I have several identically configured RHEL6 systems. I have been using CIFS mounts for years. However, in the past month it stopped working on one of my systems and I can't seem to figure out why.
(see the configuration below)
I have a valid host principal in my keytab. When I try to mount the CIFS mount (/net/programs) I get the following error:
mount error(126): Required key not available
Refer to the mount.cifs(8) manual page (e.g. man mount.cifs)
The error seems to be related to cifs.upcall, and when comparing the debug logs I noticed the following difference in the log:
krb5_get_init_creds_keytab: -1765328203
handle_krb5_mech: getting service ticket for server0.domain0.local
cifs_krb5_get_req: unable to resolve (null) to ccache
handle_krb5_mech: failed to obtain service ticket (-1765328245)
The error (-1765328203) seems to map to KRB5_KT_NOTFOUND "Key table entry not found".
However, the permissions on krb5.keytab look correct and match my other systems. klist -k shows the correct keys (matching my other systems) and kinit -k succeeds.
Another odd behaviour. As a temporary workaround I can mount the share with my username using NTLMSSPI, but the mount is only visible in my session. If I log in with a new session the mount does not appear. I don't even see it in /proc/mounts, even though it does appear in the original session.
My systems are all kernel version 2.6.32-696-23.1 and have Samba version 3.6.23-46.
Configuration:
SMB.CONF:
[global]
workgroup = DOMAIN0
password server = server0.DOMAIN0.LOCAL
realm = DOMAIN0.LOCAL
security = ads
idmap config * : backend
idmap config * : range = 300000-399999
idmap config DOMAIN0:backend = rid
idmap config DOMAIN0:range = 100000-199999
idmap config DOMAIN0:base_rid = 0
template shell = /bin/bash
winbind enum users = no
winbind enum groups = no
winbind separator = +
winbind use default domain = yes
winbind offline logon = false
kerberos method = secrets and keytab
client signing = mandatory
server signing = mandatory
NSSWITCH.CONF:
passwd: files winbind
shadow: files winbind
group: files winbind
hosts: files dns
SYSTEM-AUTH:
auth required pam_env.so
auth sufficient pam_fprintd.so
auth sufficient pam_unix.so try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth sufficient pam_winbind.so use_first_pass
auth [default=die] pam_faillock.so authfail deny=3 unlock_time=604800 fail_interval=900
auth required pam_faillock.so authsucc deny=3 unlock_time=604800 fail_interval=900
auth required pam_deny.so
account required pam_unix.so broken_shadow
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 500 quiet
account [default=bad success=ok user_unknown=ignore] pam_winbind.so
account required pam_permit.so
password requisite pam_cracklib.so try_first_pass retry=3 minlen=14 lcredit=-1 ucredit=-1 dcredit=-1 ocredit=-1 difok=4 remember=24 maxrepeat=3
password sufficient pam_unix.so sha512 shadow try_first_pass use_authtok
password sufficient pam_winbind.so use_authtok
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
session required pam_lastlog.so showfailed
session optional pam_oddjob_mkhomedir.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
REQUEST-KEY.CONF:
#OP TYPE DESCRIPTION CALLOUT INFO PROGRAM ARG1 ARG2 ARG3 ...
#====== ======= =============== =============== ===============================
create user debug:* negate /bin/keyctl negate %k 30 %S
create user debug:loop:* * |/bin/cat
create user debug:* * /usr/share/keyutils/request-key-debug.sh %k %d %c %S
negate * * * /bin/keyctl negate %k 30 %S
create cifs.spnego * * /usr/sbin/cifs.upcall %k
create cifs.idmap * * /usr/sbin/cifs.idmap %k
create dns_resolver * * /usr/sbin/cifs.upcall %k
KRB5.CONF:
[libdefaults]
default_realm = DOMAIN0.LOCAL
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
[realms]
DOMAIN0.LOCAL = {
kdc = server0.DOMAIN0.LOCAL
}
FSTAB:
//server0.domain0.local/Programs /net/programs cifs noauto,sec=krb5i,multiuser,cifsacl 0 0
RC.LOCAL:
/sbin/ntpdate -u server0
/usr/bin/kinit -k
/bin/mount /net/programs
NTP.CONF:
server server0.domain0.local iburst
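The checks below are an added example and are not part of the original question. The "krb5_get_init_creds_keytab: -1765328203" line shows cifs.upcall taking the keytab path for the multiuser mount: it derives the principal it requests from the local host name, tries the cifs/<host> and host/<host> forms, and the keytab lookup is exact, so a host name or case mismatch (for example after a rejoin that regenerated the keytab) yields exactly the KRB5_KT_NOTFOUND in the log even though klist -k lists plausible keys. kinit -k and cifs.upcall do not necessarily construct the same principal name, so one succeeding does not prove the other finds its key. The script checks a constructed klist -k listing for a principal the upcall could use and decodes the raw libkrb5 error numbers, which are the table base -1765328384 plus an index into the krb5 com_err table. The host name client1.domain0.local and both sample listings are assumptions made up for the example.

```shell
#!/bin/sh
# Added diagnostic helper, not part of the original post. It checks the two
# things the failing upcall depends on: that the keytab holds a principal in
# one of the forms cifs.upcall derives from the local host name (cifs/<host>
# and host/<host> in the realm), and what the raw libkrb5 error numbers in the
# upcall debug log mean. All sample data below is constructed; the host name
# client1.domain0.local is an assumption.

KRB5_ERR_BASE=-1765328384   # base of libkrb5's com_err table; a code is base+index

# Index of a libkrb5 error code within its com_err table.
krb5_err_index() {
    echo $(( $1 - KRB5_ERR_BASE ))
}

# Symbolic name for the indices relevant to a cifs.upcall failure
# (values taken from the krb5 error table).
krb5_err_name() {
    case "$(krb5_err_index "$1")" in
        139) echo KRB5_CC_BADNAME ;;       # credential cache name malformed
        140) echo KRB5_CC_UNKNOWN_TYPE ;;  # unknown credential cache type
        141) echo KRB5_CC_NOTFOUND ;;      # matching credential not found
        142) echo KRB5_CC_END ;;           # end of credential cache reached
        181) echo KRB5_KT_NOTFOUND ;;      # key table entry not found
        195) echo KRB5_FCC_NOFILE ;;       # no credentials cache found
        *)   echo UNKNOWN ;;
    esac
}

# keytab_has_principal "<klist -k output>" principal
# Exact, case-sensitive match on the principal column of klist -k output,
# which is how the keytab lookup itself behaves.
keytab_has_principal() {
    printf '%s\n' "$1" | awk -v p="$2" '$2 == p { found = 1 } END { exit !found }'
}

# Same match ignoring case; used only to produce a hint about case mismatches.
keytab_has_principal_nocase() {
    printf '%s\n' "$1" | awk -v p="$2" 'tolower($2) == tolower(p) { found = 1 } END { exit !found }'
}

# find_upcall_principal "<klist -k output>" host realm
# Prints the first principal cifs.upcall could use (cifs/ form first, then
# host/), or prints a hint on stderr and returns 1 when none matches exactly.
find_upcall_principal() {
    klist_out=$1 host=$2 realm=$3
    for svc in cifs host; do
        princ="$svc/$host@$realm"
        if keytab_has_principal "$klist_out" "$princ"; then
            echo "$princ"
            return 0
        fi
        if keytab_has_principal_nocase "$klist_out" "$princ"; then
            echo "hint: $princ present only with different case; keytab lookups are exact" >&2
        fi
    done
    return 1
}

# Constructed `klist -k` output from a healthy host.
SAMPLE_KLIST_OK='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 host/client1.domain0.local@DOMAIN0.LOCAL
   3 host/CLIENT1@DOMAIN0.LOCAL
   3 CLIENT1$@DOMAIN0.LOCAL'

# Constructed output from a host whose keytab holds the FQDN principal only
# in a different case: the listing looks plausible, but the exact lookup for
# host/client1.domain0.local fails.
SAMPLE_KLIST_CASE='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   4 host/CLIENT1.DOMAIN0.LOCAL@DOMAIN0.LOCAL
   4 CLIENT1$@DOMAIN0.LOCAL'

# Decode the two raw numbers from the upcall debug log quoted in the post.
for code in -1765328203 -1765328245; do
    echo "$code -> index $(krb5_err_index "$code") ($(krb5_err_name "$code"))"
done

# Run the principal check against both constructed listings.
for sample in "$SAMPLE_KLIST_OK" "$SAMPLE_KLIST_CASE"; do
    if princ=$(find_upcall_principal "$sample" client1.domain0.local DOMAIN0.LOCAL); then
        echo "upcall can use: $princ"
    else
        echo "no usable principal for client1.domain0.local: expect KRB5_KT_NOTFOUND from cifs.upcall"
    fi
done
```

On a real host, feed the script the actual `klist -k` output and the name cifs.upcall will use (compare `hostname` with `hostname -f`, and check the case the keytab was written with); run `cifs.upcall` with its debug option against the key description from the request-key debug log to see which principal it actually asks for before assuming the keytab is wrong.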