Re: [Samba] cifs-utils: regression in (mulituser?) mounting 'CIFS VFS: Send error in SessSetup = -126'




On Thu, 2017-02-09 at 14:45 -0600, Chad William Seys wrote:
> Hi Jeff,
> Could you look at the following mailing list posting?
> 
> https://lists.samba.org/archive/samba/2017-February/206468.html
> 
> It looks like cifs.upcall has changed its behavior.  As described in 
> that post, I can mount with root / kerberos, but then cannot access with 
> another user who has credentials.
> 
> The logs indicate that cifs.upcall cannot find the kerberos ticket for 
> the non-root user.
> 
> This problem does not exist in cifs-utils 6.5 and does exist in 6.6.
> 
> My best guess ATM is that the below commit caused the problem.
> 
> Thanks for your time!
> Chad.
> 
> commit 9be6e885c3bd63aa6ae9e6351e1b33a4b15d9183
> Author: Jeff Layton <jlayton@xxxxxxxxx>
> Date:   Sun Aug 21 09:42:59 2016 -0400
> 
>      cifs.upcall: use krb5 routines to get default ccname
>
>      Currently we end up groveling around in /tmp, trying to guess what
>      the credcache will be. Instead, just get the default ccname for the
>      user, and then see if it has a valid tgt. If it doesn't then we try to
>      use the keytab to init the credcache before proceeding.


Thanks... let's see...

The logs have this in the non-working case:

     Feb  8 09:48:14 trog cifs.upcall: get_tgt_time: unable to get principal

That corresponds to this bit of code in cifs.upcall:

        if (krb5_cc_get_principal(context, ccache, &principal)) {
                syslog(LOG_DEBUG, "%s: unable to get principal", __func__);
                goto err_cache;
        }

So we have a default credcache for the user for whom we are operating
as, but we can't get the default principal name from it. My guess is
that it's not finding the 

The big difference between 6.5 and 6.6 is that we changed to not trying
to scan /tmp for a credcache (which was always a bit sketchy). Instead,
we rely on the info in krb5.conf to point cifs.upcall to the correct
credcache. My guess is that that isn't working in your case for some
reason.

I'll see if I can cook up a patch to flesh out the debugging there a
bit. It'd be nice to see what cifs.upcall thinks the current
credcache location is.

-- 
Jeff Layton <jlayton@xxxxxxxxx>
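
The message above says that 6.6 relies on krb5.conf to name the credcache instead of scanning /tmp. The following is an added example, not code from cifs-utils or from either poster: a small Python check that works out the default cache name the configuration gives for a uid and compares it with the cache name a login session actually uses. The sample configs, the user `alice`, uid 1000 and the randomized cache file name are constructed assumptions, and only the `%{...}` tokens relevant to cache names are expanded.

```python
import re

# MIT krb5's built-in default on Unix when default_ccache_name is unset.
BUILTIN_DEFAULT = "FILE:/tmp/krb5cc_%{uid}"

# Constructed sample configs (not taken from the thread).
CONF_NO_DEFAULT = """
[libdefaults]
    default_realm = EXAMPLE.COM
"""
CONF_KEYRING = """
[libdefaults]
    default_realm = EXAMPLE.COM
    default_ccache_name = KEYRING:persistent:%{uid}
"""

def default_ccache_template(conf_text):
    """Return default_ccache_name from [libdefaults], else the built-in."""
    section = None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            section = header.group(1)
        elif section == "libdefaults" and "=" in line:
            key, value = (p.strip() for p in line.split("=", 1))
            if key == "default_ccache_name":
                return value
    return BUILTIN_DEFAULT

def resolve_ccname(conf_text, uid, username, tmpdir="/tmp"):
    """Expand %{...} tokens (euid assumed equal to uid); unknown ones stay."""
    tokens = {"uid": str(uid), "euid": str(uid), "USERID": str(uid),
              "username": username, "TEMP": tmpdir, "null": ""}
    return re.sub(r"%\{(\w+)\}", lambda m: tokens.get(m.group(1), m.group(0)),
                  default_ccache_template(conf_text))

def check_user(conf_text, uid, username, session_ccname):
    """Compare the session's cache with what a default-name lookup yields."""
    default = resolve_ccname(conf_text, uid, username)
    # The krb5 library treats a name without a type prefix as FILE:.
    session = session_ccname if ":" in session_ccname else "FILE:" + session_ccname
    return {"default": default, "session": session, "match": default == session}

if __name__ == "__main__":
    # Constructed case: the login session exports a randomized cache name.
    print(check_user(CONF_NO_DEFAULT, 1000, "alice", "FILE:/tmp/krb5cc_1000_Ab3dEf"))
```

A `match` of `False` means a lookup that only asks for the default name would open a different cache from the one holding the user's ticket.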
