public inbox for linux-cifs@vger.kernel.org
From: Frank Loeffler <frank.loeffler@uni-jena.de>
To: linux-cifs@vger.kernel.org
Subject: specifying password when using krb5
Date: Sat, 27 Mar 2021 12:32:53 +0100
Message-ID: <20210327113252.GC8814@topf.wg>


Hi,

after hours of debugging, I finally write to this list to see if I 
understood things. Let me first explain what I tried to do and I'll post 
my question towards the end.


What I want to do is mount a Windows share via 'mount.cifs'. I can see 
stuff on that directory using smbclient, so login credentials etc. are 
ok:

# smbclient -A /etc/my-credentials -L \\\\share.name.org

        Sharename       Type      Comment
        ---------       ----      -------
   ... some content ...

# smbclient -A /etc/my-credentials //share.name.org/home
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Fri Jan 31 12:36:03 2014
  ..                                  D        0  Fri Jan 29 07:38:10 2021
...
smb: \>

So far, so good. Now I want to mount:

# mount -t cifs '\\share.name.org\home' -o credentials=/etc/my-credentials /mnt/win
domain=MYDOMAIN
mount.cifs kernel mount options: ip=10.10.10.10,unc=\\share.name.org\home,user=me@myorg.org,domain=MYDOMAIN,pass=********
mount error(13): Permission denied

Looking at wireshark-captures of the smbclient-connect I see it using 
krb5, so let's do that too with cifs:

# mount -t cifs '\\share.name.org\home' -o credentials=/etc/my-credentials,sec=krb5 /mnt/win
domain=MYDOMAIN
mount.cifs kernel mount options: ip=10.10.10.10,unc=\\share.name.org\home,sec=krb5,user=me@myorg.org,domain=MYDOMAIN,pass=********
mount error(2): No such file or directory

Note, I do not have active krb5-tickets on this machine, I do not even have kinit installed.

Even more strange, trying without actually specifying a password:

# mount -v -t cifs '\\share.name.org\home' -o username=me@myorg.org,domain=MYDOMAIN,sec=krb5 /mnt/win
mount.cifs kernel mount options: ip=10.10.10.10,unc=\\share.name.org\home,sec=krb5,user=me@myorg.org,domain=MYDOMAIN,pass=********
mount error(2): No such file or directory

Shows the same: it does not even ask me for the password (but still 
shows 'pass=********' in the kernel mount options). This is strange, 
because the docs say:

       password=arg|pass=arg
              specifies the CIFS password. If this option is not given
              then the environment variable PASSWD is used. If the password
              is not specified directly or indirectly via an argument to
              mount, mount.cifs will prompt for a password, unless the
              guest option is specified.

Trying without password and without sec=krb5 does indeed give me the 
expected prompt.

Digging deeper into the source of mount.cifs, I find 
(cifs.upcall.c:582)

/*
 * Prepares AP-REQ data for mechToken and gets session key
 * Uses credentials from cache. It will not ask for password
 * you should receive credentials for your name manually using
 * kinit or whatever you wish.
*/

According to that source-code comment, sec=krb5 will ignore any password 
setting - it will not even ask for one. mount.cifs.c:918 shows similar 
intentions:

        if (!strncmp(value, "krb5", 4)) {
          parsed_info->is_krb5 = 1;
          parsed_info->got_password = 1;
        }

So, now my questions:

1. Is it intended that mount.cifs will not ask for a password when using 
sec=krb5 and will ignore any set password?
2. I don't want to setup krb5-tokens for users. All I want is 
authenticate using krb5 to get the smb-session and then forget about 
krb5. smbclient seems to be able to do this. I don't know how they do 
it, I suspect they create a temporary token, open the session, and then 
drop it again. Whatever smbclient does: couldn't mount.cifs do the same 
or something similar? This would make the 'password' setting meaningful 
for sec=krb5. This does not mean that existing tokens couldn't and 
shouldn't be used. It would just mean that users would not *have* to use 
an external mechanism for this.
3. For the moment (and only if my observations are correct): could the 
documentation be updated to reflect that "password" is ignored for 
"sec=krb5"? Users shouldn't need to dig inside the source code to find 
out things like that.
4. Currently, trying sec=krb5 without token cache files results in the 
rather obscure error "mount error(2): No such file or directory". Could 
this be changed into something that points users to the actual cause of 
the error?
5. Am I even remotely correct with any of this? :)

thanks, Frank
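
The behaviour described in the post (with sec=krb5, mount.cifs never prompts for a password and relies on an existing Kerberos credential cache, which cifs.upcall reads) can be checked before attempting the mount. The script below is an added example, not code from the original post or from cifs-utils: it resolves the credential cache location the way libkrb5 does for the common cache types, refuses to mount when no cache is present, and wraps the kinit / mount / kdestroy sequence the post asks about in question 2. The principal, keytab, share and mount point are placeholders; that the ENOENT comes from the missing cache is the post's observation and is treated here as an assumption.

```shell
#!/bin/sh
# Added example (not from the post or cifs-utils). Assumptions: MIT-style
# KRB5CCNAME syntax ("FILE:/path", "DIR:/path", a bare path, or unset,
# which means /tmp/krb5cc_<uid>); kinit, klist, kdestroy and mount.cifs
# are installed; a keytab exists for the principal doing the mount.

# Print the credential cache name libkrb5 would use. Bare paths are
# normalised to FILE:; other cache types are passed through for klist.
krb5_cache_path() {
    name="${KRB5CCNAME:-}"
    if [ -z "$name" ]; then
        printf 'FILE:/tmp/krb5cc_%s\n' "$(id -u)"
        return 0
    fi
    case "$name" in
        *:*) printf '%s\n' "$name" ;;       # already carries a type prefix
        *)   printf 'FILE:%s\n' "$name" ;;  # a bare path means FILE:
    esac
}

# Return 0 if a credential cache is present, 1 otherwise. This is the
# check mount.cifs does not do before handing sec=krb5 to the kernel.
krb5_cache_present() {
    cc="$(krb5_cache_path)"
    case "$cc" in
        FILE:*)
            path="${cc#FILE:}"
            [ -s "$path" ]
            ;;
        *)
            # DIR:, KEYRING:, KCM:, ...: let klist decide (-s is silent and
            # exits non-zero without a valid TGT). Fail closed if klist is
            # missing, since cifs.upcall cannot work without libkrb5 either.
            command -v klist >/dev/null 2>&1 && klist -s -c "$cc"
            ;;
    esac
}

# The "temporary token" flow from the post: get a ticket from a keytab
# only if none exists, mount, then drop the ticket again. cruid= tells
# the kernel whose credential cache cifs.upcall should look at.
# Usage: mount_share_with_krb5 me@MYORG.ORG /etc/krb5.keytab //share.name.org/home /mnt/win
mount_share_with_krb5() {
    principal="$1"; keytab="$2"; unc="$3"; mountpoint="$4"
    got_ticket=0
    if ! krb5_cache_present; then
        kinit -k -t "$keytab" "$principal" || return 1
        got_ticket=1
    fi
    mount -t cifs "$unc" "$mountpoint" -o sec=krb5,cruid="$(id -u)"
    rc=$?
    [ "$got_ticket" = 1 ] && kdestroy
    return "$rc"
}
```

Destroying the ticket right after the mount does cover the case in the post, but note that the kernel runs cifs.upcall again whenever it has to re-establish the SMB session (for example after a network drop), so a mount whose ticket has been destroyed will fail that reconnect the same way the initial mount fails without a cache. If the share must survive reconnects, keep the keytab-based ticket alive instead of calling kdestroy.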




Thread overview: 5+ messages
2021-03-27 11:32 Frank Loeffler [this message]
2021-03-29 14:56 ` specifying password when using krb5 Shyam Prasad N
2021-03-29 16:25 ` Aurélien Aptel
2021-03-29 17:08   ` Frank Loeffler
2021-03-31 17:42     ` Aurélien Aptel
