Jonathan Davis
2020-Sep-17 17:38 UTC
[Samba] smbclient ignores configured kerberos ccache when using krb5-user on ubuntu/debian
On 17/09/2020 02:44, L.P.H. van Belle via samba wrote:
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=941493
> https://bugzilla.samba.org/show_bug.cgi?id=14344

These appear they could be related to the issue I'm encountering.

So I did some additional testing and discovered something interesting, but first some background:
I previously mentioned that part of my initial troubleshooting of this issue involved using heimdal-clients instead of krb5-user and that when using heimdal-clients for kerberos the smbclient would use whatever ccache was configured as the default ccache name in krb5.conf with the exception of "KEYRING" and "KCM" because heimdal would consistently error out that both of those are "unknown credential cache types". Effectively, only "FILE" and "DIR" ccache types would work with heimdal. Continuing on...

The heimdal variant of kerberos uses a different parameter name for the default ccache name property than what is used by krb5-user. In heimdal the parameter name is "default_cc_name" and in krb5-user the parameter name is "default_ccache_name". I was throwing the kitchen sink at the problem this morning and so, with krb5-user installed, I decided to try substituting the parameter name spelling to the heimdal parameter name. So in the krb5.conf I used "default_cc_name = KEYRING:persistent:%{uid}" instead of "default_ccache_name = KEYRING:persistent:%{uid}". As expected, after making this change the krb5 default ccache name of "FILE:/tmp/krb5cc_%{uid}" is used since "default_cc_name" is not valid.

I ran the smbclient command and guess what happened?
Remember, the original error in the debug output with the valid parameter name was this:

    smb_gss_krb5_import_cred ccache[FILE:/tmp/krb5cc_1000] -the caller may retry after a kinit

After I made the parameter name change to the heimdal version, the error turned into this:

    Failed to resolve credential cache 'KEYRING:persistent:1000'! (Unknown credential cache type)
    free(): double free detected in tcache 2
    Aborted (core dumped)

Based off of this behavior change, to me it appears that the "smb_gss_krb5_import_cred" step/function in smbclient (perhaps other steps/functions too) is specifically looking for or expecting "default_cc_name" and likely other properties or files or etc that heimdal-clients does differently than krb5-user.

Which led me to this:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=963899

So I guess I'm SOL unless Debian maintainers build smbclient against krb5??
This is depressing.

--
Jonathan Davis
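An added example, not part of the original message or of Samba: a small model of the parameter-name mismatch described above, which reproduces both of the poster's observations from a krb5.conf. It encodes the poster's hypothesis as an assumption (a Heimdal-linked client reads only "default_cc_name", MIT tools read only "default_ccache_name", both fall back to FILE:/tmp/krb5cc_%{uid}); the function names and sample configs are constructed.

```python
import re

# Assumption taken from the thread: each implementation reads only its own key.
CCACHE_PARAM = {"mit": "default_ccache_name", "heimdal": "default_cc_name"}
# Default quoted in the thread for krb5-user; assumed identical for Heimdal.
FALLBACK = "FILE:/tmp/krb5cc_%{uid}"
# Cache types the poster reports Heimdal rejecting as unknown.
HEIMDAL_UNKNOWN_TYPES = {"KEYRING", "KCM"}

# Constructed sample configs matching the two experiments in the post.
CONF_MIT_KEY = "[libdefaults]\n  default_ccache_name = KEYRING:persistent:%{uid}\n"
CONF_HEIMDAL_KEY = "[libdefaults]\n  default_cc_name = KEYRING:persistent:%{uid}\n"


def libdefaults(conf_text):
    """Return the key/value pairs found in the [libdefaults] section."""
    values, section = {}, None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            section = header.group(1)
        elif section == "libdefaults" and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            values[key] = value
    return values


def effective_ccache(conf_text, implementation, uid, env=None):
    """Cache name a program linked against `implementation` would resolve."""
    name = (env or {}).get("KRB5CCNAME")  # environment overrides krb5.conf
    if not name:
        name = libdefaults(conf_text).get(CCACHE_PARAM[implementation], FALLBACK)
    return name.replace("%{uid}", str(uid))


def diagnose(conf_text, uid, env=None):
    """Compare the cache used by MIT tools with that of a Heimdal-linked client."""
    mit = effective_ccache(conf_text, "mit", uid, env)
    heimdal = effective_ccache(conf_text, "heimdal", uid, env)
    findings = []
    if mit != heimdal:
        findings.append(f"mismatch: MIT tools use {mit}, Heimdal-linked clients use {heimdal}")
    if heimdal.split(":", 1)[0] in HEIMDAL_UNKNOWN_TYPES:
        findings.append(f"Heimdal-linked clients cannot resolve {heimdal}")
    return mit, heimdal, findings
```

Calling `diagnose(open("/etc/krb5.conf").read(), os.getuid(), os.environ)` on an affected host shows whether a ticket obtained with kinit lands in a cache the other library will never look at.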
Rowland penny
2020-Sep-17 18:50 UTC
[Samba] smbclient ignores configured kerberos ccache when using krb5-user on ubuntu/debian
On 17/09/2020 18:38, Jonathan Davis via samba wrote:
> On 17/09/2020 02:44, L.P.H. van Belle via samba wrote:
>> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=941493
>> https://bugzilla.samba.org/show_bug.cgi?id=14344
>>
> These appear they could be related to the issue I'm encountering.
>
> So I did some additional testing and discovered something interesting, but
> first some background:
> I previously mentioned that part of my initial troubleshooting of this issue
> involved using heimdal-clients instead of krb5-user and that when using
> heimdal-clients for kerberos the smbclient would use whatever ccache was
> configured as the default ccache name in krb5.conf with the exception of
> "KEYRING" and "KCM" because heimdal would consistently error out that both
> of those are "unknown credential cache types".
> Effectively, only "FILE" and "DIR" ccache types would work with heimdal.
> Continuing on...
>
> The heimdal variant of kerberos uses a different parameter name for the
> default ccache name property than what is used by krb5-user. In heimdal the
> parameter name is "default_cc_name" and in krb5-user the parameter name is
> "default_ccache_name". I was throwing the kitchen sink at the problem this
> morning and so, with krb5-user installed, I decided to try substituting the
> parameter name spelling to the heimdal parameter name.
> So in the krb5.conf I used "default_cc_name = KEYRING:persistent:%{uid}"
> instead of "default_ccache_name = KEYRING:persistent:%{uid}". As expected,
> after making this change the krb5 default ccache name of
> "FILE:/tmp/krb5cc_%{uid}" is used since "default_cc_name" is not valid.
>
> I ran the smbclient command and guess what happened?
> Remember, the original error in the debug output with the valid parameter
> name was this:
>     smb_gss_krb5_import_cred ccache[FILE:/tmp/krb5cc_1000] -the caller may retry after a kinit
>
> After I made the parameter name change to the heimdal version, the error
> turned into this:
>     Failed to resolve credential cache 'KEYRING:persistent:1000'! (Unknown credential cache type)
>     free(): double free detected in tcache 2
>     Aborted (core dumped)
>
> Based off of this behavior change, to me it appears that the
> "smb_gss_krb5_import_cred" step/function in smbclient (perhaps other
> steps/functions too) is specifically looking for or expecting
> "default_cc_name" and likely other properties or files or etc that
> heimdal-clients does differently than krb5-user.
>
> Which led me to this:
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=963899
>
> So I guess I'm SOL unless Debian maintainers build smbclient against krb5??
> This is depressing.
>
> --
> Jonathan Davis
>

Not sure that is the problem, winbind knows all about the different caches, so I wonder if things will work if you install winbind, don't run it, just install it.

Rowland
Jonathan Davis
2020-Sep-18 15:31 UTC
[Samba] smbclient ignores configured kerberos ccache when using krb5-user on ubuntu/debian
On 09/17/2020 13:51, Rowland via samba wrote:
> Not sure that is the problem, winbind knows all about the different
> caches, so I wonder if things will work if you install winbind, don't run
> it, just install it.
>
> Rowland
>
>
> On 09/17/2020 12:39, Jonathan Davis via samba wrote:
> > I ran the smbclient command and guess what happened?
> > Remember, the original error in the debug output with the valid
> > parameter name was this:
> >     smb_gss_krb5_import_cred ccache[FILE:/tmp/krb5cc_1000] -the caller may retry after a kinit
> >
> > After I made the parameter name change to the heimdal version, the
> > error turned into this:
> >     Failed to resolve credential cache 'KEYRING:persistent:1000'! (Unknown credential cache type)
> >     free(): double free detected in tcache 2
> >     Aborted (core dumped)
> >
> > Based off of this behavior change, to me it appears that the
> > "smb_gss_krb5_import_cred" step/function in smbclient (perhaps other
> > steps/functions too) is specifically looking for or expecting
> > "default_cc_name" and likely other properties or files or etc that
> > heimdal-clients does differently than krb5-user.
> >
> > Which led me to this:
> > https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=963899
> >
> > So I guess I'm SOL unless Debian maintainers build smbclient against
> > krb5??
> > This is depressing.
> > --
> > Jonathan Davis
> >

I gave your suggestion to install winbind a shot but it was unsuccessful. With the normal krb5 setup the same issue and behavior occurs - with and without winbind running - post reboot, as well as from a clean install.

I appreciate the ideas and assistance with this Rowland. I'm stumped.

--
Jonathan Davis