Displaying 20 results from an estimated 21 matches for "credcaches".
Did you mean:
credcache
2017 Feb 10
5
cifs-utils: regression in (mulituser?) mounting 'CIFS VFS: Send error in SessSetup = -126'
On Fri, 2017-02-10 at 11:15 -0600, Chad William Seys wrote:
> Hi Jeff,
>
> > So we have a default credcache for the user for whom we are operating
> > as, but we can't get the default principal name from it. My guess is
> > that it's not finding the
>
> This mount is run by root UID=0 and seems to be find that credential
> cache without problem (earlier
2017 Feb 10
2
cifs-utils: regression in (mulituser?) mounting 'CIFS VFS: Send error in SessSetup = -126'
On Thu, 2017-02-09 at 14:45 -0600, Chad William Seys wrote:
> Hi Jeff,
> Could you look at the following mailing list posting?
>
> https://lists.samba.org/archive/samba/2017-February/206468.html
>
> It looks like cifs.upcall has changed its behavior. As described in
> that post, I can mount with root / kerberos, but then cannot access with
> another user who has
2017 Feb 10
0
cifs-utils: regression in (mulituser?) mounting 'CIFS VFS: Send error in SessSetup = -126'
...ogout if you do that. Caveat emptor.
> >
> > I'm not sure what the right solution is there. For Simo and Nalin:
> >
> > The upshot here is that we did a big clean up of the cifs-utils code
> > recently, to get it out of the business of scanning /tmp for
> > credcaches.
> > That allows us to have better compatibility with other credcache
> > types
> > (keyring or whatever), and it was always rather nasty anyway.
> >
> > pam_krb5 wants to make session-specific credcaches however, and
> > cifs.upcall can't easily guess them....
2017 Feb 09
2
cifs-utils: regression in (mulituser?) mounting 'CIFS VFS: Send error in SessSetup = -126'
Hi Aurélien,
Thanks for the idea!
For Debian packages:
6.4-1 works
6.5-1 works
6.5-2 works
6.6-1 fails
6.6-5 fails
So looks like something changed from 6.5 to 6.6...
When I have time I'll figure out how to compile the upcall binary.
2017 Feb 10
0
cifs-utils: regression in (mulituser?) mounting 'CIFS VFS: Send error in SessSetup = -126'
...the right solution is there. For Simo and
> > > > Nalin:
> > > >
> > > > The upshot here is that we did a big clean up of the cifs-utils
> > > > code
> > > > recently, to get it out of the business of scanning /tmp for
> > > > credcaches.
> > > > That allows us to have better compatibility with other credcache
> > > > types
> > > > (keyring or whatever), and it was always rather nasty anyway.
> > > >
> > > > pam_krb5 wants to make session-specific credcaches however, and...
2017 Feb 11
2
[RFC][cifs-utils PATCH] cifs.upcall: allow scraping of KRB5CCNAME out of initiating task's /proc/<pid>/environ file
Chad reported that he was seeing a regression in cifs-utils-6.6. Prior
to that, cifs.upcall was able to find credcaches in non-default FILE:
locations, but with the rework of that code, that ability was lost.
Unfortunately, the krb5 library design doesn't really take into account
the fact that we might need to find a credcache in a process that isn't
descended from the session.
When the kernel does an upca...
2016 Sep 04
0
ANNOUNCE: cifs-utils release 6.6 ready for download
Time for a new cifs-utils release!
The main change in this release is a set of cleanups to cifs.upcall to
make it more efficient and work better with alternate style credcaches.
No longer does it blithely stumble around in /tmp looking for
credcaches. We now just use the default credcache that to which the
krb5.conf points.
Go forth and download!
webpage: https://wiki.samba.org/index.php/LinuxCIFS_utils
tarball: ftp://ftp.samba.org/pub/linux-cifs/cifs-utils/
git: ...
2017 Mar 02
0
cifs-utils release 6.7 ready for download
The main change in this release is to address some regressions that
crept in when we switched to a scheme that does not rely on walking /tmp
to look for credcaches.
We now will use the information from the kernel about the initiating
pid, reach into that task's environment and scrape out the $KRB5CCNAME
variable. This can be problematic in setuid situations, so we avoid
doing that for the root user. It's not a perfect scheme but it's
certainly be...
2013 Oct 04
0
ANNOUNCE: cifs-utils release 6.2 ready for download
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Again, nothing earth-shattering in this release. Mostly some minor
bugfixes and cleanups. Some highlights:
- - setcifsacl can now work without a plugin
- - systemd-ask-password is found using $PATH now
- - cifs.upcall now works with KEYRING: credcaches
Go forth and download!
webpage: https://wiki.samba.org/index.php/LinuxCIFS_utils
tarball: ftp://ftp.samba.org/pub/linux-cifs/cifs-utils/
git: git://git.samba.org/cifs-utils.git
gitweb: http://git.samba.org/?p=cifs-utils.git;a=summary
Detailed list of changes since 6.2:
commit...
2017 Feb 15
5
[cifs-utils PATCH v3 0/4] cifs.upcall: allow cifs.upcall to scrape cache location initiating task's environment
Third respin of this series. Reordered for better safety for bisecting.
The environment scraping is now on by default, but can be disabled with
"-E" in environments where it's not needed.
Also, I've added a patch to make cifs.upcall drop capabilities before
doing most of its work. This may help reduce the attack surface of the
program.
Jeff Layton (4):
cifs.upcall: convert
2017 Feb 13
0
[RFC][cifs-utils PATCH] cifs.upcall: allow scraping of KRB5CCNAME out of initiating task's /proc/<pid>/environ file
...500, Simo Sorce wrote:
> On Sat, 2017-02-11 at 10:16 -0500, Jeff Layton wrote:
> > On Sat, 2017-02-11 at 08:41 -0500, Jeff Layton wrote:
> > > Chad reported that he was seeing a regression in cifs-utils-6.6.
