[Bug 676525] Re: mount.cifs cannot mount with kerberos
Penelope Fudd
login.launchpad.net at ch.pkts.ca
Mon Jan 5 18:09:40 UTC 2015
I think I see the source of the problem....

When I do this:

    # sudo strace -fo/tmp/a -p $$ &
    # sudo mount -t cifs -o username=me,rw,uid=me,gid=mygroup,port=445,sec=krb5,creduid=/tmp/krb5cc_1000 \\\\server.example.com\\home\\me /mnt/me
    mount error(22): Invalid argument
    Refer to the mount.cifs(8) manual page (e.g. man mount.cifs)
    # kill %1
    # grep krb5cc /tmp/a
    8619 access("/tmp/krb5cc_1000", R_OK) = 0
    8619 open("/tmp/krb5cc_1000", O_RDONLY) = 3
    # grep ' mount(' /tmp/a
    8618 mount("\\\\server.example.com\\home\\me", ".", "cifs", 0, "ip=1.2.3.4,unc=\\\\server.example."...) = -1 EINVAL (Invalid argument)
    # dmesg | grep CIFS
    [ 4634.121902] CIFS: Unknown mount option "creduid=/tmp/krb5cc_1000"

When I don't use 'creduid=', the mount command returns:

    mount error(126): Required key not available
    Refer to the mount.cifs(8) manual page (e.g. man mount.cifs)

and the strace output shows that it doesn't try accessing /tmp/krb5cc_* at all.

When I instead try 'cruid=1000', the same error occurs, and again, no
/tmp/krb5cc_* files are being accessed.

In short, I think that either the cifs kernel module needs to allow the
creduid option, or the mount.cifs program needs to strip it out before
calling mount(). After that, I don't know what else has to happen;
perhaps both creduid= and cruid= need to be specified? Or perhaps
creduid= needs to be renamed to kccf= (kerberos cached credentials file,
a name pulled out of a hat)?

Hopefully someone finally makes cifs+kerberos work from /etc/fstab or
/etc/pam.d so that it can be mounted when I log in, without having to
enter my password again.

Thanks!
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to cifs-utils in Ubuntu.
https://bugs.launchpad.net/bugs/676525
Title:
mount.cifs cannot mount with kerberos
Status in cifs-utils package in Ubuntu:
Confirmed
Bug description:
Binary package hint: cifs-utils

Please tell me if this is the wrong channel. I have put this in the
ubuntu forum with no reply here:
http://ubuntuforums.org/showthread.php?t=1623107

From the thread:

mount.cifs used to be able to work with kerberos tickets so long as I
changed the binary to suid root. I understand why this may have fallen
out of favour but since Meerkat, I am unable to get mount.cifs to
mount using kerberos and sudo.

    # Non sudo mount.cifs with/without suid root
    $ mount.cifs //server/share/directory ~/central -o sec=krb5
    mount.cifs: permission denied: no match for /home/CauserC/central found in /etc/fstab

    # Sudo mount.cifs with/without suid root
    $ sudo mount.cifs //server/share/directory ~/central -o sec=krb5
    mount error(126): Required key not available

I do definitely have a kerberos ticket, and both klist and "sudo
klist" show it to me.

Now, it does work if I do a "sudo kinit $USERNAME." Then a sudo
mount.cifs mounts the share no problem. This is obviously less than
ideal because it involves typing in a password again, and subsequent
non sudo klists result in:

    $ klist
    klist: Credentials cache permissions incorrect while setting cache flags (ticket cache FILE:/tmp/krb5cc_10009_8ZePnt)

I'm tempted to file this as a bug report but wanted to check in here
first to make sure that I'm not doing anything stupid. As I say, I
never tried this in Lucid as suid root worked fine.

Any help appreciated

Chris
ProblemType: Bug
DistroRelease: Ubuntu 10.10
Package: smbfs 2:4.5-2
ProcVersionSignature: Ubuntu 2.6.35-22.35-generic-pae 2.6.35.4
Uname: Linux 2.6.35-22-generic-pae i686
NonfreeKernelModules: nvidia
Architecture: i386
Date: Wed Nov 17 15:20:14 2010
InstallationMedia: Ubuntu 10.04 LTS "Lucid Lynx" - Release i386 (20100429)
ProcEnviron:
PATH=(custom, user)
LANG=en_GB.UTF-8
SHELL=/bin/bash
SourcePackage: cifs-utils