Ubuntu
cifs-utils package

  1. Bug #1900856
  2. Comment #2

Comment 2 for bug 1900856

Revision history for this message
Alexander Fieroch (fieroch) wrote :

Hm, if I add an AD username I can mount the share with an valid kerberos ticket for the user:

root@kubuntu-lts:# mount -vvv -o sec=krb5,multiuser,vers=3.0,cruid=ntfieroch //FILESERVER/share /mnt/test/
mount.cifs kernel mount options: ip=X.X.X.X,unc=\\FILESERVER/share,sec=krb5,multiuser,vers=3.0,cruid=10011,user=root,pass=********

I want to mount the samba share with multiuser option with the machine accounts UPN in AD. Is that working for you?

If I specify UPN I get:

root@kubuntu-lts:# kinit -k KUBUNTU-LTS$
root@kubuntu-lts:# klist -ket /etc/krb5.keytab
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp Principal
---- ------------------- ------------------------------------------------------
   2 22.10.2020 10:54:16 KUBUNTU-LTS$@MPI-DORTMUND.MPG.DE (arcfour-hmac)
   2 22.10.2020 10:54:16 KUBUNTU-LTS$@MPI-DORTMUND.MPG.DE (aes128-cts-hmac-sha1-96)
   2 22.10.2020 10:54:16 KUBUNTU-LTS$@MPI-DORTMUND.MPG.DE (aes256-cts-hmac-sha1-96)
   2 22.10.2020 10:54:16 <email address hidden> (arcfour-hmac)
   2 22.10.2020 10:54:16 <email address hidden> (aes128-cts-hmac-sha1-96)
   2 22.10.2020 10:54:16 <email address hidden> (aes256-cts-hmac-sha1-96)
   2 22.10.2020 10:54:16 <email address hidden> (arcfour-hmac)
   2 22.10.2020 10:54:16 <email address hidden> (aes128-cts-hmac-sha1-96)
   2 22.10.2020 10:54:16 <email address hidden> (aes256-cts-hmac-sha1-96)
   2 22.10.2020 10:54:16 <email address hidden> (arcfour-hmac)
   2 22.10.2020 10:54:16 <email address hidden> (aes128-cts-hmac-sha1-96)
   2 22.10.2020 10:54:16 <email address hidden> (aes256-cts-hmac-sha1-96)
   2 22.10.2020 10:54:16 <email address hidden> (arcfour-hmac)
   2 22.10.2020 10:54:17 <email address hidden> (aes128-cts-hmac-sha1-96)
   2 22.10.2020 10:54:17 <email address hidden> (aes256-cts-hmac-sha1-96)

root@kubuntu-lts:# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: KUBUNTU-LTS$@MPI-DORTMUND.MPG.DE

Valid starting Expires Service principal
29.10.2020 13:49:42 29.10.2020 23:49:42 <email address hidden>
        renew until 30.10.2020 13:49:42

root@kubuntu-lts:# mount -vvv -o sec=krb5,multiuser,vers=3.0,username='KUBUNTU-LTS$' //FILESERVER/share /mnt/test/
mount.cifs kernel mount options: ip=X.X.X.X,unc=\\FILESERVER\share,sec=krb5,multiuser,vers=3.0,user=KUBUNTU-LTS$,pass=********
mount error(13): Permission denied
Refer to the mount.cifs(8) manual page (e.g. man mount.cifs) and kernel log messages (dmesg)

The samba configuration for the smb share on FILESERVER has the UPN as valid user:
[share]
  path = /mnt/share
  valid users = +"domain users", "KUBUNTU-LTS$"
  force group = "domain users"

Hm, now I get a different return code =-13 in dmesg:

