Mounting cifs-share with kerberos fails: mount error(126): Required key not available

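Recently, mounting a Samba share with Kerberos stopped working. The same share with the same mount options works on another server. So I assume there is nothing wrong with our DNS settings and/or Active Directory settings. It seems to be a client problem.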

The output of

mount share

mount error(126): Required key not available
Refer to the mount.cifs(8) manual page (e.g. man mount.cifs)

The fstab entry looks like this:

//servername/share /home/username/share cifs _netdev,users,sec=krb5,noperm,noauto 0 0

The log shows:

Feb 21 10:01:11 clientserver cifs.upcall: key description: cifs.spnego;0;0;39010000;ver=0x2;host=192.168.0.7;ip4=192.168.0.7;sec=krb5;uid=0x2b9d;creduid=0x2b9d;user=username;pid=0x68c6

Feb 21 10:01:11 clientserver cifs.upcall: ver=2
Feb 21 10:01:11 clientserver cifs.upcall: host=192.168.0.7
Feb 21 10:01:11 clientserver cifs.upcall: ip=192.168.0.7
Feb 21 10:01:11 clientserver cifs.upcall: sec=1
Feb 21 10:01:11 clientserver cifs.upcall: uid=11165
Feb 21 10:01:11 clientserver cifs.upcall: creduid=11165
Feb 21 10:01:11 clientserver cifs.upcall: user=username
Feb 21 10:01:11 clientserver cifs.upcall: pid=26822
Feb 21 10:01:11 clientserver cifs.upcall: find_krb5_cc: scandir error on directory '/run/user/11165': No such file or directory
Feb 21 10:01:11 clientserver cifs.upcall: find_krb5_cc: considering /tmp/krb5cc_11165
Feb 21 10:01:11 clientserver cifs.upcall: find_krb5_cc: FILE:/tmp/krb5cc_11165 is valid ccache
Feb 21 10:01:11 clientserver cifs.upcall: find_krb5_cc: considering /tmp/krb5cc_11167
Feb 21 10:01:11 clientserver cifs.upcall: find_krb5_cc: /tmp/krb5cc_11167 is owned by 11167, not 11165
Feb 21 10:01:11 clientserver cifs.upcall: find_krb5_cc: considering /tmp/krb5cc_0
Feb 21 10:01:11 clientserver cifs.upcall: find_krb5_cc: /tmp/krb5cc_0 is owned by 0, not 11165
Feb 21 10:01:11 clientserver cifs.upcall: find_krb5_cc: considering /tmp/krb5cc_11176
Feb 21 10:01:11 clientserver cifs.upcall: find_krb5_cc: /tmp/krb5cc_11176 is owned by 11176, not 11165
Feb 21 10:01:11 clientserver cifs.upcall: find_krb5_cc: considering /tmp/krb5cc_11174
Feb 21 10:01:11 clientserver cifs.upcall: find_krb5_cc: /tmp/krb5cc_11174 is owned by 11174, not 11165
Feb 21 10:01:11 clientserver cifs.upcall: find_krb5_cc: considering /tmp/krb5cc_11308
Feb 21 10:01:11 clientserver cifs.upcall: find_krb5_cc: /tmp/krb5cc_11308 is owned by 11308, not 11165
Feb 21 10:01:11 clientserver cifs.upcall: handle_krb5_mech: getting service ticket for 192.168.0.7
Feb 21 10:01:11 clientserver cifs.upcall: cifs_krb5_get_req: unable to get credentials for 192.168.0.7
Feb 21 10:01:11 clientserver cifs.upcall: handle_krb5_mech: failed to obtain service ticket (-1765328377)
Feb 21 10:01:11 clientserver cifs.upcall: Unable to obtain service ticket
Feb 21 10:01:11 clientserver cifs.upcall: Exit status -1765328377

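Hostname resolution does not seem to work correctly. I don't know how cifs.upcall gets the hostname, but if I check the DNS A and PTR records, they seem fine. NetBIOS resolution works too.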

So how does Kerberos look up the hostname? Does it extract the hostname from the UNC path?

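Writing the hostname into /etc/hosts doesn't work either. However, another server with the same winbind, samba, cifs.upcall and kerberos versions does work. resolv.conf has the same entries too. There are also some other Samba shares that work perfectly with Kerberos. So I'm a bit stuck now. Any help would be greatly appreciated.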

Try adding the '-t' option to the call to cifs.upcall in /etc/request-key.d/

In my case (Ubuntu) it is the file /etc/request-key.d/cifs.spnego.conf

Was: create cifs.spnego * * /usr/sbin/cifs.upcall %k

Change to: create cifs.spnego * * /usr/sbin/cifs.upcall -t %k
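A way to read the log from the question, as an added example that is not part of the original thread: the script decodes the numeric exit status and checks whether the host cifs.upcall was given is an IP literal. The function names and the hint text are this example's own; the sample lines are copied from the log above.

```python
import ipaddress
import re

# Constructed sample: three of the cifs.upcall lines from the question's log.
SAMPLE_LOG = """\
Feb 21 10:01:11 clientserver cifs.upcall: key description: cifs.spnego;0;0;39010000;ver=0x2;host=192.168.0.7;ip4=192.168.0.7;sec=krb5;uid=0x2b9d;creduid=0x2b9d;user=username;pid=0x68c6
Feb 21 10:01:11 clientserver cifs.upcall: find_krb5_cc: FILE:/tmp/krb5cc_11165 is valid ccache
Feb 21 10:01:11 clientserver cifs.upcall: handle_krb5_mech: failed to obtain service ticket (-1765328377)
"""

# MIT krb5 com_err table base; base + n is the RFC 4120 error code n.
KRB5_BASE = -1765328384
RFC4120_ERRORS = {
    6: "KDC_ERR_C_PRINCIPAL_UNKNOWN",
    7: "KDC_ERR_S_PRINCIPAL_UNKNOWN",
    32: "KRB_AP_ERR_TKT_EXPIRED",
    37: "KRB_AP_ERR_SKEW",
}

def is_ip_literal(host):
    """True when the host field is an IPv4/IPv6 address rather than a name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def diagnose(log):
    """Summarise one cifs.upcall attempt from its syslog lines."""
    result = {"host": None, "host_is_ip": False, "uid": None,
              "ccache": None, "error": None, "hint": None}
    for line in log.splitlines():
        _, _, msg = line.partition("cifs.upcall: ")
        if msg.startswith("key description: "):
            # Fields are ';'-separated key=value pairs; uid is hexadecimal.
            fields = dict(f.split("=", 1) for f in msg.split(";") if "=" in f)
            result["host"] = fields.get("host")
            result["host_is_ip"] = is_ip_literal(fields.get("host", ""))
            result["uid"] = int(fields["uid"], 16) if "uid" in fields else None
        elif m := re.search(r"find_krb5_cc: (\S+) is valid ccache", msg):
            result["ccache"] = m.group(1)
        elif m := re.search(r"failed to obtain service ticket \((-?\d+)\)", msg):
            code = int(m.group(1)) - KRB5_BASE
            result["error"] = RFC4120_ERRORS.get(code, f"krb5 code {code}")
    if result["error"] == "KDC_ERR_S_PRINCIPAL_UNKNOWN" and result["host_is_ip"]:
        result["hint"] = ("KDC has no service principal for the IP literal; mount by a "
                          "hostname that has an SPN, or let cifs.upcall reverse-resolve with -t")
    return result

if __name__ == "__main__":
    for key, value in diagnose(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

The cifs.upcall(8) manual page describes -t (--trust-dns) as less secure than the default, because the host part of the service principal then comes from a reverse DNS lookup; it recommends registering service principals for the names clients actually use where that is possible.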