samba - Sep 2020 - smbclient ignores configured kerberos ccache when using krb5-user on ubuntu/debian

On 17/09/2020 02:44, L.P.H. van Belle via samba wrote:
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=941493
> https://bugzilla.samba.org/show_bug.cgi?id=14344
>
These appear they could be related to the issue I'm encountering.

So I did some additional testing and discovered something interesting, but
first some background:
I previously mentioned that part of my initial troubleshooting of this issue
involved using heimdal-clients
instead of krb5-user and that when using heimdal-clients for kerberos the
smbclient would use whatever ccache
was configured as the default ccache name in krb5.conf with the exception of
"KEYRING" and "KCM" because 
heimdal would consistently error out that both of those are "unknown
credential cache types".
Effectively, only "FILE" and "DIR" ccache types would work
with heimdal.
Continuing on...

The heimdal variant of kerberos uses a different parameter name for the
default ccache name property
than what is used by krb5-user. In heimdal the parameter name is
"default_cc_name" and in krb5-user 
the parameter name is "default_ccache_name". I was throwing the
kitchen sink
at the problem this morning and so,
with krb5-user installed, I decided to try substituting the parameter name
spelling to the heimdal parameter name.
So in the krb5.conf I used "default_cc_name =
KEYRING:persistent:%{uid}"
instead of
"default_ccache_name = KEYRING:persistent:%{uid}". As expected, after
making
this change the krb5 default ccache
name of "FILE:/tmp/krb5cc_%{uid}" is used since
"default_cc_name" is not
valid.

I ran the smbclient command and guess what happened?
Remember, the original error in the debug output with the valid parameter
name was this:
    smb_gss_krb5_import_cred ccache[FILE:/tmp/krb5cc_1000] -the caller may
retry after a kinit

After I made the parameter name change to the heimdal version, the error
turned into this:
    Failed to resolve credential cache 'KEYRING:persistent:1000'!
(Unknown
credential cache type)
    free(): double free detected in tcache 2
    Aborted (core dumped)

Based off of this behavior change, to me it appears that the
"smb_gss_krb5_import_cred" step/function
in smbclient (perhaps other steps/functions too) is specifically looking for
or expecting "default_cc_name" and
likely other properties or files or etc that heimdal-clients does
differently than krb5-user.

Which lead me to this:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=963899

So I guess I'm SOL unless Debian maintainers build smbclient against krb5??
This is depressing.

--
Jonathan Davis

On 17/09/2020 18:38, Jonathan Davis via samba wrote:
> On 17/09/2020 02:44, L.P.H. van Belle via samba wrote:
>> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=941493
>> https://bugzilla.samba.org/show_bug.cgi?id=14344
>>
> These appear they could be related to the issue I'm encountering.
>
> So I did some additional testing and discovered something interesting, but
> first some background:
> I previously mentioned that part of my initial troubleshooting of this
issue
> involved using heimdal-clients
> instead of krb5-user and that when using heimdal-clients for kerberos the
> smbclient would use whatever ccache
> was configured as the default ccache name in krb5.conf with the exception
of
> "KEYRING" and "KCM" because
> heimdal would consistently error out that both of those are "unknown
> credential cache types".
> Effectively, only "FILE" and "DIR" ccache types would
work with heimdal.
> Continuing on...
>
> The heimdal variant of kerberos uses a different parameter name for the
> default ccache name property
> than what is used by krb5-user. In heimdal the parameter name is
> "default_cc_name" and in krb5-user
> the parameter name is "default_ccache_name". I was throwing the
kitchen sink
> at the problem this morning and so,
> with krb5-user installed, I decided to try substituting the parameter name
> spelling to the heimdal parameter name.
> So in the krb5.conf I used "default_cc_name =
KEYRING:persistent:%{uid}"
> instead of
> "default_ccache_name = KEYRING:persistent:%{uid}". As expected,
after making
> this change the krb5 default ccache
> name of "FILE:/tmp/krb5cc_%{uid}" is used since
"default_cc_name" is not
> valid.
>
> I ran the smbclient command and guess what happened?
> Remember, the original error in the debug output with the valid parameter
> name was this:
>      smb_gss_krb5_import_cred ccache[FILE:/tmp/krb5cc_1000] -the caller may
> retry after a kinit
>
> After I made the parameter name change to the heimdal version, the error
> turned into this:
>      Failed to resolve credential cache 'KEYRING:persistent:1000'!
(Unknown
> credential cache type)
>      free(): double free detected in tcache 2
>      Aborted (core dumped)
>
> Based off of this behavior change, to me it appears that the
> "smb_gss_krb5_import_cred" step/function
> in smbclient (perhaps other steps/functions too) is specifically looking
for
> or expecting "default_cc_name" and
> likely other properties or files or etc that heimdal-clients does
> differently than krb5-user.
>
> Which lead me to this:
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=963899
>
> So I guess I'm SOL unless Debian maintainers build smbclient against
krb5??
> This is depressing.
>
> --
> Jonathan Davis
>
>
Not sure that is the problem, winbind knows all about the different 
caches, so I wonder if things will work if you install winbind, don't 
run it, just install it.

Rowland

On 09/17/2020 13:51, Rowland via samba wrote:
> Not sure that is the problem, winbind knows all about the different
> caches, so I wonder if things will work if you install winbind, don't
run
> it, just install it.
> 
> Rowland
> 
> > On 09/17/2020 12:39, Jonathan Davis via samba wrote:
> > I ran the smbclient command and guess what happened?
> > Remember, the original error in the debug output with the valid
> > parameter name was this:
> >       smb_gss_krb5_import_cred ccache[FILE:/tmp/krb5cc_1000] -the
> > caller may retry after a kinit
> > 
> > After I made the parameter name change to the heimdal version, the
> > error turned into this:
> >       Failed to resolve credential cache
'KEYRING:persistent:1000'!
> > (Unknown credential cache type)
> >       free(): double free detected in tcache 2
> >       Aborted (core dumped)
> > 
> > Based off of this behavior change, to me it appears that the
> > "smb_gss_krb5_import_cred" step/function in smbclient
(perhaps other
> > steps/functions too) is specifically looking for or expecting
> > "default_cc_name" and likely other properties or files or
etc that
>  > heimdal-clients does differently than krb5-user.
> > 
> > Which lead me to this:
> > https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=963899
> > 
> > So I guess I'm SOL unless Debian maintainers build smbclient
against
> > krb5??
> > This is depressing.
> > --
> > Jonathan Davis
> > 
I gave your suggestion to install winbind a shot but it was unsuccessful.
With the normal krb5 setup the same issue and behavior occurs - with and
without winbind running - post reboot, as well as from a clean install.

I appreciate the ideas and assistance with this Rowland.

I'm stumped.
--
Jonathan Davis