[87872.570848] fs/cifs/cifsfs.c: Devname: //FILESERVER/share flags: 0
[87872.570889] fs/cifs/connect.c: Username: KUBUNTU-LTS$
[87872.570894] fs/cifs/connect.c: file mode: 0755 dir mode: 0755
[87872.570897] fs/cifs/connect.c: CIFS VFS: in mount_get_conns as Xid: 82 with uid: 0
[87872.570899] fs/cifs/connect.c: UNC: \\FILESERVER\share
[87872.570912] fs/cifs/connect.c: Socket created
[87872.570914] fs/cifs/connect.c: sndbuf 16384 rcvbuf 131072 rcvtimeo 0x6d6
[87872.580468] fs/cifs/fscache.c: cifs_fscache_get_client_cookie: (0x000000002f2c35d1/0x00000000bd141cbc)
[87872.580470] fs/cifs/connect.c: Demultiplex PID: 14724
[87872.580475] fs/cifs/connect.c: CIFS VFS: in cifs_get_smb_ses as Xid: 83 with uid: 0
[87872.580476] fs/cifs/connect.c: Existing smb sess not found
[87872.580479] fs/cifs/smb2pdu.c: Negotiate protocol
[87872.580500] fs/cifs/transport.c: Sending smb: smb_len=106
[87872.585816] fs/cifs/connect.c: RFC1002 header 0xe0
[87872.585823] fs/cifs/smb2misc.c: SMB2 data length 96 offset 128
[87872.585823] fs/cifs/smb2misc.c: SMB2 len 224
[87872.585851] fs/cifs/transport.c: cifs_sync_mid_result: cmd=0 mid=0 state=4
[87872.585857] fs/cifs/misc.c: Null buffer passed to cifs_small_buf_release
[87872.585859] fs/cifs/smb2pdu.c: mode 0x1
[87872.585860] fs/cifs/smb2pdu.c: negotiated smb3.0 dialect
[87872.585863] fs/cifs/asn1.c: OID len = 7 oid = 0x1 0x2 0x348 0xbb92
[87872.585864] fs/cifs/asn1.c: OID len = 7 oid = 0x1 0x2 0x348 0x1bb92
[87872.585865] fs/cifs/asn1.c: OID len = 10 oid = 0x1 0x3 0x6 0x1
[87872.585867] fs/cifs/connect.c: Security Mode: 0x1 Capabilities: 0x300047 TimeAdjust: 0
[87872.585868] fs/cifs/smb2pdu.c: Session Setup
[87872.585869] fs/cifs/smb2pdu.c: sess setup type 5
[87872.585873] fs/cifs/cifs_spnego.c: key description = ver=0x2;host=FILESERVER;ip4=X.X.X.X;sec=krb5;uid=0x0;creduid=0x0;user=KUBUNTU-LTS$;pid=0x3982
[87872.591266] fs/cifs/transport.c: Sending smb: smb_len=1502
[87872.598034] fs/cifs/connect.c: RFC1002 header 0x49
[87872.598040] fs/cifs/smb2misc.c: SMB2 data length 0 offset 0
[87872.598041] fs/cifs/smb2misc.c: SMB2 len 73
[87872.598056] fs/cifs/transport.c: cifs_sync_mid_result: cmd=1 mid=1 state=4
[87872.598059] Status code returned 0xc0000022 STATUS_ACCESS_DENIED
[87872.598064] fs/cifs/smb2maperror.c: Mapping SMB2 status code 0xc0000022 to POSIX err -13
[87872.598065] fs/cifs/misc.c: Null buffer passed to cifs_small_buf_release
[87872.598071] CIFS VFS: \\FILESERVER Send error in SessSetup = -13
[87872.598076] fs/cifs/connect.c: CIFS VFS: leaving cifs_get_smb_ses (xid = 83) rc = -13
[87872.598084] fs/cifs/fscache.c: cifs_fscache_release_client_cookie: (0x000000002f2c35d1/0x00000000bd141cbc)
[87872.598096] fs/cifs/connect.c: CIFS VFS: leaving mount_put_conns (xid = 82) rc = 0
[87872.598097] CIFS VFS: cifs_mount failed w/return code = -13