[Freeipa-users] Mount cifs share using kerberos
Alexander Bokovoy
abokovoy at redhat.com
Fri Jan 9 17:12:01 UTC 2015
On Fri, 09 Jan 2015, John Obaterspok wrote:
>>
>>
>> 2015-01-09 10:11 GMT+01:00 Alexander Bokovoy <abokovoy at redhat.com>:
>>>
>>> On Fedora 21 we have /etc/request-key.d/cifs.upcall.conf and
>>> /etc/request-key.d/cifs.idmap.conf to allow kernel to properly fetch
>>> Kerberos keys and map IDs of CIFS identities. These configurations are
>>> part of cifs-utils package which also supplies mount.cifs.
>>>
>>>
>>
>I have no /etc/request-key.d/cifs.upcall.conf on my F21. Is it suppose to
>be there?
No, it was my fault, forgetting the actual name -- it is
cifs.spnego.conf that you have listed below:
>This is what I have:
>
>[root at ipaserver etc]# cat request-key.conf
>###############################################################################
># .... snip ....
>################################################################################
>
>#OP TYPE DESCRIPTION CALLOUT INFO PROGRAM ARG1 ARG2 ARG3 ...
>#====== ======= =============== ===============
>===============================
>create dns_resolver * * /sbin/key.dns_resolver %k
>create user debug:* negate /bin/keyctl negate %k 30 %S
>create user debug:* rejected /bin/keyctl reject %k 30 %c
>%S
>create user debug:* expired /bin/keyctl reject %k 30 %c
>%S
>create user debug:* revoked /bin/keyctl reject %k 30 %c
>%S
>create user debug:loop:* * |/bin/cat
>create user debug:* *
>/usr/share/keyutils/request-key-debug.sh %k %d %c %S
>negate * * * /bin/keyctl negate %k 30 %S
>
>[root at ipaserver etc]# ls request-key.d/
>cifs.idmap.conf cifs.spnego.conf id_resolver.conf
>
>[root at ipaserver etc]# cat request-key.d/cifs.idmap.conf
>create cifs.idmap * * /usr/sbin/cifs.idmap %k
>
>[root at ipaserver etc]# cat request-key.d/cifs.spnego.conf
>create cifs.spnego * * /usr/sbin/cifs.upcall %k
So if you have all these configs right, can you add --verbose to
mount.cifs arguments _before_ -o options?
mount -t cifs //ipaserver.MY.LAN/TheShare --verbose -o sec=krb5
and you can enable debugging before mounting in /proc/fs/cifs/, see
https://wiki.samba.org/index.php/LinuxCIFS_troubleshooting
--
/ Alexander Bokovoy
More information about the Freeipa-users
mailing list