Cifs vfs send error in sesssetup 126

My application needs to securely mount an Isilon share using CIFS and Kerberos. My mount attempt returns: Required key not available: mount -t cifs //fileserver.example.com/client123/files /...

"Required key not available" means that cifs.upcall — run by the kernel in response to the mount request — was not able to get a Kerberos ticket for the CIFS server and from that generate the key needed for authenticating to the server (it would go in the kernel keyring of the client thread). cifs.upcall logs to daemon.debug; check those messages first. Usually that’s /var/log/daemon, but you may need to adjust your syslog configuration to include debug-level messages. On my system these look like so:

Aug 19 20:00:26 client.example.com cifs.upcall: [daemon.debug] key description: cifs.spnego;0;0;3f000000;ver=0x2;host=server.example.com;ip4=10.12.0.6;sec=krb5;uid=0x0;creduid=0x2cec;user=res;pid=0x1997
Aug 19 20:00:26 client.example.com cifs.upcall: [daemon.debug] ver=2
Aug 19 20:00:26 client.example.com cifs.upcall: [daemon.debug] host=server.example.com
Aug 19 20:00:26 client.example.com cifs.upcall: [daemon.debug] ip=10.12.0.6
Aug 19 20:00:26 client.example.com cifs.upcall: [daemon.debug] sec=1
Aug 19 20:00:26 client.example.com cifs.upcall: [daemon.debug] uid=0
Aug 19 20:00:26 client.example.com cifs.upcall: [daemon.debug] creduid=11500
Aug 19 20:00:26 client.example.com cifs.upcall: [daemon.debug] user=res
Aug 19 20:00:26 client.example.com cifs.upcall: [daemon.debug] pid=6551
Aug 19 20:00:26 client.example.com cifs.upcall: [daemon.debug] find_krb5_cc: considering /tmp/krb5cc_5601
Aug 19 20:00:26 client.example.com cifs.upcall: [daemon.debug] find_krb5_cc: /tmp/krb5cc_5601 is owned by 5601, not 11500
Aug 19 20:00:26 client.example.com cifs.upcall: [daemon.debug] find_krb5_cc: considering /tmp/krb5cc_5702
...

Ordinarily you’d use a mount command like this:

$ sudo mount -t cifs -o user=acoder,cruid=acoder,sec=krb5 ...

The cruid parameter tells cifs.upcall on behalf of which account this mount is occurring. It will look for Kerberos credential caches (“ccaches”) owned by this account (/tmp/krb5cc_*) first, to see if that account is logged in and has current credentials (e.g. if it’s a person and they’ve done kinit); you can see this in action in the log above where it is “considering” various ccaches. If that fails, it tries to kinit with a keytab. Earlier versions just use the system default keytab, which means the client principal’s keys must go there (usually /etc/krb5.keytab). Later versions have a -K flag you can use to deploy per-user keytabs for this, obviously better on a multi-user system. Note that you don’t need the password in the mount command; the keytab provides that information.

A separate thing to check is that the Kerberos configuration on the client allows getting a CIFS ticket for the server to succeed at all. E.g.:

$ kinit acoder@EXAMPLE.COM
... type your password
$ klist
... see your TGT
$ kvno cifs/fileserver.example.com@EXAMPLE.COM
$ klist
... see CIFS ticket

Anyway there are many variables; start with the cifs.upcall debug log and let’s go from there.

(Note that the first answer is confused and wrong; you should ignore it. There is no need to join the client host to the realm, and its host principal is irrelevant here.)
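The ccache search described in the answer above can be checked mechanically. The following is an added example, not part of the original answer or of cifs-utils: it parses cifs.upcall debug lines and reports which uid the upcall wanted a ccache for and why the request failed. The sample log is constructed in the format shown on this page, and the function names and the short krb5 error table (MIT krb5 values) are assumptions of this example.

```python
import re

# Constructed sample in the format of the cifs.upcall debug lines on this page.
# Request 1 carries creduid (set by cruid=); request 2 has only uid=0x0, as in
# older cifs.upcall output; request 3 finds a ccache and logs no error.
SAMPLE_LOG = """\
Aug 19 20:00:26 client cifs.upcall: [daemon.debug] key description: cifs.spnego;0;0;3f000000;ver=0x2;host=server.example.com;ip4=10.12.0.6;sec=krb5;uid=0x0;creduid=0x2cec;user=res;pid=0x1997
Aug 19 20:00:26 client cifs.upcall: [daemon.debug] find_krb5_cc: considering /tmp/krb5cc_5601
Aug 19 20:00:26 client cifs.upcall: [daemon.debug] find_krb5_cc: /tmp/krb5cc_5601 is owned by 5601, not 11500
Aug 19 20:00:26 client cifs.upcall: [daemon.debug] handle_krb5_mech: getting service ticket for cifs/server.example.com
Aug 19 20:00:26 client cifs.upcall: [daemon.debug] handle_krb5_mech: failed to obtain service ticket (-1765328189)
Apr 14 12:21:06 client cifs.upcall: key description: cifs.spnego;45939;21920;3f000000;ver=0x2;host=foobar.local;ip4=192.0.2.10;sec=krb5;uid=0x0;user=root;pid=0x887
Apr 14 12:21:06 client cifs.upcall: find_krb5_cc: considering /tmp/krb5cc_45939_ui4AgC
Apr 14 12:21:06 client cifs.upcall: find_krb5_cc: /tmp/krb5cc_45939_ui4AgC is owned by 45939, not 0
Apr 14 12:21:06 client cifs.upcall: handle_krb5_mech: getting service ticket for cifs/foobar.local
Apr 14 12:21:06 client cifs.upcall: handle_krb5_mech: failed to obtain service ticket (-1765328189)
Apr 14 12:21:06 client cifs.upcall: handle_krb5_mech: getting service ticket for host/foobar.local
Apr 14 12:21:06 client cifs.upcall: handle_krb5_mech: failed to obtain service ticket (-1765328189)
Aug 19 20:05:00 client cifs.upcall: [daemon.debug] key description: cifs.spnego;0;0;3f000000;ver=0x2;host=server.example.com;ip4=10.12.0.6;sec=krb5;uid=0x0;creduid=0x2cec;user=res;pid=0x19a0
Aug 19 20:05:00 client cifs.upcall: [daemon.debug] find_krb5_cc: considering /tmp/krb5cc_11500
Aug 19 20:05:00 client cifs.upcall: [daemon.debug] handle_krb5_mech: getting service ticket for cifs/server.example.com
"""

KEY_RE = re.compile(r"cifs\.upcall: (?:\[[\w.]+\] )?key description: (\S+)")
CONSIDER_RE = re.compile(r"find_krb5_cc: considering (\S+)")
OWNER_RE = re.compile(r"find_krb5_cc: (\S+) is owned by (\d+), not (\d+)")
SPN_RE = re.compile(r"getting service ticket for (\S+)")
FAIL_RE = re.compile(r"failed to obtain service ticket \((-?\d+)\)")

# MIT krb5 error-table values (knowledge added by this example, not from the page).
KRB5_ERRORS = {
    -1765328189: "KRB5_FCC_NOFILE: no credentials cache found",
    -1765328377: "KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN: server not found in Kerberos database",
    -1765328352: "KRB5KRB_AP_ERR_TKT_EXPIRED: ticket expired",
}


def parse_key_description(desc):
    """Split 'cifs.spnego;...;k=v;...' into a dict; hex-valued fields become ints."""
    fields = {}
    for part in desc.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            hex_field = key in ("uid", "creduid", "pid", "ver")
            fields[key] = int(value, 16) if hex_field else value
    return fields


def analyze(log_text):
    """Group cifs.upcall lines into one record per 'key description' request."""
    requests, cur = [], None
    for line in log_text.splitlines():
        m = KEY_RE.search(line)
        if m:
            f = parse_key_description(m.group(1))
            cur = {"host": f.get("host"), "user": f.get("user"),
                   # creduid is what cruid= sets; without it the upcall uses uid
                   "wanted_uid": f.get("creduid", f.get("uid")),
                   "considered": [], "wrong_owner": {}, "spns": [], "krb5_errors": []}
            requests.append(cur)
        elif cur is not None:
            if (m := OWNER_RE.search(line)):
                cur["wrong_owner"][m.group(1)] = int(m.group(2))
            elif (m := CONSIDER_RE.search(line)):
                cur["considered"].append(m.group(1))
            elif (m := SPN_RE.search(line)):
                cur["spns"].append(m.group(1))
            elif (m := FAIL_RE.search(line)):
                cur["krb5_errors"].append(int(m.group(1)))
    return requests


def diagnose(req):
    """Return (verdict, detail) for one parsed upcall request."""
    usable = [p for p in req["considered"] if p not in req["wrong_owner"]]
    if not req["krb5_errors"]:
        return ("ok", f"ticket requested for {req['spns']} without a logged error")
    reason = KRB5_ERRORS.get(req["krb5_errors"][-1], "unrecognised krb5 code")
    if not usable:
        owners = sorted(set(req["wrong_owner"].values()))
        return ("no-ccache-for-uid",
                f"upcall wanted a ccache owned by uid {req['wanted_uid']}, "
                f"found only owners {owners}; {reason}")
    return ("ticket-request-failed", f"ccache {usable[0]} was used; {reason}")


if __name__ == "__main__":
    for request in analyze(SAMPLE_LOG):
        verdict, detail = diagnose(request)
        print(f"{request['host']} user={request['user']}: {verdict} ({detail})")
```

A "no-ccache-for-uid" verdict with wanted uid 0 usually means the mount was issued without cruid=, so the upcall never looks at the logged-in user's ccache.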

Contents

  1. pam_mount + kerberos + AD
  2. "mount error(126): Required key not available" with CIFS and Kerberos
  3. CIFS VFS: Send error in SessSetup = -126
  4. Bug Description

pam_mount + kerberos + AD

I have Astra Linux SE 1.6 (update 8), joined to the domain using fly-admin-ad-client (winbind). Authentication of a test domain user works, and I added that user to sudoers as an admin. That works. I am trying to attach network drives using pam_mount:

<volume fstype="cifs" server="192.168.0.5" path="Share" mountpoint="/home/MYDOMAIN/testuser/Share" options="user=%(DOMAIN_USER),uid=%(USERUID),rw,setuids,soft,sec=krb5i,cruid=%(USERUID),iocharset=utf8,vers=1.0" />

The directories exist and their permissions are 777. When the user tries to log in, /var/log/auth.log shows:

(mount.c:76): mount error(126): Required key not available

/var/log/kern.log shows:

Sep 13 18:55:22 PC-1 kernel: [ 3540.149560] CIFS VFS: Send error in SessSetup = -126
Sep 13 18:55:22 PC-1 kernel: [ 3540.149571] CIFS VFS: cifs_mount failed w/return code = -126

When mounting manually:

testuser@PC-1:/root$ sudo mount.cifs -v //192.168.0.5/Share /home/MYDOMAIN/testuser/Share user=testuser,uid=3005,sec=krb5i,ver=1
[sudo] пароль для testuser:
(pam_mount.c:365): pam_mount 2.16: entering auth stage
Password for root@//192.168.0.5/Share: *********
mount.cifs kernel mount options: ip=192.168.0.5,unc=192.168.0.5Share,user=root,pass=********
mount error(13): Permission denied
Refer to the mount.cifs(8) manual page (e.g. man mount.cifs)

The mount runs as root, so a krb5cc_0 ticket for root is created in /tmp.

sudo -u testuser mount.cifs -v //192.168.0.5/Share /home/MYDOMAIN/testuser/Share user=testuser,uid=3005,sec=krb5i,ver=1

We get:

mount.cifs: permission denied: no match for /home/MYDOMAIN/testuser/Share found in /etc/fstab

I would ask knowledgeable people to point me in the right direction and tell me where I am going wrong 🙂


"mount error(126): Required key not available" with CIFS and Kerberos

My application needs to securely mount an Isilon share using CIFS and Kerberos. My mount attempt returns Required key not available:

mount -t cifs //fileserver.example.com/client123/files /mnt/client123/files -o username=acoder,password=XXXXXX,sec=krb5

Here are the relevant entries from /var/log/messages

Background and configuration

I added a keytab using:

Verified with klist -kte:

What could be causing the "Required key not available" error?

EDIT: I enabled debugging in CIFS and tried to mount the share again. Here is that output:


CIFS VFS: Send error in SessSetup = -126

Affects Status Importance Assigned to Milestone
cifs-utils (Ubuntu)

Bug Description

Binary package hint: cifs-utils

I'm mounting a samba file server with a kerberos ticket; this works fine until a network failure.
I am able to reproduce this error by pulling the network cable while the samba share is mounted, and putting it back in. It seems like it is not able to find/renew the ticket. The ticket seems fine since I am able to use the internet, which requires kerberos as well.
After the failure syslog gets flooded (several logging rules per second); sometimes it eats all my disk space in /var/log and results in an unusable system.
zcat syslog.2.gz|grep "CIFS VFS: Send error in SessSetup" |wc -l
22449972

If more information is needed let me know.

Technical stuff :
Mount command : mount.cifs //foobar.local/san/$PAM_USER $HOME_mount -o sec=krb5
Ubuntu Lucid LTS 32Bit
Kernel : uname -a
Linux ubuntu-lucid 2.6.32-30-generic #59-Ubuntu SMP Tue Mar 1 21:30:21 UTC 2011 i686 GNU/Linux
Samba-common : 2:3.4.7~dfsg-1ubuntu3.5

Apr 14 12:20:37 ubuntu-lucid kernel: [ 169.308684] e1000e: eth0 NIC Link is Down
Apr 14 12:20:37 ubuntu-lucid NetworkManager: <info> (eth0): carrier now OFF (device state 1)
Apr 14 12:20:54 ubuntu-lucid kernel: [ 186.924066] CIFS VFS: No response for cmd 50 mid 2759
Apr 14 12:20:55 ubuntu-lucid kernel: [ 187.924030] CIFS VFS: No response for cmd 50 mid 2763
Apr 14 12:20:55 ubuntu-lucid kernel: [ 187.925008] CIFS VFS: No response for cmd 50 mid 2760
Apr 14 12:20:55 ubuntu-lucid kernel: [ 187.925516] CIFS VFS: No response for cmd 50 mid 2761
Apr 14 12:20:55 ubuntu-lucid kernel: [ 187.926014] CIFS VFS: No response for cmd 50 mid 2762
Apr 14 12:20:58 ubuntu-lucid kernel: [ 190.564831] e1000e: eth0 NIC Link is Up 100 Mbps Full Duplex, Flow Control: None
Apr 14 12:20:58 ubuntu-lucid kernel: [ 190.564835] 0000:00:19.0: eth0: 10/100 speed: disabling TSO
Apr 14 12:20:58 ubuntu-lucid NetworkManager: <info> (eth0): carrier now ON (device state 1)
Apr 14 12:21:06 ubuntu-lucid cifs.upcall: key description: cifs.spnego;45939;21920;3f000000;ver=0x2;host=foobar.local;ip4=x.x.x.x;sec=krb5;uid=0x0;user=root;pid=0x887
Apr 14 12:21:06 ubuntu-lucid cifs.upcall: find_krb5_cc: considering /tmp/krb5cc_45939_ui4AgC
Apr 14 12:21:06 ubuntu-lucid cifs.upcall: find_krb5_cc: /tmp/krb5cc_45939_ui4AgC is owned by 45939, not 0
Apr 14 12:21:06 ubuntu-lucid cifs.upcall: handle_krb5_mech: getting service ticket for cifs/foobar.local
Apr 14 12:21:06 ubuntu-lucid cifs.upcall: handle_krb5_mech: failed to obtain service ticket (-1765328189)
Apr 14 12:21:06 ubuntu-lucid cifs.upcall: handle_krb5_mech: getting service ticket for host/foobar.local
Apr 14 12:21:06 ubuntu-lucid cifs.upcall: handle_krb5_mech: failed to obtain service ticket (-1765328189)
Apr 14 12:21:06 ubuntu-lucid kernel: [ 198.955402] CIFS VFS: Send error in SessSetup = -126
Apr 14 12:21:06 ubuntu-lucid kernel: [ 198.956295] CIFS VFS: Unexpected lookup error -126

klist shows a valid ticket for foorbar.local

ls -l /tmp/krb
-rw------- 1 l.user somegroup 938 2011-04-14 13:40 krb5cc_45939_iVfJt6

If I install a maverick 2.6.38 kernel the problem is "solved": the system is still usable and there are no more massive cifs errors, but when I use a 2.6.35 kernel from lucid the problem still exists.

Changed in cifs-utils (Ubuntu):
status: New → Confirmed

After some more testing, 2.6.38 doesn’t fix the problem, it delays the problem. If a short network outage occurs everything goes well; if the network outage takes longer than 5 min it still fails with the same cifs 126 error.

Found a stack trace in /var/log/messages/

May 12 04:46:22 ubuntu kernel: [43380.856587] Pid: 19245, comm: chmod Tainted: P (2.6.32-31-generic #61-Ubuntu) HP Compaq 8000 Elite SFF PC
May 12 04:46:22 ubuntu kernel: [43380.856591] EIP: 0060:[ ] EFLAGS: 00210246 CPU: 3
May 12 04:46:22 ubuntu kernel: [43380.856594] EIP is at wait_for_key_construction+0x2a/0x70
May 12 04:46:22 ubuntu kernel: [43380.856596] EAX: 00000000 EBX: 00000000 ECX: c02f4a70 EDX: 00000000
May 12 04:46:22 ubuntu kernel: [43380.856599] ESI: 00000002 EDI: f28b4300 EBP: f0e3bb18 ESP: f0e3bb0c
May 12 04:46:22 ubuntu kernel: [43380.856601] DS: 007b ES: 007b FS: 00d8 GS: 00e0 SS: 0068
May 12 04:46:22 ubuntu kernel: [43380.856607] f8b168c0 00000000 f13d9e00 f0e3bb40 c02f53ba 00000000 00000000 00000000
May 12 04:46:22 ubuntu kernel: [43380.856614] 00000000 f8b0900c f2905480 f2905480 f13d9e00 f0e3bb6c f8b023fc f29054cf
May 12 04:46:22 ubuntu kernel: [43380.856621] f8b09002 00004b2d f6bf2320 f6bf2320 f28b43a2 f28b4300 00000800 00004058
May 12 04:46:22 ubuntu kernel: [43380.856633] [ ] ? request_key+0x5a/0x90
May 12 04:46:22 ubuntu kernel: [43380.856642] [ ] ? cifs_get_spnego_key+0x17c/0x1d0 [cifs]
May 12 04:46:22 ubuntu kernel: [43380.856649] [ ] ? CIFS_SessSetup+0x66d/0xc10 [cifs]
May 12 04:46:22 ubuntu kernel: [43380.856654] [ ] ? default_spin_lock_flags+0x8/0x10
May 12 04:46:22 ubuntu kernel: [43380.856659] [ ] ? extract_buf+0x7e/0xe0
May 12 04:46:22 ubuntu kernel: [43380.856665] [ ] ? cifs_setup_session+0x69/0x1a0 [cifs]
May 12 04:46:22 ubuntu kernel: [43380.856670] [ ] ? _spin_lock_irqsave+0x2f/0x50
May 12 04:46:22 ubuntu kernel: [43380.856676] [ ] ? cifs_reconnect_tcon+0x1ab/0x280 [cifs]
May 12 04:46:22 ubuntu kernel: [43380.856682] [ ] ? smb_init+0x24/0x80 [cifs]
May 12 04:46:22 ubuntu kernel: [43380.856688] [ ] ? CIFSSMBUnixQPathInfo+0x55/0x250 [cifs]
May 12 04:46:22 ubuntu kernel: [43380.856696] [ ] ? cifs_get_inode_info_unix+0x5e/0x100 [cifs]
May 12 04:46:22 ubuntu kernel: [43380.856703] [ ] ? build_path_from_dentry+0xa5/0x1e0 [cifs]
May 12 04:46:22 ubuntu kernel: [43380.856710] [ ] ? build_path_from_dentry+0x17c/0x1e0 [cifs]
May 12 04:46:22 ubuntu kernel: [43380.856714] [ ] ? _spin_lock+0xd/0x10
May 12 04:46:22 ubuntu kernel: [43380.856721] [ ] ? cifs_revalidate+0x1f4/0x3e0 [cifs]
May 12 04:46:22 ubuntu kernel: [43380.856725] [ ] ? dput+0x91/0x130
May 12 04:46:22 ubuntu kernel: [43380.856728] [ ] ? kmap_atomic_prot+0xd5/0xf0
May 12 04:46:22 ubuntu kernel: [43380.856735] [ ] ? cifs_d_revalidate+0x1f/0xe0 [cifs]
May 12 04:46:22 ubuntu kernel: [43380.856739] [ ] ? do_lookup+0x41/0xc0
May 12 04:46:22 ubuntu kernel: [43380.856743] [ ] ? generic_permission+0x1f/0xa0
May 12 04:46:22 ubuntu kernel: [43380.856747] [ ] ? __link_path_walk+0x15d/0xca0
May 12 04:46:22 ubuntu kernel: [43380.856750] [ ] ? kunmap_atomic+0x60/0x70
May 12 04:46:22 ubuntu kernel: [43380.856753] [ ] ? path_walk+0x54/0xc0
May 12 04:46:22 ubuntu kernel: [4338.

On another computer it is slightly different, maybe because of the slightly older kernel?:
May 12 04:57:04 ict143 kernel: [162817.458671] Pid: 331, comm: cp Tainted: P (2.6.32-30-generic #59-Ubuntu) HP Compaq dc7800p Small Form Factor
May 12 04:57:04 ict143 kernel: [162817.458674] EIP: 0060:[ ] EFLAGS: 00210246 CPU: 0
May 12 04:57:04 ict143 kernel: [162817.458677] EIP is at wait_for_key_construction+0x2a/0x70
May 12 04:57:04 ict143 kernel: [162817.458679] EAX: 00000000 EBX: 00000000 ECX: c02f4790 EDX: 00000000
May 12 04:57:04 ict143 kernel: [162817.458682] ESI: 00000002 EDI: f15e2700 EBP: c89cdb18 ESP: c89cdb0c
May 12 04:57:04 ict143 kernel: [162817.458684] DS: 007b ES: 007b FS: 00d8 GS: 00e0 SS: 0068
May 12 04:57:04 ict143 kernel: [162817.458690] f8d7a8a0 00000000 f2128e00 c89cdb40 c02f50da 00000000 00000000 00000000
May 12 04:57:04 ict143 kernel: [162817.458697] 00000000 f8d6cfec ef963cc0 ef963cc0 f2128e00 c89cdb6c f8d663dc ef963d0f
May 12 04:57:04 ict143 kernel: [162817.458704] f8d6cfe2 0000014b f6815780 f6815780 f15e27a2 f15e2700 00000800 00004058
May 12 04:57:04 ict143 kernel: [162817.458715] [ ] ? request_key+0x5a/0x90
May 12 04:57:04 ict143 kernel: [162817.458725] [ ] ? cifs_get_spnego_key+0x17c/0x1d0 [cifs]
May 12 04:57:04 ict143 kernel: [162817.458733] [ ] ? CIFS_SessSetup+0x66d/0xc10 [cifs]
May 12 04:57:04 ict143 kernel: [162817.458738] [ ] ? extract_buf+0x7e/0xe0
May 12 04:57:04 ict143 kernel: [162817.458745] [ ] ? cifs_setup_session+0x69/0x1a0 [cifs]
May 12 04:57:04 ict143 kernel: [162817.458751] [ ] ? cifs_reconnect_tcon+0x1ab/0x280 [cifs]
May 12 04:57:04 ict143 kernel: [162817.458757] [ ] ? smb_init+0x24/0x80 [cifs]
May 12 04:57:04 ict143 kernel: [162817.458764] [ ] ? CIFSSMBUnixQPathInfo+0x55/0x250 [cifs]
May 12 04:57:04 ict143 kernel: [162817.458771] [ ] ? cifs_get_inode_info_unix+0x5e/0x100 [cifs]
May 12 04:57:04 ict143 kernel: [162817.458776] [ ] ? kmap_atomic_prot+0x4c/0xf0
May 12 04:57:04 ict143 kernel: [162817.458783] [ ] ? build_path_from_dentry+0xa5/0x1e0 [cifs]
May 12 04:57:04 ict143 kernel: [162817.458790] [ ] ? build_path_from_dentry+0x17c/0x1e0 [cifs]
May 12 04:57:04 ict143 kernel: [162817.458795] [ ] ? get_page_from_freelist+0x147/0x360
May 12 04:57:04 ict143 kernel: [162817.458800] [ ] ? _spin_lock+0xd/0x10
May 12 04:57:04 ict143 kernel: [162817.458807] [ ] ? cifs_revalidate+0x1f4/0x3e0 [cifs]
May 12 04:57:04 ict143 kernel: [162817.458811] [ ] ? __mem_cgroup_commit_charge+0x4a/0xc0
May 12 04:57:04 ict143 kernel: [162817.458818] [ ] ? cifs_d_revalidate+0x1f/0xe0 [cifs]
May 12 04:57:04 ict143 kernel: [162817.458822] [ ] ? do_lookup+0x41/0xc0
May 12 04:57:04 ict143 kernel: [162817.458826] [ ] ? generic_permission+0x1f/0xa0
May 12 04:57:04 ict143 kernel: [162817.458830] [ ] ? __link_path_walk+0x15d/0xca0
May 12 04:57:04 ict143 kernel: [162817.458834] [ ] ? handle_mm_fault+0x338/0x390
May 12 04:57:04 ict143 kernel: [162817.458837] [ ] ? path_walk+0x54/0xc0
May 12 04:57:04 ict143 ker.

tags: added: cifs kernel lucid samba

More logging
May 20 15:52:41 kernel: [27120.280287] [ ] cifs_file_aio_write+0x2f/0x60 [cifs]
May 20 15:52:41 kernel: [27120.280294] [ ] do_sync_write+0xc4/0x100
May 20 15:52:41 kernel: [27120.280299] [ ] ? autoremove_wake_function+0x0/0x50
May 20 15:52:41 kernel: [27120.280307] [ ] ? security_file_permission+0x14/0x20
May 20 15:52:41 kernel: [27120.280311] [ ] ? rw_verify_area+0x64/0xe0
May 20 15:52:41 kernel: [27120.280318] [ ] vfs_write+0xa2/0x1a0
May 20 15:52:41 kernel: [27120.280321] [ ] ? do_sync_write+0x0/0x100
May 20 15:52:41 kernel: [27120.280329] [ ] ? do_page_fault+0x160/0x3a0
May 20 15:52:41 kernel: [27120.280333] [ ] sys_write+0x42/0x70
May 20 15:52:41 kernel: [27120.280340] [ ] sysenter_do_call+0x12/0x28
May 20 15:52:41 kernel:

May 20 15:50:40 kernel: Send error in SessSetup = -126 Send error in SessSetup = -126
May 20 15:50:41 kernel: [27000. 5763IFSSenr iSet1267000.25 er Sep = .25 CI: Sror in270655S Vnd in tup6
May 20 15:50:41 kernel:

Hi, the "CIFS VFS: No response for cmd 50" problem appears because you are shutting down the network service before Samba unmounts the shares. In many other cases this happens when you stop the OS and it does not unmount the shares correctly.

Now I will try it, and then we will continue to post about your bug. Many thanks.

I am mounting the home directory of a user with mount.cifs; if a packet gets lost while logged in, the cifs error appears and the machine gets unusable.
If I mount the home directory with libpam-mount everything goes fine.
If you need more information please let me know.

Hi, try to mount with this command: "mount.cifs //foobar.local/san/$PAM_USER $HOME_mount --verbose -o sec=krb5" to debug how the mount command works. Many thanks.

All right, I will try it on Tuesday and paste the verbose information.

mount.cifs kernel mount option unc=//foobar.localsan,user=root,ver=1,sec=krb5,prefixpath=$username,ip=$ip-adres

Not much other verbose information while mounting.

Jul 19 08:26:56 ubuntu cifs.upcall: key description: cifs.spnego;0;513;3f000000;ver=0x2;host=foobar.local;ip4=$ip;sec=krb5;uid=0xb373;user=$username;pid=0x1239
Jul 19 08:26:56 ubuntu cifs.upcall: find_krb5_cc: considering /tmp/krb5cc_pam_0SFxOq
Jul 19 08:26:56 ubuntu cifs.upcall: find_krb5_cc: /tmp/krb5cc_pam_0SFxOq is owned by 0, not 45939
Jul 19 08:26:56 ubuntu cifs.upcall: handle_krb5_mech: getting service ticket for cifs/foorbar.local
Jul 19 08:26:56 ubuntu cifs.upcall: handle_krb5_mech: failed to obtain service ticket (-1765328189)
Jul 19 08:26:56 ubuntu cifs.upcall: handle_krb5_mech: getting service ticket for host/foobar.local
Jul 19 08:26:56 ubuntu cifs.upcall: handle_krb5_mech: failed to obtain service ticket (-1765328189)
Jul 19 08:26:56 ubuntu kernel: [ 1003.356085] CIFS VFS: Send error in SessSetup = -126
Jul 19 08:26:56 ubuntu kernel: [ 1003.356093] CIFS VFS: cifs_mount failed w/return code = -126

Machine is a fully updated Lucid 10.4-3

Hi, thanks for your debug reporting. The information I need are these:

Jul 19 08:26:56 ubuntu cifs.upcall: handle_krb5_mech: getting service ticket for cifs/foorbar.local
Jul 19 08:26:56 ubuntu cifs.upcall: handle_krb5_mech: failed to obtain service ticket (-1765328189)
Jul 19 08:26:56 ubuntu cifs.upcall: handle_krb5_mech: getting service ticket for host/foobar.local
Jul 19 08:26:56 ubuntu cifs.upcall: handle_krb5_mech: failed to obtain service ticket (-1765328189)

The same thing was discussed in a Red Hat bug, with a solution. So as not to copy the whole Red Hat bug, I am posting the interesting link:

Let me know your opinion about the discussion done in above link. Thanks.

This is still a problem in 2019? I’ve attached my Ubuntu 18.04.2 desktop to an Active Directory using:

Everything appears to work perfectly until some sort of failure — I can reproduce it under high load, or just waiting. I’ll try pulling the network cable next. After that, any access to the mount causes a hang for that process.

dmesg offers:
[91051.156847] CIFS VFS: Send error in SessSetup = -126
[91051.156860] CIFS VFS: Send error in SessSetup = -126
[91229.140916] INFO: task kworker/3:1:11816 blocked for more than 120 seconds.
[91229.140922] Not tainted 4.18.0-18-generic #19


Issue

  • CIFS with kerberos key invalid causes kernel log to be spammed with messages such as CIFS VFS: Send error in SessSetup = -126
[176985.801866] CIFS VFS: Send error in SessSetup = -126
[176985.801875] CIFS VFS: Send error in SessSetup = -126
[176989.157490] cifs_vfs_err: 410300 callbacks suppressed
[176989.157494] CIFS VFS: Send error in SessSetup = -126

Environment

  • Red Hat Enterprise Linux 7 (cifs client)
    • seen on kernel-3.10.0-957.3.1.el7
    • other RHEL7 kernels likely affected
  • cifs with kerberos


I have joined a Zentyal domain (AD Domain) using PowerBroker IS and I want it to mount my remote home directories when a remote user logs in.
This is the config for PBIS:

AllowDeleteTo ""
AllowReadTo ""
AllowWriteTo ""
MaxDiskUsage 104857600
MaxEventLifespan 90
MaxNumEvents 100000
DomainSeparator "\"
SpaceReplacement "^"
EnableEventlog false
Providers "ActiveDirectory"
DisplayMotd false
PAMLogLevel "error"
UserNotAllowedError "Access denied"
AssumeDefaultDomain true
CreateHomeDir true
CreateK5Login true
SyncSystemTime true
TrimUserMembership true
LdapSignAndSeal false
LogADNetworkConnectionEvents true
NssEnumerationEnabled true
NssGroupMembersQueryCacheOnly true
NssUserMembershipQueryCacheOnly false
RefreshUserCredentials true
CacheEntryExpiry 14400
DomainManagerCheckDomainOnlineInterval 300
DomainManagerUnknownDomainCacheTimeout 3600
MachinePasswordLifespan 2592000
MemoryCacheSizeCap 0
HomeDirPrefix "/home"
HomeDirTemplate "%H/%U"
RemoteHomeDirTemplate "%H/%U"
HomeDirUmask "022"
LoginShellTemplate "/bin/bash"
SkeletonDirs "/etc/skel"
UserDomainPrefix "mosek.zentyal"
DomainManagerIgnoreAllTrusts false
DomainManagerIncludeTrustsList
DomainManagerExcludeTrustsList
RequireMembershipOf
Local_AcceptNTLMv1 true
Local_HomeDirTemplate "%H/%U"
Local_HomeDirUmask "022"
Local_LoginShellTemplate "/bin/sh"
Local_SkeletonDirs "/etc/skel"
UserMonitorCheckInterval 1800
LsassAutostart true
EventlogAutostart true

As I understand it, so long as RemoteHomeDirTemplate is set, it should mount, but the problem is that it doesn’t.

So I thought of trying to find a user, and see how its home dir path is shown, if it is at all:

# /opt/pbis/bin/find-objects --user tomas
User object [1 of 1] (S-1-5-21-755094111-53741902-1678977104-1108)
============
Enabled: yes
Distinguished name: CN=Tomas Nielsen,CN=Users,DC=mosek,DC=zentyal
SAM account name: tomas
NetBIOS domain name: MOSEK
UPN: tomas@MOSEK.ZENTYAL
Display Name: Tomas Nielsen
Alias: <null>
UNIX name: MOSEKtomas
GECOS: Tomas Nielsen
Shell: /bin/bash
Home directory: /home/tomas
Windows home directory: \nyborg.MOSEK.ZENTYALtomas
Local windows home directory: /home/tomas
UID: 1588593748
Primary group SID: S-1-5-21-755094111-53741902-1678977104-513
Primary GID: 1588593153
Password expired: no
Password never expires: no
Change password on next logon: no
User can change password: yes
Account disabled: no
Account expired: no
Account locked: no

So it has a home dir path, both for unix and windows, so I don’t see what could be the problem.

In my /var/log/messages I found some errors:

Dec  4 12:55:30 winbind lsass: [lsass] Failed mount of //nyborg.MOSEK.ZENTYAL/tomas on /home/tomas with data sec=krb5i,user=tomas@MOSEK.ZENTYAL,uid=1588593748,gid=1588593153,cruid=1588593748,ip=172.16.0.5, error 40188 (errno 126)
Dec  4 12:55:30 winbind lsass: [lsass] Failed mount of //nyborg.MOSEK.ZENTYAL/tomas on /home/tomas, error 3690996880 (errno 40188)
Dec  4 12:55:30 winbind lsass: [lsass] Failed to mount directory for user (tomas), actual error 40188
Dec  4 12:55:30 winbind lsass: [lsass] Failed to open session for user (name = 'tomas') -> error = 40188, symbol = LW_ERROR_UNKNOWN, client pid = 2329
Dec  4 12:55:30 winbind kernel: CIFS VFS: Send error in SessSetup = -126
Dec  4 12:55:30 winbind kernel: CIFS VFS: cifs_mount failed w/return code = -126

I tried running the command manually and got the correct error message to error 126:

#mount -t cifs -o sec=krb5i,user=tomas@MOSEK.ZENTYAL,uid=1588593748,gid=1588592152,cruid=1588593748,ip=172.16.0.5 //nyborg.MOSEK.ZENTYAL/tomas /home/tomas
mount error(126): Required key not available
Refer to the mount.cifs(8) manual page (e.g. man mount.cifs)

I checked that I have a krb ticket:

#klist
Ticket cache: KEYRING:persistent:0:0
Default principal: tomas@MOSEK.ZENTYAL

Valid starting       Expires              Service principal
12/09/2014 12:20:36  12/09/2014 22:20:36  krbtgt/MOSEK.ZENTYAL@MOSEK.ZENTYAL
    renew until 12/16/2014 12:20:33

Okay I found out that if I made a ticket with the user, I could mount it manually.
If I go in and kinit tomas@MOSEK.ZENTYAL while on the tomas user, PBIS gets the cifs error 16 instead.

So what could cause this problem?

EDIT:

I tried installing the new version of pbis(PBIS Open 8.2.1), and the error I get is different now:

[root@centosy tomas]# tail /var/log/messages 
Jan 22 12:43:36 centosy lsass: [lsass] Failed mount of //nyborg.MOSEK.ZENTYAL/tomas on /home/tomas with data sec=krb5i,user=tomas@MOSEK.ZENTYAL,uid=1588593748,gid=1588593153,cruid=1588593748,ip=172.16.0.5, error 40158 (errno 13)
Jan 22 12:43:36 centosy lsass: [lsass] Failed mount of //nyborg.MOSEK.ZENTYAL/tomas on /home/tomas, error 1879066032 (errno 40158)
Jan 22 12:43:36 centosy lsass: [lsass] Failed to mount directory for user (tomas), actual error 40158
Jan 22 12:43:36 centosy lsass: [lsass] Failed to open session for user (name = 'tomas') -> error = 40158, symbol = LW_ERROR_ACCESS_DENIED, client pid = 2353
Jan 22 12:43:36 centosy lsass: [lsass] Failed mount of //nyborg.MOSEK.ZENTYAL/tomas on /home/tomas with data sec=krb5,user=tomas@MOSEK.ZENTYAL,uid=1588593748,gid=1588593153,cruid=1588593748,ip=172.16.0.5, error 40158 (errno 13)
Jan 22 12:43:36 centosy lsass: [lsass] Failed mount of //nyborg.MOSEK.ZENTYAL/tomas on /home/tomas with data sec=krb5i,user=tomas@MOSEK.ZENTYAL,uid=1588593748,gid=1588593153,cruid=1588593748,ip=172.16.0.5, error 40158 (errno 13)
Jan 22 12:43:36 centosy lsass: [lsass] Failed mount of //nyborg.MOSEK.ZENTYAL/tomas on /home/tomas, error 1879066032 (errno 40158)
Jan 22 12:43:36 centosy lsass: [lsass] Failed to mount directory for user (tomas), actual error 40158
Jan 22 12:43:36 centosy lsass: [lsass] Failed to open session for user (name = 'tomas') -> error = 40158, symbol = LW_ERROR_ACCESS_DENIED, client pid = 2353
Jan 22 12:44:11 centosy su: (to root) tomas on pts/0

I have a Synology NAS and multiple Ubuntu clients in my network. I set up Active Directory integration on the clients following the instructions here https://ubuntu.com/server/docs/service-sssd.
Everything works splendidly.
However, trying to set up a mount action on login following these instructions here https://wiki.ubuntu.com/MountWindowsSharesPermanently fails.
I set up the mount using the instructions from chapter "Mount password protected shares using libpam_mount (Ubuntu 9.04)". I set up the .pam_mount.conf.xml file and added

<?xml version="1.0" encoding="utf-8" ?>
<pam_mount>
<volume options="uid=$USER,gid=100,dmask=0700" user="*" mountpoint="/mnt/shares/pictures" path="Pictures" server="serverIpAddress" />
</pam_mount>

Following the debugging strategy I tried to mount everything manually to see where it gets stuck. I can mount the share when using sudo and using default security type with user and password

sudo mount -t cifs -ousername=myname //myserver/Pictures /media/shares/test

When trying to use sec=krb5

sudo mount -t cifs -osec=krb5 //myserver/Pictures /media/shares/test

it returns the very helpful message mount error(2): No such file or directory. Dmesg is showing this

CIFS: VFS: Verify user has a krb5 ticket and keyutils is installed
CIFS: VFS: \myserver Send error in SessSetup = -126
CIFS: VFS: cifs_mount failed w/return code = -2

Researching the web I spent hours trying to set the version, gid, uid, cruid in the mount command but nothing works. From what I can see I am also getting a correct kerberos ticket using klist. Some post suggested this check.

Ticket cache: FILE:/tmp/krb5cc_710201106_e2vIcu
Default principal: myName@ZIMMI.LOCALE

Valid starting       Expires              Service principal
12.04.2021 08:52:57  12.04.2021 18:52:57  krbtgt/MYDOMAIN.LOCALE@MYDOMAIN.LOCALE
renew until 13.04.2021 08:52:57

I also checked with smbclient if I can see the shares from my NAS using the kerberos ticket and that works fine too.

smbclient -k -L myserver.mydomain.locale

There is a similar post based on Ubuntu 18.04 (I am using 20.04 LTS) here: "Mount.cifs with krb5 fails while smbclient with same krb5-ticket works"

I checked that keyutils is installed but don’t know how to implement that answer about the keytab file, and I lack the knowledge to judge if that is actually the problem ("mount" needs a corresponding entry in the keytab file pointing to kerberos).

Thanks for any suggestion that might help to resolve this.
