search for: credcaches

On Fri, 2017-02-10 at 11:15 -0600, Chad William Seys wrote: > Hi Jeff, > > > So we have a default credcache for the user for whom we are operating > > as, but we can't get the default principal name from it. My guess is > > that it's not finding the > > This mount is run by root UID=0 and seems to be find that credential > cache without problem (earlier

On Thu, 2017-02-09 at 14:45 -0600, Chad William Seys wrote: > Hi Jeff, > Could you look at the following mailing list posting? > > https://lists.samba.org/archive/samba/2017-February/206468.html > > It looks like cifs.upcall has changed its behavior. As described in > that post, I can mount with root / kerberos, but then cannot access with > another user who has

...ogout if you do that. Caveat emptor. > > > > I'm not sure what the right solution is there. For Simo and Nalin: > > > > The upshot here is that we did a big clean up of the cifs-utils code > > recently, to get it out of the business of scanning /tmp for > > credcaches. > > That allows us to have better compatibility with other credcache > > types > > (keyring or whatever), and it was always rather nasty anyway. > > > > pam_krb5 wants to make session-specific credcaches however, and > > cifs.upcall can't easily guess them....

Hi Aurélien, Thanks for the idea! For Debian packages: 6.4-1 works 6.5-1 works 6.5-2 works 6.6-1 fails 6.6-5 fails So looks like something changed from 6.5 to 6.6... When I have time I'll figure out how to compile the upcall binary.

...the right solution is there. For Simo and > > > > Nalin: > > > > > > > > The upshot here is that we did a big clean up of the cifs-utils > > > > code > > > > recently, to get it out of the business of scanning /tmp for > > > > credcaches. > > > > That allows us to have better compatibility with other credcache > > > > types > > > > (keyring or whatever), and it was always rather nasty anyway. > > > > > > > > pam_krb5 wants to make session-specific credcaches however, and...

Chad reported that he was seeing a regression in cifs-utils-6.6. Prior to that, cifs.upcall was able to find credcaches in non-default FILE: locations, but with the rework of that code, that ability was lost. Unfortunately, the krb5 library design doesn't really take into account the fact that we might need to find a credcache in a process that isn't descended from the session. When the kernel does an upca...

Time for a new cifs-utils release! The main change in this release is a set of cleanups to cifs.upcall to make it more efficient and work better with alternate style credcaches. No longer does it blithely stumble around in /tmp looking for credcaches. We now just use the default credcache that to which the krb5.conf points. Go forth and download! webpage:    https://wiki.samba.org/index.php/LinuxCIFS_utils tarball:    ftp://ftp.samba.org/pub/linux-cifs/cifs-utils/ git: ...

The main change in this release is to address some regressions that crept in when we switched to a scheme that does not rely on walking /tmp to look for credcaches. We now will use the information from the kernel about the initiating pid, reach into that task's environment and scrape out the $KRB5CCNAME variable. This can be problematic in setuid situations, so we avoid doing that for the root user. It's not a perfect scheme but it's certainly be...

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Again, nothing earth-shattering in this release. Mostly some minor bugfixes and cleanups. Some highlights: - - setcifsacl can now work without a plugin - - systemd-ask-password is found using $PATH now - - cifs.upcall now works with KEYRING: credcaches Go forth and download! webpage: https://wiki.samba.org/index.php/LinuxCIFS_utils tarball: ftp://ftp.samba.org/pub/linux-cifs/cifs-utils/ git: git://git.samba.org/cifs-utils.git gitweb: http://git.samba.org/?p=cifs-utils.git;a=summary Detailed list of changes since 6.2: commit...

Third respin of this series. Reordered for better safety for bisecting. The environment scraping is now on by default, but can be disabled with "-E" in environments where it's not needed. Also, I've added a patch to make cifs.upcall drop capabilities before doing most of its work. This may help reduce the attack surface of the program. Jeff Layton (4): cifs.upcall: convert

...500, Simo Sorce wrote: > On Sat, 2017-02-11 at 10:16 -0500, Jeff Layton wrote: > > On Sat, 2017-02-11 at 08:41 -0500, Jeff Layton wrote: > > > Chad reported that he was seeing a regression in cifs-utils-6.6. > > > Prior > > > to that, cifs.upcall was able to find credcaches in non-default > > > FILE: > > > locations, but with the rework of that code, that ability was lost. > > > > > > Unfortunately, the krb5 library design doesn't really take into > > > account > > > the fact that we might need to find a credc...

