Fc38 mount.cifs mount.smb mount.smb3 error -126

The command below works perfectly on fc37 after update to fc38:

  • command: sudo mount.smb3 -o username=USER,password=PWD,domain=DOMAIN (dfs share of ad domain) (mount point)

  • the problem after the update is:
    mount error(126): Required key not available
    dmesg says:
    [ 214.450797] CIFS: Attempting to mount (dfs share of ad domain)
    [ 214.462086] CIFS: VFS: cifs_mount failed w/return code = -126

Try using the legacy crypto policy:

sudo update-crypto-policies --set LEGACY

Or decrease the minimum protocol version.

Thanks for your reply, but neither of the two solutions works.
As far back as fc35, the indicated command worked, up until Fedora 38.
So I think something changed in the kernel or SMB client.
Thanks again.
livio


I’ve found a temporary solution; maybe it is some policy with SELinux, i.e. I’ve set SELinux on my admin workstation to permissive, so I’m now able to mount the AD DFS file system as in f37.
So I think it’s necessary to investigate the SELinux policy.
Thanks, livio


Try collecting the relevant SELinux warnings from the system journal:

journalctl --no-pager -g avc

Apr 26 09:04:06 [CUT clientname] audit[3716]: AVC avc: denied { execute } for pid=3716 comm="request-key" name="key.dns_resolver" dev="nvme0n1p4" ino=26161140 scontext=system_u:system_r:keyutils_request_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file permissive=1
Apr 26 09:04:06 [CUT clientname] audit[3716]: AVC avc: denied { execute_no_trans } for pid=3716 comm="request-key" path="/usr/sbin/key.dns_resolver" dev="nvme0n1p4" ino=26161140 scontext=system_u:system_r:keyutils_request_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file permissive=1
Apr 26 09:04:06 [CUT clientname] audit[3716]: AVC avc: denied { map } for pid=3716 comm="key.dns_resolve" path="/usr/sbin/key.dns_resolver" dev="nvme0n1p4" ino=26161140 scontext=system_u:system_r:keyutils_request_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file permissive=1
Apr 26 09:04:06 [CUT clientname] audit[3716]: AVC avc: denied { read } for pid=3716 comm="key.dns_resolve" name="resolv.conf" dev="nvme0n1p4" ino=12425713 scontext=system_u:system_r:keyutils_request_t:s0 tcontext=system_u:object_r:net_conf_t:s0 tclass=lnk_file permissive=1
Apr 26 09:04:06 [CUT clientname] audit[3716]: AVC avc: denied { search } for pid=3716 comm="key.dns_resolve" name="systemd" dev="tmpfs" ino=2 scontext=system_u:system_r:keyutils_request_t:s0 tcontext=system_u:object_r:init_var_run_t:s0 tclass=dir permissive=1
Apr 26 09:04:06 [CUT clientname] audit[3716]: AVC avc: denied { getattr } for pid=3716 comm="key.dns_resolve" path="/run/systemd/resolve/stub-resolv.conf" dev="tmpfs" ino=2095 scontext=system_u:system_r:keyutils_request_t:s0 tcontext=system_u:object_r:net_conf_t:s0 tclass=file permissive=1
Apr 26 09:04:06 [CUT clientname] audit[3716]: AVC avc: denied { read } for pid=3716 comm="key.dns_resolve" name="stub-resolv.conf" dev="tmpfs" ino=2095 scontext=system_u:system_r:keyutils_request_t:s0 tcontext=system_u:object_r:net_conf_t:s0 tclass=file permissive=1
Apr 26 09:04:06 [CUT clientname] audit[3716]: AVC avc: denied { open } for pid=3716 comm="key.dns_resolve" path="/run/systemd/resolve/stub-resolv.conf" dev="tmpfs" ino=2095 scontext=system_u:system_r:keyutils_request_t:s0 tcontext=system_u:object_r:net_conf_t:s0 tclass=file permissive=1
Apr 26 09:04:17 [CUT clientname] audit[3745]: AVC avc: denied { create } for pid=3745 comm="key.dns_resolve" scontext=system_u:system_r:keyutils_request_t:s0 tcontext=system_u:system_r:keyutils_request_t:s0 tclass=netlink_route_socket permissive=1
Apr 26 09:04:17 [CUT clientname] audit[3745]: AVC avc: denied { bind } for pid=3745 comm="key.dns_resolve" scontext=system_u:system_r:keyutils_request_t:s0 tcontext=system_u:system_r:keyutils_request_t:s0 tclass=netlink_route_socket permissive=1
Apr 26 09:04:17 [CUT clientname] audit[3745]: AVC avc: denied { getattr } for pid=3745 comm="key.dns_resolve" scontext=system_u:system_r:keyutils_request_t:s0 tcontext=system_u:system_r:keyutils_request_t:s0 tclass=netlink_route_socket permissive=1
Apr 26 09:04:17 [CUT clientname] audit[3745]: AVC avc: denied { nlmsg_read } for pid=3745 comm="key.dns_resolve" scontext=system_u:system_r:keyutils_request_t:s0 tcontext=system_u:system_r:keyutils_request_t:s0 tclass=netlink_route_socket permissive=1
Apr 26 09:04:17 [CUT clientname] audit[3745]: AVC avc: denied { create } for pid=3745 comm="key.dns_resolve" scontext=system_u:system_r:keyutils_request_t:s0 tcontext=system_u:system_r:keyutils_request_t:s0 tclass=udp_socket permissive=1
Apr 26 09:04:17 [CUT clientname] audit[3745]: AVC avc: denied { connect } for pid=3745 comm="key.dns_resolve" scontext=system_u:system_r:keyutils_request_t:s0 tcontext=system_u:system_r:keyutils_request_t:s0 tclass=udp_socket permissive=1
Apr 26 09:04:17 [CUT clientname] audit[3745]: AVC avc: denied { getattr } for pid=3745 comm="key.dns_resolve" laddr=[CUT client ip] lport=46656 faddr=[CUT ip srv DC AD] scontext=system_u:system_r:keyutils_request_t:s0 tcontext=system_u:system_r:keyutils_request_t:s0 tclass=udp_socket permissive=1

You can create a permissive local policy to allow the above actions:

Perhaps related:
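
The following Python example is added here and is not from the thread: it groups AVC denials like the ones quoted above into the allow rules a local policy would need, written in the notation audit2allow prints. The sample lines are constructed from the thread's output with a placeholder hostname, and the function names are illustrative.

```python
import re
from collections import defaultdict

# Constructed sample: shortened copies of denials quoted in the thread, with a
# placeholder hostname, plus one non-AVC kernel line that must be skipped.
SAMPLE = """\
Apr 26 09:04:05 client kernel: CIFS: VFS: cifs_mount failed w/return code = -126
Apr 26 09:04:06 client audit[3716]: AVC avc: denied { execute } for pid=3716 comm="request-key" name="key.dns_resolver" scontext=system_u:system_r:keyutils_request_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file permissive=1
Apr 26 09:04:06 client audit[3716]: AVC avc: denied { execute_no_trans } for pid=3716 comm="request-key" path="/usr/sbin/key.dns_resolver" scontext=system_u:system_r:keyutils_request_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file permissive=1
Apr 26 09:04:06 client audit[3716]: AVC avc: denied { read } for pid=3716 comm="key.dns_resolve" name="resolv.conf" scontext=system_u:system_r:keyutils_request_t:s0 tcontext=system_u:object_r:net_conf_t:s0 tclass=lnk_file permissive=1
Apr 26 09:04:06 client audit[3716]: AVC avc: denied { search } for pid=3716 comm="key.dns_resolve" name="systemd" scontext=system_u:system_r:keyutils_request_t:s0 tcontext=system_u:object_r:init_var_run_t:s0 tclass=dir permissive=1
Apr 26 09:04:17 client audit[3745]: AVC avc: denied { create } for pid=3745 comm="key.dns_resolve" scontext=system_u:system_r:keyutils_request_t:s0 tcontext=system_u:system_r:keyutils_request_t:s0 tclass=udp_socket permissive=1
Apr 26 09:04:17 client audit[3745]: AVC avc: denied { connect } for pid=3745 comm="key.dns_resolve" scontext=system_u:system_r:keyutils_request_t:s0 tcontext=system_u:system_r:keyutils_request_t:s0 tclass=udp_socket permissive=1
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?"
    r"scontext=(?P<s>\S+)\s+tcontext=(?P<t>\S+)\s+tclass=(?P<c>\S+)"
    r"(?:\s+permissive=(?P<p>[01]))?"
)

def sel_type(context):
    """Return the type field of a user:role:type:level context."""
    return context.split(":")[2]

def parse_avc(text):
    """Extract one record per AVC denial; other journal lines are ignored."""
    records = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if m:
            records.append({"perms": m["perms"].split(), "source": sel_type(m["s"]),
                            "target": sel_type(m["t"]), "tclass": m["c"],
                            "logged_only": m["p"] == "1"})  # permissive=1: not blocked
    return records

def allow_rules(denials):
    """Merge denials per (source, target, class) into audit2allow-style rules."""
    grouped = defaultdict(set)
    for d in denials:
        grouped[(d["source"], d["target"], d["tclass"])].update(d["perms"])
    rules = []
    for (src, tgt, cls), perms in sorted(grouped.items()):
        body = " ".join(sorted(perms))
        body = body if len(perms) == 1 else "{ " + body + " }"
        rules.append(f"allow {src} {'self' if src == tgt else tgt}:{cls} {body};")
    return rules

def source_domains(denials):
    """Domains a local policy would have to cover."""
    return sorted({d["source"] for d in denials})

if __name__ == "__main__":
    print("\n".join(allow_rules(parse_avc(SAMPLE))))
```

On the thread's data every rule has keyutils_request_t as its source domain, so a local policy can be scoped to that one domain instead of switching the whole system to permissive.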