Unable to mount CIFS even though kinit returned a ticket

I am using Ubuntu 22.04 to mount a remote SMB share:

$ kinit [email protected]
Password for [email protected]:
$ sudo mount.cifs "//x.y.z.t1/Extension_2" /mnt/remoteShare/ --verbose -r -o [email protected],vers=3,sec=krb5i
mount.cifs kernel mount options: ip=x.y.z.t1,unc=\\x.y.z.t1\Extension_2,vers=3,sec=krb5i,[email protected],pass=********
mount.cifs kernel mount options: ip=x.y.z.t1,unc=\\x.y.z.t1\Extension_2,vers=3,sec=krb5i,cruid=1000,[email protected],pass=********
mount error(126): Required key not available
Refer to the mount.cifs(8) manual page (e.g. man mount.cifs) and kernel log messages (dmesg)
$ echo $?
32

dmesg says:

$ dmesg | tail
[10715718.454076] CIFS: VFS: \\x.y.z.t1 Send error in SessSetup = -126
[10715718.454446] CIFS: VFS: cifs_mount failed w/return code = -126
[10715928.839157] CIFS: Attempting to mount \\x.y.z.t1\Extension_2
[10715928.897209] CIFS: VFS: Verify user has a krb5 ticket and keyutils is installed
[10715928.897613] CIFS: VFS: \\x.y.z.t1 Send error in SessSetup = -126
[10715928.897992] CIFS: VFS: cifs_mount failed w/return code = -126
[10715928.898812] CIFS: Attempting to mount \\x.y.z.t1\Extension_2
[10715928.988054] CIFS: VFS: Verify user has a krb5 ticket and keyutils is installed
[10715928.988433] CIFS: VFS: \\x.y.z.t1 Send error in SessSetup = -126
[10715928.988872] CIFS: VFS: cifs_mount failed w/return code = -126
$

My user has a krb5 ticket, and keyutils is indeed installed:

$ klist -fea
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: [email protected]

Valid starting       Expires              Service principal
04/09/2024 11:40:35  04/09/2024 15:40:35  krbtgt/[email protected]
        renew until 04/09/2024 15:40:35, Flags: RIA
        Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96
        Addresses: (none)
$ dpkg -l keyutils
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name           Version        Architecture Description
+++-==============-==============-============-=================================
ii  keyutils       1.6.1-2ubuntu3 amd64        Linux Key Management Utilities
$

EDIT0: Listing the SPNs of the SMB server myRemoteServer, a Windows AD member:

PS C:\> (Get-ADComputer myRemoteServer -Properties ServicePrincipalNames).ServicePrincipalNames | sort
HOST/myRemoteServer
HOST/myRemoteServer.myDOMAIN.lan
RestrictedKrbHost/myRemoteServer
RestrictedKrbHost/myRemoteServer.myDOMAIN.lan
PS C:\> 

EDIT1: Tried smbclient

$ smbclient -U [email protected] //x.y.z.t1/Extension_2
session setup failed: NT_STATUS_ACCOUNT_RESTRICTION
$ echo $?
1
$

EDIT2: If I use the hostname instead of the IP address, I get mount error(13): Permission denied:

$ sudo mount.cifs "//myRemoteServer.myDOMAIN.lan/Extension_2" /mnt/remoteShare/ --verbose -r -o [email protected],vers=3,sec=krb5i
mount.cifs kernel mount options: ip=x.y.z.t1,unc=\\myRemoteServer.myDOMAIN.lan\Extension_2,vers=3,sec=krb5i,[email protected],pass=********
mount.cifs kernel mount options: ip=x.y.z.t1,unc=\\myRemoteServer.myDOMAIN.lan\Extension_2,vers=3,sec=krb5i,cruid=1000,[email protected],pass=********
mount error(13): Permission denied
Refer to the mount.cifs(8) manual page (e.g. man mount.cifs) and kernel log messages (dmesg)
$ echo $?
32
$ dmesg -T | tail
[Tue Apr  9 19:10:02 2024] CIFS: VFS: \\myRemoteServer.myDOMAIN.lan Send error in SessSetup = -13
[Tue Apr  9 19:10:02 2024] CIFS: VFS: cifs_mount failed w/return code = -13
[Tue Apr  9 19:10:20 2024] CIFS: Attempting to mount \\myRemoteServer.myDOMAIN.lan\Extension_2
[Tue Apr  9 19:10:20 2024] CIFS: VFS: Verify user has a krb5 ticket and keyutils is installed
[Tue Apr  9 19:10:20 2024] CIFS: VFS: \\myRemoteServer.myDOMAIN.lan Send error in SessSetup = -126
[Tue Apr  9 19:10:20 2024] CIFS: VFS: cifs_mount failed w/return code = -126
[Tue Apr  9 19:10:20 2024] CIFS: Attempting to mount \\myRemoteServer.myDOMAIN.lan\Extension_2
[Tue Apr  9 19:10:20 2024] CIFS: Status code returned 0xc000006d STATUS_LOGON_FAILURE
[Tue Apr  9 19:10:20 2024] CIFS: VFS: \\myRemoteServer.myDOMAIN.lan Send error in SessSetup = -13
[Tue Apr  9 19:10:20 2024] CIFS: VFS: cifs_mount failed w/return code = -13
$

EDIT3: Tried smbclient -k

$ smbclient -k -U [email protected] //myRemoteServer.myDOMAIN.lan/Extension_2
WARNING: The option -k|--kerberos is deprecated!
session setup failed: NT_STATUS_ACCESS_DENIED
$

EDIT4: Tried smbclient -k -d 15 in debug mode

$ smbclient -k -d 15 -U [email protected] //myRemoteServer.myDOMAIN.lan/Extension_2
INFO: Current debug levels:
  all: 15
  tdb: 15
  printdrivers: 15
  lanman: 15
  smb: 15
  rpc_parse: 15
  rpc_srv: 15
  rpc_cli: 15
  passdb: 15
  sam: 15
  auth: 15
  winbind: 15
  vfs: 15
  idmap: 15
  quota: 15
  acls: 15
  locking: 15
  msdfs: 15
  dmapi: 15
  registry: 15
  scavenger: 15
  dns: 15
  ldb: 15
  tevent: 15
  auth_audit: 15
  auth_json_audit: 15
  kerberos: 15
  drs_repl: 15
  smb2: 15
  smb2_credits: 15
  dsdb_audit: 15
  dsdb_json_audit: 15
  dsdb_password_audit: 15
  dsdb_password_json_audit: 15
  dsdb_transaction_audit: 15
  dsdb_transaction_json_audit: 15
  dsdb_group_audit: 15
  dsdb_group_json_audit: 15
WARNING: The option -k|--kerberos is deprecated!
lp_load_ex: refreshing parameters
Initialising global parameters
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
INFO: Current debug levels:
  all: 15
  tdb: 15
  printdrivers: 15
  lanman: 15
  smb: 15
  rpc_parse: 15
  rpc_srv: 15
  rpc_cli: 15
  passdb: 15
  sam: 15
  auth: 15
  winbind: 15
  vfs: 15
  idmap: 15
  quota: 15
  acls: 15
  locking: 15
  msdfs: 15
  dmapi: 15
  registry: 15
  scavenger: 15
  dns: 15
  ldb: 15
  tevent: 15
  auth_audit: 15
  auth_json_audit: 15
  kerberos: 15
  drs_repl: 15
  smb2: 15
  smb2_credits: 15
  dsdb_audit: 15
  dsdb_json_audit: 15
  dsdb_password_audit: 15
  dsdb_password_json_audit: 15
  dsdb_transaction_audit: 15
  dsdb_transaction_json_audit: 15
  dsdb_group_audit: 15
  dsdb_group_json_audit: 15
Processing section "[global]"
doing parameter workgroup = WORKGROUP
doing parameter server string = %h server (Samba, Ubuntu)
doing parameter log file = /var/log/samba/log.%m
doing parameter max log size = 1000
doing parameter logging = file
doing parameter panic action = /usr/share/samba/panic-action %d
doing parameter server role = standalone server
doing parameter obey pam restrictions = yes
doing parameter unix password sync = yes
doing parameter passwd program = /usr/bin/passwd %u
doing parameter passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
doing parameter pam password change = yes
doing parameter map to guest = bad user
doing parameter usershare allow guests = yes
pm_process() returned Yes
lp_servicenumber: couldn't find homes
added interface ens160 ip=x.y.z.t bcast=x.y.z.255 netmask=255.255.255.0
Client started (version 4.15.13-Ubuntu).
Opening cache file at /run/samba/gencache.tdb
tdb(/run/samba/gencache.tdb): tdb_open_ex: could not open file /run/samba/gencache.tdb: Permission denied
gencache_init: Opening user cache file /home/administrateur/.cache/samba/gencache.tdb.
sitename_fetch: No stored sitename for realm ''
internal_resolve_name: looking up myRemoteServer.myDOMAIN.lan#20 (sitename (null))
namecache_fetch: name myRemoteServer.myDOMAIN.lan#20 found.
remove_duplicate_addrs2: looking for duplicate address/port pairs
Connecting to x.y.z.138 at port 445
socket options: SO_KEEPALIVE=0, SO_REUSEADDR=0, SO_BROADCAST=0, TCP_NODELAY=1, TCP_KEEPCNT=9, TCP_KEEPIDLE=7200, TCP_KEEPINTVL=75, IPTOS_LOWDELAY=0, IPTOS_THROUGHPUT=0, SO_REUSEPORT=0, SO_SNDBUF=87040, SO_RCVBUF=131072, SO_SNDLOWAT=1, SO_RCVLOWAT=1, SO_SNDTIMEO=0, SO_RCVTIMEO=0, TCP_QUICKACK=1, TCP_DEFER_ACCEPT=0, TCP_USER_TIMEOUT=0
 session request ok
 negotiated dialect[SMB3_11] against server[myRemoteServer.myDOMAIN.lan]
cli_session_setup_spnego_send: Connect to myRemoteServer.myDOMAIN.lan as [email protected] using SPNEGO
GENSEC backend 'gssapi_spnego' registered
GENSEC backend 'gssapi_krb5' registered
GENSEC backend 'gssapi_krb5_sasl' registered
GENSEC backend 'spnego' registered
GENSEC backend 'schannel' registered
GENSEC backend 'naclrpc_as_system' registered
GENSEC backend 'sasl-EXTERNAL' registered
GENSEC backend 'ntlmssp' registered
GENSEC backend 'ntlmssp_resume_ccache' registered
GENSEC backend 'http_basic' registered
GENSEC backend 'http_ntlm' registered
GENSEC backend 'http_negotiate' registered
GENSEC backend 'krb5' registered
GENSEC backend 'fake_gssapi_krb5' registered
Starting GENSEC mechanism spnego
Starting GENSEC submechanism gse_krb5
gensec_update_send: gse_krb5[0x5618cd09cc80]: subreq: 0x5618cd07fe30
gensec_update_send: spnego[0x5618cd0966d0]: subreq: 0x5618cd09afa0
gensec_update_done: gse_krb5[0x5618cd09cc80]: NT_STATUS_MORE_PROCESSING_REQUIRED tevent_req[0x5618cd07fe30/../../source3/librpc/crypto/gse.c:848]: state[2] error[0 (0x0)]  state[struct gensec_gse_update_state (0x5618cd07fff0)] timer[(nil)] finish[../../source3/librpc/crypto/gse.c:859]
gensec_update_done: spnego[0x5618cd0966d0]: NT_STATUS_MORE_PROCESSING_REQUIRED tevent_req[0x5618cd09afa0/../../auth/gensec/spnego.c:1631]: state[2] error[0 (0x0)]  state[struct gensec_spnego_update_state (0x5618cd09b160)] timer[(nil)] finish[../../auth/gensec/spnego.c:2116]
SPNEGO login failed: The attempted logon is invalid. This is either due to a bad username or authentication information.
session setup failed: NT_STATUS_LOGON_FAILURE
$

And without -U ....

$ smbclient -k -d 15 //myRemoteServer.myDOMAIN.lan/Extension_2
INFO: Current debug levels:
  all: 15
  tdb: 15
  printdrivers: 15
  lanman: 15
  smb: 15
  rpc_parse: 15
  rpc_srv: 15
  rpc_cli: 15
  passdb: 15
  sam: 15
  auth: 15
  winbind: 15
  vfs: 15
  idmap: 15
  quota: 15
  acls: 15
  locking: 15
  msdfs: 15
  dmapi: 15
  registry: 15
  scavenger: 15
  dns: 15
  ldb: 15
  tevent: 15
  auth_audit: 15
  auth_json_audit: 15
  kerberos: 15
  drs_repl: 15
  smb2: 15
  smb2_credits: 15
  dsdb_audit: 15
  dsdb_json_audit: 15
  dsdb_password_audit: 15
  dsdb_password_json_audit: 15
  dsdb_transaction_audit: 15
  dsdb_transaction_json_audit: 15
  dsdb_group_audit: 15
  dsdb_group_json_audit: 15
WARNING: The option -k|--kerberos is deprecated!
lp_load_ex: refreshing parameters
Initialising global parameters
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
INFO: Current debug levels:
  all: 15
  tdb: 15
  printdrivers: 15
  lanman: 15
  smb: 15
  rpc_parse: 15
  rpc_srv: 15
  rpc_cli: 15
  passdb: 15
  sam: 15
  auth: 15
  winbind: 15
  vfs: 15
  idmap: 15
  quota: 15
  acls: 15
  locking: 15
  msdfs: 15
  dmapi: 15
  registry: 15
  scavenger: 15
  dns: 15
  ldb: 15
  tevent: 15
  auth_audit: 15
  auth_json_audit: 15
  kerberos: 15
  drs_repl: 15
  smb2: 15
  smb2_credits: 15
  dsdb_audit: 15
  dsdb_json_audit: 15
  dsdb_password_audit: 15
  dsdb_password_json_audit: 15
  dsdb_transaction_audit: 15
  dsdb_transaction_json_audit: 15
  dsdb_group_audit: 15
  dsdb_group_json_audit: 15
Processing section "[global]"
doing parameter workgroup = WORKGROUP
doing parameter server string = %h server (Samba, Ubuntu)
doing parameter log file = /var/log/samba/log.%m
doing parameter max log size = 1000
doing parameter logging = file
doing parameter panic action = /usr/share/samba/panic-action %d
doing parameter server role = standalone server
doing parameter obey pam restrictions = yes
doing parameter unix password sync = yes
doing parameter passwd program = /usr/bin/passwd %u
doing parameter passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
doing parameter pam password change = yes
doing parameter map to guest = bad user
doing parameter usershare allow guests = yes
pm_process() returned Yes
lp_servicenumber: couldn't find homes
added interface ens160 ip=x.y.z.246 bcast=x.y.z.255 netmask=255.255.255.0
Client started (version 4.15.13-Ubuntu).
Opening cache file at /run/samba/gencache.tdb
tdb(/run/samba/gencache.tdb): tdb_open_ex: could not open file /run/samba/gencache.tdb: Permission denied
gencache_init: Opening user cache file /home/administrateur/.cache/samba/gencache.tdb.
sitename_fetch: No stored sitename for realm ''
internal_resolve_name: looking up myRemoteServer.myDOMAIN.lan#20 (sitename (null))
namecache_fetch: name myRemoteServer.myDOMAIN.lan#20 found.
remove_duplicate_addrs2: looking for duplicate address/port pairs
Connecting to x.y.z.t at port 445
socket options: SO_KEEPALIVE=0, SO_REUSEADDR=0, SO_BROADCAST=0, TCP_NODELAY=1, TCP_KEEPCNT=9, TCP_KEEPIDLE=7200, TCP_KEEPINTVL=75, IPTOS_LOWDELAY=0, IPTOS_THROUGHPUT=0, SO_REUSEPORT=0, SO_SNDBUF=87040, SO_RCVBUF=131072, SO_SNDLOWAT=1, SO_RCVLOWAT=1, SO_SNDTIMEO=0, SO_RCVTIMEO=0, TCP_QUICKACK=1, TCP_DEFER_ACCEPT=0, TCP_USER_TIMEOUT=0
 session request ok
 negotiated dialect[SMB3_11] against server[myRemoteServer.myDOMAIN.lan]
cli_session_setup_spnego_send: Connect to myRemoteServer.myDOMAIN.lan as [email protected] using SPNEGO
GENSEC backend 'gssapi_spnego' registered
GENSEC backend 'gssapi_krb5' registered
GENSEC backend 'gssapi_krb5_sasl' registered
GENSEC backend 'spnego' registered
GENSEC backend 'schannel' registered
GENSEC backend 'naclrpc_as_system' registered
GENSEC backend 'sasl-EXTERNAL' registered
GENSEC backend 'ntlmssp' registered
GENSEC backend 'ntlmssp_resume_ccache' registered
GENSEC backend 'http_basic' registered
GENSEC backend 'http_ntlm' registered
GENSEC backend 'http_negotiate' registered
GENSEC backend 'krb5' registered
GENSEC backend 'fake_gssapi_krb5' registered
Starting GENSEC mechanism spnego
Starting GENSEC submechanism gse_krb5
gensec_update_send: gse_krb5[0x55920886daf0]: subreq: 0x559208850e30
gensec_update_send: spnego[0x55920886a4f0]: subreq: 0x55920886be10
gensec_update_done: gse_krb5[0x55920886daf0]: NT_STATUS_MORE_PROCESSING_REQUIRED tevent_req[0x559208850e30/../../source3/librpc/crypto/gse.c:848]: state[2] error[0 (0x0)]  state[struct gensec_gse_update_state (0x559208850ff0)] timer[(nil)] finish[../../source3/librpc/crypto/gse.c:859]
gensec_update_done: spnego[0x55920886a4f0]: NT_STATUS_MORE_PROCESSING_REQUIRED tevent_req[0x55920886be10/../../auth/gensec/spnego.c:1631]: state[2] error[0 (0x0)]  state[struct gensec_spnego_update_state (0x55920886bfd0)] timer[(nil)] finish[../../auth/gensec/spnego.c:2116]
SPNEGO login failed: The attempted logon is invalid. This is either due to a bad username or authentication information.
session setup failed: NT_STATUS_LOGON_FAILURE
$

Answer 1

Kerberos is very much like TLS in that it requires you to connect to a hostname that matches the server's configuration; connecting to an IP address usually does not work.


In general, it doesn't end with "getting a ticket": you need to obtain a ticket for the specific service you are authenticating to. Each service has its own key, shared with the Kerberos KDC, and is identified by a "service principal name", e.g. cifs/nas.example.com for an SMB file server or HTTP/blog for a web application (or krbtgt/EXAMPLE.COM for the "ticket-granting" service). If everything goes well, the 'mount' command will obtain the service ticket automatically, and it will show up in klist:

$ klist
Valid starting       Expires              Service principal
04/09/2024 17:52:46  04/10/2024 03:39:06  krbtgt/[email protected]
04/09/2024 18:00:02  04/10/2024 03:39:06  HTTP/[email protected]
04/09/2024 18:00:02  04/10/2024 03:39:06  nfs/[email protected]
04/09/2024 18:00:05  04/10/2024 03:39:06  imap/[email protected]
04/09/2024 18:00:05  04/10/2024 03:39:06  host/[email protected]
04/09/2024 18:00:06  04/10/2024 03:39:06  nfs/[email protected]

This means that for the client to successfully obtain a ticket for the right Kerberos service, it must be given the correct hostname (or subdomain name) for that service as the KDC knows it; any random address will not do.

The generic "Required key not available" error code comes from the "cifs.upcall" program failing to obtain a ticket; you can see a more detailed error message in syslog or the system journal (journalctl).

(Linux Kerberos has sometimes done this by using "reverse DNS", looking up the hostname from the IP address via PTR records, but most networks have no rDNS available for their internal IPs.)

When a server joins AD, its computer account automatically gets SPNs for its full domain name, cifs/nas02.example.com, and for its short computer name, cifs/nas02, but not for its IP address (and not for any manually created DNS CNAME aliases either). So you need to find out the "real" AD hostname of the Synology NAS and then use that in the 'mount' command.

You can usually look up computer SPNs in Active Directory over LDAP with ldapsearch (unless the AD admins have deliberately hidden them), or you can manually guess likely SPNs with the kvno tool (e.g. kvno cifs/[email protected]).

  1. Find the DC name:

    host -t srv _ldap._tcp.example.com    => dc01.example.com
    
  2. Search for the SPNs of non-Windows servers:

    ldapsearch -H ldap://dc01.example.com -Y GSS-SPNEGO -Q \
               '(&(objectCategory=computer)(!(operatingSystem=Windows*)))' \
               servicePrincipalName \
               | grep -i '\bhost/' | sort -f
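As an added example (not code from the question or the answer above), a small POSIX shell pre-flight check that applies the answer's two points before running mount.cifs: the target must be a hostname rather than an IP literal, and the credential cache should end up holding a cifs/<host> service ticket. It runs on a constructed klist listing embedded in the script; the hostnames, realm and the cifs_preflight function are assumptions.

```shell
#!/bin/sh
# Added example, not code from the original post: pre-flight checks for a
# Kerberos CIFS mount, covering the two points made in the answer above.

# Constructed sample klist output (hostnames and realm are assumptions),
# modelled on the listing in the answer. In real use, feed it from: klist
SAMPLE_KLIST='Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: user@EXAMPLE.COM

Valid starting       Expires              Service principal
04/09/2024 17:52:46  04/10/2024 03:39:06  krbtgt/EXAMPLE.COM@EXAMPLE.COM
04/09/2024 18:00:02  04/10/2024 03:39:06  cifs/nas02.example.com@EXAMPLE.COM'

# Succeeds if the argument is a dotted-quad IPv4 literal. AD registers no SPN
# for an address, so such a target can never yield a cifs/ service ticket.
is_ip_literal() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

# Succeeds if the klist text on stdin holds a service ticket for cifs/<host>.
# Fixed-string, case-insensitive match, since SPN names are case-insensitive.
has_cifs_ticket() {
    grep -Fiq " cifs/$1@"
}

# Diagnose a mount target against a klist listing read from stdin.
# Exit status: 0 = service ticket present, 1 = target is an IP literal,
# 2 = no cifs/<host> ticket yet (mount.cifs asks cifs.upcall to fetch one).
cifs_preflight() {
    target="$1"
    if is_ip_literal "$target"; then
        echo "FAIL: '$target' is an IP address; use the server's AD hostname (its cifs/ SPN)"
        return 1
    fi
    if has_cifs_ticket "$target"; then
        echo "OK: service ticket cifs/$target is in the cache"
        return 0
    fi
    echo "INFO: no cifs/$target ticket yet; if mount.cifs fails, check journalctl for cifs.upcall errors"
    return 2
}

# Stand-alone usage with the constructed sample (second call is expected to fail):
printf '%s\n' "$SAMPLE_KLIST" | cifs_preflight nas02.example.com
printf '%s\n' "$SAMPLE_KLIST" | cifs_preflight 192.0.2.10 || true
```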
    
