[Pkg-samba-maint] Bug#1023609: smbclient does not work with kerberos ccache of KEYRING: type
Vincent Danjean
vdanjean at debian.org
Mon Nov 7 15:45:10 GMT 2022
Package: smbclient
Version: 2:4.16.6+dfsg-5~bpo11+1
Severity: normal
Hi,
I'm trying to use smbclient with kerberos login, for example to
get the list of shares with something like:
smbclient -N --use-kerberos=required -gL samba-server.example.org
If using the FILE: ccache, it works.
If using a KEYRING: ccache, it does not work.
And the --use-krb5-ccache option does not seem to be taken into account:
$ export KRB5CCNAME=FILE:/tmp/ccache_file
$ rm $KRB5CCNAME
rm: cannot remove 'FILE:/tmp/ccache_file': No such file or directory
$ kinit
Password for XXX at XXX:
$ smbclient -N --use-kerberos=required --use-krb5-ccache=FILE:/tmp/ccache_file -gL samba-server.example.org
[... list of shares ...]
$ smbclient -N --use-kerberos=required -gL samba-server.example.org
[... list of shares ...]
$ smbclient -N --use-kerberos=required --use-krb5-ccache=FILE:/non-existant -gL samba-server.example.org
[... list of shares ...] <- probably a fallback to KRB5CCNAME
$ export KRB5CCNAME=FILE:/non-existant
$ smbclient -N --use-kerberos=required -gL samba-server.example.org
gensec_spnego_client_negTokenInit_step: Could not find a suitable mechtype in NEG_TOKEN_INIT
session setup failed: NT_STATUS_INVALID_PARAMETER
$ smbclient -N --use-kerberos=required --use-krb5-ccache=FILE:/tmp/ccache_file -gL samba-server.example.org
gensec_spnego_client_negTokenInit_step: Could not find a suitable mechtype in NEG_TOKEN_INIT
session setup failed: NT_STATUS_INVALID_PARAMETER
$ smbclient -N --use-kerberos=required --use-krb5-ccache=/tmp/ccache_file -gL samba-server.example.org
gensec_spnego_client_negTokenInit_step: Could not find a suitable mechtype in NEG_TOKEN_INIT
session setup failed: NT_STATUS_INVALID_PARAMETER
$ export KRB5CCNAME=KEYRING:persistent:`id -u`:krb_ccache
$ kinit
Password for XXX at XXX:
$ smbclient -N --use-kerberos=required -gL samba-server.example.org
gensec_spnego_client_negTokenInit_step: Could not find a suitable mechtype in NEG_TOKEN_INIT
session setup failed: NT_STATUS_INVALID_PARAMETER
$ smbclient -N --use-kerberos=required --use-krb5-ccache=$KRB5CCNAME -gL samba-server.example.org
gensec_spnego_client_negTokenInit_step: Could not find a suitable mechtype in NEG_TOKEN_INIT
session setup failed: NT_STATUS_INVALID_PARAMETER
klist and other kerberos-enabled tools (such as ssh) work correctly
when KRB5CCNAME is set to FILE:... but also to KEYRING:...
So, from my experiments, it seems:
- the --use-krb5-ccache is never used (at least when KRB5CCNAME is set)
[it was not the goal of this bug report, but I see it when trying my commands]
- smbclient does not handle ccache using the kernel keyring
Perhaps this is due to samba using the heimdal kerberos implementation?
Regards,
Vincent
-- System Information:
Debian Release: 11.5
APT prefers stable-security
APT policy: (990, 'stable-security'), (990, 'stable'), (500, 'stable-updates'), (500, 'oldstable-updates'), (500, 'oldstable')
Architecture: amd64 (x86_64)
Kernel: Linux 5.15.0-0.bpo.3-amd64 (SMP w/6 CPU threads)
Locale: LANG=C.UTF-8, LC_CTYPE=C.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
Versions of packages smbclient depends on:
ii libarchive13 3.4.3-2+deb11u1
ii libbsd0 0.11.3-1
ii libc6 2.31-13+deb11u4
ii libgnutls30 3.7.1-5+deb11u2
ii libpopt0 1.18-2
ii libreadline8 8.1-1
ii libsmbclient 2:4.16.6+dfsg-5~bpo11+1
ii libtalloc2 2.3.3-4~bpo11+1
ii libtevent0 0.11.0-1~bpo11+1
ii samba-common 2:4.16.6+dfsg-5~bpo11+1
ii samba-libs 2:4.16.6+dfsg-5~bpo11+1
smbclient recommends no packages.
Versions of packages smbclient suggests:
ii cifs-utils 2:7.0-2~bpo11+1
pn heimdal-clients <none>
-- no debconf information