# klist
Ticket cache: KEYRING:persistent:0:0
Default principal: Administrator@TEST.ALTLINUX

Valid starting       Expires              Service principal
11.05.2017 19:30:55  12.05.2017 05:30:55  krbtgt/TEST.ALTLINUX@TEST.ALTLINUX
        renew until 18.05.2017 19:30:52

# grep default_ccache_name /etc/krb5.conf
    default_ccache_name = KEYRING:persistent:%{uid}

# mount -t cifs '//test.altlinux/sysvol' /root/share --verbose -o user=root,uid=0,gid=0,sec=krb5,cruid=0,nounix,uid=0,gid=0,file_mode=0664,dir_mode=0775,sec=krb5
mount.cifs kernel mount options: ip=192.168.3.1,unc=\\test.altlinux\sysvol,sec=krb5,nounix,file_mode=0664,dir_mode=0775,sec=krb5,uid=0,cruid=0,gid=0,user=root,pass=********
mount error(126): Required key not available
Refer to the mount.cifs(8) manual page (e.g. man mount.cifs)

# journalctl -n2
-- Logs begin at Сб 2017-04-08 08:30:08 MSK, end at Чт 2017-05-11 19:54:51 MSK. --
май 11 19:54:51 client02.test.altlinux kernel: CIFS VFS: Send error in SessSetup = -126
май 11 19:54:51 client02.test.altlinux kernel: CIFS VFS: cifs_mount failed w/return code = -126
This is very strange... Let's figure it out. It works for me:

[sin@base ~]$ klist
klist: Credentials cache keyring 'persistent:500:500' not found
[sin@base ~]$ sudo mount -o noperm,cruid=sin,sec=krb5 //tor/srv ~/srv
mount error(126): Required key not available
Refer to the mount.cifs(8) manual page (e.g. man mount.cifs)
[sin@base ~]$ kinit
Password for sin@DARKMASTERSIN.NET:
[sin@base ~]$ klist
Ticket cache: KEYRING:persistent:500:500
Default principal: sin@DARKMASTERSIN.NET

Valid starting       Expires              Service principal
17.05.2017 21:19:23  18.05.2017 21:19:19  krbtgt/DARKMASTERSIN.NET@DARKMASTERSIN.NET
[sin@base ~]$ sudo mount -o noperm,cruid=sin,sec=krb5 //tor/srv ~/srv
[sin@base ~]$ rpm -q cifs-utils
cifs-utils-6.7-alt1.M80P.1
[sin@base ~]$ klist
Ticket cache: KEYRING:persistent:500:500
Default principal: sin@DARKMASTERSIN.NET

Valid starting       Expires              Service principal
17.05.2017 21:19:34  18.05.2017 21:19:19  cifs/tor@DARKMASTERSIN.NET
17.05.2017 21:19:34  18.05.2017 21:19:19  cifs/tor@
17.05.2017 21:19:23  18.05.2017 21:19:19  krbtgt/DARKMASTERSIN.NET@DARKMASTERSIN.NET
Exactly the same, but as root and with your parameters:

[sin@base ~]$ su -
Password:
[root@base ~]# klist
klist: Credentials cache keyring 'persistent:0:0' not found
[root@base ~]# kinit sin
Password for sin@DARKMASTERSIN.NET:
[root@base ~]# klist
Ticket cache: KEYRING:persistent:0:0
Default principal: sin@DARKMASTERSIN.NET

Valid starting       Expires              Service principal
17.05.2017 21:23:49  18.05.2017 21:23:45  krbtgt/DARKMASTERSIN.NET@DARKMASTERSIN.NET
[root@base ~]# mkdir srv
[root@base ~]# sudo mount -o user=root,uid=0,gid=0,sec=krb5,cruid=0,nounix,uid=0,gid=0,file_mode=0664,dir_mode=0775,sec=krb5 //tor/srv ~/srv
[root@base ~]# klist
Ticket cache: KEYRING:persistent:0:0
Default principal: sin@DARKMASTERSIN.NET

Valid starting       Expires              Service principal
17.05.2017 21:24:27  18.05.2017 21:23:45  cifs/tor@DARKMASTERSIN.NET
17.05.2017 21:24:27  18.05.2017 21:23:45  cifs/tor@
17.05.2017 21:23:49  18.05.2017 21:23:45  krbtgt/DARKMASTERSIN.NET@DARKMASTERSIN.NET

Without keys, as expected, it does not work:

[root@base ~]# umount ~/srv/
[root@base ~]# kdestroy
[root@base ~]# mount -o user=root,uid=0,gid=0,sec=krb5,cruid=0,nounix,uid=0,gid=0,file_mode=0664,dir_mode=0775,sec=krb5 //tor/srv ~/srv
mount error(126): Required key not available
Refer to the mount.cifs(8) manual page (e.g. man mount.cifs)

I'll try updating and re-checking.
The server settings need checking. Mine are:

[sin@tor ~]$ sudo klist -k
[sudo] password for sin:
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/tor.darkmastersin.net@DARKMASTERSIN.NET
   2 host/tor.darkmastersin.net@DARKMASTERSIN.NET
   2 host/tor.darkmastersin.net@DARKMASTERSIN.NET
   2 cifs/tor.darkmastersin.net@DARKMASTERSIN.NET
   2 cifs/tor.darkmastersin.net@DARKMASTERSIN.NET
   2 cifs/tor.darkmastersin.net@DARKMASTERSIN.NET
   3 cifs/tor@DARKMASTERSIN.NET
   3 cifs/tor@DARKMASTERSIN.NET
   3 cifs/tor@DARKMASTERSIN.NET
  10 host/tor.darkmastersin.net@DARKMASTERSIN.NET
  10 host/tor.darkmastersin.net@DARKMASTERSIN.NET
  10 host/tor.darkmastersin.net@DARKMASTERSIN.NET
   3 cifs/tor.darkmastersin.net@DARKMASTERSIN.NET
   3 cifs/tor.darkmastersin.net@DARKMASTERSIN.NET
   3 cifs/tor.darkmastersin.net@DARKMASTERSIN.NET
   4 cifs/tor@DARKMASTERSIN.NET
   4 cifs/tor@DARKMASTERSIN.NET
   4 cifs/tor@DARKMASTERSIN.NET

[sin@tor ~]$ testparm
Load smb config files from /etc/samba/smb.conf
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
Processing section "[homes]"
Processing section "[srv]"
Loaded services file OK.
Server role: ROLE_STANDALONE

Press enter to see a dump of your service definitions

# Global parameters
[global]
        realm = DARKMASTERSIN.NET
        server string = Samba Server Version %v
        workgroup = DARKMASTERSIN
        log file = /var/log/samba/log.%m
        max log size = 50
        disable spoolss = Yes
        load printers = No
        printcap name = /dev/null
        kerberos method = system keytab
        map to guest = Bad User
        security = USER
        username map = /etc/samba/smbusers
        idmap config * : backend = tdb
        use sendfile = Yes

[homes]
        comment = Home Directories
        browseable = No
        read only = No

[srv]
        comment = Server Data
        path = /srv
        read only = No
On the substance of the problem as filed, "cifs-utils does not use the Kerberos cache in KEYRING": have you tried without KEYRING? Did that work? It works for me too:

[sin@base ~]$ klist
klist: Credentials cache keyring 'persistent:500:500' not found
[sin@base ~]$ export KRB5CCNAME=FILE:/tmp/krb5cc_sin
[sin@base ~]$ klist
klist: No credentials cache found (filename: /tmp/krb5cc_sin)
[sin@base ~]$ kinit
Password for sin@DARKMASTERSIN.NET:
[sin@base ~]$ klist
Ticket cache: FILE:/tmp/krb5cc_sin
Default principal: sin@DARKMASTERSIN.NET

Valid starting       Expires              Service principal
17.05.2017 21:41:24  18.05.2017 21:41:14  krbtgt/DARKMASTERSIN.NET@DARKMASTERSIN.NET
[sin@base ~]$ sudo mount -o noperm,cruid=sin,sec=krb5 //tor/srv ~/srv
[sin@base ~]$ klist
Ticket cache: FILE:/tmp/krb5cc_sin
Default principal: sin@DARKMASTERSIN.NET

Valid starting       Expires              Service principal
17.05.2017 21:41:24  18.05.2017 21:41:14  krbtgt/DARKMASTERSIN.NET@DARKMASTERSIN.NET
17.05.2017 21:41:36  18.05.2017 21:41:14  cifs/tor@
17.05.2017 21:41:36  18.05.2017 21:41:14  cifs/tor@DARKMASTERSIN.NET
(In reply to comment #4)
> On the substance of the problem as filed, "cifs-utils does not use the Kerberos cache in KEYRING":
> have you tried without KEYRING? Did that work?

No, that does not work either. Connecting with a username and password does work, though. The Samba DC server was set up a long time ago.
From /var/log/daemons/info:

May 12 18:52:36 client02 cifs.upcall: key description: cifs.spnego;0;0;39010000;ver=0x2;host=test.altlinux;ip4=192.168.3.1;sec=krb5;uid=0x1f10e5e6;creduid=0x1f10e5e6;user=cas;pid=0x2ef8
May 12 18:52:36 client02 cifs.upcall: ver=2
May 12 18:52:36 client02 cifs.upcall: host=test.altlinux
May 12 18:52:36 client02 cifs.upcall: ip=192.168.3.1
May 12 18:52:36 client02 cifs.upcall: sec=1
May 12 18:52:36 client02 cifs.upcall: uid=521201126
May 12 18:52:36 client02 cifs.upcall: creduid=521201126
May 12 18:52:36 client02 cifs.upcall: user=cas
May 12 18:52:36 client02 cifs.upcall: pid=12024
May 12 18:52:36 client02 cifs.upcall: get_cachename_from_process_env: pathname=/proc/12024/environ
May 12 18:52:36 client02 cifs.upcall: get_existing_cc: default ccache is KEYRING:persistent:521201126:krb_ccache_u06gFrp
May 12 18:52:36 client02 cifs.upcall: handle_krb5_mech: getting service ticket for test.altlinux
May 12 18:52:36 client02 cifs.upcall: cifs_krb5_get_req: unable to get credentials for test.altlinux
May 12 18:52:36 client02 cifs.upcall: handle_krb5_mech: failed to obtain service ticket (-1765328377)
May 12 18:52:36 client02 cifs.upcall: Unable to obtain service ticket
May 12 18:52:36 client02 cifs.upcall: Exit status -1765328377

$ klist
Ticket cache: KEYRING:persistent:521201126:krb_ccache_u06gFrp
Default principal: cas@TEST.ALTLINUX

Valid starting       Expires              Service principal
12.05.2017 15:23:35  13.05.2017 01:23:35  krbtgt/TEST.ALTLINUX@TEST.ALTLINUX
        renew until 18.05.2017 19:23:31

# klist -k
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/client02.test.altlinux@TEST.ALTLINUX
   2 host/CLIENT02@TEST.ALTLINUX
   2 host/client02.test.altlinux@TEST.ALTLINUX
   2 host/CLIENT02@TEST.ALTLINUX
   2 host/client02.test.altlinux@TEST.ALTLINUX
   2 host/CLIENT02@TEST.ALTLINUX
   2 host/client02.test.altlinux@TEST.ALTLINUX
   2 host/CLIENT02@TEST.ALTLINUX
   2 host/client02.test.altlinux@TEST.ALTLINUX
   2 host/CLIENT02@TEST.ALTLINUX
   2 CLIENT02$@TEST.ALTLINUX
   2 CLIENT02$@TEST.ALTLINUX
   2 CLIENT02$@TEST.ALTLINUX
   2 CLIENT02$@TEST.ALTLINUX
   2 CLIENT02$@TEST.ALTLINUX
$ kinit -k host/test.altlinux@TEST.ALTLINUX
kinit: Client 'host/test.altlinux@TEST.ALTLINUX' not found in Kerberos database while getting initial credentials

So the question is: why did the server's host principal not end up in the keytab? And how do I get it in there?
Yes... there it is:

- May 12 18:52:36 client02 cifs.upcall: cifs_krb5_get_req: unable to get credentials for test.altlinux
- kinit: Client 'host/test.altlinux@TEST.ALTLINUX' not found in Kerberos database while getting initial credentials

Well, that is how it should be. What is the server actually called: test.altlinux or server.test.altlinux?

The domain has no SPN.
(In reply to comment #8)
> Well, that is how it should be. What is the server actually called: test.altlinux or
> server.test.altlinux?
>
> The domain has no SPN.

Yes, exactly! With the server's full name everything works.
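The diagnosis in this thread can be read straight off the cifs.upcall lines in comment 6: the kernel asks the upcall for a ticket for cifs/<host>, where <host> is whatever the UNC named, and the upcall exit status is a raw krb5 error number. The script below is an added example, not part of the bug report and not cifs-utils code. It decodes the logged key description and exit status and flags the case where the mount target is the realm name rather than a server. It assumes the keyctl_describe() layout type;uid;gid;perm;description for the key description, that the hex uid/creduid/pid fields decode to the decimal values the upcall logs, and the krb5 error-table base -1765328384 (KRB5KDC_ERR_NONE). The sample line is copied from comment 6 and the realm TEST.ALTLINUX is taken from the principal shown there.

```python
"""Decode a cifs.upcall key description and exit status (added example)."""

# ERROR_TABLE_BASE_krb5: library error numbers are this base plus the
# Kerberos protocol error code (KRB5KDC_ERR_NONE == base + 0).
KRB5_ERROR_BASE = -1765328384

# Only the KDC codes relevant to this kind of failure; others stay numeric.
KDC_ERR_NAMES = {
    6: "KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN (client not found in Kerberos database)",
    7: "KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN (server not found in Kerberos database)",
    18: "KRB5KDC_ERR_CLIENT_REVOKED",
    24: "KRB5KDC_ERR_PREAUTH_FAILED",
}

# Fields the kernel writes as 0x-prefixed hex in the key description.
HEX_FIELDS = {"ver", "uid", "creduid", "pid"}

# Sample input, copied from the cifs.upcall log in comment 6 of this thread.
SAMPLE_KEY_DESC = (
    "cifs.spnego;0;0;39010000;ver=0x2;host=test.altlinux;ip4=192.168.3.1;"
    "sec=krb5;uid=0x1f10e5e6;creduid=0x1f10e5e6;user=cas;pid=0x2ef8"
)
SAMPLE_EXIT_STATUS = -1765328377
SAMPLE_REALM = "TEST.ALTLINUX"


def parse_key_description(desc):
    """Split 'type;uid;gid;perm;description' (keyctl_describe layout, assumed);
    the description part is the kernel's own 'k=v;k=v' string."""
    ktype, kuid, kgid, kperm, payload = desc.split(";", 4)
    fields = {"type": ktype, "key_uid": int(kuid), "key_gid": int(kgid), "key_perm": kperm}
    for item in payload.split(";"):
        if not item:
            continue
        key, _, value = item.partition("=")
        fields[key] = int(value, 16) if key in HEX_FIELDS else value
    return fields


def krb5_error_name(status):
    """Map a raw krb5 error number (as printed in 'Exit status') to a name."""
    code = status - KRB5_ERROR_BASE
    return KDC_ERR_NAMES.get(code, "krb5 error %d (offset %d from table base)" % (status, code))


def diagnose(desc, exit_status, realm):
    """Reconstruct the SPN cifs.upcall requested and flag a UNC that names
    the realm/domain instead of a server, which has no cifs/ SPN."""
    fields = parse_key_description(desc)
    host = fields["host"]
    return {
        "host": host,
        "spn": "cifs/%s@%s" % (host, realm),
        "cred_uid": fields["creduid"],
        "host_is_realm": host.lower() == realm.lower(),
        "error": None if exit_status == 0 else krb5_error_name(exit_status),
    }


def report(desc, exit_status, realm):
    """Human-readable summary of diagnose()."""
    d = diagnose(desc, exit_status, realm)
    lines = ["service ticket requested: %s (ccache of uid %d)" % (d["spn"], d["cred_uid"])]
    if d["error"]:
        lines.append("cifs.upcall failed with %s" % d["error"])
    if d["host_is_realm"]:
        lines.append("'%s' is the realm name, not a server: the KDC holds no cifs/ SPN "
                     "for it; mount //<server fqdn>/<share> instead" % d["host"])
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_KEY_DESC, SAMPLE_EXIT_STATUS, SAMPLE_REALM))
```

On the thread's log the exit status decodes to base + 7, KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN, the same "not found in Kerberos database" that the kinit in comment 6 reports for host/test.altlinux: the name being mounted is the domain, so no service principal exists for it. The live check this script cannot do offline is `kvno cifs/<host>@REALM` with the mounting user's ticket; if that fails for the name in the UNC, mounting by that name will fail in exactly this way regardless of whether the cache is KEYRING or FILE.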