I'm using Ubuntu 22.04 to mount a remote SMB share:
$ kinit [email protected]
Password for [email protected]:
$ sudo mount.cifs "//x.y.z.t1/Extension_2" /mnt/remoteShare/ --verbose -r -o [email protected],vers=3,sec=krb5i
mount.cifs kernel mount options: ip=x.y.z.t1,unc=\\x.y.z.t1\Extension_2,vers=3,sec=krb5i,[email protected],pass=********
mount.cifs kernel mount options: ip=x.y.z.t1,unc=\\x.y.z.t1\Extension_2,vers=3,sec=krb5i,cruid=1000,[email protected],pass=********
mount error(126): Required key not available
Refer to the mount.cifs(8) manual page (e.g. man mount.cifs) and kernel log messages (dmesg)
$ echo $?
32
dmesg says:
$ dmesg | tail
[10715718.454076] CIFS: VFS: \\x.y.z.t1 Send error in SessSetup = -126
[10715718.454446] CIFS: VFS: cifs_mount failed w/return code = -126
[10715928.839157] CIFS: Attempting to mount \\x.y.z.t1\Extension_2
[10715928.897209] CIFS: VFS: Verify user has a krb5 ticket and keyutils is installed
[10715928.897613] CIFS: VFS: \\x.y.z.t1 Send error in SessSetup = -126
[10715928.897992] CIFS: VFS: cifs_mount failed w/return code = -126
[10715928.898812] CIFS: Attempting to mount \\x.y.z.t1\Extension_2
[10715928.988054] CIFS: VFS: Verify user has a krb5 ticket and keyutils is installed
[10715928.988433] CIFS: VFS: \\x.y.z.t1 Send error in SessSetup = -126
[10715928.988872] CIFS: VFS: cifs_mount failed w/return code = -126
$
My user has a krb5 ticket and keyutils is indeed installed:
$ klist -fea
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: [email protected]
Valid starting Expires Service principal
04/09/2024 11:40:35 04/09/2024 15:40:35 krbtgt/[email protected]
renew until 04/09/2024 15:40:35, Flags: RIA
Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96
Addresses: (none)
$ dpkg -l keyutils
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name Version Architecture Description
+++-==============-==============-============-=================================
ii keyutils 1.6.1-2ubuntu3 amd64 Linux Key Management Utilities
$
EDIT0: Listed SPNs for the SMB myRemoteServer for a Windows AD member:
PS C:\> (Get-ADComputer myRemoteServer -Properties ServicePrincipalNames).ServicePrincipalNames | sort
HOST/myRemoteServer
HOST/myRemoteServer.myDOMAIN.lan
RestrictedKrbHost/myRemoteServer
RestrictedKrbHost/myRemoteServer.myDOMAIN.lan
PS C:\>
EDIT1: Tried smbclient:
$ smbclient -U [email protected] //x.y.z.t1/Extension_2
session setup failed: NT_STATUS_ACCOUNT_RESTRICTION
$ echo $?
1
$
EDIT2: If I use the hostname instead of the IP address I get a mount error(13): Permission denied error:
$ sudo mount.cifs "//myRemoteServer.myDOMAIN.lan/Extension_2" /mnt/remoteShare/ --verbose -r -o [email protected],vers=3,sec=krb5i
mount.cifs kernel mount options: ip=x.y.z.t1,unc=\\myRemoteServer.myDOMAIN.lan\Extension_2,vers=3,sec=krb5i,[email protected],pass=********
mount.cifs kernel mount options: ip=x.y.z.t1,unc=\\myRemoteServer.myDOMAIN.lan\Extension_2,vers=3,sec=krb5i,cruid=1000,[email protected],pass=********
mount error(13): Permission denied
Refer to the mount.cifs(8) manual page (e.g. man mount.cifs) and kernel log messages (dmesg)
$ echo $?
32
$ dmesg -T | tail
[Tue Apr 9 19:10:02 2024] CIFS: VFS: \\myRemoteServer.myDOMAIN.lan Send error in SessSetup = -13
[Tue Apr 9 19:10:02 2024] CIFS: VFS: cifs_mount failed w/return code = -13
[Tue Apr 9 19:10:20 2024] CIFS: Attempting to mount \\myRemoteServer.myDOMAIN.lan\Extension_2
[Tue Apr 9 19:10:20 2024] CIFS: VFS: Verify user has a krb5 ticket and keyutils is installed
[Tue Apr 9 19:10:20 2024] CIFS: VFS: \\myRemoteServer.myDOMAIN.lan Send error in SessSetup = -126
[Tue Apr 9 19:10:20 2024] CIFS: VFS: cifs_mount failed w/return code = -126
[Tue Apr 9 19:10:20 2024] CIFS: Attempting to mount \\myRemoteServer.myDOMAIN.lan\Extension_2
[Tue Apr 9 19:10:20 2024] CIFS: Status code returned 0xc000006d STATUS_LOGON_FAILURE
[Tue Apr 9 19:10:20 2024] CIFS: VFS: \\myRemoteServer.myDOMAIN.lan Send error in SessSetup = -13
[Tue Apr 9 19:10:20 2024] CIFS: VFS: cifs_mount failed w/return code = -13
$
EDIT3: Tried with smbclient -k:
$ smbclient -k -U [email protected] //myRemoteServer.myDOMAIN.lan/Extension_2
WARNING: The option -k|--kerberos is deprecated!
session setup failed: NT_STATUS_ACCESS_DENIED
$
EDIT4: Tried in debug mode with smbclient -k -d 15:
$ smbclient -k -d 15 -U [email protected] //myRemoteServer.myDOMAIN.lan/Extension_2
INFO: Current debug levels:
all: 15
tdb: 15
printdrivers: 15
lanman: 15
smb: 15
rpc_parse: 15
rpc_srv: 15
rpc_cli: 15
passdb: 15
sam: 15
auth: 15
winbind: 15
vfs: 15
idmap: 15
quota: 15
acls: 15
locking: 15
msdfs: 15
dmapi: 15
registry: 15
scavenger: 15
dns: 15
ldb: 15
tevent: 15
auth_audit: 15
auth_json_audit: 15
kerberos: 15
drs_repl: 15
smb2: 15
smb2_credits: 15
dsdb_audit: 15
dsdb_json_audit: 15
dsdb_password_audit: 15
dsdb_password_json_audit: 15
dsdb_transaction_audit: 15
dsdb_transaction_json_audit: 15
dsdb_group_audit: 15
dsdb_group_json_audit: 15
WARNING: The option -k|--kerberos is deprecated!
lp_load_ex: refreshing parameters
Initialising global parameters
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
Processing section "[global]"
doing parameter workgroup = WORKGROUP
doing parameter server string = %h server (Samba, Ubuntu)
doing parameter log file = /var/log/samba/log.%m
doing parameter max log size = 1000
doing parameter logging = file
doing parameter panic action = /usr/share/samba/panic-action %d
doing parameter server role = standalone server
doing parameter obey pam restrictions = yes
doing parameter unix password sync = yes
doing parameter passwd program = /usr/bin/passwd %u
doing parameter passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
doing parameter pam password change = yes
doing parameter map to guest = bad user
doing parameter usershare allow guests = yes
pm_process() returned Yes
lp_servicenumber: couldn't find homes
added interface ens160 ip=x.y.z.t bcast=x.y.z.255 netmask=255.255.255.0
Client started (version 4.15.13-Ubuntu).
Opening cache file at /run/samba/gencache.tdb
tdb(/run/samba/gencache.tdb): tdb_open_ex: could not open file /run/samba/gencache.tdb: Permission denied
gencache_init: Opening user cache file /home/administrateur/.cache/samba/gencache.tdb.
sitename_fetch: No stored sitename for realm ''
internal_resolve_name: looking up myRemoteServer.myDOMAIN.lan#20 (sitename (null))
namecache_fetch: name myRemoteServer.myDOMAIN.lan#20 found.
remove_duplicate_addrs2: looking for duplicate address/port pairs
Connecting to x.y.z.138 at port 445
socket options: SO_KEEPALIVE=0, SO_REUSEADDR=0, SO_BROADCAST=0, TCP_NODELAY=1, TCP_KEEPCNT=9, TCP_KEEPIDLE=7200, TCP_KEEPINTVL=75, IPTOS_LOWDELAY=0, IPTOS_THROUGHPUT=0, SO_REUSEPORT=0, SO_SNDBUF=87040, SO_RCVBUF=131072, SO_SNDLOWAT=1, SO_RCVLOWAT=1, SO_SNDTIMEO=0, SO_RCVTIMEO=0, TCP_QUICKACK=1, TCP_DEFER_ACCEPT=0, TCP_USER_TIMEOUT=0
session request ok
negotiated dialect[SMB3_11] against server[myRemoteServer.myDOMAIN.lan]
cli_session_setup_spnego_send: Connect to myRemoteServer.myDOMAIN.lan as [email protected] using SPNEGO
GENSEC backend 'gssapi_spnego' registered
GENSEC backend 'gssapi_krb5' registered
GENSEC backend 'gssapi_krb5_sasl' registered
GENSEC backend 'spnego' registered
GENSEC backend 'schannel' registered
GENSEC backend 'naclrpc_as_system' registered
GENSEC backend 'sasl-EXTERNAL' registered
GENSEC backend 'ntlmssp' registered
GENSEC backend 'ntlmssp_resume_ccache' registered
GENSEC backend 'http_basic' registered
GENSEC backend 'http_ntlm' registered
GENSEC backend 'http_negotiate' registered
GENSEC backend 'krb5' registered
GENSEC backend 'fake_gssapi_krb5' registered
Starting GENSEC mechanism spnego
Starting GENSEC submechanism gse_krb5
gensec_update_send: gse_krb5[0x5618cd09cc80]: subreq: 0x5618cd07fe30
gensec_update_send: spnego[0x5618cd0966d0]: subreq: 0x5618cd09afa0
gensec_update_done: gse_krb5[0x5618cd09cc80]: NT_STATUS_MORE_PROCESSING_REQUIRED tevent_req[0x5618cd07fe30/../../source3/librpc/crypto/gse.c:848]: state[2] error[0 (0x0)] state[struct gensec_gse_update_state (0x5618cd07fff0)] timer[(nil)] finish[../../source3/librpc/crypto/gse.c:859]
gensec_update_done: spnego[0x5618cd0966d0]: NT_STATUS_MORE_PROCESSING_REQUIRED tevent_req[0x5618cd09afa0/../../auth/gensec/spnego.c:1631]: state[2] error[0 (0x0)] state[struct gensec_spnego_update_state (0x5618cd09b160)] timer[(nil)] finish[../../auth/gensec/spnego.c:2116]
SPNEGO login failed: The attempted logon is invalid. This is either due to a bad username or authentication information.
session setup failed: NT_STATUS_LOGON_FAILURE
$
And without the -U ....:
$ smbclient -k -d 15 //myRemoteServer.myDOMAIN.lan/Extension_2
INFO: Current debug levels:
all: 15
tdb: 15
printdrivers: 15
lanman: 15
smb: 15
rpc_parse: 15
rpc_srv: 15
rpc_cli: 15
passdb: 15
sam: 15
auth: 15
winbind: 15
vfs: 15
idmap: 15
quota: 15
acls: 15
locking: 15
msdfs: 15
dmapi: 15
registry: 15
scavenger: 15
dns: 15
ldb: 15
tevent: 15
auth_audit: 15
auth_json_audit: 15
kerberos: 15
drs_repl: 15
smb2: 15
smb2_credits: 15
dsdb_audit: 15
dsdb_json_audit: 15
dsdb_password_audit: 15
dsdb_password_json_audit: 15
dsdb_transaction_audit: 15
dsdb_transaction_json_audit: 15
dsdb_group_audit: 15
dsdb_group_json_audit: 15
WARNING: The option -k|--kerberos is deprecated!
lp_load_ex: refreshing parameters
Initialising global parameters
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
Processing section "[global]"
doing parameter workgroup = WORKGROUP
doing parameter server string = %h server (Samba, Ubuntu)
doing parameter log file = /var/log/samba/log.%m
doing parameter max log size = 1000
doing parameter logging = file
doing parameter panic action = /usr/share/samba/panic-action %d
doing parameter server role = standalone server
doing parameter obey pam restrictions = yes
doing parameter unix password sync = yes
doing parameter passwd program = /usr/bin/passwd %u
doing parameter passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
doing parameter pam password change = yes
doing parameter map to guest = bad user
doing parameter usershare allow guests = yes
pm_process() returned Yes
lp_servicenumber: couldn't find homes
added interface ens160 ip=x.y.z.246 bcast=x.y.z.255 netmask=255.255.255.0
Client started (version 4.15.13-Ubuntu).
Opening cache file at /run/samba/gencache.tdb
tdb(/run/samba/gencache.tdb): tdb_open_ex: could not open file /run/samba/gencache.tdb: Permission denied
gencache_init: Opening user cache file /home/administrateur/.cache/samba/gencache.tdb.
sitename_fetch: No stored sitename for realm ''
internal_resolve_name: looking up myRemoteServer.myDOMAIN.lan#20 (sitename (null))
namecache_fetch: name myRemoteServer.myDOMAIN.lan#20 found.
remove_duplicate_addrs2: looking for duplicate address/port pairs
Connecting to x.y.z.t at port 445
socket options: SO_KEEPALIVE=0, SO_REUSEADDR=0, SO_BROADCAST=0, TCP_NODELAY=1, TCP_KEEPCNT=9, TCP_KEEPIDLE=7200, TCP_KEEPINTVL=75, IPTOS_LOWDELAY=0, IPTOS_THROUGHPUT=0, SO_REUSEPORT=0, SO_SNDBUF=87040, SO_RCVBUF=131072, SO_SNDLOWAT=1, SO_RCVLOWAT=1, SO_SNDTIMEO=0, SO_RCVTIMEO=0, TCP_QUICKACK=1, TCP_DEFER_ACCEPT=0, TCP_USER_TIMEOUT=0
session request ok
negotiated dialect[SMB3_11] against server[myRemoteServer.myDOMAIN.lan]
cli_session_setup_spnego_send: Connect to myRemoteServer.myDOMAIN.lan as [email protected] using SPNEGO
GENSEC backend 'gssapi_spnego' registered
GENSEC backend 'gssapi_krb5' registered
GENSEC backend 'gssapi_krb5_sasl' registered
GENSEC backend 'spnego' registered
GENSEC backend 'schannel' registered
GENSEC backend 'naclrpc_as_system' registered
GENSEC backend 'sasl-EXTERNAL' registered
GENSEC backend 'ntlmssp' registered
GENSEC backend 'ntlmssp_resume_ccache' registered
GENSEC backend 'http_basic' registered
GENSEC backend 'http_ntlm' registered
GENSEC backend 'http_negotiate' registered
GENSEC backend 'krb5' registered
GENSEC backend 'fake_gssapi_krb5' registered
Starting GENSEC mechanism spnego
Starting GENSEC submechanism gse_krb5
gensec_update_send: gse_krb5[0x55920886daf0]: subreq: 0x559208850e30
gensec_update_send: spnego[0x55920886a4f0]: subreq: 0x55920886be10
gensec_update_done: gse_krb5[0x55920886daf0]: NT_STATUS_MORE_PROCESSING_REQUIRED tevent_req[0x559208850e30/../../source3/librpc/crypto/gse.c:848]: state[2] error[0 (0x0)] state[struct gensec_gse_update_state (0x559208850ff0)] timer[(nil)] finish[../../source3/librpc/crypto/gse.c:859]
gensec_update_done: spnego[0x55920886a4f0]: NT_STATUS_MORE_PROCESSING_REQUIRED tevent_req[0x55920886be10/../../auth/gensec/spnego.c:1631]: state[2] error[0 (0x0)] state[struct gensec_spnego_update_state (0x55920886bfd0)] timer[(nil)] finish[../../auth/gensec/spnego.c:2116]
SPNEGO login failed: The attempted logon is invalid. This is either due to a bad username or authentication information.
session setup failed: NT_STATUS_LOGON_FAILURE
$
Kerberos service principal is. I know that the remote SMB server is a Synology DSM 7.0myDOMAIN.LAN, there are 4 IPs behind this DNS entry.
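
Added example, not part of the original post: a small Python triage that groups kernel CIFS lines like the ones quoted above into mount attempts and reports whether each one failed on the client (the kernel printed the krb5-ticket/keyutils hint and returned -126) or at the server (an NT status came back with the session setup reply). The sample log, `192.0.2.10` and `fs01.example.lan` are constructed placeholders, and the function names are hypothetical.

```python
import ipaddress
import re

# Constructed sample in the shape of the `dmesg -T` lines quoted in the post;
# 192.0.2.10 and fs01.example.lan are placeholders, not values from the post.
SAMPLE = r"""
[Tue Apr 9 19:10:20 2024] CIFS: Attempting to mount \\192.0.2.10\Extension_2
[Tue Apr 9 19:10:20 2024] CIFS: VFS: Verify user has a krb5 ticket and keyutils is installed
[Tue Apr 9 19:10:20 2024] CIFS: VFS: \\192.0.2.10 Send error in SessSetup = -126
[Tue Apr 9 19:10:20 2024] CIFS: VFS: cifs_mount failed w/return code = -126
[Tue Apr 9 19:10:21 2024] CIFS: Attempting to mount \\fs01.example.lan\Extension_2
[Tue Apr 9 19:10:21 2024] CIFS: Status code returned 0xc000006d STATUS_LOGON_FAILURE
[Tue Apr 9 19:10:21 2024] CIFS: VFS: \\fs01.example.lan Send error in SessSetup = -13
[Tue Apr 9 19:10:21 2024] CIFS: VFS: cifs_mount failed w/return code = -13
"""

MOUNT = re.compile(r"CIFS: Attempting to mount \\\\([^\\\s]+)\\(\S+)")
HINT = "Verify user has a krb5 ticket and keyutils is installed"
STATUS = re.compile(r"Status code returned (0x[0-9a-fA-F]+) (\S+)")
FAILED = re.compile(r"cifs_mount failed w/return code = -(\d+)")

def is_ip(host):
    """True when the UNC host part is an IP literal rather than a name."""
    try:
        return bool(ipaddress.ip_address(host))
    except ValueError:
        return False

def triage(log_text):
    """Group kernel CIFS lines per mount attempt and say where each one failed."""
    attempts, cur = [], None
    for line in log_text.splitlines():
        if m := MOUNT.search(line):
            cur = {"host": m[1], "share": m[2], "ip_target": is_ip(m[1]),
                   "upcall_hint": False, "nt_status": None, "errno": None,
                   "stage": "unclassified"}
            attempts.append(cur)
        elif cur is None:
            continue  # tail of an attempt whose first line scrolled out of view
        elif HINT in line:
            cur["upcall_hint"] = True
        elif m := STATUS.search(line):
            cur["nt_status"] = m[2]
        elif m := FAILED.search(line):
            cur["errno"] = int(m[1])
    for a in attempts:
        if a["errno"] == 126 and a["upcall_hint"]:
            a["stage"] = "client: no Kerberos key returned to the kernel"
        elif a["nt_status"]:
            a["stage"] = "server: session setup refused"
    return attempts
```

Feed it real input with `triage(subprocess.run(["dmesg"], capture_output=True, text=True).stdout)`; lines that belong to an attempt whose "Attempting to mount" line is missing are skipped rather than misattributed.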