samba - Feb 2017 - cifs-utils: regression in (mulituser?) mounting 'CIFS VFS: Send error in SessSetup = -126'

Hi Aurélien,
   Thanks for the idea!
For Debian packages:
   6.4-1 works
   6.5-1 works
   6.5-2 works
   6.6-1 fails
   6.6-5 fails

So looks like something changed from 6.5 to 6.6...
When I have time I'll figure out how to compile the upcall binary.

Hi Jeff,
Could you look at the following mailing list posting?

https://lists.samba.org/archive/samba/2017-February/206468.html

It looks like cifs.upcall has changed its behavior.  As described in 
that post, I can mount with root / kerberos, but then cannot access with 
another user who has credentials.

The logs indicate that cifs.upcall cannot find the kerberos ticket for 
the non-root user.

This problem does not exist in cifs-utils 6.5 and does exist in 6.6 .

My best guess ATM is that the below commit caused the problem.

Thanks for your time!
Chad.

commit 9be6e885c3bd63aa6ae9e6351e1b33a4b15d9183
Author: Jeff Layton <jlayton at samba.org>
Date:   Sun Aug 21 09:42:59 2016 -0400

     cifs.upcall: use krb5 routines to get default ccname
     Currently we end up groveling around in /tmp, trying to guess what 
the credcache will be. Instead, just get the default ccname for the 
user, and then see if it has a valid tgt. If it doesn't then we try to 
use the keytab to init the credcache before proceeding.

On Thu, 2017-02-09 at 14:45 -0600, Chad William Seys
wrote:
> Hi Jeff,
> Could you look at the following mailing list posting?
> 
> https://lists.samba.org/archive/samba/2017-February/206468.html
> 
> It looks like cifs.upcall has changed its behavior.  As described in 
> that post, I can mount with root / kerberos, but then cannot access with 
> another user who has credentials.
> 
> The logs indicate that cifs.upcall cannot find the kerberos ticket for 
> the non-root user.
> 
> This problem does not exist in cifs-utils 6.5 and does exist in 6.6 .
> 
> My best guess ATM is that the below commit caused the problem.
> 
> Thanks for your time!
> Chad.
> 
> commit 9be6e885c3bd63aa6ae9e6351e1b33a4b15d9183
> Author: Jeff Layton <jlayton at samba.org>
> Date:   Sun Aug 21 09:42:59 2016 -0400
> 
>      cifs.upcall: use krb5 routines to get default ccname
>      Currently we end up groveling around in /tmp, trying to guess what 
> the credcache will be. Instead, just get the default ccname for the 
> user, and then see if it has a valid tgt. If it doesn't then we try to 
> use the keytab to init the credcache before proceeding.

Thanks... let's see...

The logs have this in the non-working case:

     Feb  8 09:48:14 trog cifs.upcall: get_tgt_time: unable to get principal

That corresponds to this bit of code in cifs.upcall:

        if (krb5_cc_get_principal(context, ccache, &principal)) {
                syslog(LOG_DEBUG, "%s: unable to get principal",
__func__);
                goto err_cache;
        }

So we have a default credcache for the user for whom we are operating
as, but we can't get the default principal name from it. My guess is
that it's not finding the 

The big difference between 6.5 and 6.6 is that we changed to not trying
to scan /tmp for a credcache (which was always a bit sketchy). Instead,
we rely on the info in krb5.conf to point cifs.upcall to the correct
credcache. My guess is that that isn't working in your case for some
reason.

I'll see if I can cook up a patch to flesh out the debugging there a
bit. It'd be nice to see what it cifs.upcall thinks the current
credcache location is.

-- 
Jeff Layton <jlayton at samba.org>