> > > Prior
> > > to that, cifs.upcall was able to find credcaches in non-default
> > > FILE:
> > > locations, but with the rework of that code, that ability was lost.
> > >
> > > Unfortunately, the krb5 library design doesn't really take into
> > > account
> > > the fact that we might need to find a credc...
2017 Feb 14
3
[PATCH v2 0/2] cifs.upcall: allow cifs.upcall to grab $KRB5CCNAME from initiating process
Small respin of the patches that I posted a few days ago. The main
difference is the reordering of the series to make it do the group
and grouplist manipulation first, and then the patch that makes
it grab the KRB5CCNAME from the initiating process.
I think the code is sound, my main question is whether we really
need the command-line switch for this. Should this just be the
default mode of
2017 Feb 09
0
cifs-utils: regression in (mulituser?) mounting 'CIFS VFS: Send error in SessSetup = -126'
Hi Jeff,
Could you look at the following mailing list posting?
https://lists.samba.org/archive/samba/2017-February/206468.html
It looks like cifs.upcall has changed its behavior. As described in
that post, I can mount with root / kerberos, but then cannot access with
another user who has credentials.
The logs indicate that cifs.upcall cannot find the kerberos ticket for
the non-root user.
2017 Feb 15
5
[cifs-utils PATCH v3 0/4] cifs.upcall: allow cifs.upcall to scrape cache location initiating task's environment
Apologies for v3 series, I had some extra patches in there. This is
the one that should have been sent. Relabeled as v4 for clarity.
Third respin of this series. Reordered for better safety for bisecting.
The environment scraping is now on by default, but can be disabled with
"-E" in environments where it's not needed.
Also, I've added a patch to make cifs.upcall drop
2012 Oct 10
1
ANNOUNCE: cifs-utils release 5.6 is ready for download
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Time for another cifs-utils release!
Nothing terribly earth shattering here. Some distros (like Fedora) are
moving krb5 credcaches out of /tmp by default. Users of these distros
will definitely want to upgrade.
Highlights:
* Fixes for mounting with '/' in usernames with sec=krb5
* Support for DIR: type krb5 ccaches
* support for "nofail" option in mount.cifs
webpage: https://wiki.samba.org/index.php/...
2009 Sep 19
1
cifs.upcall not respecting krb5ccname env var?
Hello,
I've been doing some extensive troubleshooting with respect to some issues
mounting CIFS shares on a Windows box via Kerberos. We're using the command:
/sbin/mount.cifs //whatever/whatever /whatever -o sec=krb5i
This should mount the share using Kerberos & Packet-signing by using the
cached credentials of the user executing the command. With judicious use of
strace, it
2010 Jan 14
1
Samba 3.3.10 Available for Download
...x build with recent Heimdal.
* Fix the build of the winbind krb5 locator plugin.
* Fix compile of winbind_krb5_locator with recent Heimdal versions.
* Fix the build on Mac OS X 10.6.2.
o Jeff Layton <jlayton at redhat.com>
* BUG 6810: Backport support for finding alternate credcaches.
* Use pid value from kernel to determine KRB5CCNAME to use in cifs.upcall.
o Volker Lendecke <vl at samba.org>
* BUG 6338: 'net rpc trustdom list' always displays "none".
* BUG 6793: Fix segfault in winbindd_pam_auth.
* BUG 6850: Fix shadow copy display...
2010 Jan 14
1
Samba 3.3.10 Available for Download
...x build with recent Heimdal.
* Fix the build of the winbind krb5 locator plugin.
* Fix compile of winbind_krb5_locator with recent Heimdal versions.
* Fix the build on Mac OS X 10.6.2.
o Jeff Layton <jlayton at redhat.com>
* BUG 6810: Backport support for finding alternate credcaches.
* Use pid value from kernel to determine KRB5CCNAME to use in cifs.upcall.
o Volker Lendecke <vl at samba.org>
* BUG 6338: 'net rpc trustdom list' always displays "none".
* BUG 6793: Fix segfault in winbindd_pam_auth.
* BUG 6850: Fix shadow copy display...
2009 Oct 29
0
[Announce] Samba 3.4.3 Available for Download
...mba_bugzilla at gmail.com>
* BUG 6690: Fix wrong error check in profile.
o Marc Aurele La France <tsi at ualberta.ca>
* BUG 6707: Fix an occasional segfault in config file parsing.
o Jeff Layton <jlayton at redhat.com>
* BUG 6810: Add support for finding alternate credcaches to cifs.upcall.
o Volker Lendecke <vl at samba.org>
* BUG 6606: Fix file corruption using smbclient with NT4 server.
* BUG 6703: Allow smbstatus as non-root.
* BUG 6731: Fix reading beyond the end of a named stream in xattr_streams.
* BUG 6765: Add a "hidden" par...
2009 Oct 29
0
[Announce] Samba 3.4.3 Available for Download
...mba_bugzilla at gmail.com>
* BUG 6690: Fix wrong error check in profile.
o Marc Aurele La France <tsi at ualberta.ca>
* BUG 6707: Fix an occasional segfault in config file parsing.
o Jeff Layton <jlayton at redhat.com>
* BUG 6810: Add support for finding alternate credcaches to cifs.upcall.
o Volker Lendecke <vl at samba.org>
* BUG 6606: Fix file corruption using smbclient with NT4 server.
* BUG 6703: Allow smbstatus as non-root.
* BUG 6731: Fix reading beyond the end of a named stream in xattr_streams.
* BUG 6765: Add a "hidden" par...