Bug 14012 - Missing request-key configuration entry for key type logon
Status: NEW
Alias: None
Product: CifsVFS
Classification: Unclassified
Component: kernel fs
Version: 3.x
Hardware: All All
Importance: P5 normal
Target Milestone: ---
Assignee: Steve French
QA Contact: cifs QA contact
Reported: 2019-06-25 15:54 UTC by Ronny Blomme
Modified: 2020-07-16 00:12 UTC

Description Ronny Blomme 2019-06-25 15:54:28 UTC
When I try to access a cifs filesystem that is mounted with the "multiuser" option, there is an error message in the authlog: "request-key: Cannot find command to construct key ****"

I mount a share at boot time as user1 and want to use the share as user2, user3, ... I added the mount option "multiuser". The mount operation succeeds, but when I try to access the share as user2, I get a "permission denied" message, with the error message in the authlog "request-key: Cannot find command to construct key ****"

Platform:
- Ubuntu 18.04.2 LTS
- samba -V: Version 4.7.6-Ubuntu
- keyutils: 1.5.9-9.2ubuntu2
- cifs-utils: 6.8-1

Detailed info:

/etc/fstab contains:
//myserver.mydomain/ea06test /mnt/myshare cifs rw,auto,multiuser,mfsymlinks,vers=3.0,sec=ntlmssp,credentials=/var/keytabs/mountcreds 0 0

/var/keytabs/mountcreds contains the credentials of user1

output of the "mount" command contains:
//myserver.mydomain/ea06test on /mnt/myshare type cifs (rw,relatime,vers=3.0,sec=ntlmssp,cache=strict,multiuser,domain=mydomain,uid=0,noforceuid,gid=0,noforcegid,addr=<server ip address>,file_mode=0755,dir_mode=0755,soft,nounix,serverino,mapposix,mfsymlinks,noperm,rsize=1048576,wsize=1048576,echo_interval=60,actimeo=1)

I log in as user2:

$ id
uid=1507005289(user2) gid=1507000513(domain users) ...
$ cifscreds add -d mydomain
Password: *****
$ ls /mnt/myshare
ls: cannot access '/mnt/myshare': Permission denied
$ keyctl show
Session Keyring
 447290447 --alswrv  1507005289 1507000513  keyring: _ses
 451265523 --alswrv  1507005289 65534   \_ keyring: _uid.1507005289
 111699691 --alsw-v  1507005289 1507000513   \_ logon: cifs:a:<server ip address>
1044635621 ----sw-v  1507005289 1507000513   \_ logon: cifs:d:mydomain

I set the debug flag for request-key => the auth.log contains:

Jun 21 16:48:03 ea06c533 request-key: Key descriptor: "logon;1507005289;1507000513;3d010000;cifs:d:mydomain"
Jun 21 16:48:03 ea06c533 request-key: Key type: logon
Jun 21 16:48:03 ea06c533 request-key: Key desc: cifs:d:mydomain
Jun 21 16:48:03 ea06c533 request-key: CALLOUT: ''
Jun 21 16:48:03 ea06c533 request-key: Opened config file '/etc/request-key.conf'
Jun 21 16:48:03 ea06c533 request-key: match(create,create)
Jun 21 16:48:03 ea06c533 request-key:  = yes
Jun 21 16:48:03 ea06c533 request-key: match(dns_resolver,logon)
Jun 21 16:48:03 ea06c533 request-key:  = no
Jun 21 16:48:03 ea06c533 request-key: match(create,create)
Jun 21 16:48:03 ea06c533 request-key:  = yes
Jun 21 16:48:03 ea06c533 request-key: match(cifs.idmap,logon)
Jun 21 16:48:03 ea06c533 request-key:  = no
Jun 21 16:48:03 ea06c533 request-key: match(create,create)
Jun 21 16:48:03 ea06c533 request-key:  = yes
Jun 21 16:48:03 ea06c533 request-key: match(cifs.spnego,logon)
Jun 21 16:48:03 ea06c533 request-key:  = no
Jun 21 16:48:03 ea06c533 request-key: match(create,create)
Jun 21 16:48:03 ea06c533 request-key:  = yes
Jun 21 16:48:03 ea06c533 request-key: match(user,logon)
Jun 21 16:48:03 ea06c533 request-key:  = no
Jun 21 16:48:03 ea06c533 request-key: match(create,create)
Jun 21 16:48:03 ea06c533 request-key:  = yes
Jun 21 16:48:03 ea06c533 request-key: match(user,logon)
Jun 21 16:48:03 ea06c533 request-key:  = no
Jun 21 16:48:03 ea06c533 request-key: match(create,create)
Jun 21 16:48:03 ea06c533 request-key:  = yes
Jun 21 16:48:03 ea06c533 request-key: match(user,logon)
Jun 21 16:48:03 ea06c533 request-key:  = no
Jun 21 16:48:03 ea06c533 request-key: match(create,create)
Jun 21 16:48:03 ea06c533 request-key:  = yes
Jun 21 16:48:03 ea06c533 request-key: match(user,logon)
Jun 21 16:48:03 ea06c533 request-key:  = no
Jun 21 16:48:03 ea06c533 request-key: match(create,create)
Jun 21 16:48:03 ea06c533 request-key:  = yes
Jun 21 16:48:03 ea06c533 request-key: match(user,logon)
Jun 21 16:48:03 ea06c533 request-key:  = no
Jun 21 16:48:03 ea06c533 request-key: match(create,create)
Jun 21 16:48:03 ea06c533 request-key:  = yes
Jun 21 16:48:03 ea06c533 request-key: match(user,logon)
Jun 21 16:48:03 ea06c533 request-key:  = no
Jun 21 16:48:03 ea06c533 request-key: match(negate,create)
Jun 21 16:48:03 ea06c533 request-key:  = no
Jun 21 16:48:03 ea06c533 request-key: Cannot find command to construct key ****

=> There is a missing entry for "key type = logon" in the files

/etc/request-key.conf 
/etc/request-key.d/*

An strace of the request-key command confirms this:
openat(AT_FDCWD, "/etc/request-key.d/logon.conf", O_RDONLY) = -1 ENOENT (No such file or directory)

Does anyone know what is missing?

P.S. 
I can access the share as user1 (i.e. the user in the mount command)
$ cifscreds add -u user1 -d mydomain
Password: *****
$ ls /mnt/myshare 
=> success
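
Added example, not part of the original report and not keyutils code: a simplified Python model of the rule lookup that the request-key debug log above traces, run against the key descriptor from that log. The sample configuration is constructed from the rule types the log names, the program paths are placeholders, and the single-`*` wildcard handling is a simplifying assumption.

```python
# Constructed sample config using the rule types named in the debug log.
# Program paths are placeholders, not taken from the reporter's system.
SAMPLE_CONF = """\
#OP     TYPE          DESCRIPTION  CALLOUT-INFO  PROGRAM ARG1 ...
create  dns_resolver  *            *             /placeholder/dns-helper %k
create  cifs.idmap    *            *             /placeholder/idmap-helper %k
create  cifs.spnego   *            *             /placeholder/spnego-helper %k
create  user          debug:*      negate        /placeholder/keyctl negate %k 30 %S
negate  *             *            *             /placeholder/keyctl negate %k 30 %S
"""

def wildcard_match(pattern, value):
    """Assumption: a pattern holds at most one '*', matching any substring."""
    if "*" not in pattern:
        return pattern == value
    head, _, tail = pattern.partition("*")
    return (len(value) >= len(head) + len(tail)
            and value.startswith(head) and value.endswith(tail))

def parse_rules(text):
    """Return [op, type, description, callout, program] per non-comment line."""
    rules = []
    for line in text.splitlines():
        fields = line.strip().split(None, 4)
        if len(fields) == 5 and not fields[0].startswith("#"):
            rules.append(fields)
    return rules

def find_rule(rules, op, descriptor, callout=""):
    """Match 'type;uid;gid;perm;description'; return (program or None, trace)."""
    key_type, _uid, _gid, _perm, desc = descriptor.split(";", 4)
    trace = []  # (rule type, key type, matched) for each rule whose op matched
    for r_op, r_type, r_desc, r_callout, program in rules:
        if not wildcard_match(r_op, op):
            continue
        type_ok = wildcard_match(r_type, key_type)
        trace.append((r_type, key_type, type_ok))
        if (type_ok and wildcard_match(r_desc, desc)
                and wildcard_match(r_callout, callout)):
            return program, trace
    return None, trace

if __name__ == "__main__":
    key = "logon;1507005289;1507000513;3d010000;cifs:d:mydomain"  # from the log
    program, trace = find_rule(parse_rules(SAMPLE_CONF), "create", key)
    for rule_type, key_type, ok in trace:
        print(f"match({rule_type},{key_type}) = {'yes' if ok else 'no'}")
    print(program or "Cannot find command to construct key")
```

Pointing `parse_rules` at the contents of a real configuration file shows which rule, if any, a given descriptor from auth.log would select.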