cifs autofs krb5i

Message ID 20121118210040.05cd3eb2@corrin.poochiereds.net (mailing list archive)
State New, archived

Commit Message

Jeff Layton Nov. 19, 2012, 2 a.m. UTC
On Sat, 17 Nov 2012 18:22:57 +0100
"sergio.conrad" <sergio.conrad@laposte.net> wrote:

> 
> 
> 
> > > Message of 17/11/12 16:28
> > > From: "Jeff Layton" 
> > > To: "sergio.conrad" 
> > > Cc: linux-cifs@vger.kernel.org
> > > Subject: Re: cifs autofs krb5i
> >
> > On Sat, 17 Nov 2012 14:56:54 +0100
> > "sergio.conrad"  wrote:
> > 
> > > 
> > > 
> > > 
> > > > > Message of 17/11/12 11:44
> > > > > From: "Jeff Layton" 
> > > > > To: "sergio.conrad" 
> > > > > Cc: linux-cifs@vger.kernel.org
> > > > > Subject: Re: cifs autofs krb5i
> > > >
> > > > On Sat, 17 Nov 2012 08:53:02 +0100
> > > > "sergio.conrad" wrote:
> > > > 
> > > > > 
> > > > > 
> > > > > 
> > > > > > > Message of 17/11/12 03:01
> > > > > > > From: "Jeff Layton" 
> > > > > > > To: "sergio.conrad" 
> > > > > > > Cc: linux-cifs@vger.kernel.org
> > > > > > > Subject: Re: cifs autofs krb5i
> > > > > >
> > > > > > On Fri, 16 Nov 2012 23:37:52 +0100
> > > > > > "sergio.conrad" wrote:
> > > > > > 
> > > > > > > Hi,
> > > > > > > 
> > > > > > > I am able to connect to a cifs share on Windows 2008 with Kerberos security via autofs with 
> > > > > > > this map: 
> > > > > > > * -fstype=cifs,sec=krb5i,user=&,uid=&,cruid=&,file_mode=0700,dir_mode=0700,nounix,noserverino ://figue/data/&
> > > > > > > 
> > > > > > > 
> > > > > > > It is working fine with an alphanumeric login: 
> > > > > > > fs/cifs/cifs_spnego.c: key description = 
> > > > > > > ver=0x2;host=figue;ip4=130.120.8.11;sec=krb5;uid=0x1000001;creduid=0x1000001;user=conrad3;pid=0xd331
> > > > > > > 
> > > > > > > 
> > > > > > > But if I use a numeric-only login like 12345678 I have a problem:
> > > > > > > fs/cifs/cifs_spnego.c: key description = 
> > > > > > > ver=0x2;host=figue;ip4=130.120.8.11;sec=krb5;uid=0xbc614e;creduid=0xbc614e;user=12345678;pid=0xe5db
> > > > > > > fs/cifs/sess.c: ssetup freeing small buf ffff88003a838140
> > > > > > > CIFS VFS: Send error in SessSetup = -126
> > > > > > > fs/cifs/connect.c: CIFS VFS: leaving cifs_get_smb_ses (xid = 223) rc = -126
> > > > > > > fs/cifs/connect.c: CIFS VFS: leaving cifs_mount (xid = 222) rc = -126
> > > > > > > CIFS VFS: cifs_mount failed w/return code = -126
> > > > > > > 
> > > > > > > What can I do to solve this issue ?
> > > > > > 
> > > > > > 
> > > > > > cifs.upcall logs at daemon.debug level. Set up syslog to log that and
> > > > > > you'll get some details about what it's doing.
> > > > > > 
> > > > > > -- 
> > > > > > Jeff Layton 
> > > > > > 
> > > > > 
> > > > > Thanks for your response. 
> > > > > I got the error: 
> > > > > Nov 17 08:42:53 centad5 cifs.upcall: find_krb5_cc: /tmp/krb5cc_16777221 is owned by 16777221, not 12345678
> > > > > 
> > > > > Perhaps there is confusion between the uid and a login that has a numeric value.
> > > > > 
> > > > > [12345678@centad5 ~]$ id
> > > > > uid=16777221(12345678) gid=16777216(utilisateurs du domaine) 
> > > > > groupes=16777216(utilisateurs du domaine),16777217(profs)
> > > > > 
> > > > > The full log is :
> > > > > 
> > > > > Nov 17 08:42:53 centad5 cifs.upcall: key description: 
> > > > > cifs.spnego;0;0;3f000000;ver=0x2;host=figue;ip4=130.120.8.11;sec=krb5;uid=0xbc614e;creduid=0xbc614e;user=12345678;pid=0x9b5
> > > > > Nov 17 08:42:53 centad5 cifs.upcall: ver=2
> > > > > Nov 17 08:42:53 centad5 cifs.upcall: host=figue
> > > > > Nov 17 08:42:53 centad5 cifs.upcall: ip=130.120.8.11
> > > > > Nov 17 08:42:53 centad5 cifs.upcall: sec=1
> > > > > Nov 17 08:42:53 centad5 cifs.upcall: uid=12345678
> > > > > Nov 17 08:42:53 centad5 cifs.upcall: creduid=12345678
> > > > > Nov 17 08:42:53 centad5 cifs.upcall: user=12345678
> > > > > Nov 17 08:42:53 centad5 cifs.upcall: pid=2485
> > > > > Nov 17 08:42:53 centad5 cifs.upcall: find_krb5_cc: considering /tmp/krb5cc_16777221
> > > > > Nov 17 08:42:53 centad5 cifs.upcall: find_krb5_cc: /tmp/krb5cc_16777221 is owned by 16777221, not 12345678
> > > > > Nov 17 08:42:53 centad5 cifs.upcall: find_krb5_cc: considering /tmp/krb5cc_16777216
> > > > > Nov 17 08:42:53 centad5 cifs.upcall: find_krb5_cc: /tmp/krb5cc_16777216 is owned by 16777216, not 12345678
> > > > > Nov 17 08:42:53 centad5 cifs.upcall: krb5_get_init_creds_keytab: 13
> > > > > Nov 17 08:42:53 centad5 cifs.upcall: handle_krb5_mech: getting service ticket for figue
> > > > > Nov 17 08:42:53 centad5 cifs.upcall: cifs_krb5_get_req: unable to resolve (null) to ccache
> > > > > @
> > > > 
> > > > What a bizarre setup you have. I imagine all sorts of things get
> > > > confused by numeric usernames. Many programs will assume that when
> > > > given a numeric username that it's a uid, not a name. You might
> > > > reconsider that setup -- maybe prefix the numbers with a letter or
> > > > something...
> > > > 
> > > It seems it is a little late for this; we are already in production with Active 
> > > Directory and winbind for authentication, Windows 2008 as the cifs server, Fedora 15 as the 
> > > client, and pam_mount for mounting the partition.
> > > As we are experiencing some "CIFS VFS: Unexpected SMB signature" errors with this, 
> > > I am testing some other ways...
> > > 
> > > > In any case, it does seem like there is confusion somewhere with
> > > > numeric uids, but I don't think that confusion is with cifs.upcall. If
> > > > that is the correct credcache for this user, then it looks like its
> > > > being created with the wrong ownership.
> > > > 
> > > > What does the output of "klist" look like when you're logged in as this
> > > > user?
> > > > 
> > > 
> > > [12345678@centad5 ~]$ klist
> > > Ticket cache: FILE:/tmp/krb5cc_16777221
> > > Default principal: 12345678@DOMAIN.LOCAL
> > > 
> > > Valid starting Expires Service principal
> > > 11/17/12 14:34:04 11/18/12 00:34:04 krbtgt/DOMAIN.LOCAL@DOMAIN.LOCAL
> > > renew until 11/24/12 14:34:04
> > > 11/17/12 14:34:04 11/18/12 00:34:04 CENTAD5$@DOMAIN.LOCAL
> > > renew until 11/24/12 14:34:04
> > > 11/17/12 14:34:04 11/18/12 00:34:04 CENTAD5$@DOMAIN.LOCAL
> > > renew until 11/24/12 14:34:04
> > > [12345678@centad5 ~]$
> > > 
> > > > How about the output of "stat /tmp/krb5cc_16777216" ?
> > > 
> > > 16777216 or 16777221 ? 
> > > I did it for the two files 
> > > 
> > > [12345678@centad5 ~]$ id
> > > uid=16777221(12345678) gid=16777216(utilisateurs du domaine) 
> > > groupes=16777216(utilisateurs du domaine),16777217(profs)
> > > [12345678@centad5 ~]$
> > > 
> > > 
> > > [12345678@centad5 ~]$ stat /tmp/krb5cc_16777221 
> > > File: « /tmp/krb5cc_16777221 »
> > > Size: 3830 Blocks: 8 IO Block: 4096 regular file
> > > Device: 801h/2049d Inode: 1985377 Links: 1
> > > Access: (0600/-rw-------) Uid: (16777221/12345678) Gid: ( 0/ root)
> > > Access: 2012-11-17 14:41:37.056868612 +0100
> > > Modify: 2012-11-17 14:41:32.251850184 +0100
> > > Change: 2012-11-17 14:41:32.251850184 +0100
> > > 
> > > 
> > > [12345678@centad5 ~]$ stat /tmp/krb5cc_16777216 
> > > File: « /tmp/krb5cc_16777216 »
> > > Size: 3751 Blocks: 8 IO Block: 4096 regular file
> > > Device: 801h/2049d Inode: 1966082 Links: 1
> > > Access: (0600/-rw-------) Uid: (16777216/ conrad5) Gid: ( 0/ root)
> > > Access: 2012-11-16 23:11:47.948511483 +0100
> > > Modify: 2012-11-16 23:11:47.948511483 +0100
> > > Change: 2012-11-16 23:11:47.948511483 +0100
> > > > 
> > 
> > Ok, I think I see now. I believe your problem is in the options you're
> > passing in at mount time:
> > 
> > 
> > fstype=cifs,sec=krb5i,user=&,uid=&,cruid=&,file_mode=0700,dir_mode=0700,nounix,noserverino ://figue/data/&
> > 
> > ...specifically, the 'uid=&' and 'cruid=&' options. When mount.cifs gets
> > a numeric value for those options, it assumes that it's a uid, not a
> > username. You should probably replace those options in your automount
> > map with something like:
> > 
> > uid=$UID,cruid=$UID
> > 
> > ...which will make it pass in the numeric uid instead (that should also
> > be slightly more efficient since you won't need to go to NSS to resolve
> > username to uid). You may also want to consider adding:
> > 
> > gid=$GID
> > 
> > ...but that depends on your needs. See the section on "Variable
> > Substitution" in autofs(5) for info on $UID and $GID.
> > 
> > Best of luck!
> 
> It works!
> Thank you, you saved my day, as always!
> I will post here if I resolve the unexpected SMB signature with this technique.
> Serge
> 

Great! Now that I think about it though, there's a problem with my
suggestion. $UID and $GID represent the uid/gid of the user who's
triggering the mount, and that's not necessarily the same as the user
who owns the directory (which is what you were trying to do with your
original map).

What may make more sense is to reinstate your original autofs map, and
apply something like this (untested) patch to mount.cifs. Note too that
you can use the '-v' option to the mount command to see what options
it's passing in.

Really though, what you may be best off with is to consider setting
up //figue/data as a multiuser mount...

---------------------[snip]----------------------

mount.cifs: treat uid=,gid=,cruid= options as name before assuming they're a number

Sergio Conrad reported a problem trying to set up an autofs map to do
a krb5 mount. In his environment, many users have usernames that are
comprised entirely of numbers. While that's a bit odd, POSIX apparently
allows for it.

The current code assumes that when a numeric argument is passed to one
of the above options, that it's a uid or gid. Instead, try to treat the
argument as a user or group name first, and only try to treat it as a
number if that fails.

Signed-off-by: Jeff Layton <jlayton@samba.org>
---
 mount.cifs.c | 50 ++++++++++++++++++++++++--------------------------
 1 file changed, 24 insertions(+), 26 deletions(-)

Patch

diff --git a/mount.cifs.c b/mount.cifs.c
index a9632b4..9760d1f 100644
--- a/mount.cifs.c
+++ b/mount.cifs.c
@@ -1003,57 +1003,55 @@  parse_options(const char *data, struct parsed_mount_info *parsed_info)
 				goto nocopy;
 
 			got_uid = 1;
+			pw = getpwnam(value);
+			if (pw) {
+				uid = pw->pw_uid;
+				goto nocopy;
+			}
+
 			errno = 0;
 			uid = strtoul(value, &ep, 10);
 			if (errno == 0 && *ep == '\0')
 				goto nocopy;
 
-			pw = getpwnam(value);
-			if (pw == NULL) {
-				fprintf(stderr, "bad user name \"%s\"\n", value);
-				return EX_USAGE;
-			}
-
-			uid = pw->pw_uid;
-			goto nocopy;
-
+			fprintf(stderr, "bad option uid=\"%s\"\n", value);
+			return EX_USAGE;
 		case OPT_CRUID:
 			if (!value || !*value)
 				goto nocopy;
 
 			got_cruid = 1;
+			pw = getpwnam(value);
+			if (pw) {
+				cruid = pw->pw_uid;
+				goto nocopy;
+			}
+
 			errno = 0;
 			cruid = strtoul(value, &ep, 10);
 			if (errno == 0 && *ep == '\0')
 				goto nocopy;
 
-			pw = getpwnam(value);
-			if (pw == NULL) {
-				fprintf(stderr, "bad user name \"%s\"\n", value);
-				return EX_USAGE;
-			}
-			cruid = pw->pw_uid;
-			goto nocopy;
-
+			fprintf(stderr, "bad option: cruid=\"%s\"\n", value);
+			return EX_USAGE;
 		case OPT_GID:
 			if (!value || !*value)
 				goto nocopy;
 
 			got_gid = 1;
+			gr = getgrnam(value);
+			if (gr) {
+				gid = gr->gr_gid;
+				goto nocopy;
+			}
+
 			errno = 0;
 			gid = strtoul(value, &ep, 10);
 			if (errno == 0 && *ep == '\0')
 				goto nocopy;
 
-			gr = getgrnam(value);
-			if (gr == NULL) {
-				fprintf(stderr, "bad group name \"%s\"\n", value);
-				return EX_USAGE;
-			}
-
-			gid = gr->gr_gid;
-			goto nocopy;
-
+			fprintf(stderr, "bad option: gid=\"%s\"\n", value);
+			return EX_USAGE;
 		/* fmask fall through to file_mode */
 		case OPT_FMASK:
 			fprintf(stderr,
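Review bot: the reordering silently changes what an existing numeric uid=, cruid= or gid= value means, and that should be spelled out in the commit message and in mount.cifs(8). After this hunk every digit-only value is handed to getpwnam()/getgrnam() before strtoul() is tried, so `uid=1000` now maps to whatever account happens to be named "1000" if one exists, and a plain numeric value costs an NSS (winbind/LDAP) round trip that the old order skipped, the very efficiency point made earlier in this thread. Two smaller points in the same hunk: the three error strings are inconsistent (`bad option uid=` has no colon while the cruid and gid messages read `bad option: cruid=` and `bad option: gid=`), and `got_uid = 1`, `got_cruid = 1` and `got_gid = 1` are still set before the value has been validated, which only stays harmless because each failure path returns EX_USAGE immediately.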
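The example below is added here and is not code from the thread, from Jeff Layton's patch, or from cifs-utils. It models the two resolution orders discussed above for a uid=/cruid= value, the pre-patch one (decimal number first, then name lookup) next to the patched one (name lookup first, then number), against a constructed in-memory account table that stands in for getpwnam()/NSS; the account names and uids in that table are assumptions modelled on the thread, not real data. It also tightens the numeric parse to digits only, since a bare strtoul() would accept leading whitespace and "-1".

```c
/*
 * Added example, not part of Jeff Layton's patch or of cifs-utils.
 * Resolves a uid=/cruid= option value in both orders discussed in the
 * thread, using a constructed account table in place of getpwnam().
 */
#include <errno.h>
#include <limits.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>

/* Constructed stand-in for the passwd database (assumption, not real NSS).
 * "12345678" mirrors the thread: an all-digit login whose uid (16777221)
 * is not the number spelled by the name. */
struct fake_pw { const char *name; uid_t uid; };
static const struct fake_pw fake_passwd[] = {
    { "root",     0 },
    { "conrad3",  16777217 },
    { "12345678", 16777221 },
};

/* getpwnam() stand-in: exact name match only, false if no such user. */
static bool lookup_user(const char *name, uid_t *out)
{
    size_t i;
    for (i = 0; i < sizeof(fake_passwd) / sizeof(fake_passwd[0]); i++) {
        if (strcmp(fake_passwd[i].name, name) == 0) {
            *out = fake_passwd[i].uid;
            return true;
        }
    }
    return false;
}

/* Strict decimal id: must start with a digit (strtoul alone would accept
 * leading whitespace and a sign), consume the whole string, not overflow
 * unsigned long, and fit in a 32-bit uid_t. */
static bool parse_numeric_id(const char *s, uid_t *out)
{
    char *ep;
    unsigned long v;

    if (!s || *s < '0' || *s > '9')
        return false;
    errno = 0;
    v = strtoul(s, &ep, 10);
    if (errno != 0 || *ep != '\0' || v > (unsigned long)UINT_MAX)
        return false;
    *out = (uid_t)v;
    return true;
}

enum resolve_order { NUMBER_FIRST, NAME_FIRST };

/* NUMBER_FIRST is the pre-patch mount.cifs behaviour, NAME_FIRST the
 * order the patch proposes. Returns false when neither reading works. */
static bool resolve_uid(const char *value, enum resolve_order order, uid_t *out)
{
    if (!value || !*value)
        return false;
    if (order == NAME_FIRST)
        return lookup_user(value, out) || parse_numeric_id(value, out);
    return parse_numeric_id(value, out) || lookup_user(value, out);
}

/* Convenience wrapper: the resolved uid as a long, or -1 on failure. */
static long resolve_or_fail(const char *value, enum resolve_order order)
{
    uid_t uid;
    return resolve_uid(value, order, &uid) ? (long)uid : -1L;
}

int main(void)
{
    /* Constructed sample option values, including the malformed ones. */
    static const char *const samples[] = {
        "12345678", "conrad3", "1000", "12345678x", "-1", "99999999999", ""
    };
    size_t i;

    printf("%-14s %12s %12s\n", "value", "number-first", "name-first");
    for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
        printf("%-14s %12ld %12ld\n", samples[i],
               resolve_or_fail(samples[i], NUMBER_FIRST),
               resolve_or_fail(samples[i], NAME_FIRST));
    return 0;
}
```

With the table above, "12345678" resolves to 12345678 in the old order (the wrong owner, which is why cifs.upcall then refused the ccache owned by 16777221) and to 16777221 in the patched order, while "1000" still resolves to uid 1000 in both orders because no account carries that name.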