search for: get_tgt_tim

...s version. Not counting any distro-specific patches it seems cifs.upcall only had 5 commits affecting it between these 2 releases: $ git log --pretty=oneline cifs-utils-6.6...cifs-utils-6.4 cifs.upcall.c 7852bec cifs.upcall: stop passing around ccache name strings 39dbb7b cifs.upcall: make get_tgt_time take a ccache arg 3db6b3a cifs.upcall: remove KRB5_TC_OPENCLOSE a3743af cifs.upcall: make the krb5_context a static global variable 9be6e88 cifs.upcall: use krb5 routines to get default ccname It seems the way cached credentials are searched changed, which your logs show if you diff them:...

...ifs.upcall: ip=128.104.160.17 Feb 8 09:48:14 trog cifs.upcall: sec=1 Feb 8 09:48:14 trog cifs.upcall: uid=0 Feb 8 09:48:14 trog cifs.upcall: creduid=0 Feb 8 09:48:14 trog cifs.upcall: user=smbadmin at PHYSICS.WISC.EDU Feb 8 09:48:14 trog cifs.upcall: pid=26578 Feb 8 09:48:14 trog cifs.upcall: get_tgt_time: unable to get principal Feb 8 09:48:14 trog cifs.upcall: handle_krb5_mech: getting service ticket for smb.physics.wisc.edu Feb 8 09:48:14 trog cifs.upcall: handle_krb5_mech: obtained service ticket Feb 8 09:48:14 trog cifs.upcall: Exit status 0 Feb 8 09:48:14 trog cifs.upcall: key description...

...stead, just get the default ccname for the > user, and then see if it has a valid tgt. If it doesn't then we try to > use the keytab to init the credcache before proceeding. Thanks... let's see... The logs have this in the non-working case: Feb  8 09:48:14 trog cifs.upcall: get_tgt_time: unable to get principal That corresponds to this bit of code in cifs.upcall:         if (krb5_cc_get_principal(context, ccache, &principal)) {                 syslog(LOG_DEBUG, "%s: unable to get principal", __func__);                 goto err_cache;         } So we have a defaul...

...b5_cc_get_full_name(context, cc, &cachename); + if (ret) { + syslog(LOG_DEBUG, "%s: krb5_cc_get_full_name failed: %d\n", __func__, ret); + } else { + syslog(LOG_DEBUG, "%s: default ccache is %s\n", __func__, cachename); + krb5_free_string(context, cachename); + } + if (!get_tgt_time(cc)) { krb5_cc_close(context, cc); cc = NULL; -- 2.9.3

Hi Aurélien, Thanks for the idea! For Debian packages: 6.4-1 works 6.5-1 works 6.5-2 works 6.6-1 fails 6.6-5 fails So looks like something changed from 6.5 to 6.6... When I have time I'll figure out how to compile the upcall binary.

...mp from Igor, so I     think we're safe to just drop it at this point.          Signed-off-by: Jeff Layton <jlayton at samba.org> commit 39dbb7b47bea9d6d7cf93ddd53cda501c3898bd6 Author: Jeff Layton <jlayton at samba.org> Date:   Wed Aug 24 11:41:53 2016 -0400     cifs.upcall: make get_tgt_time take a ccache arg          ...instead of dealing with the ccname. Push resolution of the cache     into the caller.          Signed-off-by: Jeff Layton <jlayton at samba.org> commit 7852becab01989634aacc1fb8ff9581a11a7cdcf Author: Jeff Layton <jlayton at samba.org> Date:   Wed Aug 24...

...b5_cc_get_full_name(context, cc, &cachename); + if (ret) { + syslog(LOG_DEBUG, "%s: krb5_cc_get_full_name failed: %d\n", __func__, ret); + } else { + syslog(LOG_DEBUG, "%s: default ccache is %s\n", __func__, cachename); + krb5_free_string(context, cachename); + } + if (!get_tgt_time(cc)) { krb5_cc_close(context, cc); cc = NULL; @@ -173,7 +297,6 @@ get_default_cc(void) return cc; } - static krb5_ccache init_cc_from_keytab(const char *keytab_name, const char *user) { @@ -664,10 +787,11 @@ lowercase_string(char *c) static void usage(void) { - fprintf(stderr, &q...

