I have joined a Zentyal domain (an AD domain) using PowerBroker Identity Services, and I want it to mount my remote home directory when a remote user logs in. This is the PBIS configuration:
AllowDeleteTo ""
AllowReadTo ""
AllowWriteTo ""
MaxDiskUsage 104857600
MaxEventLifespan 90
MaxNumEvents 100000
DomainSeparator "\\"
SpaceReplacement "^"
EnableEventlog false
Providers "ActiveDirectory"
DisplayMotd false
PAMLogLevel "error"
UserNotAllowedError "Access denied"
AssumeDefaultDomain true
CreateHomeDir true
CreateK5Login true
SyncSystemTime true
TrimUserMembership true
LdapSignAndSeal false
LogADNetworkConnectionEvents true
NssEnumerationEnabled true
NssGroupMembersQueryCacheOnly true
NssUserMembershipQueryCacheOnly false
RefreshUserCredentials true
CacheEntryExpiry 14400
DomainManagerCheckDomainOnlineInterval 300
DomainManagerUnknownDomainCacheTimeout 3600
MachinePasswordLifespan 2592000
MemoryCacheSizeCap 0
HomeDirPrefix "/home"
HomeDirTemplate "%H/%U"
RemoteHomeDirTemplate "%H/%U"
HomeDirUmask "022"
LoginShellTemplate "/bin/bash"
SkeletonDirs "/etc/skel"
UserDomainPrefix "mosek.zentyal"
DomainManagerIgnoreAllTrusts false
DomainManagerIncludeTrustsList
DomainManagerExcludeTrustsList
RequireMembershipOf
Local_AcceptNTLMv1 true
Local_HomeDirTemplate "%H/%U"
Local_HomeDirUmask "022"
Local_LoginShellTemplate "/bin/sh"
Local_SkeletonDirs "/etc/skel"
UserMonitorCheckInterval 1800
LsassAutostart true
EventlogAutostart true
As far as I know, as long as RemoteHomeDirTemplate is set it should be mounted, but the problem is that it is not mounted.
So I tried to look up a user to see how it appears, and this is what it looks like:
# /opt/pbis/bin/find-objects --user tomas
User object [1 of 1] (S-1-5-21-755094111-53741902-1678977104-1108)
============
Enabled: yes
Distinguished name: CN=Tomas Nielsen,CN=Users,DC=mosek,DC=zentyal
SAM account name: tomas
NetBIOS domain name: MOSEK
UPN: tomas@MOSEK.ZENTYAL
Display Name: Tomas Nielsen
Alias: <null>
UNIX name: MOSEK\tomas
GECOS: Tomas Nielsen
Shell: /bin/bash
Home directory: /home/tomas
Windows home directory: \\nyborg.MOSEK.ZENTYAL\tomas
Local windows home directory: /home/tomas
UID: 1588593748
Primary group SID: S-1-5-21-755094111-53741902-1678977104-513
Primary GID: 1588593153
Password expired: no
Password never expires: no
Change password on next logon: no
User can change password: yes
Account disabled: no
Account expired: no
Account locked: no
So it has a home dir path, both unix and windows, so I can't see anything wrong.
In my /var/log/messages I found some errors:
Dec 4 12:55:30 winbind lsass: [lsass] Failed mount of //nyborg.MOSEK.ZENTYAL/tomas on /home/tomas with data sec=krb5i,user=tomas@MOSEK.ZENTYAL,uid=1588593748,gid=1588593153,cruid=1588593748,ip=172.16.0.5, error 40188 (errno 126)
Dec 4 12:55:30 winbind lsass: [lsass] Failed mount of //nyborg.MOSEK.ZENTYAL/tomas on /home/tomas, error 3690996880 (errno 40188)
Dec 4 12:55:30 winbind lsass: [lsass] Failed to mount directory for user (tomas), actual error 40188
Dec 4 12:55:30 winbind lsass: [lsass] Failed to open session for user (name = 'tomas') -> error = 40188, symbol = LW_ERROR_UNKNOWN, client pid = 2329
Dec 4 12:55:30 winbind kernel: CIFS VFS: Send error in SessSetup = -126
Dec 4 12:55:30 winbind kernel: CIFS VFS: cifs_mount failed w/return code = -126
I tried running the command manually and got the proper error message for error 126:
#mount -t cifs -o sec=krb5i,user=tomas@MOSEK.ZENTYAL,uid=1588593748,gid=1588592152,cruid=1588593748,ip=172.16.0.5 //nyborg.MOSEK.ZENTYAL/tomas /home/tomas
mount error(126): Required key not available
Refer to the mount.cifs(8) manual page (e.g. man mount.cifs)
I checked that I have a krb ticket:
#klist
Ticket cache: KEYRING:persistent:0:0
Default principal: tomas@MOSEK.ZENTYAL
Valid starting Expires Service principal
12/09/2014 12:20:36 12/09/2014 22:20:36 krbtgt/MOSEK.ZENTYAL@MOSEK.ZENTYAL
renew until 12/16/2014 12:20:33
OK, I found that if I get a ticket as the user, I can mount it manually. If I log in as the tomas user and run kinit tomas@MOSEK.ZENTYAL, then PBIS gets cifs error 16.
So, how can this be solved?
Edit:
I tried installing a newer version of PBIS (PBIS Open 8.2.1), and now the error I get is different:
[root@centosy tomas]# tail /var/log/messages
Jan 22 12:43:36 centosy lsass: [lsass] Failed mount of //nyborg.MOSEK.ZENTYAL/tomas on /home/tomas with data sec=krb5i,user=tomas@MOSEK.ZENTYAL,uid=1588593748,gid=1588593153,cruid=1588593748,ip=172.16.0.5, error 40158 (errno 13)
Jan 22 12:43:36 centosy lsass: [lsass] Failed mount of //nyborg.MOSEK.ZENTYAL/tomas on /home/tomas, error 1879066032 (errno 40158)
Jan 22 12:43:36 centosy lsass: [lsass] Failed to mount directory for user (tomas), actual error 40158
Jan 22 12:43:36 centosy lsass: [lsass] Failed to open session for user (name = 'tomas') -> error = 40158, symbol = LW_ERROR_ACCESS_DENIED, client pid = 2353
Jan 22 12:43:36 centosy lsass: [lsass] Failed mount of //nyborg.MOSEK.ZENTYAL/tomas on /home/tomas with data sec=krb5,user=tomas@MOSEK.ZENTYAL,uid=1588593748,gid=1588593153,cruid=1588593748,ip=172.16.0.5, error 40158 (errno 13)
Jan 22 12:43:36 centosy lsass: [lsass] Failed mount of //nyborg.MOSEK.ZENTYAL/tomas on /home/tomas with data sec=krb5i,user=tomas@MOSEK.ZENTYAL,uid=1588593748,gid=1588593153,cruid=1588593748,ip=172.16.0.5, error 40158 (errno 13)
Jan 22 12:43:36 centosy lsass: [lsass] Failed mount of //nyborg.MOSEK.ZENTYAL/tomas on /home/tomas, error 1879066032 (errno 40158)
Jan 22 12:43:36 centosy lsass: [lsass] Failed to mount directory for user (tomas), actual error 40158
Jan 22 12:43:36 centosy lsass: [lsass] Failed to open session for user (name = 'tomas') -> error = 40158, symbol = LW_ERROR_ACCESS_DENIED, client pid = 2353
Jan 22 12:44:11 centosy su: (to root) tomas on pts/0
Posted 2015-09-08 11:57:21
I think I found the answer to your question, have a look at my own issue:
CentOS 7 uses systemd, and the PBIS service is configured to use a private "tmp" folder. Unfortunately, this causes the Kerberos ticket to be created in the wrong directory (it is generated in /tmp/systemd-private-xxx instead of /tmp). I edited the service configuration lwsmd.service and set PrivateTmp=no. Now everything works...
Posted 2021-01-26 11:16:56
Yesterday I got the same error message; in my case it was a problem with addressing the server via DNS (it has multiple names in DNS), the same one the AD server knows.
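An added triage script (not from the question or either answer) that reads the lsass "Failed mount" lines and maps the errno each one carries to the check it points at, plus a check of a systemd unit body for the PrivateTmp setting the answer above describes. The log lines are constructed from the ones in the question; errno 126 is ENOKEY, the code the kernel CIFS client returns when no Kerberos credential is found for the mounting user.

```shell
#!/bin/sh
# Constructed sample log lines, modelled on the lsass messages in the question.
SAMPLE_LOG='Dec 4 12:55:30 winbind lsass: [lsass] Failed mount of //nyborg.MOSEK.ZENTYAL/tomas on /home/tomas with data sec=krb5i,user=tomas@MOSEK.ZENTYAL,uid=1588593748,gid=1588593153,cruid=1588593748,ip=172.16.0.5, error 40188 (errno 126)
Jan 22 12:43:36 centosy lsass: [lsass] Failed mount of //nyborg.MOSEK.ZENTYAL/tomas on /home/tomas with data sec=krb5,user=tomas@MOSEK.ZENTYAL,uid=1588593748,gid=1588593153,cruid=1588593748,ip=172.16.0.5, error 40158 (errno 13)'

# Map the errno from a cifs mount failure to the defender-side check it suggests.
explain_errno() {
  case "$1" in
    126) echo "ENOKEY: no Kerberos credential visible for cruid; check where the ticket cache lives (PrivateTmp relocates /tmp)" ;;
    13)  echo "EACCES: server rejected the session; check share ACLs and that the DNS name used matches the server's SPN" ;;
    16)  echo "EBUSY: mount point already in use" ;;
    *)   echo "errno $1: see mount.cifs(8)" ;;
  esac
}

# Print "share errno=N hint" for every failed mount that carries its mount data.
triage_mount_failures() {
  printf '%s\n' "$1" |
  sed -n 's/.*Failed mount of \([^ ]*\) on [^ ]* with data .* (errno \([0-9]*\)).*/\1 \2/p' |
  while read -r share errno; do
    printf '%s errno=%s %s\n' "$share" "$errno" "$(explain_errno "$errno")"
  done
}

# Return success if a unit file body (passed as a string) enables PrivateTmp.
private_tmp_enabled() {
  printf '%s\n' "$1" |
  grep -qiE '^[[:space:]]*PrivateTmp[[:space:]]*=[[:space:]]*(yes|true|on|1)[[:space:]]*$'
}

# The drop-in body that applies the answer's fix without editing the shipped unit
# (install it via "systemctl edit lwsmd.service", then daemon-reload and restart).
print_privatetmp_override() {
  printf '[Service]\nPrivateTmp=no\n'
}

# Stand-alone run: triage the sample and show the override.
triage_mount_failures "$SAMPLE_LOG"
print_privatetmp_override
```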
https://serverfault.com/questions/649133