[Pkg-samba-maint] Bug#986168: cifs-utils: cifs.upcall, krb5.conf have different credential cache defaults, cifs.mount with sec=krb5 broken

Karl O. Pinc kop at karlpinc.com
Tue Mar 30 19:43:58 BST 2021


Package: cifs-utils
Severity: normal

Hello,

I am unable to set up the appropriate environment to confirm that this
bug can be reproduced on Debian.  I strongly believe it can, and that
someone familiar with the cifs.upcall code (or familiar with setting
up SMB or Active Directory file shares) should be easily able to
verify the problem.  I have reproduced the bug on Ubuntu 18 and 20.
Given that the Debian and Ubuntu devs work together and based on my
limited attempts to compare the Debian and Ubuntu code I hope this bug
report will be useful to both distros.  (And hold out vague hope that
the bug will be fixed for Bullseye.)

The problem is that the default Kerberos credential cache
is in a file with a name that looks like: /tmp/krb5cc_10011_r0AC1F

But cifs.upcall looks for credentials in a file with a name
that looks like: /tmp/krb5cc_10011

This creates problems with sec=krb5* cifs mounts, breaking the
"multiuser" option.

I see no options to adjust the credential cache file name
used by cifs.upcall.  However, a work-around is to put:

  [libdefaults]
    default_ccache_name = FILE:/tmp/krb5cc_%{euid}

into /etc/krb5.conf.

I cannot speak to what effect the above work-around has on security.

As near as I can tell the Kerberos docs at MIT say that the default
credential cache name is "krb5cc_%{euid}", and I have not determined
where, or why, the change was made.

Setting "log level = 3" in /etc/samba/smb.conf ([global]) is helpful
when debugging this.  I found more detail in the journalctl logs than
in the syslogs, although I configured for syslogging.

FYI.  The Ubuntu tests I ran were against a Microsoft Windows Active
Directory share.

After spending some time attempting to reproduce this on Debian and
failing to set up a SAMBA test environment, and failing to spend
enough time with the code to come up with a patch, and not having the
resources to reproduce the Ubuntu environments in a lab, I cannot
presently continue.  It seems better to send in a partial bug report
than leave the problem outstanding.

This may be related to Debian bug #968943.  It is almost surely
related to Ubuntu bug number #1900856:
https://bugs.launchpad.net/ubuntu/+source/cifs-utils/+bug/1900856

-- System Information:
Debian Release: 10.9
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.19.0-16-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages cifs-utils depends on:
ii  libc6         2.28-10
ii  libcap-ng0    0.7.9-2
ii  libkeyutils1  1.6-6
ii  libkrb5-3     1.17-3+deb10u1
ii  libpam0g      1.3.1-5
ii  libtalloc2    2.1.14-2
ii  libwbclient0  2:4.9.5+dfsg-5+deb10u1

cifs-utils recommends no packages.

Versions of packages cifs-utils suggests:
ii  keyutils   1.6-6
ii  smbclient  2:4.9.5+dfsg-5+deb10u1
pn  winbind    <none>
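
A diagnostic for the mismatch described in the report, added here as an example and not part of the original message or of cifs-utils. It assumes, as the report states, that cifs.upcall reads /tmp/krb5cc_<uid>; the function names and sample inputs are constructed, and a KRB5CCNAME environment override is not considered.

```python
import re

def libdefaults_ccache_name(krb5_conf_text):
    """Return default_ccache_name from [libdefaults], or None if it is unset."""
    section, value = None, None
    for raw in krb5_conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":      # skip blanks and comments
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            section = header.group(1)
        elif section == "libdefaults" and "=" in line:
            key, _, val = line.partition("=")
            if key.strip() == "default_ccache_name":
                value = val.strip()
    return value

def check_ccache(krb5_conf_text, uid, tmp_names):
    """Compare the configured cache name with the path the report says cifs.upcall reads."""
    wanted = f"/tmp/krb5cc_{uid}"            # assumption taken from the report
    configured = libdefaults_ccache_name(krb5_conf_text)
    resolved = None
    if configured is not None:
        # Only the uid tokens are expanded here; other %{...} tokens are left as-is.
        resolved = configured.replace("%{euid}", str(uid)).replace("%{uid}", str(uid))
        if resolved.startswith("FILE:"):
            resolved = resolved[len("FILE:"):]
    # Caches with a suffix after the uid (e.g. krb5cc_10011_r0AC1F) are the
    # ones the report says cifs.upcall does not find.
    suffixed = sorted(n for n in tmp_names if re.fullmatch(rf"krb5cc_{uid}_.+", n))
    return {
        "configured": configured,
        "resolved": resolved,
        "matches_upcall": resolved == wanted,
        "exact_cache_present": f"krb5cc_{uid}" in tmp_names,
        "suffixed_caches": suffixed,
    }

# Constructed sample inputs: krb5.conf text without and with the work-around.
WITHOUT_WORKAROUND = "[libdefaults]\n    default_realm = EXAMPLE.TEST\n"
WITH_WORKAROUND = "[libdefaults]\n  default_ccache_name = FILE:/tmp/krb5cc_%{euid}\n"

if __name__ == "__main__":
    print(check_ccache(WITHOUT_WORKAROUND, 10011, ["krb5cc_10011_r0AC1F"]))
    print(check_ccache(WITH_WORKAROUND, 10011, ["krb5cc_10011"]))
```

On a live host, pass the contents of /etc/krb5.conf and the output of os.listdir("/tmp"); a cache file that is present should also be owned by the user and not readable by others.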