Third respin of this series. Reordered for better safety for bisecting. The environment scraping is now on by default, but can be disabled with "-E" in environments where it's not needed. Also, I've added a patch to make cifs.upcall drop capabilities before doing most of its work. This may help reduce the attack surface of the program. Jeff Layton (4): cifs.upcall: convert

On Thu, 25 Jan 2024 18:45:52 -0800 Peter Carlson via samba <samba at lists.samba.org> wrote: > I am getting a permission denied when trying to ls as a domain user a > samba mount with windows ACLs (sigh I thought I had this figured > out). I tried to include self descriptive server names and include > them in the info below (fs1: file server, nc: addc, u2gui: ubuntu >

Small respin of the patches that I posted a few days ago. The main difference is the reordering of the series to make it do the group and grouplist manipulation first, and then the patch that makes it grab the KRB5CCNAME from the initiating process. I think the code is sound, my main question is whether we really need the command-line switch for this. Should this just be the default mode of

...i cifs.upcall: user=root Jan 26 09:24:56 u2gui cifs.upcall: pid=151139 Jan 26 09:24:56 u2gui cifs.upcall: get_cachename_from_process_env: pathname=/proc/151139/environ Jan 26 09:24:56 u2gui cifs.upcall: get_existing_cc: default ccache is FILE:/tmp/krb5cc_2001107 Jan 26 09:24:56 u2gui cifs.upcall: get_tgt_time: unable to get principal Jan 26 09:24:56 u2gui cifs.upcall: krb5_get_init_creds_keytab: -1765328378 Jan 26 09:24:56 u2gui cifs.upcall: Exit status 1 Jan 26 09:24:56 u2gui kernel: [1214461.218431] CIFS: VFS: Verify user has a krb5 ticket and keyutils is installed Jan 26 09:24:56 u2gui kernel: [121...

Apologies for v3 series, I had some extra patches in there. This is the one that should have been sent. Relabeled as v4 for clarity. Third respin of this series. Reordered for better safety for bisecting. The environment scraping is now on by default, but can be disabled with "-E" in environments where it's not needed. Also, I've added a patch to make cifs.upcall drop

...1.3x;sec=krb5;uid=0x277d;creduid=0x0;user=test;pid=0x4ba cifs.upcall: ver=2 cifs.upcall: host=1x.1xx.1.3x cifs.upcall: ip=1x.1xx.1.3x cifs.upcall: sec=1 uid=10109 creduid=0 user=test pid=1210 get_cachename_from_process_env: pid == 0 get_existing_cc: default ccache is FILE:/tmp/krb5cc_0 cifs.upcall: get_tgt_time: unable to get principal cifs.upcall: krb5_get_init_creds_keytab: -1765328203 cifs.upcall: Exit status 1 lightdm[830]: (mount.c:72): Messages from underlying mount program: lightdm[830]: (mount.c:76): mount error(126): Required key not available Do you have a good wiki for setting up sec=krb5 for...

....1.3x;sec=krb5;uid=0x277d;creduid=0x0;user=test;pid=0x4ba cifs.upcall: ver=2 cifs.upcall: host=1x.1xx.1.3x cifs.upcall: ip=1x.1xx.1.3x cifs.upcall: sec=1 uid=10109 creduid=0 user=test pid=1210 get_cachename_from_process_env: pid == 0 get_existing_cc: default ccache isFILE:/tmp/krb5cc_0 cifs.upcall: get_tgt_time: unable to get principal cifs.upcall: krb5_get_init_creds_keytab: -1765328203 cifs.upcall: Exit status 1 lightdm[830]: (mount.c:72): Messages from underlying mount program: lightdm[830]: (mount.c:76): mount error(126): Required key not available Do you have a good wiki for setting up sec=krb5 for...

Rowland, How would I find this info? Check if 'Rachel Jones' has a 'gecos' attribute in AD. You seem to be being denied access to '.Xauthority', was it created on another machine ? No However, I am sure '-13' usually means incorrect password. I am sure the password is correct, the /mnt/home/rachel folder is created but the user files are not created because