search for: upcall

...ot;kernel: [223018.425633] CIFS VFS: Send error in SessSetup = -126". I'll paste the working and non-working logs below. The "different user" mentioned above has UID 1494 which appears in the logs. Thanks for your time! C. WORKING: cifs-utils v 6.4-1 Feb 8 09:51:46 trog cifs.upcall: key description: cifs.spnego;0;0;39010000;ver=0x2;host=smb.physics.wisc.edu;ip4=128.104.160.17;sec=krb5;uid= 0x0;creduid=0x0;user=smbadmin at PHYSICS.WISC.EDU;pid=0x6bd0 Feb 8 09:51:46 trog cifs.upcall: ver=2 Feb 8 09:51:46 trog cifs.upcall: host=smb.physics.wisc.edu Feb 8 09:51:46 trog cifs.up...

...he share: sudo mount -t cifs //doloresdc/users /mnt -osec=krb5,multiuser he can't write to the mounted share at /mnt/users/steve2 He gets 'Permission denied'. His id is the same, all that's changed is that now it's mounted via cifs. The mount: Apr 11 18:18:16 doloresdc cifs.upcall: key description: cifs.spnego;0;0;3f000000;ver=0x2;host=doloresdc;ip4=192.168.1.100;sec=krb5;uid=0x0;creduid=0x0;user=root;pid=0x116b Apr 11 18:18:16 doloresdc cifs.upcall: ver=2 Apr 11 18:18:16 doloresdc cifs.upcall: host=doloresdc Apr 11 18:18:16 doloresdc cifs.upcall: ip=192.168.1.100 Apr 11 18...

...t should have been sent. Relabeled as v4 for clarity. Third respin of this series. Reordered for better safety for bisecting. The environment scraping is now on by default, but can be disabled with "-E" in environments where it's not needed. Also, I've added a patch to make cifs.upcall drop capabilities before doing most of its work. This may help reduce the attack surface of the program. Jeff Layton (4): cifs.upcall: convert two flags from int to bool cifs.upcall: switch group IDs when handling an upcall cifs.upcall: drop capabilities early in program cifs.upcall: allow...

...gt; renew until 01/14/2019 17:01:12 > 01/07/2019 17:01:12 01/08/2019 03:01:12 MEMBERSERVER-45$@SAMBA.COMPANY.COM > domainuser at memberserver-45:~$ sudo mount -t cifs //sambaserver/domainuser /mnt -osec=krb5,cruid=2028,uid=2028,gid=513 > > Jan 7 17:11:36 memberserver-45 cifs.upcall: key description: cifs.spnego;0;0;39010000;ver=0x2;host=sambaserver;ip4=10.20.30.16;sec=krb5;uid=0x3f6;creduid=0x3f6;user=root;pid=0x872 > Jan 7 17:11:36 memberserver-45 cifs.upcall: ver=2 > Jan 7 17:11:36 memberserver-45 cifs.upcall: host=sambaserver > Jan 7 17:11:36 memberserver-45 ci...

Third respin of this series. Reordered for better safety for bisecting. The environment scraping is now on by default, but can be disabled with "-E" in environments where it's not needed. Also, I've added a patch to make cifs.upcall drop capabilities before doing most of its work. This may help reduce the attack surface of the program. Jeff Layton (4): cifs.upcall: convert two flags from int to bool cifs.upcall: switch group IDs when handling an upcall cifs.upcall: drop capabilities early in program cifs.upcall: allow...

...error "Required key not available". Mounting using password works. The user ticket exists and is valid. DNS A record exists, but the AD does not contain a reverse zone (and I can't create one). Here is the daemon.log (sorry for the poor formatting): Mar 9 15:06:23 testlinux cifs.upcall: key description: cifs.spnego;0;0;39010000;ver=0x2;host=ad.FOO.BAR.LOCAL;ip4=10.73.23.27;sec=krb5;uid=0x0;creduid=0x2c0b;user=yvan.masson;pid=0x121c Mar 9 15:06:23 testlinux cifs.upcall: ver=2 Mar 9 15:06:23 testlinux cifs.upcall: host=ad.FOO.BAR.LOCAL Mar 9 15:06:23 testlinux cifs.upcall: ip=1...