Small respin of the patches that I posted a few days ago. The main difference is the reordering of the series to make it do the group and grouplist manipulation first, and then the patch that makes it grab the KRB5CCNAME from the initiating process. I think the code is sound, my main question is whether we really need the command-line switch for this. Should this just be the default mode of

Hi Jeff, Could you look at the following mailing list posting? https://lists.samba.org/archive/samba/2017-February/206468.html It looks like cifs.upcall has changed its behavior. As described in that post, I can mount with root / kerberos, but then cannot access with another user who has credentials. The logs indicate that cifs.upcall cannot find the kerberos ticket for the non-root user.

Apologies for v3 series, I had some extra patches in there. This is the one that should have been sent. Relabeled as v4 for clarity. Third respin of this series. Reordered for better safety for bisecting. The environment scraping is now on by default, but can be disabled with "-E" in environments where it's not needed. Also, I've added a patch to make cifs.upcall drop

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Time for another cifs-utils release! Nothing terribly earth shattering here. Some distros (like Fedora) are moving krb5 credcaches out of /tmp by default. Users of these distros will definitely want to upgrade. Highlights: * Fixes for mounting with '/' in usernames with sec=krb5 * Support for DIR: type krb5 ccaches * support for "nofail" option in mount.cifs webpage: https://wiki.samba.org/index.php/...

Hello, I've been doing some extensive troubleshooting with respect to some issues mounting CIFS shares on a Windows box via Kerberos. We're using the command: /sbin/mount.cifs //whatever/whatever /whatever -o sec=krb5i This should mount the share using Kerberos & Packet-signing by using the cached credentials of the user executing the command. With judicious use of strace, it

...x build with recent Heimdal. * Fix the build of the winbind krb5 locator plugin. * Fix compile of winbind_krb5_locator with recent Heimdal versions. * Fix the build on Mac OS X 10.6.2. o Jeff Layton <jlayton at redhat.com> * BUG 6810: Backport support for finding alternate credcaches. * Use pid value from kernel to determine KRB5CCNAME to use in cifs.upcall. o Volker Lendecke <vl at samba.org> * BUG 6338: 'net rpc trustdom list' always displays "none". * BUG 6793: Fix segfault in winbindd_pam_auth. * BUG 6850: Fix shadow copy display...

...x build with recent Heimdal. * Fix the build of the winbind krb5 locator plugin. * Fix compile of winbind_krb5_locator with recent Heimdal versions. * Fix the build on Mac OS X 10.6.2. o Jeff Layton <jlayton at redhat.com> * BUG 6810: Backport support for finding alternate credcaches. * Use pid value from kernel to determine KRB5CCNAME to use in cifs.upcall. o Volker Lendecke <vl at samba.org> * BUG 6338: 'net rpc trustdom list' always displays "none". * BUG 6793: Fix segfault in winbindd_pam_auth. * BUG 6850: Fix shadow copy display...

...mba_bugzilla at gmail.com> * BUG 6690: Fix wrong error check in profile. o Marc Aurele La France <tsi at ualberta.ca> * BUG 6707: Fix an occasional segfault in config file parsing. o Jeff Layton <jlayton at redhat.com> * BUG 6810: Add support for finding alternate credcaches to cifs.upcall. o Volker Lendecke <vl at samba.org> * BUG 6606: Fix file corruption using smbclient with NT4 server. * BUG 6703: Allow smbstatus as non-root. * BUG 6731: Fix reading beyond the end of a named stream in xattr_streams. * BUG 6765: Add a "hidden" par...

...mba_bugzilla at gmail.com> * BUG 6690: Fix wrong error check in profile. o Marc Aurele La France <tsi at ualberta.ca> * BUG 6707: Fix an occasional segfault in config file parsing. o Jeff Layton <jlayton at redhat.com> * BUG 6810: Add support for finding alternate credcaches to cifs.upcall. o Volker Lendecke <vl at samba.org> * BUG 6606: Fix file corruption using smbclient with NT4 server. * BUG 6703: Allow smbstatus as non-root. * BUG 6731: Fix reading beyond the end of a named stream in xattr_streams. * BUG 6765: Add a "hidden" par...