L.P.H. van Belle
2020-Sep-16 08:16 UTC
[Samba] smbclient ignores configured kerberos ccache when using krb5-user on ubuntu/debian
I know, and I gave him the "samba" solution, because ... I don't know sssd also.
And I don't get the fuss on samba+winbind or samba+sssd.
I have 3 services running minimal: samba winbind user-homes.automount
Everything works as it should.

I hope, and I'll add the note here also.
NOTE! My packages are NOT sssd compliant, you need to recompile SSSD yourself against my samba packages.

Greetz,

louis

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Rowland penny via samba
> Sent: Wednesday 16 September 2020 10:07
> To: samba at lists.samba.org
> Subject: Re: [Samba] smbclient ignores configured kerberos ccache when using krb5-user on ubuntu/debian
>
> On 16/09/2020 08:38, L.P.H. van Belle via samba wrote:
> > This is just a "faulty" smb.conf file.
> > Where is the "backend" definition
> >
> The OP is using sssd
>
> Rowland
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
Jonathan Davis
2020-Sep-16 16:39 UTC
[Samba] smbclient ignores configured kerberos ccache when using krb5-user on ubuntu/debian
On 16/09/2020 03:16, L.P.H. van Belle via samba wrote:
> I know, and I gave him the "samba" solution, because ...
> I don't know sssd also.
> And I don't get the fuss on samba+winbind or samba+sssd
> I have 3 services running minimal : samba winbind user-homes.automount
> Everything works as it should.

On 16/09/2020 03:07, Rowland via samba wrote:
> The OP is using sssd
>
> Rowland

To add clarity and more detail: these are workstations - smbd is not installed and I am not utilizing samba for the machine to be a domain member of AD.
We simply need the smbclient to browse samba shares on domain member servers; where there is only samba btw - sssd is not installed on those servers but sssd is used on the workstations.

On 16/09/2020 02:38, L.P.H. van Belle via samba wrote:
> I believe you are hitting multiple things.
> 1. a bug in smbclient involving that kerberos cache. I've seen something passing by on this.
> 2. krb5.conf has too much in it, just not needed.
> 3. faulty smb.conf. It's incomplete.
>
> Krb5.conf remove the last 3 lines.
> "rdns = false, spake_preauth_groups = edwards25519, default_ccache_name KEYRING:persistent:%{uid}"
>
> This is just a "faulty" smb.conf file. Where is the "backend" definition

I'd be interested in any additional information or sources you have concerning the suspected bug.

The three parameters you noted are present in my krb5.conf for documentation, to facilitate changing the values when testing, as well as to specifically set the ccache location to either "KEYRING" or "KCM" - not the default of "FILE".

I'm fairly certain I do not have a "faulty" smb.conf. The file is a trimmed copy of what we use on our samba servers. So there are a few unnecessary parameters declared in there for my usage case but they are harmless.
Running "testparm" reports back that everything is OK - server role is standalone and the idmap config backend is set to "tdb"... Which is the standard default and wouldn't need to be specified in the conf file.

I don't believe any parameter present (or missing) in my smb.conf would be involved with the issue I'm encountering, but I very well could be wrong. Which brings me to this mail list. :)

To reiterate the issue at hand: smbclient does not use the configured kerberos ccache as specified in the krb5.conf file.

I can reproduce this behavior on a "clean" Ubuntu 20.04 system; steps:
- perform a new OS install (minimal and download updates selected)
- open terminal, run "sudo apt install -y krb5-user", overwrite the krb5.conf with the custom one
- run "kinit domainuser" then "klist" to confirm a valid ticket has been obtained and that it's in the correct ccache (for this test it's the KEYRING)
- run "sudo apt install -y smbclient", overwrite the smb.conf with the custom one
- run "smbclient //server.this.domain.com/share -U domainuser -k -d5"
- smbclient tries to import the incorrect, non-existent kerberos ccache and fails to authenticate
- key debug output snippet: "smb_gss_krb5_import_cred ccache[FILE:/tmp/krb5cc_1000] failed ... the caller may retry after a kinit"
- the versions of the components are: smbclient 4.11.6-Ubuntu and krb5 1.17

If I follow a similar process as above on CentOS the smbclient imports from the correct ccache and successfully authenticates - CentOS release 8.2.2004, smbclient 4.11.2, and krb5 1.17

Any other thoughts or suggestions will be much appreciated.

--
Jonathan Davis
L.P.H. van Belle
2020-Sep-17 07:43 UTC
[Samba] smbclient ignores configured kerberos ccache when using krb5-user on ubuntu/debian
> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Jonathan Davis via samba
> Sent: Wednesday 16 September 2020 18:39
> To: samba at lists.samba.org
> Subject: Re: [Samba] smbclient ignores configured kerberos ccache when using krb5-user on ubuntu/debian
>
> On 16/09/2020 03:16, L.P.H. van Belle via samba wrote:
> > I know, and I gave him the "samba" solution, because ...
> > I don't know sssd also.
> > And I don't get the fuss on samba+winbind or samba+sssd
> > I have 3 services running minimal : samba winbind user-homes.automount
> > Everything works as it should.

Well, great, that's what we want in the end.

> On 16/09/2020 03:07, Rowland via samba wrote:
> > The OP is using sssd
> >
> > Rowland
>
> To add clarity and more detail: these are workstations - smbd is not
> installed and I am not utilizing samba for the machine to be a domain member
> of AD.
> We simply need the smbclient to browse samba shares on domain member
> servers; where there is only samba btw - sssd is not installed on those
> servers but sssd is used on the workstations.
>
> On 16/09/2020 02:38, L.P.H. van Belle via samba wrote:
> > I believe you are hitting multiple things.
> > 1. a bug in smbclient involving that kerberos cache. I've seen something passing by on this.
> > 2. krb5.conf has too much in it, just not needed.
> > 3. faulty smb.conf. It's incomplete.
> >
> > Krb5.conf remove the last 3 lines.
> > "rdns = false, spake_preauth_groups = edwards25519, default_ccache_name KEYRING:persistent:%{uid}"
> >
> > This is just a "faulty" smb.conf file. Where is the "backend" definition
>
> I'd be interested in any additional information or sources you have
> concerning the suspected bug.

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=941493
https://bugzilla.samba.org/show_bug.cgi?id=14344

> The three parameters you noted are present in my krb5.conf for
> documentation, to facilitate changing the values when testing,
> as well as to specifically set the ccache location to either
> "KEYRING" or "KCM" - not the default of "FILE".
>
> I'm fairly certain I do not have a "faulty" smb.conf. The
> file is a trimmed copy of what we use on our samba servers.
> So there are a few unnecessary parameters declared in there
> for my usage case but they are harmless.
> Running "testparm" reports back that everything is OK - server role is
> standalone and the idmap config backend is set to "tdb"...
> Which is the standard default and wouldn't need to be
> specified in the conf file.

Ok stand-alone, yes, then it looks fine, I was thinking this was a member server

> I don't believe any parameter present (or missing) in my
> smb.conf would be involved with the issue I'm encountering, but I very well
> could be wrong. Which brings me to this mail list. :)
>
> To reiterate the issue at hand: smbclient does not use the configured
> kerberos ccache as specified in the krb5.conf file.
>
> I can reproduce this behavior on a "clean" Ubuntu 20.04 system; steps:
> - perform a new OS install (minimal and download updates selected)
> - open terminal, run "sudo apt install -y krb5-user", overwrite the
>   krb5.conf with the custom one
> - run "kinit domainuser" then "klist" to confirm a valid ticket has been
>   obtained and that it's in the correct ccache (for this test it's the
>   KEYRING)
> - run "sudo apt install -y smbclient", overwrite the smb.conf with the
>   custom one
> - run "smbclient //server.this.domain.com/share -U domainuser -k -d5"
> - smbclient tries to import the incorrect, non-existent kerberos ccache and
>   fails to authenticate
> - key debug output snippet: "smb_gss_krb5_import_cred
>   ccache[FILE:/tmp/krb5cc_1000] failed ... the caller may retry
>   after a kinit"
> - the versions of the components are: smbclient 4.11.6-Ubuntu and krb5 1.17
>
> If I follow a similar process as above on CentOS the smbclient imports from
> the correct ccache and successfully authenticates - CentOS release 8.2.2004,
> smbclient 4.11.2, and krb5 1.17
>
> Any other thoughts or suggestions will be much appreciated.
>
> --
> Jonathan Davis
Jonathan Davis
2020-Sep-17 17:38 UTC
[Samba] smbclient ignores configured kerberos ccache when using krb5-user on ubuntu/debian
On 17/09/2020 02:44, L.P.H. van Belle via samba wrote:
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=941493
> https://bugzilla.samba.org/show_bug.cgi?id=14344

These appear they could be related to the issue I'm encountering. So I did some additional testing and discovered something interesting, but first some background:

I previously mentioned that part of my initial troubleshooting of this issue involved using heimdal-clients instead of krb5-user and that when using heimdal-clients for kerberos the smbclient would use whatever ccache was configured as the default ccache name in krb5.conf with the exception of "KEYRING" and "KCM" because heimdal would consistently error out that both of those are "unknown credential cache types". Effectively, only "FILE" and "DIR" ccache types would work with heimdal.

Continuing on... The heimdal variant of kerberos uses a different parameter name for the default ccache name property than what is used by krb5-user. In heimdal the parameter name is "default_cc_name" and in krb5-user the parameter name is "default_ccache_name".

I was throwing the kitchen sink at the problem this morning and so, with krb5-user installed, I decided to try substituting the parameter name spelling to the heimdal parameter name. So in the krb5.conf I used "default_cc_name = KEYRING:persistent:%{uid}" instead of "default_ccache_name = KEYRING:persistent:%{uid}".

As expected, after making this change the krb5 default ccache name of "FILE:/tmp/krb5cc_%{uid}" is used since "default_cc_name" is not valid. I ran the smbclient command and guess what happened?

Remember, the original error in the debug output with the valid parameter name was this:

    smb_gss_krb5_import_cred ccache[FILE:/tmp/krb5cc_1000] -the caller may retry after a kinit

After I made the parameter name change to the heimdal version, the error turned into this:

    Failed to resolve credential cache 'KEYRING:persistent:1000'! (Unknown credential cache type)
    free(): double free detected in tcache 2
    Aborted (core dumped)

Based off of this behavior change, to me it appears that the "smb_gss_krb5_import_cred" step/function in smbclient (perhaps other steps/functions too) is specifically looking for or expecting "default_cc_name" and likely other properties or files or etc that heimdal-clients does differently than krb5-user.

Which led me to this:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=963899

So I guess I'm SOL unless Debian maintainers build smbclient against krb5?? This is depressing.

--
Jonathan Davis
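
The parameter-name mismatch described in this thread, as an added example that is not part of any poster's message: a shell check that reads [libdefaults] from a krb5.conf and reports whether MIT kinit and a Heimdal-linked smbclient would resolve the same default ccache. The function names, the sample file and the EXAMPLE.COM realm are constructed; the FILE:/tmp/krb5cc_%{uid} fallback and the FILE/DIR restriction are taken from the behaviour reported above.

```shell
#!/bin/sh
# Added example (not from the thread): MIT kinit vs Heimdal-linked smbclient.

# Fallback when the relevant parameter is absent, as observed in the thread.
DEFAULT_CCACHE='FILE:/tmp/krb5cc_%{uid}'

# Print the first value of key $2 in the [libdefaults] section of file $1.
libdefault() {
    awk -v key="$2" '
        /^[ \t]*[#;]/ { next }
        /^[ \t]*\[/   { insec = ($0 ~ /^[ \t]*\[libdefaults\]/); next }
        insec {
            pos = index($0, "=")
            if (pos == 0) next
            k = substr($0, 1, pos - 1); v = substr($0, pos + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == key) { print v; exit }
        }' "$1"
}

# Effective default ccache for implementation $1 (mit|heimdal), file $2.
effective_ccache() {
    case "$1" in
        mit)     key=default_ccache_name ;;   # name used by krb5-user
        heimdal) key=default_cc_name ;;       # name used by heimdal-clients
        *)       return 2 ;;
    esac
    val=$(libdefault "$2" "$key")
    printf '%s\n' "${val:-$DEFAULT_CCACHE}"
}

# Succeeds only if both implementations resolve the same ccache and its
# type is one the thread reports Heimdal accepting (FILE or DIR).
ccache_consistent() {
    mit=$(effective_ccache mit "$1")
    hei=$(effective_ccache heimdal "$1")
    [ "$mit" = "$hei" ] || return 1
    case "$hei" in FILE:*|DIR:*) return 0 ;; *) return 1 ;; esac
}

# Constructed sample mirroring the tail of the poster's krb5.conf.
sample=$(mktemp)
trap 'rm -f "$sample"' EXIT
cat > "$sample" <<'EOF'
[libdefaults]
    default_realm = EXAMPLE.COM
    default_ccache_name = KEYRING:persistent:%{uid}
EOF
ccache_consistent "$sample" || echo "mismatch: MIT=$(effective_ccache mit "$sample") Heimdal=$(effective_ccache heimdal "$sample")"
```
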