) for example:

/home/bob/winmounts/projects
/home/bob/winmounts/data
/home/bob/winmounts/shared

This will eliminate the need to use NFS file sharing on the Windows servers (which seems to be fraught with permission mapping issues).

Steps taken so far:
I have configured our Red Hat Enterprise 5.3 machines to use Winbind authentication and they are all a member of AD so that users can log in to them using their AD credentials, which is all working nicely.

It should now be possible is to mount the Windows shares using the kerberos ticket already obtained during login.

So I have done:
Code:
chmod +s /sbin/*.cifs
to allow the users to actually run the mount.cifs and umount.cifs programs (probably not required for autumouting, but usefull for testing mounts manually).

Added:
Code:
/home /etc/auto.cifs --timeout=5
to /etc/auto.master

Created /etc/auto.cifs with the following two lines:
Code:
#!/bin/bash
echo "-fstype=cifs,sec=krb5,user=$1 ://our-file-server/our-home-share/$1"
Added the following two lines to /etc/request-key.conf:
Code:
create cifs.spnego * * /usr/sbin/cifs.upcall -c %k
create dns_resolver * * /usr/sbin/cifs.upcall %k
A quick test by trying to cd into /home/bob reveals mount error 126 (which is required key not available) in /var/log/messages.

Stopping autofs and trying to mount manually using:
Code:
/sbin/mount.cifs //our-file-server/our-home-share/bob /home/bob -o sec=krb5
Does indeed give the same response: "mount error 126 = Required key not available"

But a quick 'klist' shows that I do have a valid ticket.

HOWEVER....

If I log in as root, and get my kerberos ticket using 'kinit bob' and then try it, everything works (both manually and for autofs.

I suspect this is something to do with the fact that autofs runs as root, and the setuid on mount.cifs means it also runs as root, where there is indeed no valid kerberos ticket.

I'm obviously missing something here, surely automounting cifs shares should be possible?

Are there any options I can pass to cifs.upcall that will tell it to use MY cached kerberos credentials?

Last edited by 0ddba11; 08-26-2009 at 06:41 AM. Reason: Put in code tags to make it more legible
 
Old 09-04-2009, 06:45 PM   #2
klwilson78
LQ Newbie
 
Registered: Sep 2009
Posts: 2

Rep: Reputation: 0
I'm having the same problem. Has anyone found a solution?
 
Old 09-18-2009, 04:11 AM   #3
ralish
LQ Newbie
 
Registered: Sep 2009
Posts: 7

Rep: Reputation: 1
I'm having the exact same problem as detailed by 0ddba11.

Can we get any advice on how to troubleshoot this problem?
 
Old 09-18-2009, 08:36 AM   #4
ralish
LQ Newbie
 
Registered: Sep 2009
Posts: 7

Rep: Reputation: 1
0ddba11: Are you pulling user and group IDs from LDAP (or possibly some other remote service)? I'm guessing you are through Samba + Winbind.

After some serious troubleshooting some limited progress has been made on establishing the cause. With the help of a more knowledgeable person than me on Linux systems, we've discovered that when calling mount.cifs from a user account, uid and gid parameters matching the user uid/gid are appended transparently to the command sent to the cifs kernel module. However, if you explicitly set the uid/gid to the root uid/gid, the mount will work flawlessly using the cached kerberos credentials for the user.

My hypothesis is that the kernel isn't correctly handling IDs pulled from LDAP, only working with IDs that are local to the machine (explicitly defined in group/passwd?). It would appear as long as you override the appended uid/gid combination with ones local to the box, it will work fine. I note that when mounting from root, uid/gid parameters are NOT transparently added to the kernel command being passed to cifs module, so it may be the case these are only added for users where the uid/gid can't be found locally, and the problem manifests further down the codepath.

For example, under a standard user account that is on the AD server:
Code:
/sbin/mount.cifs //whatever/whatever /home/whatever/test --verbose -o sec=krb5
The above command will fail. However:
Code:
/sbin/mount.cifs //whatever/whatever /home/whatever/test --verbose -o sec=krb5,uid=0,gid=0
Will work fine for me.

Note that verbose will show you what exactly is being sent to the cifs kernel module, allowing you to see the appended parameters.

Can anyone else confirm our findings? Better yet, can anyone shed some light on them and how to resolve this issue elegantly? Is this a kernel bug?
 
Old 09-23-2009, 12:05 PM   #5
ralish
LQ Newbie
 
Registered: Sep 2009
Posts: 7

Rep: Reputation: 1
The problem has been resolved.

This is a known issue with the cifs.upcall program that has been fixed in the latest sources available from the git master branch on samba gitweb.

It does not appear to be fixed in any of the latest samba releases as of now and so you'll probably have to compile it yourself from the latest sources or backport it to your release of choice.

Last edited by ralish; 09-23-2009 at 12:07 PM.
 
Old 10-06-2009, 12:01 PM   #6
klwilson78
LQ Newbie
 
Registered: Sep 2009
Posts: 2

Rep: Reputation: 0
Do you have a bug number for the known issue? Can you specify the version of cifs.upcall which contains the fix? I'd like to be able to determine if and when it makes it into various distributions.
 
Old 10-07-2009, 12:05 AM   #7
ralish
LQ Newbie
 
Registered: Sep 2009
Posts: 7

Rep: Reputation: 1
I'm not aware of any particular bug filed for this issue; there may be one, but I don't know of it (though if there is one I'd be interested). However, this is the particular commit in the Samba git repository that fixes the issue. As of now it does not appear to be in any of the stable trees but only in the Master tree and I have no idea if this is likely to change in the near future.

