Jonathan Davis
2020-Sep-15 18:14 UTC
[Samba] smbclient ignores configured kerberos ccache when using krb5-user on ubuntu/debian
Hello all.

I'm encountering an issue where smbclient seemingly ignores the kerberos ccache as configured in krb5.conf when using "krb5-user" as the kerberos package and will instead always default to using "FILE:/tmp/krb5cc_uid". I tested each valid default ccache name type but smbclient completely ignores whatever is set as the "default_ccache_name" in the conf file. I went on to test "heimdal-clients" as the kerberos package and smbclient appears to be using the ccache that is configured in the conf file. This behavior occurs on Ubuntu 20.04 and 19.10 as well as Debian 10.5.

Swapping krb5-user for heimdal-clients is not a desirable nor functional solution for me because I want to utilize either the "KEYRING:persistent:%{uid}" or "KCM:" ccaches; both of which I'm unable to get working with heimdal-clients. On the same system SSSD, pam_mount and mount, all work with krb5-user and honor the configured ccache. I'd like to point out that the smbclient on CentOS 7 and 8 doesn't have this issue and works with "krb5-workstation" and both the "KEYRING" and "KCM" ccaches.

So... is smbclient on debian/ubuntu only compatible with heimdal and not MIT kerberos? What am I missing? Any help or clarity would be greatly appreciated.

Thank you!

Additional details below...
I'm currently testing on Ubuntu 20.04, kernel 5.4.0-47-generic, smbclient 4.11.6-Ubuntu, and krb5-user 1.17

Steps I took: I run a kinit and obtain a valid ticket, klist confirms this and that it's stored in the configured ccache. I then run this command:

smbclient //server.this.domain.com/share -k -d5

Here's a snippet of the debug output, pay particular attention to the "smb_gss_krb5_import_cred" line:

-----
session request ok
negotiated dialect[SMB3_11] against server[server.this.domain.com]
cli_session_setup_spnego_send: Connect to server.this.domain.com as user at THIS.DOMAIN.COM using SPNEGO
Starting GENSEC mechanism spnego
Starting GENSEC submechanism gse_krb5
smb_gss_krb5_import_cred ccache[FILE:/tmp/krb5cc_11111] failed with [ Miscellaneous failure (see text): unknown mech-code 2 for mech 1 2 840 113554 1 2 2] -the caller may retry after a kinit.
Failed to start GENSEC client mech gse_krb5: NT_STATUS_INTERNAL_ERROR
gensec_spnego_client_negTokenInit_step: Could not find a suitable mechtype in NEG_TOKEN_INIT
gensec_update_done: spnego[0x55857f9be090]: NT_STATUS_INVALID_PARAMETER
SPNEGO login failed: An invalid parameter was passed to a service or function.
-----

Here are the contents of the krb5.conf and smb.conf files:

#----krb5.conf----
[libdefaults]
default_realm = THIS.DOMAIN.COM
dns_lookup_realm = true
dns_lookup_kdc = true
ticket_lifetime = 24h
renew_lifetime = 7d
kdc_timesync = 1
forwardable = true
proxiable = true
canonicalize = true
rdns = false
spake_preauth_groups = edwards25519
default_ccache_name = KEYRING:persistent:%{uid}
#----krb5 end----

#----smb.conf----
[global]
workgroup = DOMAIN
netbios name = MACHINENAME
logging = file
log file = /var/log/samba/log.%m
max log size = 1000
log level = 3
realm = THIS.DOMAIN.COM
kerberos method = secrets and keytab
client signing = mandatory
client min protocol = SMB2
client max protocol = default
client ipc signing = mandatory
client ipc min protocol = SMB2
client ipc max protocol = default
client ldap sasl wrapping = seal
client NTLMv2 auth = yes
client use spnego = yes
ntlm auth = ntlmv2-only
raw NTLMv2 auth = no
restrict anonymous = 2
#----smb end----

-- 
Jonathan Davis
Systems Administrator
Leepfrog Technologies, Inc.
www.leepfrog.com
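The troubleshooting step described in the post above (run smbclient with -d5 and read the "smb_gss_krb5_import_cred" line) can be turned into a repeatable check. The following shell script is an added example, not code from this thread or from Samba: it extracts the ccache name smbclient reports, reads default_ccache_name from the [libdefaults] section of a krb5.conf (expanding %{uid} the way MIT krb5 does), and reports whether the two agree. The debug snippet and the krb5.conf fragment embedded in it are constructed from the values posted above, the uid 11111 is taken from the posted ccache path, and the KRB5CCNAME value it prints on a mismatch is simply whatever the caller's environment holds, because MIT krb5 consults that variable before default_ccache_name.

```shell
#!/bin/sh
# Added example (not from the thread or from Samba): compare the ccache that
# "smbclient -k -d5" tries to import with the default_ccache_name configured
# in krb5.conf [libdefaults]. All inputs below are constructed samples.

# Constructed sample of the relevant smbclient -d5 lines (values from the post).
SAMPLE_DEBUG='Starting GENSEC submechanism gse_krb5
smb_gss_krb5_import_cred ccache[FILE:/tmp/krb5cc_11111] failed with [ Miscellaneous failure (see text): unknown mech-code 2 for mech 1 2 840 113554 1 2 2] -the caller may retry after a kinit.
Failed to start GENSEC client mech gse_krb5: NT_STATUS_INTERNAL_ERROR'

# Constructed krb5.conf fragment mirroring the one posted in the thread.
SAMPLE_KRB5_CONF='[libdefaults]
    default_realm = THIS.DOMAIN.COM
    default_ccache_name = KEYRING:persistent:%{uid}
[realms]
'

# Print the ccache name smbclient tried to import, read from debug output on stdin.
debug_ccache() {
    sed -n 's/.*smb_gss_krb5_import_cred ccache\[\([^]]*\)\].*/\1/p' | head -n 1
}

# Print default_ccache_name from the [libdefaults] section of a krb5.conf on
# stdin, with %{uid} replaced by the uid given as argument 1 (as MIT krb5 does).
configured_ccache() {
    uid="$1"
    awk -v uid="$uid" '
        /^[[:space:]]*\[/ { in_libdefaults = ($0 ~ /^[[:space:]]*\[libdefaults\]/); next }
        in_libdefaults && $1 == "default_ccache_name" {
            sub(/^[^=]*=[[:space:]]*/, "")
            i = index($0, "%{uid}")
            if (i) $0 = substr($0, 1, i - 1) uid substr($0, i + 6)
            print
            exit
        }'
}

# Compare reported (arg 1) and configured (arg 2) ccache names.
# Returns 0 when they agree, 1 when smbclient used a different ccache,
# 2 when no smb_gss_krb5_import_cred line was found in the debug output.
check_ccache_match() {
    reported="$1"; configured="$2"
    if [ -z "$reported" ]; then
        echo "no smb_gss_krb5_import_cred line found; rerun smbclient with -d5" >&2
        return 2
    fi
    if [ "$reported" = "$configured" ]; then
        echo "OK: smbclient used the configured ccache $configured"
        return 0
    fi
    echo "MISMATCH: smbclient used '$reported' but krb5.conf configures '$configured'"
    echo "          KRB5CCNAME in this environment: '${KRB5CCNAME:-unset}'"
    return 1
}

# Run the check against the constructed samples; exit status follows the result.
run_sample_check() {
    rep=$(printf '%s\n' "$SAMPLE_DEBUG" | debug_ccache)
    cfg=$(printf '%s\n' "$SAMPLE_KRB5_CONF" | configured_ccache 11111)
    check_ccache_match "$rep" "$cfg"
}

# Invoke as "sh check_ccache.sh demo" to run the constructed sample.
if [ "${1:-}" = "demo" ]; then
    run_sample_check
fi
```

On a live system, feed real data instead of the samples: smbclient writes its debug output to stderr, so `smbclient //server/share -k -d5 2>&1 | debug_ccache` gives the reported name, and `configured_ccache "$(id -u)" < /etc/krb5.conf` gives the configured one. On the values posted above the script reports a mismatch between FILE:/tmp/krb5cc_11111 and KEYRING:persistent:11111, which is exactly the symptom the post describes.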
Rowland penny
2020-Sep-15 19:33 UTC
[Samba] smbclient ignores configured kerberos ccache when using krb5-user on ubuntu/debian
On 15/09/2020 19:14, Jonathan Davis via samba wrote:
> Hello all.
>
> I'm encountering an issue where smbclient seemingly ignores the kerberos
> ccache as configured in krb5.conf when using "krb5-user" as the kerberos
> package and will instead always default to using "FILE:/tmp/krb5cc_uid".
> I tested each valid default ccache name type but smbclient completely
> ignores whatever is set as the "default_ccache_name" in the conf file. I
> went on to test "heimdal-clients" as the kerberos package and smbclient
> appears to be using the ccache that is configured in the conf file. This
> behavior occurs on Ubuntu 20.04 and 19.10 as well as Debian 10.5.
>
> Swapping krb5-user for heimdal-clients is not a desirable nor functional
> solution for me because I want to utilize either the
> "KEYRING:persistent:%{uid}" or "KCM:" ccaches; both of which I'm unable to
> get working with heimdal-clients. On the same system SSSD, pam_mount and
> mount, all work with krb5-user and honor the configured ccache. I'd like to
> point out that the smbclient on CentOS 7 and 8 doesn't have this issue and
> works with "krb5-workstation" and both the "KEYRING" and "KCM" ccaches.
>
> So... is smbclient on debian/ubuntu only compatible with heimdal and not MIT
> kerberos? What am I missing? Any help or clarity would be greatly
> appreciated.
>
> Thank you!
>
> Additional details below...
> I'm currently testing on Ubuntu 20.04, kernel 5.4.0-47-generic, smbclient
> 4.11.6-Ubuntu, and krb5-user 1.17
> Steps I took: I run a kinit and obtain a valid ticket, klist confirms this
> and that it's stored in the configured ccache. I then run this command:
> smbclient //server.this.domain.com/share -k -d5
> Here's a snippet of the debug output, pay particular attention to the
> "smb_gss_krb5_import_cred" line:
>
> -----
> session request ok
> negotiated dialect[SMB3_11] against server[server.this.domain.com]
> cli_session_setup_spnego_send: Connect to server.this.domain.com as
> user at THIS.DOMAIN.COM using SPNEGO
> Starting GENSEC mechanism spnego
> Starting GENSEC submechanism gse_krb5
> smb_gss_krb5_import_cred ccache[FILE:/tmp/krb5cc_11111] failed with [
> Miscellaneous failure (see text): unknown mech-code 2 for mech 1 2 840
> 113554 1 2 2] -the caller may retry after a kinit.
> Failed to start GENSEC client mech gse_krb5: NT_STATUS_INTERNAL_ERROR
> gensec_spnego_client_negTokenInit_step: Could not find a suitable mechtype
> in NEG_TOKEN_INIT
> gensec_update_done: spnego[0x55857f9be090]: NT_STATUS_INVALID_PARAMETER
> SPNEGO login failed: An invalid parameter was passed to a service or
> function.
> -----
>
> Here are the contents of the krb5.conf and smb.conf files:
>
> #----krb5.conf----
> [libdefaults]
> default_realm = THIS.DOMAIN.COM
> dns_lookup_realm = true
> dns_lookup_kdc = true
> ticket_lifetime = 24h
> renew_lifetime = 7d
> kdc_timesync = 1
> forwardable = true
> proxiable = true
> canonicalize = true
> rdns = false
> spake_preauth_groups = edwards25519
> default_ccache_name = KEYRING:persistent:%{uid}
> #----krb5 end----
>
> #----smb.conf----
> [global]
> workgroup = DOMAIN
> netbios name = MACHINENAME
> logging = file
> log file = /var/log/samba/log.%m
> max log size = 1000
> log level = 3
> realm = THIS.DOMAIN.COM
> kerberos method = secrets and keytab
> client signing = mandatory
> client min protocol = SMB2
> client max protocol = default
> client ipc signing = mandatory
> client ipc min protocol = SMB2
> client ipc max protocol = default
> client ldap sasl wrapping = seal
> client NTLMv2 auth = yes
> client use spnego = yes
> ntlm auth = ntlmv2-only
> raw NTLMv2 auth = no
> restrict anonymous = 2
> #----smb end----

It works for me, either direction between an rpi running 4.9.5 and debian buster running 4.12.6

The only difference would seem to be that program I will not mention, but has a lot of letter 's' in its name, I do not use it. I also turned Samba off on the client end.

Rowland
L.P.H. van Belle
2020-Sep-16 07:38 UTC
[Samba] smbclient ignores configured kerberos ccache when using krb5-user on ubuntu/debian
I believe you are hitting multiple things.

1. A bug in smbclient involving that kerberos cache. I've seen something passing by on this.
2. krb5.conf has too much in it, just not needed.
3. Faulty smb.conf. It's incomplete.

But more comment below.

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
> Rowland penny via samba
> Sent: Tuesday 15 September 2020 21:33
> To: samba at lists.samba.org
> Subject: Re: [Samba] smbclient ignores configured kerberos
> ccache when using krb5-user on ubuntu/debian
>
> On 15/09/2020 19:14, Jonathan Davis via samba wrote:
> > Hello all.
> >
> > I'm encountering an issue where smbclient seemingly ignores the kerberos
> > ccache as configured in krb5.conf when using "krb5-user" as the kerberos
> > package and will instead always default to using "FILE:/tmp/krb5cc_uid".
> > I tested each valid default ccache name type but smbclient completely
> > ignores whatever is set as the "default_ccache_name" in the conf file. I
> > went on to test "heimdal-clients" as the kerberos package and smbclient
> > appears to be using the ccache that is configured in the conf file. This
> > behavior occurs on Ubuntu 20.04 and 19.10 as well as Debian 10.5.
> >
> > Swapping krb5-user for heimdal-clients is not a desirable nor functional
> > solution for me because I want to utilize either the
> > "KEYRING:persistent:%{uid}" or "KCM:" ccaches; both of which I'm unable to
> > get working with heimdal-clients. On the same system SSSD, pam_mount and
> > mount, all work with krb5-user and honor the configured ccache. I'd like to
> > point out that the smbclient on CentOS 7 and 8 doesn't have this issue and
> > works with "krb5-workstation" and both the "KEYRING" and "KCM" ccaches.
> >
> > So... is smbclient on debian/ubuntu only compatible with heimdal and not MIT
> > kerberos? What am I missing? Any help or clarity would be greatly
> > appreciated.
> >
> > Thank you!
> >
> > Additional details below...
> > I'm currently testing on Ubuntu 20.04, kernel 5.4.0-47-generic, smbclient
> > 4.11.6-Ubuntu, and krb5-user 1.17
> > Steps I took: I run a kinit and obtain a valid ticket, klist confirms this
> > and that it's stored in the configured ccache. I then run this command:
> > smbclient //server.this.domain.com/share -k -d5
> > Here's a snippet of the debug output, pay particular attention to the
> > "smb_gss_krb5_import_cred" line:
> >
> > -----
> > session request ok
> > negotiated dialect[SMB3_11] against server[server.this.domain.com]
> > cli_session_setup_spnego_send: Connect to server.this.domain.com as
> > user at THIS.DOMAIN.COM using SPNEGO
> > Starting GENSEC mechanism spnego
> > Starting GENSEC submechanism gse_krb5
> > smb_gss_krb5_import_cred ccache[FILE:/tmp/krb5cc_11111] failed with [
> > Miscellaneous failure (see text): unknown mech-code 2 for mech 1 2 840
> > 113554 1 2 2] -the caller may retry after a kinit.
> > Failed to start GENSEC client mech gse_krb5: NT_STATUS_INTERNAL_ERROR
> > gensec_spnego_client_negTokenInit_step: Could not find a suitable mechtype
> > in NEG_TOKEN_INIT
> > gensec_update_done: spnego[0x55857f9be090]: NT_STATUS_INVALID_PARAMETER
> > SPNEGO login failed: An invalid parameter was passed to a service or
> > function.
> > -----
> >
> > Here are the contents of the krb5.conf and smb.conf files:

Krb5.conf: remove the last 3 lines.

> > #----krb5.conf----
> > [libdefaults]
> > default_realm = THIS.DOMAIN.COM
> > dns_lookup_realm = true
> > dns_lookup_kdc = true
> > ticket_lifetime = 24h
> > renew_lifetime = 7d
> > kdc_timesync = 1
> > forwardable = true
> > proxiable = true
> > canonicalize = true
> > rdns = false
> > spake_preauth_groups = edwards25519
> > default_ccache_name = KEYRING:persistent:%{uid}
> > #----krb5 end----

This is just a "faulty" smb.conf file.
Where is the "backend" definition?
https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member

> > #----smb.conf----
> > [global]
> > workgroup = DOMAIN
> > netbios name = MACHINENAME
> > logging = file
> > log file = /var/log/samba/log.%m
> > max log size = 1000
> > log level = 3
> > realm = THIS.DOMAIN.COM
> > kerberos method = secrets and keytab
> > client signing = mandatory
> > client min protocol = SMB2
> > client max protocol = default
> > client ipc signing = mandatory
> > client ipc min protocol = SMB2
> > client ipc max protocol = default
> > client ldap sasl wrapping = seal
> > client NTLMv2 auth = yes
> > client use spnego = yes
> > ntlm auth = ntlmv2-only
> > raw NTLMv2 auth = no
> > restrict anonymous = 2
> > #----smb end----
>
> It works for me, either direction between an rpi running 4.9.5 and
> debian buster running 4.12.6
>
> The only difference would seem to be that program I will not mention,
> but has a lot of letter 's' in its name, I do not use it. I also turned
> Samba off on the client end.
>
> Rowland
Rowland penny
2020-Sep-16 08:07 UTC
[Samba] smbclient ignores configured kerberos ccache when using krb5-user on ubuntu/debian
On 16/09/2020 08:38, L.P.H. van Belle via samba wrote:
> This is just a "faulty" smb.conf file.
> Where is the "backend" definition
>
The OP is using sssd

Rowland
L.P.H. van Belle
2020-Sep-16 08:16 UTC
[Samba] smbclient ignores configured kerberos ccache when using krb5-user on ubuntu/debian
I know, and I gave him the "samba" solution, because ... I don't know sssd either.

And I don't get the fuss on samba+winbind or samba+sssd. I have 3 services running minimal:

samba
winbind
user-homes.automount

Everything works as it should. I hope, and I'll add the note here also.

NOTE! My packages are NOT sssd compliant, you need to recompile SSSD yourselves against my samba packages.

Greetz,

Louis

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
> Rowland penny via samba
> Sent: Wednesday 16 September 2020 10:07
> To: samba at lists.samba.org
> Subject: Re: [Samba] smbclient ignores configured kerberos
> ccache when using krb5-user on ubuntu/debian
>
> On 16/09/2020 08:38, L.P.H. van Belle via samba wrote:
> > This is just a "faulty" smb.conf file.
> > Where is the "backend" definition
> >
> The OP is using sssd
>
> Rowland