...up and grouplist manipulation first, and then the patch that makes it grab the KRB5CCNAME from the initiating process. I think the code is sound, my main question is whether we really need the command-line switch for this. Should this just be the default mode of operation? Jeff Layton (2): cifs.upcall: switch group IDs when handling an upcall cifs.upcall: allow scraping of KRB5CCNAME out of initiating task's /proc/<pid>/environ file cifs.upcall.8.in | 10 +++ cifs.upcall.c | 185 +++++++++++++++++++++++++++++++++++++++++++++++++++++-- 2 files changed, 189 insertions(+), 6 d...

Chad reported that he was seeing a regression in cifs-utils-6.6. Prior to that, cifs.upcall was able to find credcaches in non-default FILE: locations, but with the rework of that code, that ability was lost. Unfortunately, the krb5 library design doesn't really take into account the fact that we might need to find a credcache in a process that isn't descended from the session....

...ver 2019 (as domain controller and fileserver) + Ubuntu 22.04 as client. The login with my configuration works all the time reliably, but sometimes the shares are not getting mounted. I have read a ton of documentation, but can not figure out where the problem really is. For me, it looks like cifs.upcall is sometimes using a wrong file name for the cache internally. I have also tried with the kernel cache, but that seems to even increase the problem. Steps to reproduce (client side): - Microsoft Server 2019 as Domain Controller - Install Ubuntu 22.04 - configure domain name in /etc/krb5.conf - joi...

...kinit-ed yet? And yet that case worked in the past...) > I'm more interested in what the trailing info in your credcache name is. In your log output for the working case, there are: /tmp/krb5cc_0 /tmp/krb5cc_1494_sM11PG So first one doesn't have that _XXXXXX trailing bit. Maybe cifs.upcall is not guessing that piece of the filename correctly? In any case, this patch should tell us more about what it thinks the credcache location is when it's doing this. Do you have the ability to apply this and test with the debugging turned up? ----------------------------------8<---------...

...ms.sh': > Provides: samba-doc = 3.2.15-1 > Requires(rpmlib): rpmlib(CompressedFileNames) <= 3.0.4-1 rpmlib(PayloadFilesHavePrefix) <= 4.0-1 rpmlib(VersionedDependencies) <= 3.0.3-1 > > > RPM build errors: > File not found: /var/tmp/samba-3.2.15-root/usr/sbin/cifs.upcall > File not found by glob: /var/tmp/samba-3.2.15-root/usr/share/man/man8/cifs.upcall.8.* > makerpms.sh: Done. Not really anything present either: > # find /var/tmp/samba-3.2.15-root -name 'cifs*' > /var/tmp/samba-3.2.15-root/usr/share/swat/help/manpages/cifs.upcall.8.html &...

...D alone, but now that we're looking at KRB5CCNAME, we need to be a little more careful with credentials. After we get the uid, do a getpwuid and grab the default gid for the user. Then use setgid to set it before calling setuid. Signed-off-by: Jeff Layton <jlayton at samba.org> --- cifs.upcall.c | 37 +++++++++++++++++++++++++++++++++++++ 1 file changed, 37 insertions(+) diff --git a/cifs.upcall.c b/cifs.upcall.c index ee3449d4555d..3328bbdd34ca 100644 --- a/cifs.upcall.c +++ b/cifs.upcall.c @@ -47,6 +47,8 @@ #include <netdb.h> #include <arpa/inet.h> #include <ctype.h&...

