[Bug 1900856] Re: multiuser mount with sec=krb5: cifs_mount failed w/return code = -2

Alexander Fieroch 1900856 at bugs.launchpad.net
Thu Oct 29 13:00:38 UTC 2020


Hm, if I add an AD username I can mount the share with a valid Kerberos
ticket for the user:

root@kubuntu-lts:# mount -vvv -o sec=krb5,multiuser,vers=3.0,cruid=ntfieroch //FILESERVER/share /mnt/test/
mount.cifs kernel mount options: ip=X.X.X.X,unc=\\FILESERVER/share,sec=krb5,multiuser,vers=3.0,cruid=10011,user=root,pass=********

I want to mount the samba share with the multiuser option using the machine
account's UPN in AD. Is that working for you?


If I specify UPN I get:

root@kubuntu-lts:# kinit -k KUBUNTU-LTS$
root@kubuntu-lts:# klist -ket /etc/krb5.keytab
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   2 22.10.2020 10:54:16 KUBUNTU-LTS$@MPI-DORTMUND.MPG.DE (arcfour-hmac) 
   2 22.10.2020 10:54:16 KUBUNTU-LTS$@MPI-DORTMUND.MPG.DE (aes128-cts-hmac-sha1-96) 
   2 22.10.2020 10:54:16 KUBUNTU-LTS$@MPI-DORTMUND.MPG.DE (aes256-cts-hmac-sha1-96) 
   2 22.10.2020 10:54:16 host/KUBUNTU-LTS@MPI-DORTMUND.MPG.DE (arcfour-hmac)
   2 22.10.2020 10:54:16 host/KUBUNTU-LTS@MPI-DORTMUND.MPG.DE (aes128-cts-hmac-sha1-96)
   2 22.10.2020 10:54:16 host/KUBUNTU-LTS@MPI-DORTMUND.MPG.DE (aes256-cts-hmac-sha1-96)
   2 22.10.2020 10:54:16 host/kubuntu-lts.client.mpi-dortmund.mpg.de@MPI-DORTMUND.MPG.DE (arcfour-hmac)
   2 22.10.2020 10:54:16 host/kubuntu-lts.client.mpi-dortmund.mpg.de@MPI-DORTMUND.MPG.DE (aes128-cts-hmac-sha1-96)
   2 22.10.2020 10:54:16 host/kubuntu-lts.client.mpi-dortmund.mpg.de@MPI-DORTMUND.MPG.DE (aes256-cts-hmac-sha1-96)
   2 22.10.2020 10:54:16 RestrictedKrbHost/KUBUNTU-LTS@MPI-DORTMUND.MPG.DE (arcfour-hmac)
   2 22.10.2020 10:54:16 RestrictedKrbHost/KUBUNTU-LTS@MPI-DORTMUND.MPG.DE (aes128-cts-hmac-sha1-96)
   2 22.10.2020 10:54:16 RestrictedKrbHost/KUBUNTU-LTS@MPI-DORTMUND.MPG.DE (aes256-cts-hmac-sha1-96)
   2 22.10.2020 10:54:16 RestrictedKrbHost/kubuntu-lts.client.mpi-dortmund.mpg.de@MPI-DORTMUND.MPG.DE (arcfour-hmac)
   2 22.10.2020 10:54:17 RestrictedKrbHost/kubuntu-lts.client.mpi-dortmund.mpg.de@MPI-DORTMUND.MPG.DE (aes128-cts-hmac-sha1-96)
   2 22.10.2020 10:54:17 RestrictedKrbHost/kubuntu-lts.client.mpi-dortmund.mpg.de@MPI-DORTMUND.MPG.DE (aes256-cts-hmac-sha1-96)

root@kubuntu-lts:# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: KUBUNTU-LTS$@MPI-DORTMUND.MPG.DE

Valid starting       Expires              Service principal
29.10.2020 13:49:42  29.10.2020 23:49:42  krbtgt/MPI-DORTMUND.MPG.DE@MPI-DORTMUND.MPG.DE
        renew until 30.10.2020 13:49:42

root@kubuntu-lts:# mount -vvv -o sec=krb5,multiuser,vers=3.0,username='KUBUNTU-LTS$' //FILESERVER/share /mnt/test/
mount.cifs kernel mount options: ip=X.X.X.X,unc=\\FILESERVER\share,sec=krb5,multiuser,vers=3.0,user=KUBUNTU-LTS$,pass=********
mount error(13): Permission denied
Refer to the mount.cifs(8) manual page (e.g. man mount.cifs) and kernel log messages (dmesg)


The samba configuration for the smb share on FILESERVER has the UPN as valid user: 
[share]
  path = /mnt/share
  valid users = +"domain users", "KUBUNTU-LTS$"
  force group = "domain users"



Hm, now I get a different return code = -13 in dmesg:

[87872.570848] fs/cifs/cifsfs.c: Devname: //FILESERVER/share flags: 0
[87872.570889] fs/cifs/connect.c: Username: KUBUNTU-LTS$
[87872.570894] fs/cifs/connect.c: file mode: 0755  dir mode: 0755
[87872.570897] fs/cifs/connect.c: CIFS VFS: in mount_get_conns as Xid: 82 with uid: 0
[87872.570899] fs/cifs/connect.c: UNC: \\FILESERVER\share
[87872.570912] fs/cifs/connect.c: Socket created
[87872.570914] fs/cifs/connect.c: sndbuf 16384 rcvbuf 131072 rcvtimeo 0x6d6
[87872.580468] fs/cifs/fscache.c: cifs_fscache_get_client_cookie: (0x000000002f2c35d1/0x00000000bd141cbc)
[87872.580470] fs/cifs/connect.c: Demultiplex PID: 14724
[87872.580475] fs/cifs/connect.c: CIFS VFS: in cifs_get_smb_ses as Xid: 83 with uid: 0
[87872.580476] fs/cifs/connect.c: Existing smb sess not found
[87872.580479] fs/cifs/smb2pdu.c: Negotiate protocol
[87872.580500] fs/cifs/transport.c: Sending smb: smb_len=106
[87872.585816] fs/cifs/connect.c: RFC1002 header 0xe0
[87872.585823] fs/cifs/smb2misc.c: SMB2 data length 96 offset 128
[87872.585823] fs/cifs/smb2misc.c: SMB2 len 224
[87872.585851] fs/cifs/transport.c: cifs_sync_mid_result: cmd=0 mid=0 state=4
[87872.585857] fs/cifs/misc.c: Null buffer passed to cifs_small_buf_release
[87872.585859] fs/cifs/smb2pdu.c: mode 0x1
[87872.585860] fs/cifs/smb2pdu.c: negotiated smb3.0 dialect
[87872.585863] fs/cifs/asn1.c: OID len = 7 oid = 0x1 0x2 0x348 0xbb92
[87872.585864] fs/cifs/asn1.c: OID len = 7 oid = 0x1 0x2 0x348 0x1bb92
[87872.585865] fs/cifs/asn1.c: OID len = 10 oid = 0x1 0x3 0x6 0x1
[87872.585867] fs/cifs/connect.c: Security Mode: 0x1 Capabilities: 0x300047 TimeAdjust: 0
[87872.585868] fs/cifs/smb2pdu.c: Session Setup
[87872.585869] fs/cifs/smb2pdu.c: sess setup type 5
[87872.585873] fs/cifs/cifs_spnego.c: key description = ver=0x2;host=FILESERVER;ip4=X.X.X.X;sec=krb5;uid=0x0;creduid=0x0;user=KUBUNTU-LTS$;pid=0x3982
[87872.591266] fs/cifs/transport.c: Sending smb: smb_len=1502
[87872.598034] fs/cifs/connect.c: RFC1002 header 0x49
[87872.598040] fs/cifs/smb2misc.c: SMB2 data length 0 offset 0
[87872.598041] fs/cifs/smb2misc.c: SMB2 len 73
[87872.598056] fs/cifs/transport.c: cifs_sync_mid_result: cmd=1 mid=1 state=4
[87872.598059] Status code returned 0xc0000022 STATUS_ACCESS_DENIED
[87872.598064] fs/cifs/smb2maperror.c: Mapping SMB2 status code 0xc0000022 to POSIX err -13
[87872.598065] fs/cifs/misc.c: Null buffer passed to cifs_small_buf_release
[87872.598071] CIFS VFS: \\FILESERVER Send error in SessSetup = -13
[87872.598076] fs/cifs/connect.c: CIFS VFS: leaving cifs_get_smb_ses (xid = 83) rc = -13
[87872.598084] fs/cifs/fscache.c: cifs_fscache_release_client_cookie: (0x000000002f2c35d1/0x00000000bd141cbc)
[87872.598096] fs/cifs/connect.c: CIFS VFS: leaving mount_put_conns (xid = 82) rc = 0
[87872.598097] CIFS VFS: cifs_mount failed w/return code = -13

https://bugs.launchpad.net/bugs/1900856

Title:
  multiuser mount with sec=krb5: cifs_mount failed w/return code = -2

Status in cifs-utils package in Ubuntu:
  New

Bug description:
  I want to mount a cifs-share with kerberos and multiuser option. On
  Ubuntu it fails. Same command and system configuration is working on a
  RedHat linux. Maybe there's a regression in cifs-utils or another
  library that differs from RedHat?

  Ubuntu 20.04.1
  cifs-utils 6.9-1ubuntu0.1

  RedHat 7.9
  cifs-utils 6.2-10.el7

  We have joined our clients to AD with realm --membership-software=adcli
  and use sssd for authentication.

  
  What I did:
  root@kubuntu-lts:# kinit -k KUBUNTU-LTS$
  root@kubuntu-lts:# klist
  Ticket cache: FILE:/tmp/krb5cc_10011_r0AC1F
  Default principal: KUBUNTU-LTS$@MPI-DORTMUND.MPG.DE

  Valid starting       Expires              Service principal
  21.10.2020 16:16:20  22.10.2020 02:16:20  krbtgt/MPI-DORTMUND.MPG.DE@MPI-DORTMUND.MPG.DE
          renew until 22.10.2020 16:16:20
  root@kubuntu-lts:# mount //FILESERVER/SHARE /mnt/test -o sec=krb5,multiuser,file_mode=0660,dir_mode=0770,nounix,noserverino
  mount error(2): No such file or directory
  Refer to the mount.cifs(8) manual page (e.g. man mount.cifs) and kernel log messages (dmesg)

  
  Share can be mounted as a user without multiuser option but not with system UPN and multiuser option. This is working on a system with RedHat 7.9.

  I also enabled debug information for cifs:

  echo 'module cifs +p' > /sys/kernel/debug/dynamic_debug/control
  echo 'file fs/cifs/* +p' > /sys/kernel/debug/dynamic_debug/control
  echo 7 > /proc/fs/cifs/cifsFYI
  echo 1 > /sys/module/dns_resolver/parameters/debug

  
  Now I can see additional information in dmesg:

  [350004.228812] fs/cifs/cifsfs.c: Devname: //SERVER/SHARE flags: 0
  [350004.228856] No dialect specified on mount. Default has changed to a more secure dialect, SMB2.1 or later (e.g. SMB3), from CIFS (SMB1). To use the less secure SMB1 dialect to access old servers which do not support SMB3 (or SMB2.1) specify vers=1.0 on mount.
  [350004.228858] fs/cifs/connect.c: Username: root
  [350004.228862] fs/cifs/connect.c: file mode: 0660  dir mode: 0770
  [350004.228866] fs/cifs/connect.c: CIFS VFS: in mount_get_conns as Xid: 109 with uid: 0
  [350004.228867] fs/cifs/connect.c: UNC: \\SERVER\SHARE
  [350004.228881] fs/cifs/connect.c: Socket created
  [350004.228883] fs/cifs/connect.c: sndbuf 16384 rcvbuf 131072 rcvtimeo 0x6d6
  [350004.229238] fs/cifs/connect.c: Demultiplex PID: 94569
  [350004.229278] fs/cifs/fscache.c: cifs_fscache_get_client_cookie: (0x0000000035f51052/0x00000000f0122aa2)
  [350004.229297] fs/cifs/connect.c: CIFS VFS: in cifs_get_smb_ses as Xid: 110 with uid: 0
  [350004.229315] fs/cifs/connect.c: Existing smb sess not found
  [350004.229321] fs/cifs/smb2pdu.c: Negotiate protocol
  [350004.229350] fs/cifs/transport.c: Sending smb: smb_len=284
  [350004.230011] fs/cifs/connect.c: RFC1002 header 0x114
  [350004.230018] fs/cifs/smb2misc.c: SMB2 data length 85 offset 128
  [350004.230019] fs/cifs/smb2misc.c: SMB2 len 213
  [350004.230020] fs/cifs/smb2misc.c: length of negcontexts 60 pad 3
  [350004.230046] fs/cifs/transport.c: cifs_sync_mid_result: cmd=0 mid=0 state=4
  [350004.230052] fs/cifs/misc.c: Null buffer passed to cifs_small_buf_release
  [350004.230054] fs/cifs/smb2pdu.c: mode 0x1
  [350004.230055] fs/cifs/smb2pdu.c: negotiated smb3.1.1 dialect
  [350004.230058] fs/cifs/asn1.c: OID len = 7 oid = 0x1 0x2 0x348 0x1bb92
  [350004.230059] fs/cifs/asn1.c: OID len = 10 oid = 0x1 0x3 0x6 0x1
  [350004.230060] fs/cifs/smb2pdu.c: decoding 2 negotiate contexts
  [350004.230061] fs/cifs/smb2pdu.c: decode SMB3.11 encryption neg context of len 4
  [350004.230061] fs/cifs/smb2pdu.c: SMB311 cipher type:2
  [350004.230063] fs/cifs/connect.c: Security Mode: 0x1 Capabilities: 0x300056 TimeAdjust: 0
  [350004.230064] fs/cifs/smb2pdu.c: Session Setup
  [350004.230065] fs/cifs/smb2pdu.c: sess setup type 5
  [350004.230069] fs/cifs/cifs_spnego.c: key description = ver=0x2;host=SERVER;ip4=XXX.XXX.XXX.XXX;sec=krb5;uid=0x0;creduid=0x0;user=root;pid=0x17167
  [350004.235985] CIFS VFS: Verify user has a krb5 ticket and keyutils is installed
  [350004.235994] CIFS VFS: \\SERVER Send error in SessSetup = -126
  [350004.236000] fs/cifs/connect.c: CIFS VFS: leaving cifs_get_smb_ses (xid = 110) rc = -126
  [350004.236004] fs/cifs/connect.c: build_unc_path_to_root: full_path=\\SERVER\SHARE
  [350004.236006] fs/cifs/connect.c: build_unc_path_to_root: full_path=\\SERVER\SHARE
  [350004.236008] fs/cifs/connect.c: build_unc_path_to_root: full_path=\\SERVER\SHARE
  [350004.236011] fs/cifs/dfs_cache.c: do_dfs_cache_find: search path: \SERVER\SHARE
  [350004.236013] fs/cifs/dfs_cache.c: do_dfs_cache_find: cache miss
  [350004.236017] fs/cifs/dfs_cache.c: do_dfs_cache_find: search path: \SERVER\SHARE
  [350004.236018] fs/cifs/dfs_cache.c: do_dfs_cache_find: cache miss
  [350004.236029] fs/cifs/fscache.c: cifs_fscache_release_client_cookie: (0x0000000035f51052/0x00000000f0122aa2)
  [350004.236037] fs/cifs/connect.c: CIFS VFS: leaving mount_put_conns (xid = 109) rc = 0
  [350004.236039] CIFS VFS: cifs_mount failed w/return code = -2

  
  The error is:
  [350004.235985] CIFS VFS: Verify user has a krb5 ticket and keyutils is installed
  [350004.235994] CIFS VFS: \\SERVER Send error in SessSetup = -126
  [350004.236039] CIFS VFS: cifs_mount failed w/return code = -2

  
  Of course keyutils is installed:

  root@kubuntu-lts:# dpkg -l keyutils
  ii  keyutils       1.6-6ubuntu1 amd64        Linux Key Management Utilities

  
  It looks like the kerberos ticket is not found to mount the share with UPN. But I have a valid ticket:

  root@kubuntu-lts:# klist
  Ticket cache: FILE:/tmp/krb5cc_10011_r0AC1F
  Default principal: KUBUNTU-LTS$@MPI-DORTMUND.MPG.DE

  Valid starting       Expires              Service principal
  21.10.2020 16:16:20  22.10.2020 02:16:20  krbtgt/MPI-DORTMUND.MPG.DE@MPI-DORTMUND.MPG.DE
          renew until 22.10.2020 16:16:20

  
  My keytab:

  root@kubuntu-lts:# klist -ket /etc/krb5.keytab
  Keytab name: FILE:/etc/krb5.keytab
  KVNO Timestamp           Principal
  ---- ------------------- ------------------------------------------------------
     3 21.10.2020 15:43:11 kubuntu-lts$@MPI-DORTMUND.MPG.DE (arcfour-hmac) 
     3 21.10.2020 15:43:11 kubuntu-lts$@MPI-DORTMUND.MPG.DE (aes128-cts-hmac-sha1-96) 
     3 21.10.2020 15:43:11 kubuntu-lts$@MPI-DORTMUND.MPG.DE (aes256-cts-hmac-sha1-96) 
     3 21.10.2020 15:43:12 KUBUNTU-LTS$@MPI-DORTMUND.MPG.DE (arcfour-hmac) 
     3 21.10.2020 15:43:12 KUBUNTU-LTS$@MPI-DORTMUND.MPG.DE (aes128-cts-hmac-sha1-96) 
     3 21.10.2020 15:43:12 KUBUNTU-LTS$@MPI-DORTMUND.MPG.DE (aes256-cts-hmac-sha1-96) 
     3 21.10.2020 15:43:12 host/kubuntu-lts@MPI-DORTMUND.MPG.DE (arcfour-hmac)
     3 21.10.2020 15:43:12 host/kubuntu-lts@MPI-DORTMUND.MPG.DE (aes128-cts-hmac-sha1-96)
     3 21.10.2020 15:43:12 host/kubuntu-lts@MPI-DORTMUND.MPG.DE (aes256-cts-hmac-sha1-96)
     3 21.10.2020 15:43:12 host/kubuntu-lts.client.mpi-dortmund.mpg.de@MPI-DORTMUND.MPG.DE (arcfour-hmac)
     3 21.10.2020 15:43:13 host/kubuntu-lts.client.mpi-dortmund.mpg.de@MPI-DORTMUND.MPG.DE (aes128-cts-hmac-sha1-96)
     3 21.10.2020 15:43:13 host/kubuntu-lts.client.mpi-dortmund.mpg.de@MPI-DORTMUND.MPG.DE (aes256-cts-hmac-sha1-96)
     3 21.10.2020 15:43:13 RestrictedKrbHost/kubuntu-lts@MPI-DORTMUND.MPG.DE (arcfour-hmac)
     3 21.10.2020 15:43:13 RestrictedKrbHost/kubuntu-lts@MPI-DORTMUND.MPG.DE (aes128-cts-hmac-sha1-96)
     3 21.10.2020 15:43:13 RestrictedKrbHost/kubuntu-lts@MPI-DORTMUND.MPG.DE (aes256-cts-hmac-sha1-96)
     3 21.10.2020 15:43:13 RestrictedKrbHost/kubuntu-lts.client.mpi-dortmund.mpg.de@MPI-DORTMUND.MPG.DE (arcfour-hmac)
     3 21.10.2020 15:43:13 RestrictedKrbHost/kubuntu-lts.client.mpi-dortmund.mpg.de@MPI-DORTMUND.MPG.DE (aes128-cts-hmac-sha1-96)
     3 21.10.2020 15:43:14 RestrictedKrbHost/kubuntu-lts.client.mpi-dortmund.mpg.de@MPI-DORTMUND.MPG.DE (aes256-cts-hmac-sha1-96)
     3 21.10.2020 15:43:14 cifs/kubuntu-lts.client.mpi-dortmund.mpg.de@MPI-DORTMUND.MPG.DE (arcfour-hmac)
     3 21.10.2020 15:43:14 cifs/kubuntu-lts.client.mpi-dortmund.mpg.de@MPI-DORTMUND.MPG.DE (aes128-cts-hmac-sha1-96)
     3 21.10.2020 15:43:14 cifs/kubuntu-lts.client.mpi-dortmund.mpg.de@MPI-DORTMUND.MPG.DE (aes256-cts-hmac-sha1-96)
     3 21.10.2020 15:43:14 cifs/KUBUNTU-LTS@MPI-DORTMUND.MPG.DE (arcfour-hmac)
     3 21.10.2020 15:43:14 cifs/KUBUNTU-LTS@MPI-DORTMUND.MPG.DE (aes128-cts-hmac-sha1-96)
     3 21.10.2020 15:43:14 cifs/KUBUNTU-LTS@MPI-DORTMUND.MPG.DE (aes256-cts-hmac-sha1-96)

  
  This looks like a bug or regression to me because it's working on RedHat 7.9 with a previous release of cifs-utils.
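
As an added example (not part of the original report and not cifs-utils code), this Python function reads cifs debug output like the two dmesg traces in this message and reports which identity was handed to the Kerberos key upcall and whether Session Setup failed with a server status or before any server reply. The names `summarize`, `FIRST` and `SECOND` are assumptions; the sample lines are trimmed from the traces above.

```python
import re

# Linux errno numbers that appear in the two traces.
ERRNO = {2: "ENOENT", 13: "EACCES", 126: "ENOKEY"}
KEY = re.compile(r"cifs_spnego\.c: key description = (\S+)")
STATUS = re.compile(r"Status code returned 0x[0-9a-f]+ (\w+)")
SESS = re.compile(r"Send error in SessSetup = -(\d+)")
MOUNT = re.compile(r"cifs_mount failed w/return code = -(\d+)")

def summarize(dmesg):
    """Extract the upcall identity and the failure codes from cifs debug output."""
    out = {"user": None, "creduid": None, "nt_status": None,
           "sess_setup": None, "mount": None, "failed_at": None}
    for line in dmesg.splitlines():
        if m := KEY.search(line):
            # Fields are ';'-separated key=value pairs; uid/creduid are hex.
            kv = dict(f.split("=", 1) for f in m.group(1).split(";") if "=" in f)
            out["user"] = kv.get("user")
            out["creduid"] = int(kv["creduid"], 16) if "creduid" in kv else None
        elif m := STATUS.search(line):
            out["nt_status"] = m.group(1)
        elif m := SESS.search(line):
            out["sess_setup"] = ERRNO.get(int(m.group(1)), m.group(1))
        elif m := MOUNT.search(line):
            out["mount"] = ERRNO.get(int(m.group(1)), m.group(1))
    if out["sess_setup"]:
        # An NT status line means the server answered the Session Setup;
        # without one, the error did not come from a server reply.
        out["failed_at"] = "server reply" if out["nt_status"] else "client side"
    return out

# Trimmed from the original bug description (mount without username=).
FIRST = r"""
[350004.230069] fs/cifs/cifs_spnego.c: key description = ver=0x2;host=SERVER;ip4=XXX.XXX.XXX.XXX;sec=krb5;uid=0x0;creduid=0x0;user=root;pid=0x17167
[350004.235985] CIFS VFS: Verify user has a krb5 ticket and keyutils is installed
[350004.235994] CIFS VFS: \\SERVER Send error in SessSetup = -126
[350004.236039] CIFS VFS: cifs_mount failed w/return code = -2
"""

# Trimmed from the follow-up trace (mount with username='KUBUNTU-LTS$').
SECOND = r"""
[87872.585873] fs/cifs/cifs_spnego.c: key description = ver=0x2;host=FILESERVER;ip4=X.X.X.X;sec=krb5;uid=0x0;creduid=0x0;user=KUBUNTU-LTS$;pid=0x3982
[87872.598059] Status code returned 0xc0000022 STATUS_ACCESS_DENIED
[87872.598071] CIFS VFS: \\FILESERVER Send error in SessSetup = -13
[87872.598103] CIFS VFS: cifs_mount failed w/return code = -13
"""

if __name__ == "__main__":
    for name, trace in (("first", FIRST), ("second", SECOND)):
        print(name, summarize(trace))
```
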
