[Freeipa-users] Mount cifs share using kerberos

Alexander Bokovoy abokovoy at redhat.com
Fri Jan 9 17:12:01 UTC 2015


On Fri, 09 Jan 2015, John Obaterspok wrote:
>>
>>
>> 2015-01-09 10:11 GMT+01:00 Alexander Bokovoy <abokovoy at redhat.com>:
>>>
>>> On Fedora 21 we have /etc/request-key.d/cifs.upcall.conf and
>>> /etc/request-key.d/cifs.idmap.conf to allow kernel to properly fetch
>>> Kerberos keys and map IDs of CIFS identities. These configurations are
>>> part of cifs-utils package which also supplies mount.cifs.
>>>
>>>
>>
>I have no /etc/request-key.d/cifs.upcall.conf on my F21. Is it supposed to
>be there?
No, it was my fault, forgetting the actual name -- it is
cifs.spnego.conf that you have listed below:

>This is what I have:
>
>[root@ipaserver etc]# cat request-key.conf
>###############################################################################
># .... snip ....
>################################################################################
>
>#OP     TYPE    DESCRIPTION     CALLOUT INFO    PROGRAM ARG1 ARG2 ARG3 ...
>#====== ======= =============== =============== ===============================
>create  dns_resolver *          *               /sbin/key.dns_resolver %k
>create  user    debug:*         negate          /bin/keyctl negate %k 30 %S
>create  user    debug:*         rejected        /bin/keyctl reject %k 30 %c %S
>create  user    debug:*         expired         /bin/keyctl reject %k 30 %c %S
>create  user    debug:*         revoked         /bin/keyctl reject %k 30 %c %S
>create  user    debug:loop:*    *               |/bin/cat
>create  user    debug:*         *               /usr/share/keyutils/request-key-debug.sh %k %d %c %S
>negate  *       *               *               /bin/keyctl negate %k 30 %S
>
>[root@ipaserver etc]# ls request-key.d/
>cifs.idmap.conf   cifs.spnego.conf  id_resolver.conf
>
>[root@ipaserver etc]# cat request-key.d/cifs.idmap.conf
>create  cifs.idmap    * * /usr/sbin/cifs.idmap %k
>
>[root@ipaserver etc]# cat request-key.d/cifs.spnego.conf
>create  cifs.spnego    * * /usr/sbin/cifs.upcall %k
So if you have all these configs right, can you add --verbose to
mount.cifs arguments _before_ -o options?

mount -t cifs //ipaserver.MY.LAN/TheShare --verbose -o sec=krb5

and you can enable debugging before mounting in /proc/fs/cifs/, see
https://wiki.samba.org/index.php/LinuxCIFS_troubleshooting
-- 
/ Alexander Bokovoy
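
The configuration check discussed in this thread can be scripted. The following is an added example, not part of the original message or of cifs-utils: it looks for "create" rules for the cifs.spnego and cifs.idmap key types and reports which program each one calls. The function names find_handler and check_cifs_upcalls and the temporary sample tree are assumptions made for the example; pass /etc instead of the sample directory to check a real system.

```sh
#!/bin/sh
# Added example, not from the thread: verify request-key "create" rules
# exist for the key types the CIFS client requests.

# find_handler ETC_DIR KEY_TYPE
# Prints the PROGRAM field of the first "create" rule whose TYPE field is
# exactly KEY_TYPE; returns non-zero when no file names that type.
find_handler() {
    etc=$1 want=$2
    set --
    for f in "$etc"/request-key.d/*.conf "$etc"/request-key.conf; do
        if [ -f "$f" ]; then set -- "$@" "$f"; fi
    done
    [ $# -gt 0 ] || return 1
    awk -v want="$want" '
        /^[ \t]*(#|$)/ { next }    # skip comments and blank lines
        $1 == "create" && $2 == want { print $5; found = 1; exit }
        END { exit !found }
    ' "$@"
}

# check_cifs_upcalls ETC_DIR
# Reports the handler for each key type; returns the number of problems.
check_cifs_upcalls() {
    problems=0
    for pair in cifs.spnego:cifs.upcall cifs.idmap:cifs.idmap; do
        ktype=${pair%%:*} expect=${pair#*:}
        if prog=$(find_handler "$1" "$ktype"); then
            case $prog in
                */"$expect") echo "ok: $ktype -> $prog" ;;
                *) echo "unexpected: $ktype -> $prog"
                   problems=$((problems + 1)) ;;
            esac
        else
            echo "missing: no create rule for $ktype"
            problems=$((problems + 1))
        fi
    done
    return "$problems"
}

# Constructed sample tree holding the rules quoted in the thread.
demo=$(mktemp -d)
mkdir "$demo/request-key.d"
echo 'create  cifs.idmap    * * /usr/sbin/cifs.idmap %k' > "$demo/request-key.d/cifs.idmap.conf"
echo 'create  cifs.spnego    * * /usr/sbin/cifs.upcall %k' > "$demo/request-key.d/cifs.spnego.conf"
echo 'negate  *  *  *  /bin/keyctl negate %k 30 %S' > "$demo/request-key.conf"
check_cifs_upcalls "$demo"
```

A "missing" result means only the catch-all negate rule would apply to that key type, so no helper program is named for it.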