The particular version of cifs.upcall that contains the fix is v1.3, with cifs.upcall v1.2 what is currently shipping in all of the above stable branches. Keep in mind that this doesn't *guarantee* that you have the fix, there are several commits preceding the above fix that are all part of cifs.upcall v1.3. As of now, it seems the only way to get the fix is to either pull the latest sources from Master and compile them yourself, or backport the fix to a previous version and recompile the sources yourself.

Last edited by ralish; 10-07-2009 at 12:07 AM.
 
Old 11-20-2009, 04:56 AM   #8
munta
LQ Newbie
 
Registered: Nov 2009
Posts: 3

Rep: Reputation: 0
kbrf cifs and keyutils

Hi all. Had simillar issue on ubuntu 9.10
Installed keyutils
http://www.linuxquestions.org/questi....-krb5-770384/
 
Old 11-21-2009, 03:18 AM   #9
ralish
LQ Newbie
 
Registered: Sep 2009
Posts: 7

Rep: Reputation: 1
Thanks for the link munta.

I checked the system that was originally affected and it already has keyutils installed however (as it should), so I think our problems are somewhat different.
 
Old 11-23-2009, 05:08 PM   #10
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,414

Rep: Reputation: 1967Reputation: 1967Reputation: 1967Reputation: 1967Reputation: 1967Reputation: 1967Reputation: 1967Reputation: 1967Reputation: 1967Reputation: 1967Reputation: 1967
not a network question. moved to Linux - Server.
 
Old 12-02-2009, 05:37 AM   #11
0ddba11
Member
 
Registered: Nov 2004
Location: Derby - UK
Distribution: Ubuntu at Home, RedHat Enterprise at Work
Posts: 46

Original Poster
Rep: Reputation: 15
Hi chaps,

Sorry I've not been around for a while, been going through a massive file system migration from Netware to Windows (which is why I wanted this to work). Due to time constraints we ended up implementing 'Microsoft Server for NFS' which now seems to be causing more problems than it's solving so I'm actively looking at this as a solution once again.

I'm downloading RHEL 5.4 to see if the fixes to cifs.upcall have made it in (5.4 also supports DFS so potentially a double benefit).

It was really good to see your responses, if not only to know that I'm not alone on this and particular thanks to ralish for finding out that the correct credentials do indeed make it through to the cifs kernel module!

More news later...
 
Old 12-02-2009, 01:26 PM   #12
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,414

Rep: Reputation: 1967Reputation: 1967Reputation: 1967Reputation: 1967Reputation: 1967Reputation: 1967Reputation: 1967Reputation: 1967Reputation: 1967Reputation: 1967Reputation: 1967
You're downloading 5.4, when you're already using 5.3? What's wrong with a yum update??
 
Old 12-03-2009, 04:05 AM   #13
0ddba11
Member
 
Registered: Nov 2004
Location: Derby - UK
Distribution: Ubuntu at Home, RedHat Enterprise at Work
Posts: 46

Original Poster
Rep: Reputation: 15
Quote:
Originally Posted by acid_kewpie View Post
You're downloading 5.4, when you're already using 5.3? What's wrong with a yum update??
Although off topic, we are actually running 4.4 across the board, the 5.3 box was a dev box to test this CIFS functionality which is no more.

Now then, I have now setup a 5.4 box exactly as per our previous 5.3 dev box (no further patches yet) and the problem still exists.

Doing:
Code:
cifs.upcall -v
reveals that it is still version 1.2 so no suprises why it doesn't work.

Now I'm off to update the box to and see if cifs.upcall gets updated.
 
Old 12-03-2009, 06:19 AM   #14
0ddba11
Member
 
Registered: Nov 2004
Location: Derby - UK
Distribution: Ubuntu at Home, RedHat Enterprise at Work
Posts: 46

Original Poster
Rep: Reputation: 15
Quote:
Originally Posted by ralish View Post
I'm not aware of any particular bug filed for this issue
https://bugzilla.redhat.com/show_bug.cgi?id=517195

 
Old 12-03-2009, 07:35 AM   #15
0ddba11
Member
 
Registered: Nov 2004
Location: Derby - UK
Distribution: Ubuntu at Home, RedHat Enterprise at Work
Posts: 46

Original Poster
Rep: Reputation: 15
Now I need some help...

I did the following:
  • Downloaded samba-3.0.33-3.15.el5_4.src.rpm
  • Built new RPMS's
  • Freshened my RPM's with the ones I built

Doing:
Code:
cifs.upcall -v
now shows it to be version 1.3, but I STILL get the 'Required key not available' error.
 
  


Reply

Tags
kerberos, login, logout, mount, samba, session, share, windows


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
Problem for get ticket from kerberos aspenbr Linux - Networking 1 08-11-2009 11:44 AM
Problem in get ticket with Kerberos aspenbr Linux - Software 0 08-11-2009 05:24 AM
pam_krb5 won't retrieve a kerberos ticket Thakowbbery Conectiva 1 01-10-2007 06:20 AM
Mounting network shares using kerberos ticket dlbuhl Linux - Networking 0 12-19-2006 11:53 AM
Samba Kerberos Ticket sindri Linux - Software 0 11-24-2004 02:10 AM


All times are GMT -5. The time now is 03:00 PM.

Main Menu
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration