IBM Support

IBM AIX: smbc requires an SPN to mount shares

Troubleshooting


Problem

The smbc client uses Kerberos to authenticate to SMB servers, which requires smbc to obtain a TGT (ticket granting ticket) for an SPN (service principal name) that represents the "cifs" service on the SMB server. If the Kerberos server does not recognize the SPN, the request for a TGT is denied and the share fails to mount.

Symptom

The mount command fails with this message:
There was an error connecting the share or the server.  Make sure the lsdev command shows that device nsmb0 is in the Available state.  Also make sure that the share name, user name and password are accurate.
This error message is generic and can occur for many reasons. Diagnostic data must be gathered with syslog or iptrace to determine whether a missing or incorrect SPN is the root cause.

Cause

To request a TGT to authenticate to the SMB server, smbc formulates an SPN by combining these values:
  • The string "cifs".
  • The forward slash character "/".
  • The lowercase, short host name of the SMB server.
  • A period ".".
  • The Kerberos realm name, in lowercase, specified with the wrkgrp mount option.
For example, if the SMB server's full host name is "smbsrv1.int.domain.com" and the value of the wrkgrp option is "AD.US.DOMAIN.COM", then the SPN is "cifs/smbsrv1.ad.us.domain.com".

Diagnosing The Problem

Perform the instructions at https://www.ibm.com/support/pages/node/1396083 to gather the required information.
If any of the following items is found in the diagnostic data, then there is a problem with the SPN.
The output from syslog contains one of these messages.
  • user:debug smbcd: smbfs_gssAuthenticate: Returning smbfs_gssGetSessionKey gt.gerror:851968
  • kern:err|error unix: smb_smb2_ssnsetup: gerror = D0000
  • The Kerberos error codes "-1765328343" or "-1765328377", which can appear instead as "96C73A29" or "96C73A07".
The iptrace has a Kerberos response packet with the error "KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN" or "eRR-S-PRINCIPAL-UNKNOWN" for the server user "cifs".
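As an added worked example (not from the IBM technote), the Python below derives the SPN by the rule given in the "Cause" section, shows that the decimal and hexadecimal Kerberos error codes listed above are the same 32-bit value, and scans syslog lines for the indicator messages; the host names, realm and syslog lines are constructed for illustration.

```python
# Signatures the technote lists as evidence of a missing or incorrect SPN.
SPN_ERROR_MESSAGES = (
    "smbfs_gssAuthenticate: Returning smbfs_gssGetSessionKey gt.gerror:851968",
    "smb_smb2_ssnsetup: gerror = D0000",
)
SPN_ERROR_CODES = ("-1765328343", "-1765328377", "96C73A29", "96C73A07")


def derive_spn(server_host, wrkgrp):
    """Build the SPN smbc requests: cifs/<short host>.<realm>, both lowercase."""
    short_host = server_host.strip().split(".")[0].lower()
    realm = wrkgrp.strip().lower()
    if not short_host or not realm:
        raise ValueError("both the SMB server host name and the wrkgrp value are required")
    return f"cifs/{short_host}.{realm}"


def krb5_code_hex(code):
    """Render a signed 32-bit Kerberos error code in the unsigned hex form syslog may print."""
    return f"{code & 0xFFFFFFFF:08X}"


def find_spn_indicators(syslog_lines):
    """Return the syslog lines that carry any of the SPN-problem signatures."""
    hits = []
    for line in syslog_lines:
        if any(m in line for m in SPN_ERROR_MESSAGES) or any(c in line for c in SPN_ERROR_CODES):
            hits.append(line.rstrip())
    return hits


# Constructed sample syslog output; three lines match, one does not.
SAMPLE_SYSLOG = [
    "Mar 24 10:01:02 aixhost user:debug smbcd: smbfs_gssAuthenticate: Returning smbfs_gssGetSessionKey gt.gerror:851968",
    "Mar 24 10:01:02 aixhost kern:err|error unix: smb_smb2_ssnsetup: gerror = D0000",
    "Mar 24 10:01:02 aixhost user:debug smbcd: gss_init_sec_context minor status 96C73A07",
    "Mar 24 10:01:03 aixhost user:info smbcd: mount request received for share data1",
]

if __name__ == "__main__":
    print("expected SPN:", derive_spn("smbsrv1.int.domain.com", "AD.US.DOMAIN.COM"))
    print("hex form of -1765328377:", krb5_code_hex(-1765328377))
    for hit in find_spn_indicators(SAMPLE_SYSLOG):
        print("SPN indicator:", hit)
```

Compare the derived SPN with the one registered on the Kerberos server; if they differ, or the syslog scan reports hits, the SPN is the likely cause.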

Resolving The Problem

The SPN required by smbc must be added to the Kerberos server. The SPN can be formulated with the items in the "Cause" section or by looking for the TGS-REQ packet in the iptrace that receives the unknown principal response.
[Figure: the TGS-REQ packet in the iptrace, showing the two SNameString values of the requested principal]
Combine the two SNameString values with a "/" character to form the SPN.
If the Kerberos server is Windows, the SPN can be added in one of two ways: with the setspn command or with the Active Directory Users and Computers snap-in. In both cases, the account to which the SPN must be added is the computer account for the Kerberos server. It is typically located in the "Domain Controllers" folder in the snap-in and is named with the short host name of the server. For example, if the SPN is "cifs/smbsrv1.ad.us.domain.com" and the Kerberos server name is "adsrv1", use this setspn command.
setspn -S cifs/smbsrv1.ad.us.domain.com adsrv1
In the snap-in, select the server account in the "Domain Controllers" folder, right-click it, and select "Properties". Click the "Attribute Editor" tab, scroll down to the "servicePrincipalName" attribute, and click "Edit". Type the SPN value into the "Value to add:" box, click "Add", then "OK", and then "Apply" or "OK".
Once the SPN is added, try again to mount the share.
Microsoft, Windows, Windows NT, and the Windows logo are trademarks of Microsoft Corporation in the United States, other countries, or both.

SUPPORT:

If the instructions in this document do not lead to resolution of the problem, follow these instructions to open a case. The product must be under warranty or have an active and valid support contract.

a.  Document or take screen captures of all symptoms, errors, or messages.

b.  Capture any logs or data relevant to the issue.

c.  Contact IBM® to open a case.

   -For electronic support, visit the IBM Support Community:
     https://www.ibm.com/mysupport
   -If you require telephone support, visit this web page:
      https://www.ibm.com/planetwide/

d.  Provide a detailed description of the issue and reference this technote.

e.  Upload all of the details and data to the case.

   -You can attach files to the case in the IBM Support Community, or
   -Upload data to IBM test case server analysis at this URL:

    http://www.ibm.com/support/docview.wss?uid=ibm10733581

Document Location

Worldwide

Document Information

Modified date:
24 March 2022

UID

ibm16380146