mount error(126): Required key not available (using sec=krb5)

aye coder acoder1999 at gmail.com
Thu Sep 17 10:13:26 EDT 2015


My application needs to securely mount an Isilon share using CIFS and
Kerberos. My mount attempt returns: Required key not available:

--- mount -t cifs //fileserver.example.com/client123/files /mnt/client123/files -o username=acoder,password=XXXXXX,sec=krb5

Response:

--- mount error(126): Required key not available
--- Refer to the mount.cifs(8) manual page (e.g. man mount.cifs)

Here are corresponding entries from /var/log/messages

--- Sep 16 16:33:49 clientbox kernel: CIFS VFS: Send error in SessSetup = -126
--- Sep 16 16:33:49 clientbox kernel: CIFS VFS: cifs_mount failed w/return code = -126

I enabled debugging in CIFS, and attempted to mount the share again.
Here's that dmesg output:

--- fs/cifs/cifsfs.c: Devname: //fileserver.example.com/client123/files flags: 0
--- fs/cifs/connect.c: prefix path /files
--- fs/cifs/connect.c: Username: acoder
--- fs/cifs/connect.c: file mode: 0x1ed  dir mode: 0x1ed
--- fs/cifs/connect.c: CIFS VFS: in cifs_mount as Xid: 8 with uid: 0
--- fs/cifs/connect.c: UNC: \\fileserver.example.com/client123/files ip: 1.2.3.4
--- fs/cifs/connect.c: Socket created
--- fs/cifs/connect.c: sndbuf 19800 rcvbuf 87380 rcvtimeo 0x1b58
--- fs/cifs/connect.c: CIFS VFS: in cifs_get_smb_ses as Xid: 9 with uid: 0
--- fs/cifs/connect.c: Demultiplex PID: 22937
--- fs/cifs/connect.c: Existing smb sess not found
--- fs/cifs/cifssmb.c: secFlags 0x9
--- fs/cifs/cifssmb.c: Kerberos only mechanism, enable extended security
--- fs/cifs/transport.c: For smb_command 114
--- fs/cifs/transport.c: Sending smb: smb_len=78
--- fs/cifs/connect.c: RFC1002 header 0xbc
--- fs/cifs/transport.c: cifs_sync_mid_result: cmd=114 mid=1 state=4
--- fs/cifs/cifssmb.c: Dialect: 2
--- fs/cifs/asn1.c: OID len = 7 oid = 0x1 0x2 0x348 0x1bb92
--- fs/cifs/asn1.c: OID len = 6 oid = 0x1 0x3 0x5 0x1
--- fs/cifs/asn1.c: OID len = 7 oid = 0x1 0x2 0x348 0xbb92
--- fs/cifs/asn1.c: OID len = 10 oid = 0x1 0x3 0x6 0x1
--- fs/cifs/asn1.c: Need to call asn1_octets_decode() function for not_defined_in_RFC4178@please_ignore
--- fs/cifs/cifssmb.c: negprot rc 0
--- fs/cifs/connect.c: Security Mode: 0x3 Capabilities: 0x8000e2fc TimeAdjust: 0
--- fs/cifs/sess.c: sess setup type 4
--- fs/cifs/cifs_spnego.c: key description = ver=0x2;host=fileserver.example.com;ip4=1.2.3.4;sec=krb5;uid=0x0;creduid=0x0;user=acoder;pid=0xXXXXX
--- fs/cifs/sess.c: ssetup freeing small buf ffff8804359b02701
--- CIFS VFS: Send error in SessSetup = -126
--- fs/cifs/connect.c: CIFS VFS: leaving cifs_get_smb_ses (xid = 9) rc = -126
--- fs/cifs/connect.c: CIFS VFS: leaving cifs_mount (xid = 8) rc = -126
--- CIFS VFS: cifs_mount failed w/return code = -126




*** Background & Config ***

I added a keytab using:

--- /usr/bin/ktutil
--- addent -password -p acoder@EXAMPLE.COM -k 1 -e rc4-hmac
--- addent -password -p acoder@EXAMPLE.COM -k 1 -e aes256-cts
--- wkt /etc/krb5.keytab

Checked with klist -kte:

--- [acoder@clientbox]# klist -kte
--- Keytab name: FILE:/etc/krb5.keytab
--- KVNO Timestamp         Principal
--- ---- ----------------- --------------------------------------------------------
---    1 09/16/15 16:24:32 acoder@EXAMPLE.COM (arcfour-hmac)
---    1 09/16/15 16:25:46 acoder@EXAMPLE.COM (aes256-cts-hmac-sha1-96)

Here's request-key.conf:

--- #OP TYPE    DESCRIPTION CALLOUT INFO    PROGRAM ARG1 ARG2 ARG3 ...
--- #====== ======= =============== =============== ===============================
--- create  user        debug:*     negate      /bin/keyctl negate %k 30 %S
--- create  user        debug:loop:*    *       |/bin/cat
--- create  user        debug:*     *       /usr/share/keyutils/request-key-debug.sh %k %d %c %S
--- negate  *       *       *       /bin/keyctl negate %k 30 %S
--- create  cifs.spnego     *       *       /usr/sbin/cifs.upcall %k
--- create  dns_resolver    *       *       /usr/sbin/cifs.upcall %k

Ticket cache:

--- # klist | grep "Ticket cache:"
--- Ticket cache: FILE:/tmp/krb5cc_0


What could be causing the "Required key not available" error?

