[arch-general] Bug with CIFS mount
Hi All,

I suppose I hit this bug: https://bugs.archlinux.org/task/68963 and it seems it is not fully resolved. I didn't request to reopen the bug, because I'm not 100% sure it is really the same thing.

I have a setup with kerberos/sssd/pam/autofs, authenticating with an active directory, and cifs mounts stopped working. Login and nfs with kerberos work fine, so the issue is quite likely with cifs. Mounting the cifs share works with libcap-ng-0.8-1, but not with libcap-ng-0.8.2-1. I have cifs-utils 6.11-2, sssd 2.4.0-2 and krb5 1.18.2-1.

Did I miss something or am I hitting something special due to the setup? Does anybody have a clue what could be the issue?

I include lots of details about the config and logs, but tl;dr:

"mount -t cifs -o domain=DOM,sec=krb5,soft,noserverino,cifsacl,username=theUser,cruid=1234567,vers=3.0 //nas.example.com/theUser /nas/home/theUser"

fails with

"cifs.upcall[532824]: drop_all_capabilities: Unable to apply capability set: Success"

Best,
Tasnad

Substituted values
==================
* myMachine: the client's hostname (not fqdn)
* theUser: the nonroot user trying to mount via autofs
* 1234567: uid of theUser (from Active directory)
* DOM: the AD domain
* DOM.EXAMPLE.COM: domain, fqdn

/etc/krb5.conf
==============
[libdefaults]
default_realm = DOM.EXAMPLE.COM
udp_preference_limit = 0
default_ccache_name = FILE:/tmp/krb5cc_%{uid}
dns_lookup_realm = true
dns_lookup_kdc = true
rdns = false
ticket_lifetime = 10h
renew_lifetime = 7d
forwardable = true

sssd.conf
=========
[sssd]
config_file_version = 2
domains = DOM.EXAMPLE.COM
services = nss, pam

[nss]
default_shell = /bin/bash
shell_fallback = /bin/bash
filter_groups = root
filter_users = root

[domain/DOM.EXAMPLE.COM]
id_provider = ad
auth_provider = ad
access_provider = simple
ldap_schema = ad
sudo_provider = none
cache_credentials = false
krb5_store_password_if_offline = false
dyndns_update = false
ldap_id_mapping = false
use_fully_qualified_names = false
enumerate = false
ignore_group_members = true
case_sensitive = preserving
ad_enable_gc = false
ad_hostname = myMachine
ldap_search_base = [...]
ldap_user_search_base = [...]
ldap_user_search_scope = [...]
ldap_group_search_base = [...]
ldap_group_search_scope = [...]

nsswitch.conf
=============
passwd: files sss
group: files sss
shadow: files sss
gshadow: files sss
publickey: files
hosts: files mymachines myhostname resolve [!UNAVAIL=return] dns
networks: files
protocols: files
services: files sss
ethers: files
rpc: files
netgroup: files sss
automount: sss

homes.autofs
============
/nas/home /etc/autofs/auto.master.d/home.map -domain=DOM,fstype=cifs,sec=krb5,soft,noserverino,cifsacl

home.map
========
* -username=$USER,cruid=$UID,vers=3.0 ://nas.example.com/&

cifs idmap plugin
============
/etc/cifs_utils/idmap-plugin -> /usr/lib/cifs-utils/cifs_idmap_sss.so

klist
=====
Ticket cache: FILE:/tmp/krb5cc_<uid>
Default principal: theUser@DOM.EXAMPLE.COM

Valid starting       Expires              Service principal
12/16/2020 11:31:48  12/16/2020 21:25:18  krbtgt/DOM.EXAMPLE.COM@DOM.EXAMPLE.COM
        renew until 12/23/2020 11:25:18

automount -fd
=============
handle_packet: type = 3
handle_packet_missing_indirect: token 727, name theUser, request pid 532818
attempting to mount entry /nas/home/theUser
lookup_mount: lookup(file): looking up theUser
lookup_mount: lookup(file): theUser -> -username=$USER,cruid=$UID,vers=3.0 ://nas.example.com/&
parse_mount: parse(sun): expanded entry: -username=theUser,cruid=1234567,vers=3.0 ://nas.example.com/theUser
parse_mount: parse(sun): gathered options: domain=DOM,fstype=cifs,sec=krb5,soft,noserverino,cifsacl,username=theUser,cruid=1234567,vers=3.0
parse_mount: parse(sun): dequote("://nas.example.com/theUser") -> ://nas.example.com/theUser
parse_mount: parse(sun): core of entry: options=domain=DOM,fstype=cifs,sec=krb5,soft,noserverino,cifsacl,username=theUser,cruid=1234567,vers=3.0, loc=://nas.example.com/theUser
sun_mount: parse(sun): mounting root /nas/home, mountpoint theUser, what //nas.example.com/theUser, fstype cifs, options domain=DOM,sec=krb5,soft,noserverino,cifsacl,username=theUser,cruid=1234567,vers=3.0
do_mount: //nas.example.com/theUser /nas/home/theUser type cifs options domain=DOM,sec=krb5,soft,noserverino,cifsacl,username=theUser,cruid=1234567,vers=3.0 using module generic
mount_mount: mount(generic): calling mkdir_path /nas/home/theUser
mount(generic): calling mount -t cifs -o domain=DOM,sec=krb5,soft,noserverino,cifsacl,username=theUser,cruid=1234567,vers=3.0 //nas.example.com/theUser /nas/home/theUser
mount error(126): Required key not available
Refer to the mount.cifs(8) manual page (e.g. man mount.cifs) and kernel log messages (dmesg)
mount(generic): failed to mount //nas.example.com/theUser (type cifs) on /nas/home/theUser
dev_ioctl_send_fail: token = 727
failed to mount /nas/home/theUser

journalctl
==============
kernel: CIFS: fs/cifs/cifsfs.c: Devname: //nas.example.com/theUser flags: 0
kernel: CIFS: fs/cifs/connect.c: Domain name set
kernel: CIFS: fs/cifs/connect.c: Username: theUser
kernel: CIFS: fs/cifs/connect.c: file mode: 0755 dir mode: 0755
kernel: CIFS: fs/cifs/connect.c: VFS: in mount_get_conns as Xid: 684 with uid: 0
kernel: CIFS: fs/cifs/connect.c: UNC: \\nas.example.com\theUser
kernel: CIFS: fs/cifs/connect.c: Socket created
kernel: CIFS: fs/cifs/connect.c: sndbuf 16384 rcvbuf 131072 rcvtimeo 0x834
kernel: CIFS: fs/cifs/connect.c: Demultiplex PID: 532823
kernel: CIFS: fs/cifs/fscache.c: cifs_fscache_get_client_cookie: (0x000[...]8/0x0000[...]d)
kernel: CIFS: fs/cifs/connect.c: VFS: in cifs_get_smb_ses as Xid: 685 with uid: 0
kernel: CIFS: fs/cifs/connect.c: Existing smb sess not found
kernel: CIFS: fs/cifs/smb2pdu.c: Negotiate protocol
kernel: CIFS: fs/cifs/transport.c: Sending smb: smb_len=106
kernel: CIFS: fs/cifs/connect.c: RFC1002 header 0xfa
kernel: CIFS: fs/cifs/smb2misc.c: SMB2 data length 122 offset 128
kernel: CIFS: fs/cifs/smb2misc.c: SMB2 len 250
kernel: CIFS: fs/cifs/transport.c: cifs_sync_mid_result: cmd=0 mid=0 state=4
kernel: CIFS: fs/cifs/misc.c: Null buffer passed to cifs_small_buf_release
kernel: CIFS: fs/cifs/smb2pdu.c: mode 0x1
kernel: CIFS: fs/cifs/smb2pdu.c: negotiated smb3.0 dialect
kernel: CIFS: fs/cifs/asn1.c: OID len = 7 oid = 0x1 0x2 0x348 0xbb92
kernel: CIFS: fs/cifs/asn1.c: OID len = 7 oid = 0x1 0x2 0x348 0x1bb92
kernel: CIFS: fs/cifs/asn1.c: OID len = 10 oid = 0x1 0x3 0x6 0x1
kernel: CIFS: fs/cifs/connect.c: Security Mode: 0x1 Capabilities: 0x300057 TimeAdjust: 0
kernel: CIFS: fs/cifs/smb2pdu.c: Session Setup
kernel: CIFS: fs/cifs/smb2pdu.c: sess setup type 5
kernel: CIFS: fs/cifs/cifs_spnego.c: key description = ver=0x2;host=nas.example.com;ip4=10.0.0.1;sec=krb5;uid=0x0;creduid=0x12D687;user=theUser;pid=0x82155
cifs.upcall[532824]: key description: cifs.spnego;0;0;39010000;ver=0x2;host=nas.example.com;ip4=10.0.0.1;sec=krb5;uid=0x0;creduid=0x12D687;user=theUser;pid=0x82155
cifs.upcall[532824]: ver=2
cifs.upcall[532824]: host=nas.example.com
cifs.upcall[532824]: ip=10.0.0.1
cifs.upcall[532824]: sec=1
cifs.upcall[532824]: uid=0
cifs.upcall[532824]: creduid=1234567
cifs.upcall[532824]: user=theUser
cifs.upcall[532824]: pid=532821
cifs.upcall[532824]: get_cachename_from_process_env: pathname=/proc/532821/environ
cifs.upcall[532824]: drop_all_capabilities: Unable to apply capability set: Success
cifs.upcall[532824]: Exit status 1
kernel: CIFS: VFS: Verify user has a krb5 ticket and keyutils is installed
kernel: CIFS: VFS: \\nas.example.com Send error in SessSetup = -126
kernel: CIFS: fs/cifs/connect.c: VFS: leaving cifs_get_smb_ses (xid = 685) rc = -126
kernel: CIFS: fs/cifs/dfs_cache.c: __dfs_cache_find: search path: \nas.example.com\theUser
kernel: CIFS: fs/cifs/dfs_cache.c: get_dfs_referral: get an DFS referral for \nas.example.com\theUser
kernel: CIFS: fs/cifs/fscache.c: cifs_fscache_release_client_cookie: (0x0000[...]8/0x00000[...]d)
kernel: CIFS: fs/cifs/connect.c: VFS: leaving mount_put_conns (xid = 684) rc = 0
kernel: CIFS: VFS: cifs_mount failed w/return code = -126
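
An added triage example, not part of the original post and not cifs-utils code: it reads journal lines shaped like the ones quoted above, decodes the hex fields of the cifs.spnego key description, and separates a cifs.upcall helper that exited with an error from a mount where no helper failure was logged. The sample lines are constructed from the log in the post; the function names and verdict labels are hypothetical.

```python
import re

ENOKEY = 126  # Linux errno behind "Required key not available"
HEX_FIELDS = {"ver", "uid", "creduid", "pid"}

# Constructed sample, shaped like the journal lines quoted in the post.
SAMPLE = [
    r"kernel: CIFS: fs/cifs/cifs_spnego.c: key description = ver=0x2;host=nas.example.com;"
    r"ip4=10.0.0.1;sec=krb5;uid=0x0;creduid=0x12D687;user=theUser;pid=0x82155",
    r"cifs.upcall[532824]: get_cachename_from_process_env: pathname=/proc/532821/environ",
    r"cifs.upcall[532824]: drop_all_capabilities: Unable to apply capability set: Success",
    r"cifs.upcall[532824]: Exit status 1",
    r"kernel: CIFS: VFS: \\nas.example.com Send error in SessSetup = -126",
]


def parse_key_description(line):
    """Return the key=value fields of a cifs.spnego key description."""
    _, _, desc = line.partition("key description")
    fields = {}
    for item in desc.lstrip(" =:").split(";"):
        key, sep, value = item.strip().partition("=")
        if sep:  # skips the bare "cifs.spnego;0;0;..." prefix items
            fields[key] = int(value, 16) if key in HEX_FIELDS else value
    return fields


def triage(lines):
    """Classify a failed sec=krb5 mount from kernel and cifs.upcall lines."""
    out = {"fields": {}, "stage": None, "exit": None, "rc": None, "verdict": "other"}
    for line in lines:
        if "key description" in line and not out["fields"]:
            out["fields"] = parse_key_description(line)
        upcall = re.search(r"cifs\.upcall\[\d+\]: (.*)", line)
        if upcall:
            msg = upcall.group(1)
            if msg.startswith("Exit status "):
                out["exit"] = int(msg.split()[-1])
            elif ": " in msg:
                out["stage"] = msg.split(": ", 1)[0]  # last step the helper logged
        sess = re.search(r"SessSetup = (-?\d+)", line)
        if sess:
            out["rc"] = int(sess.group(1))
    if out["rc"] == -ENOKEY and out["exit"]:
        out["verdict"] = "upcall-failed"  # helper exited before returning a key
    elif out["rc"] == -ENOKEY:
        out["verdict"] = "no-key"         # ENOKEY without a logged helper failure
    return out
```
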
On 16-12-2020 14:09, Tasnad Kernetzky via arch-general wrote:
> Hi All,

Hi,

> I suppose I hit this bug: https://bugs.archlinux.org/task/68963 and it seems it is not fully resolved. I didn't request to reopen the bug, because I'm not 100% sure it is really the same thing.

The bug you're linking is marked as duplicate of this one: https://bugs.archlinux.org/task/68666

That one has been re-opened yesterday, so it seems likely that the problem is not solved yet. But you also shouldn't re-open the duplicate issue. Judging from the comments on the re-opened issue, an additional patch has been sent upstream already.

I hope this helps :)

-- Maarten
On Thu, 17 Dec 2020 at 00:12, Maarten de Vries <maarten@de-vri.es> wrote:
> On 16-12-2020 14:09, Tasnad Kernetzky via arch-general wrote:
>> Hi All,
>
> Hi,
>
>> I suppose I hit this bug: https://bugs.archlinux.org/task/68963 and it seems it is not fully resolved. I didn't request to reopen the bug, because I'm not 100% sure it is really the same thing.
>
> The bug you're linking is marked as duplicate of this one: https://bugs.archlinux.org/task/68666
>
> That one has been re-opened yesterday, so it seems likely that the problem is not solved yet. But you also shouldn't re-open the duplicate issue. Judging from the comments on the re-opened issue, an additional patch has been sent upstream already.
>
> I hope this helps :)
>
> -- Maarten

Oh well, it literally says "sorry for the duplicate", how could I miss that.

Thank you very much and also thanks to/for the patche[r]s!

Best,
Tasnad