Hi @all,
I have some problems with the reliability of mounting shares via Kerberos (and also via NTLM) using pam_mount.conf.xml. I have tested the issue in two different environments. My first environment is two Microsoft Domain Controllers plus a separate fileserver, with Ubuntu 18.04 or 22.04 as clients. My other tested environment is one Microsoft Server 2019 (as domain controller and fileserver) with Ubuntu 22.04 as client. The login with my configuration works reliably every time, but sometimes the shares do not get mounted. I have read a ton of documentation but cannot figure out where the problem really is.
I have also tried with the kernel cache, but that seems to make the problem even worse.
Steps to reproduce (client side):
- Microsoft Server 2019 as Domain Controller
- Install Ubuntu 22.04
- configure domain name in /etc/krb5.conf
- join the domain with realm -v join -U Administrator
- install krb5-user package
- restart sssd (systemctl restart sssd)
- make the necessary entries in pam_mount.conf.xml
Most of the time the mounting works at login, but after a restart it can sometimes happen that the shares do not get mounted.
The relevant syslog is here:
=========================================
Oct 11 22:45:32 pc-jm kernel: [ 13.725094] FS-Cache: Loaded
Oct 11 22:45:32 pc-jm kernel: [ 13.752265] Key type cifs.spnego registered
Oct 11 22:45:32 pc-jm kernel: [ 13.752272] Key type cifs.idmap registered
Oct 11 22:45:32 pc-jm kernel: [ 13.752483] CIFS: No dialect specified on mount. Default has changed to a more secure dialect, SMB2.1 or later (e.g. SMB3.1.1), from CIFS (SMB1). To use the less secure SMB1 dialect to access old servers which do not support SMB3.1.1 (or even SMB3 or SMB2.1) specify vers=1.0 on mount.
Oct 11 22:45:32 pc-jm kernel: [ 13.752484] CIFS: Attempting to mount \\srv-dc01.example.localnet\Daten$
Oct 11 22:45:32 pc-jm cifs.upcall: key description: cifs.spnego;0;0;39010000;ver=0x2;host=srv-dc01.example.localnet;ip4=192.168.0.36;sec=krb5;uid=0x14163c77;creduid=0x14163c77;user=tester;pid=0xaa8
Oct 11 22:45:32 pc-jm cifs.upcall: ver=2
Oct 11 22:45:32 pc-jm cifs.upcall: host=srv-dc01.example.localnet
Oct 11 22:45:32 pc-jm cifs.upcall: ip=192.168.0.36
Oct 11 22:45:32 pc-jm cifs.upcall: sec=1
Oct 11 22:45:32 pc-jm cifs.upcall: uid=337001591
Oct 11 22:45:32 pc-jm cifs.upcall: creduid=337001591
Oct 11 22:45:32 pc-jm cifs.upcall: user=tester
Oct 11 22:45:32 pc-jm cifs.upcall: pid=2728
Oct 11 22:45:32 pc-jm cifs.upcall: get_cachename_from_process_env: pathname=/proc/2728/environ
Oct 11 22:45:32 pc-jm cifs.upcall: get_cachename_from_process_env: cachename = FILE:/tmp/krb5cc_337001591
Oct 11 22:45:32 pc-jm cifs.upcall: get_existing_cc: default ccache is FILE:/tmp/krb5cc_337001591
Oct 11 22:45:32 pc-jm kernel: [ 13.764725] CIFS: VFS: Verify user has a krb5 ticket and keyutils is installed
Oct 11 22:45:32 pc-jm kernel: [ 13.764728] CIFS: VFS: \\srv-dc01.example.localnet Send error in SessSetup = -126
Oct 11 22:45:32 pc-jm kernel: [ 13.764733] CIFS: VFS: cifs_mount failed w/return code = -126
Oct 11 22:45:32 pc-jm cifs.upcall: krb5_get_init_creds_keytab: -1765328174
Oct 11 22:45:32 pc-jm sddm[2274]: (mount.c:68): Messages from underlying mount program:
Oct 11 22:45:32 pc-jm sddm[2274]: (mount.c:72): mount error(126): Required key not available
Oct 11 22:45:32 pc-jm sddm[2274]: (mount.c:72): Refer to the mount.cifs(8) manual page (e.g. man mount.cifs) and kernel log messages (dmesg)
Oct 11 22:45:32 pc-jm sddm[2274]: (pam_mount.c:522): mount of Daten$ failed
Oct 11 22:45:32 pc-jm cifs.upcall: Exit status 1
Oct 11 22:45:32 pc-jm kernel: [ 13.771412] CIFS: Attempting to mount \\srv-dc01.example.localnet\Home$
Oct 11 22:45:32 pc-jm cifs.upcall: key description: cifs.spnego;0;0;39010000;ver=0x2;host=srv-dc01.example.localnet;ip4=192.168.0.36;sec=krb5;uid=0x14163c77;creduid=0x14163c77;user=tester;pid=0xabb
Oct 11 22:45:32 pc-jm cifs.upcall: ver=2
Oct 11 22:45:32 pc-jm cifs.upcall: host=srv-dc01.example.localnet
Oct 11 22:45:32 pc-jm cifs.upcall: ip=192.168.0.36
Oct 11 22:45:32 pc-jm cifs.upcall: sec=1
Oct 11 22:45:32 pc-jm cifs.upcall: uid=337001591
Oct 11 22:45:32 pc-jm cifs.upcall: creduid=337001591
Oct 11 22:45:32 pc-jm cifs.upcall: user=tester
Oct 11 22:45:32 pc-jm cifs.upcall: pid=2747
Oct 11 22:45:32 pc-jm cifs.upcall: get_cachename_from_process_env: pathname=/proc/2747/environ
Oct 11 22:45:32 pc-jm cifs.upcall: get_cachename_from_process_env: cachename = FILE:/tmp/krb5cc_337001591
Oct 11 22:45:32 pc-jm cifs.upcall: get_existing_cc: default ccache is FILE:/tmp/krb5cc_337001591
Oct 11 22:45:32 pc-jm cifs.upcall: krb5_get_init_creds_keytab: -1765328174
Oct 11 22:45:32 pc-jm cifs.upcall: Exit status 1
Oct 11 22:45:32 pc-jm sddm[2274]: (mount.c:68): Messages from underlying mount program:
Oct 11 22:45:32 pc-jm sddm[2274]: (mount.c:72): mount error(126): Required key not available
Oct 11 22:45:32 pc-jm sddm[2274]: (mount.c:72): Refer to the mount.cifs(8) manual page (e.g. man mount.cifs) and kernel log messages (dmesg)
Oct 11 22:45:32 pc-jm sddm[2274]: (pam_mount.c:522): mount of Home$ failed
=========================================
This is my sssd configuration:
=========================================
[sssd]
domains = example.localnet
config_file_version = 2
services = nss, pam

[domain/example.localnet]
krb5_ccname_template=FILE:%d/krb5cc_%U
ad_gpo_access_control = enforcing
ad_gpo_map_remote_interactive = +xrdp-sesman
default_shell = /bin/bash
krb5_store_password_if_offline = True
cache_credentials = True
krb5_realm = EXAMPLE.LOCALNET
realmd_tags = manages-system joined-with-adcli
id_provider = ad
fallback_homedir = /home/%u
ad_domain = example.localnet
use_fully_qualified_names = False
ldap_id_mapping = True
access_provider = ad
=========================================
This is my pam_mount.conf.xml:
=========================================
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE pam_mount SYSTEM "pam_mount.conf.xml.dtd">
<!-- See pam_mount.conf(5) for a description. -->

<pam_mount>

  <!-- debug should come before everything else,
       since this file is still processed in a single pass
       from top-to-bottom -->
  <debug enable="0"/>

  <!-- Volume definitions -->

  <!-- pam_mount parameters: General tunables -->

  <!-- <luserconf name=".pam_mount.conf.xml" /> -->

  <!-- Note that commenting out mntoptions will give you the defaults.
       You will need to explicitly initialize it with the empty string
       to reset the defaults to nothing. -->
  <mntoptions allow="nosuid,nodev,loop,encryption,fsck,nonempty,allow_root,allow_other"/>
  <!--
  <mntoptions deny="suid,dev" />
  <mntoptions allow="*" />
  <mntoptions deny="*" />
  -->
  <mntoptions require="nosuid,nodev"/>

  <!-- requires ofl from hxtools to be present -->
  <logout wait="0" hup="no" term="no" kill="no"/>

  <!-- pam_mount parameters: Volume-related -->
  <mkmountpoint enable="1" remove="true"/>

  <volume fstype="cifs" server="srv-dc01.example.localnet" path="Daten$"
          mountpoint="/media/%(USER)/Daten"
          options="iocharset=utf8,nosuid,nodev,echo_interval=15,sec=krb5i,cruid=%(USERUID),"
          uid="5000-999999999"/>
  <volume fstype="cifs" server="srv-dc01.example.localnet" path="Home$"
          mountpoint="/media/%(USER)/Home"
          options="iocharset=utf8,nosuid,nodev,echo_interval=15,sec=krb5i,cruid=%(USERUID),"
          uid="5000-999999999"/>

</pam_mount>
=========================================
Any ideas?
Thanks majojoe
I had a similar problem, but not with SMB; it was with NFS.
My problem turned out to be that the DNS service was not yet available at the time the mount request was processed.
So the DNS name for my NFS server would fail. If I replaced it with an IP, it worked flawlessly every time.
I ended up slightly altering the boot sequence to mount the NFS shares last, by starting autofs last.
On Thu, Oct 19, 2023 at 1:48 PM Johannes Maier majo050279@gmail.com wrote:
On 19/10/2023 21:47, Johannes Maier wrote:
You might have better luck with a regular mount entry in /etc/fstab but with the x-systemd.automount option, which will cause the mount to be deferred until it is first accessed. That way a temporary problem won't permanently prevent the mount from occurring.
Alternatively, use good old autofs; both ways use the same underlying autofs(5) mechanism.
Thanks Gregory and Sam for your answers.

I have tested the DNS idea: I set the IP of the fileserver in /etc/hosts. It didn't make a difference, so I think that is not the problem.

Regarding the autofs and fstab idea: I don't want to use that, since it needs a lot of maintenance if you want to administer multiple users that can be logged in. This is nice for e.g. server systems, but for the use case here it isn't an option for me.

Does none of the developers have an idea what the problem is? Or can anyone tell me what triggers the line "pc-jm cifs.upcall: krb5_get_init_creds_keytab: -1765328174"? What is the problem? Really the network? And how can I solve this?
For easier reproduction of the problem the following script can be used: https://github.com/majojoe/domain_join
Thanks majojoe
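The two numbers the opening post's log turns on, and which the follow-up above asks about, are mount error(126) and krb5_get_init_creds_keytab: -1765328174. cifs.upcall logs the raw com_err value; the first number is an errno. Below is an added example written for this page (not code from the thread, from cifs-utils or from MIT Kerberos) that decodes both offline: com_err derives an error table's base from the table's name, so the base of the krb5 table and the offset of any value in it can be computed, and the syslog lines can be grouped per cifs.upcall run so the keytab-fallback result is paired with the uid, pid and credential cache the upcall was working with. The sample lines are copied from the log excerpt in the opening post; KRB5_NAMES is a hand-picked excerpt of krb5_err.et, not the whole table. The value in the log decodes to offset 210, KRB5_PREAUTH_FAILED ("Generic preauthentication failure"), i.e. the attempt to obtain initial credentials from the host keytab failed; the number does not say why the user's FILE:/tmp/krb5cc_337001591 cache did not yield a usable ticket in the first place.

```python
"""Decode the numeric error codes in the cifs.upcall / mount.cifs log excerpt.

Added example for this page, not code from the thread, cifs-utils or MIT
Kerberos. It reimplements com_err's table-base arithmetic and groups the
syslog lines per cifs.upcall run. KRB5_NAMES is an excerpt of krb5_err.et.
"""
import errno
import re

# com_err's 6-bit alphabet: A-Z -> 1..26, a-z -> 27..52, 0-9 -> 53..62, _ -> 63
_COM_ERR_CHARS = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789_"


def error_table_base(name):
    """ERROR_TABLE_BASE_<name> as the signed 32-bit value com_err hands out.

    Each character of the (at most 4-character) table name becomes 6 bits;
    the packed value is shifted left by 8 so the low byte can carry the
    error offset, and the 32-bit pattern is read back as a signed integer.
    """
    packed = 0
    for c in name:
        packed = (packed << 6) | (_COM_ERR_CHARS.index(c) + 1)
    value = (packed << 8) & 0xFFFFFFFF
    return value - (1 << 32) if value & 0x80000000 else value


KRB5_BASE = error_table_base("krb5")  # -1765328384

# Excerpt of krb5_err.et: offsets a keytab/ccache failure commonly reports.
KRB5_NAMES = {
    24: ("KRB5KDC_ERR_PREAUTH_FAILED", "Preauthentication failed"),
    32: ("KRB5KRB_AP_ERR_TKT_EXPIRED", "Ticket expired"),
    37: ("KRB5KRB_AP_ERR_SKEW", "Clock skew too great"),
    141: ("KRB5_CC_NOTFOUND", "Matching credential not found"),
    156: ("KRB5_KDC_UNREACH", "Cannot contact any KDC for requested realm"),
    181: ("KRB5_KT_NOTFOUND", "Key table entry not found"),
    195: ("KRB5_FCC_NOFILE", "No credentials cache found"),
    210: ("KRB5_PREAUTH_FAILED", "Generic preauthentication failure"),
}


def decode_krb5_code(code):
    """Map a signed com_err value to (offset, symbolic name, message text)."""
    offset = code - KRB5_BASE
    if not 0 <= offset <= 255:
        raise ValueError(f"{code} is not in the krb5 error table")
    name, text = KRB5_NAMES.get(offset, (f"krb5 offset {offset}", "not in the excerpt"))
    return offset, name, text


_KEYDESC = re.compile(r"cifs\.upcall: key description: (?P<desc>\S+)")
_CCACHE = re.compile(r"get_existing_cc: default ccache is (?P<cc>\S+)")
_KEYTAB = re.compile(r"krb5_get_init_creds_keytab: (?P<code>-?\d+)")
_SESSSETUP = re.compile(r"Send error in SessSetup = -(?P<num>\d+)")
_MOUNTERR = re.compile(r"mount error\((?P<num>\d+)\)")


def parse_key_description(desc):
    """Split the kernel's cifs.spnego key description into a dict.

    The first four ';' fields are the key type and kernel bookkeeping; the
    rest are key=value pairs, with uid, creduid and pid written in hex.
    """
    fields = desc.split(";")
    info = {"type": fields[0]}
    for kv in fields[4:]:
        key, _, value = kv.partition("=")
        info[key] = int(value, 16) if key in ("uid", "creduid", "pid") else value
    return info


def analyze(lines):
    """One record per cifs.upcall run, with every numeric error decoded."""
    records, current = [], None
    for line in lines:
        if m := _KEYDESC.search(line):
            current = parse_key_description(m.group("desc"))
            records.append(current)
        elif current is None:
            continue
        elif m := _CCACHE.search(line):
            current["ccache"] = m.group("cc")
        elif m := _KEYTAB.search(line):
            current["keytab_fallback"] = decode_krb5_code(int(m.group("code")))
        elif m := _SESSSETUP.search(line):
            num = int(m.group("num"))
            current["sess_setup_errno"] = errno.errorcode.get(num, f"errno {num}")
        elif m := _MOUNTERR.search(line):
            num = int(m.group("num"))
            current["mount_errno"] = errno.errorcode.get(num, f"errno {num}")
    return records


# Constructed input: the lines of the thread's syslog excerpt that carry numbers.
SAMPLE_LOG = [
    r"Oct 11 22:45:32 pc-jm kernel: [ 13.752484] CIFS: Attempting to mount \\srv-dc01.example.localnet\Daten$",
    "Oct 11 22:45:32 pc-jm cifs.upcall: key description: cifs.spnego;0;0;39010000;ver=0x2;"
    "host=srv-dc01.example.localnet;ip4=192.168.0.36;sec=krb5;uid=0x14163c77;creduid=0x14163c77;user=tester;pid=0xaa8",
    "Oct 11 22:45:32 pc-jm cifs.upcall: get_existing_cc: default ccache is FILE:/tmp/krb5cc_337001591",
    r"Oct 11 22:45:32 pc-jm kernel: [ 13.764728] CIFS: VFS: \\srv-dc01.example.localnet Send error in SessSetup = -126",
    "Oct 11 22:45:32 pc-jm cifs.upcall: krb5_get_init_creds_keytab: -1765328174",
    "Oct 11 22:45:32 pc-jm sddm[2274]: (mount.c:72): mount error(126): Required key not available",
    "Oct 11 22:45:32 pc-jm cifs.upcall: key description: cifs.spnego;0;0;39010000;ver=0x2;"
    "host=srv-dc01.example.localnet;ip4=192.168.0.36;sec=krb5;uid=0x14163c77;creduid=0x14163c77;user=tester;pid=0xabb",
    "Oct 11 22:45:32 pc-jm cifs.upcall: get_existing_cc: default ccache is FILE:/tmp/krb5cc_337001591",
    "Oct 11 22:45:32 pc-jm cifs.upcall: krb5_get_init_creds_keytab: -1765328174",
    "Oct 11 22:45:32 pc-jm sddm[2274]: (mount.c:72): mount error(126): Required key not available",
]

if __name__ == "__main__":
    for rec in analyze(SAMPLE_LOG):
        off, name, text = rec["keytab_fallback"]
        print(f"pid {rec['pid']} user {rec['user']} uid {rec['uid']} ccache {rec['ccache']}: "
              f"keytab fallback {name} (offset {off}: {text}); mount {rec.get('mount_errno')}")
```

Run it against a real journal with `journalctl -t cifs.upcall -k | python3 decode.py`-style plumbing by feeding the lines to analyze(); the uid/creduid pair in each record is worth checking against the owner of the ccache file, since cifs.upcall looks the cache up under the credentials the kernel recorded in the key description (creduid, set from cruid=).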