Jonathan Davis
2020-Sep-15 18:14 UTC
[Samba] smbclient ignores configured kerberos ccache when using krb5-user on ubuntu/debian
Hello all.
I'm encountering an issue where smbclient seemingly ignores the kerberos
ccache as configured in krb5.conf when using "krb5-user" as the kerberos
package and will instead always default to using "FILE:/tmp/krb5cc_uid".
I tested each valid default ccache name type but smbclient completely
ignores whatever is set as the "default_ccache_name" in the conf file. I
went on to test "heimdal-clients" as the kerberos package and smbclient
appears to be using the ccache that is configured in the conf file. This
behavior occurs on Ubuntu 20.04 and 19.10 as well as Debian 10.5.

Swapping krb5-user for heimdal-clients is not a desirable nor functional
solution for me because I want to utilize either the
"KEYRING:persistent:%{uid}" or "KCM:" ccaches; both of which I'm unable to
get working with heimdal-clients. On the same system SSSD, pam_mount and
mount, all work with krb5-user and honor the configured ccache. I'd like to
point out that the smbclient on CentOS 7 and 8 doesn't have this issue and
works with "krb5-workstation" and both the "KEYRING" and "KCM" ccaches.

So... is smbclient on debian/ubuntu only compatible with heimdal and not MIT
kerberos? What am I missing? Any help or clarity would be greatly
appreciated.

Thank you!
Additional details below...
I'm currently testing on Ubuntu 20.04, kernel 5.4.0-47-generic, smbclient
4.11.6-Ubuntu, and krb5-user 1.17
Steps I took: I run a kinit and obtain a valid ticket, klist confirms this
and that it's stored in the configured ccache. I then run this command:
smbclient //server.this.domain.com/share -k -d5
Here's a snippet of the debug output, pay particular attention to the
"smb_gss_krb5_import_cred" line:
-----
session request ok
negotiated dialect[SMB3_11] against server[server.this.domain.com]
cli_session_setup_spnego_send: Connect to server.this.domain.com as
user at THIS.DOMAIN.COM using SPNEGO
Starting GENSEC mechanism spnego
Starting GENSEC submechanism gse_krb5
smb_gss_krb5_import_cred ccache[FILE:/tmp/krb5cc_11111] failed with [
Miscellaneous failure (see text): unknown mech-code 2 for mech 1 2 840
113554 1 2 2] -the caller may retry after a kinit.
Failed to start GENSEC client mech gse_krb5: NT_STATUS_INTERNAL_ERROR
gensec_spnego_client_negTokenInit_step: Could not find a suitable mechtype
in NEG_TOKEN_INIT
gensec_update_done: spnego[0x55857f9be090]: NT_STATUS_INVALID_PARAMETER
SPNEGO login failed: An invalid parameter was passed to a service or
function.
-----
Here are the contents of the krb5.conf and smb.conf files:
#----krb5.conf----
[libdefaults]
default_realm = THIS.DOMAIN.COM
dns_lookup_realm = true
dns_lookup_kdc = true
ticket_lifetime = 24h
renew_lifetime = 7d
kdc_timesync = 1
forwardable = true
proxiable = true
canonicalize = true
rdns = false
spake_preauth_groups = edwards25519
default_ccache_name = KEYRING:persistent:%{uid}
#----krb5 end----
#----smb.conf----
[global]
workgroup = DOMAIN
netbios name = MACHINENAME
logging = file
log file = /var/log/samba/log.%m
max log size = 1000
log level = 3
realm = THIS.DOMAIN.COM
kerberos method = secrets and keytab
client signing = mandatory
client min protocol = SMB2
client max protocol = default
client ipc signing = mandatory
client ipc min protocol = SMB2
client ipc max protocol = default
client ldap sasl wrapping = seal
client NTLMv2 auth = yes
client use spnego = yes
ntlm auth = ntlmv2-only
raw NTLMv2 auth = no
restrict anonymous = 2
#----smb end----
--
Jonathan Davis
Systems Administrator
Leepfrog Technologies, Inc.
www.leepfrog.com
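The post above compares three things by hand: the default_ccache_name in krb5.conf, the cache klist reports, and the cache smbclient names in its -d5 output. The following checker automates that comparison. It is an added example and not code from the thread or from Samba; it embeds the poster's krb5.conf [libdefaults] and smbclient debug lines, plus a constructed klist output for the same uid. The only facts it relies on beyond the page are that MIT libkrb5 lets the KRB5CCNAME environment variable override default_ccache_name, that its compiled-in default is FILE:/tmp/krb5cc_%{uid}, and that %{uid} expands to the caller's uid.

```python
"""Diagnose which Kerberos credential cache a client actually uses.

Added example (not from the Samba mailing list thread): parse krb5.conf,
klist output and smbclient -d5 output and report where they disagree.
"""
import os
import re

# MIT krb5's compiled-in default, used when neither KRB5CCNAME nor
# default_ccache_name is set.
MIT_BUILTIN_DEFAULT = "FILE:/tmp/krb5cc_%{uid}"

# [libdefaults] from the original post's krb5.conf (trimmed).
KRB5_CONF = """\
[libdefaults]
default_realm = THIS.DOMAIN.COM
dns_lookup_realm = true
dns_lookup_kdc = true
canonicalize = true
default_ccache_name = KEYRING:persistent:%{uid}
"""

# smbclient -d5 lines from the original post.
SMBCLIENT_DEBUG = """\
Starting GENSEC submechanism gse_krb5
smb_gss_krb5_import_cred ccache[FILE:/tmp/krb5cc_11111] failed with [
Miscellaneous failure (see text): unknown mech-code 2 for mech 1 2 840
113554 1 2 2] -the caller may retry after a kinit.
Failed to start GENSEC client mech gse_krb5: NT_STATUS_INTERNAL_ERROR
"""

# Constructed klist output (not from the post) for the same uid 11111.
KLIST_OUTPUT = """\
Ticket cache: KEYRING:persistent:11111:11111
Default principal: user@THIS.DOMAIN.COM

Valid starting       Expires              Service principal
09/15/2020 12:00:00  09/16/2020 12:00:00  krbtgt/THIS.DOMAIN.COM@THIS.DOMAIN.COM
"""


def parse_default_ccache_name(conf_text):
    """Return default_ccache_name from [libdefaults], or None if absent."""
    section = None
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments
        if not line:
            continue
        header = re.match(r"^\[(\w+)\]$", line)
        if header:
            section = header.group(1)
            continue
        if section == "libdefaults" and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            if key == "default_ccache_name":
                return value
    return None


def expand_ccache_name(name, uid):
    """Expand the %{uid} token the way libkrb5 does for the given uid."""
    return name.replace("%{uid}", str(uid))


def effective_ccache(conf_text, env, uid):
    """Cache libkrb5 should select: KRB5CCNAME, else the configured default,
    else the compiled-in default."""
    if env.get("KRB5CCNAME"):
        return env["KRB5CCNAME"]
    configured = parse_default_ccache_name(conf_text) or MIT_BUILTIN_DEFAULT
    return expand_ccache_name(configured, uid)


def parse_klist_cache(klist_text):
    """Cache name from klist's 'Ticket cache:' line, or None."""
    m = re.search(r"^Ticket cache:\s*(\S+)", klist_text, re.M)
    return m.group(1) if m else None


def parse_smbclient_ccache(debug_text):
    """Cache name smbclient's gse_krb5 mechanism tried to import, or None."""
    m = re.search(r"smb_gss_krb5_import_cred ccache\[([^\]]+)\]", debug_text)
    return m.group(1) if m else None


def same_cache(expected, observed):
    """klist names a KEYRING collection with an extra subsidiary component,
    so compare by prefix rather than exact string."""
    if expected is None or observed is None:
        return False
    return observed.startswith(expected) or expected.startswith(observed)


def diagnose(conf_text, klist_text, debug_text, env, uid):
    """Return which caches each party uses and whether they agree."""
    expected = effective_ccache(conf_text, env, uid)
    klist_cache = parse_klist_cache(klist_text)
    smb_cache = parse_smbclient_ccache(debug_text)
    return {
        "expected": expected,
        "klist": klist_cache,
        "smbclient": smb_cache,
        "klist_matches_config": same_cache(expected, klist_cache),
        "smbclient_matches_config": same_cache(expected, smb_cache),
    }


if __name__ == "__main__":
    # Run against the embedded samples with the uid from the debug output.
    for key, value in diagnose(KRB5_CONF, KLIST_OUTPUT, SMBCLIENT_DEBUG,
                               dict(os.environ), 11111).items():
        print(f"{key}: {value}")
```

On the thread's data this reports that klist agrees with the configured KEYRING cache while smbclient went to FILE:/tmp/krb5cc_11111, which is exactly the mismatch the post describes. Feeding the real `klist` and `smbclient -d5` output of a host into the same functions gives a quick check of whether a given Samba build honours default_ccache_name before changing packages.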
Rowland penny
2020-Sep-15 19:33 UTC
[Samba] smbclient ignores configured kerberos ccache when using krb5-user on ubuntu/debian
On 15/09/2020 19:14, Jonathan Davis via samba wrote:
> Hello all.
>
> I'm encountering an issue where smbclient seemingly ignores the kerberos
> ccache as configured in krb5.conf when using "krb5-user" as the kerberos
> package and will instead always default to using "FILE:/tmp/krb5cc_uid".
> I tested each valid default ccache name type but smbclient completely
> ignores whatever is set as the "default_ccache_name" in the conf file. I
> went on to test "heimdal-clients" as the kerberos package and smbclient
> appears to be using the ccache that is configured in the conf file. This
> behavior occurs on Ubuntu 20.04 and 19.10 as well as Debian 10.5.

It works for me, either direction between an rpi running 4.9.5 and
debian buster running 4.12.6.

The only difference would seem to be that program I will not mention,
but has a lot of letter 's' in its name; I do not use it. I also turned
Samba off on the client end.

Rowland
L.P.H. van Belle
2020-Sep-16 07:38 UTC
[Samba] smbclient ignores configured kerberos ccache when using krb5-user on ubuntu/debian
I believe you are hitting multiple things.

1. A bug in smbclient involving that kerberos cache. I saw something passing by on this.
2. krb5.conf has too much in it, just not needed.
3. Faulty smb.conf. It's incomplete.

But more comment below.

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
> Rowland penny via samba
> Sent: Tuesday 15 September 2020 21:33
> To: samba at lists.samba.org
> Subject: Re: [Samba] smbclient ignores configured kerberos
> ccache when using krb5-user on ubuntu/debian
>
> On 15/09/2020 19:14, Jonathan Davis via samba wrote:
> > Hello all.
> >
> > I'm encountering an issue where smbclient seemingly ignores
> > the kerberos ccache as configured in krb5.conf when using
> > "krb5-user" as the kerberos package and will instead always
> > default to using "FILE:/tmp/krb5cc_uid".
> >
> > Here are the contents of the krb5.conf and smb.conf files:

Krb5.conf: remove the last 3 lines.

> > #----krb5.conf----
> > [libdefaults]
> > default_realm = THIS.DOMAIN.COM
> > dns_lookup_realm = true
> > dns_lookup_kdc = true
> > ticket_lifetime = 24h
> > renew_lifetime = 7d
> > kdc_timesync = 1
> > forwardable = true
> > proxiable = true
> > canonicalize = true
> > rdns = false
> > spake_preauth_groups = edwards25519
> > default_ccache_name = KEYRING:persistent:%{uid}
> > #----krb5 end----

This is just a "faulty" smb.conf file.
Where is the "backend" definition? https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member

> > #----smb.conf----
> > [global]
> > workgroup = DOMAIN
> > netbios name = MACHINENAME
> > logging = file
> > log file = /var/log/samba/log.%m
> > max log size = 1000
> > log level = 3
> > realm = THIS.DOMAIN.COM
> > kerberos method = secrets and keytab
> > client signing = mandatory
> > client min protocol = SMB2
> > client max protocol = default
> > client ipc signing = mandatory
> > client ipc min protocol = SMB2
> > client ipc max protocol = default
> > client ldap sasl wrapping = seal
> > client NTLMv2 auth = yes
> > client use spnego = yes
> > ntlm auth = ntlmv2-only
> > raw NTLMv2 auth = no
> > restrict anonymous = 2
> > #----smb end----
>
> It works for me, either direction between an rpi running 4.9.5 and
> debian buster running 4.12.6
>
> The only difference would seem to be that program I will not mention,
> but has a lot of letter 's' in its name, I do not use it. I also turned
> Samba off on the client end.
>
> Rowland
Rowland penny
2020-Sep-16 08:07 UTC
[Samba] smbclient ignores configured kerberos ccache when using krb5-user on ubuntu/debian
On 16/09/2020 08:38, L.P.H. van Belle via samba wrote:
> This is just a "faulty" smb.conf file.
> Where is the "backend" definition

The OP is using sssd

Rowland
L.P.H. van Belle
2020-Sep-16 08:16 UTC
[Samba] smbclient ignores configured kerberos ccache when using krb5-user on ubuntu/debian
I know, and I gave him the "samba" solution, because ... I don't know sssd either.
And I don't get the fuss on samba+winbind or samba+sssd.

I have 3 services running, minimal:
samba
winbind
user-homes.automount

Everything works as it should, I hope, and I'll add the note here also.

NOTE! My packages are NOT sssd compliant; you need to recompile SSSD yourself against my samba packages.

Greetz,

Louis

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
> Rowland penny via samba
> Sent: Wednesday 16 September 2020 10:07
> To: samba at lists.samba.org
> Subject: Re: [Samba] smbclient ignores configured kerberos
> ccache when using krb5-user on ubuntu/debian
>
> On 16/09/2020 08:38, L.P.H. van Belle via samba wrote:
> > This is just a "faulty" smb.conf file.
> > Where is the "backend" definition
>
> The OP is using sssd
>
> Rowland