[Samba] mount.cifs and sec=krb5 - Samba

Hello fellow Samba folks,

I am attempting to mount a cifs share on a RHEL 5 box using
mount.cifs. The server is another RHEL 5 box. Both boxes are joined
to the same Kerberos realm (AD).

I kinit to get my Kerberos tickets.

This is the mount command I'm using:

mount.cifs //rhel5.server.iastate.edu/benvon ./mnt -o
user=benvon,sec=krb5

This results in a password prompt, then a permission denied message
(even if the password was correct).

The interesting thing to see is the log on the server (log level 10
excerpt):

[2007/05/04 15:10:30, 3] smbd/sesssetup.c:reply_sesssetup_and_X(1010)
sesssetupX:name=[]\[湥潶n䰀湩硵ç˜*牥楳湯ãˆ*㘮
ㄮⴸ⸸⸱⸱汥5䥃å�†å˜*å�†äŒ*楬湥â�´æ½¦â�²æ ¥Œç•®x]@
[129.186.196.8]
[2007/05/04 15:10:30, 6] param/loadparm.c:lp_file_list_changed(3001)
lp_file_list_changed()
file /etc/samba/smb.conf -> /etc/samba/smb.conf last mod_time:
Fri May 4 10:59:44 2007

[2007/05/04 15:10:30, 5] auth/auth_util.c:make_user_info_map(161)
make_user_info_map: Mapping user []\[湥潶n䰀湩硵ç˜*牥楳湯
ãˆ*㘮ㄮⴸ⸸⸱⸱汥5䥃å�†å˜*å�†äŒ*楬湥â�´æ ½¦â�²æ¥Œç•®x] from
workstation [129.186.196.8]
[2007/05/04 15:10:30, 5] auth/auth_util.c:make_user_info(75)
attempting to make a user_info for 湥潶n䰀湩硵ç˜*牥楳湯ãˆ*
㘮ㄮⴸ⸸⸱⸱汥5䥃å�†å˜*å�†äŒ*楬湥â�´æ½¦â �²æ¥Œç•®x (湥潶n
䰀湩硵ç˜*牥楳湯ãˆ*㘮ㄮⴸ⸸⸱⸱汥5䥃å �†å˜*å�†äŒ*楬湥
�潦�楌畮x)
[2007/05/04 15:10:30, 5] auth/auth_util.c:make_user_info(85)
making strings for 湥潶n䰀湩硵ç˜*牥楳湯ãˆ*㘮
ㄮⴸ⸸⸱⸱汥5䥃å�†å˜*å�†äŒ*楬湥â�´æ½¦â�²æ ¥Œç•®x's user_info
struct
[2007/05/04 15:10:30, 5] auth/auth_util.c:make_user_info(117)
making blobs for 湥潶n䰀湩硵ç˜*牥楳湯ãˆ*㘮ㄮⴸ⸸⸱⸱
æ±¥5䥃å�†å˜*å�†äŒ*楬湥â�´æ½¦â�²æ¥Œç•®x's user_info struct
[2007/05/04 15:10:30, 10] auth/auth_util.c:make_user_info(135)
made an encrypted user_info for 湥潶n䰀湩硵ç˜*牥楳湯ãˆ*㘮
ㄮⴸ⸸⸱⸱汥5䥃å�†å˜*å�†äŒ*楬湥â�´æ½¦â�²æ ¥Œç•®x (湥潶nä°€
湩硵ç˜*牥楳湯ãˆ*㘮ㄮⴸ⸸⸱⸱汥5䥃å�†å ˜*å�†äŒ*楬湥â�´
潦�楌畮x)
[2007/05/04 15:10:30, 3] auth/auth.c:check_ntlm_password(221)
check_ntlm_password: Checking password for unmapped user []\[湥潶
n䰀湩硵ç˜*牥楳湯ãˆ*㘮ㄮⴸ⸸⸱⸱汥5䥃 å�†å˜*å�†äŒ*楬湥
�潦�楌畮x]@[129.186.196.8] with the new password interface
[2007/05/04 15:10:30, 3] auth/auth.c:check_ntlm_password(224)
check_ntlm_password: mapped user is: [IASTATE]\[湥潶n䰀湩硵
ç˜*牥楳湯ãˆ*㘮ㄮⴸ⸸⸱⸱汥5䥃å�†å˜*å�†ä Œ*楬湥â�´æ½¦â�²
楌畮x]@[129.186.196.8]


Yah....

Anyway, when leaving off the sec=krb5 or setting sec=ntlmv2,
everything works as expected.

smbclient -k works as expected.

Does anyone have any advice? I can produce as much logging as may be
needed.

If this isn't the proper place to be asking questions about
mount.cifs, please redirect me.

Many Thanks,

Ben Vaughan, RHCE
Engineering Computing Support Services
Iowa State University
benvon@iastate.edu--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/listinfo/samba

On Fri, 2007-05-04 at 15:17 -0500, Ben Vaughan wrote:
> Hello fellow Samba folks,
>
> I am attempting to mount a cifs share on a RHEL 5 box using
> mount.cifs. The server is another RHEL 5 box. Both boxes are joined
> to the same Kerberos realm (AD).
>
> I kinit to get my Kerberos tickets.
>
> This is the mount command I'm using:
>
> mount.cifs //rhel5.server.iastate.edu/benvon ./mnt -o
> user=benvon,sec=krb5

[..]

> Does anyone have any advice? I can produce as much logging as may be
> needed.

Ben, the kernel module do not yet support kerberos, that's the problem.

> If this isn't the proper place to be asking questions about
> mount.cifs, please redirect me.

mount.cifs is fine, it is the kernel module that is still not complete
(wrt kerberos), you may ask info on the cifs module to
linux-cifs-client@lists.samba.org

Simo.

--
Simo Sorce
Samba Team GPL Compliance Officer
email: idra@samba.org
http://samba.org

--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/listinfo/samba

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Ben,


> I am attempting to mount a cifs share on a RHEL 5 box using mount.cifs.
> The server is another RHEL 5 box. Both boxes are joined to the same
> Kerberos realm (AD).
>
> I kinit to get my Kerberos tickets.
>
> This is the mount command I'm using:
>
> mount.cifs //rhel5.server.iastate.edu/benvon ./mnt -o user=benvon,sec=krb5

The cifs.ko krb5 support does not work right now.

You can find more details (inlcuding a list ot the
cifs client ml at http://linux-cifs.samba.org/

We're working on it.




cheers, jerry
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.3 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFGO6GYIR7qMdg1EfYRAm1/AJ9VAHGTuTQKUcUQCAbrVGxVZzTdFACglbhH
lnfmt5e1T2aSi4oNnSnhjyQ=
=yMyD
-----END PGP SIGNATURE-----
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/listinfo/samba