On Thu, 25 Jan 2024 18:45:52 -0800 Peter Carlson via samba <samba at lists.samba.org> wrote: > I am getting a permission denied when trying to ls as a domain user a > samba mount with windows ACLs (sigh I thought I had this figured > out). I tried to include self descriptive server names and include > them in the info below (fs1: file server, nc: addc, u2gui: ubuntu >

...19 17:01:12 > > 01/07/2019 17:01:12 01/08/2019 03:01:12 > MEMBERSERVER-45$@SAMBA.COMPANY.COM > > domainuser at memberserver-45:~$ sudo mount -t cifs > //sambaserver/domainuser /mnt -osec=krb5,cruid=2028,uid=2028,gid=513 > > > > Jan 7 17:11:36 memberserver-45 cifs.upcall: key > description: > cifs.spnego;0;0;39010000;ver=0x2;host=sambaserver;ip4=10.20.30 > .16;sec=krb5;uid=0x3f6;creduid=0x3f6;user=root;pid=0x872 > > Jan 7 17:11:36 memberserver-45 cifs.upcall: ver=2 > > Jan 7 17:11:36 memberserver-45 cifs.upcall: host=sambaserver > > J...

...> >> valid. DNS > >> A record exists, but the AD does not contain a reverse zone > >> (and I can't > >> create one). > >> > >> Here is the daemon.log (sorry for the poor formatting): > >> > >> Mar 9 15:06:23 testlinux cifs.upcall: key description: > >> cifs.spnego;0;0;39010000;ver=0x2;host=ad.FOO.BAR.LOCAL;ip4=10. > > > 73.23.27;sec=krb5;uid=0x0;creduid=0x2c0b;user=yvan.masson;pid=> 0x121c > >> Mar 9 15:06:23 testlinux cifs.upcall: ver=2 > >> Mar 9 15:06:23 testlinux cifs.upcall: ho...

..., 2017-02-13 at 05:02 -0500, Simo Sorce wrote: > On Sat, 2017-02-11 at 10:16 -0500, Jeff Layton wrote: > > On Sat, 2017-02-11 at 08:41 -0500, Jeff Layton wrote: > > > Chad reported that he was seeing a regression in cifs-utils-6.6. > > > Prior > > > to that, cifs.upcall was able to find credcaches in non-default > > > FILE: > > > locations, but with the rework of that code, that ability was lost. > > > > > > Unfortunately, the krb5 library design doesn't really take into > > > account > > > the fact that w...

...ts, some say it works with a computer service account others say you need a user account added to the keytab.? is there a reliable guide that helps a starter like me? LOG: Jan 26 09:24:56 u2gui kernel: [1214460.606344] CIFS: Attempting to mount \\fs.carlson.lab\test Jan 26 09:24:56 u2gui cifs.upcall: key description: cifs.spnego;0;0;39010000;ver=0x2;host=fs.carlson.lab;ip4=192.168.1.52;sec=krb5;uid=0x0;creduid=0x0;user=root;pid=0x24e63 Jan 26 09:24:56 u2gui cifs.upcall: ver=2 Jan 26 09:24:56 u2gui cifs.upcall: host=fs.carlson.lab Jan 26 09:24:56 u2gui cifs.upcall: ip=192.168.1.52 Jan 26 09:24...

...> Mounting using password works. The user ticket exists and is > valid. DNS > A record exists, but the AD does not contain a reverse zone > (and I can't > create one). > > Here is the daemon.log (sorry for the poor formatting): > > Mar 9 15:06:23 testlinux cifs.upcall: key description: > cifs.spnego;0;0;39010000;ver=0x2;host=ad.FOO.BAR.LOCAL;ip4=10. 73.23.27;sec=krb5;uid=0x0;creduid=0x2c0b;user=yvan.masson;pid=> 0x121c > Mar 9 15:06:23 testlinux cifs.upcall: ver=2 > Mar 9 15:06:23 testlinux cifs.upcall: host=ad.FOO.BAR.LOCAL > Mar 9 15:06:23 t...

On Thu, 2017-02-09 at 14:45 -0600, Chad William Seys wrote: > Hi Jeff, > Could you look at the following mailing list posting? > > https://lists.samba.org/archive/samba/2017-February/206468.html > > It looks like cifs.upcall has changed its behavior. As described in > that post, I can mount with root / kerberos, but then cannot access with > another user who has credentials. > > The logs indicate that cifs.upcall cannot find the kerberos ticket for > the non-root user. > > This problem does n...

...rd works. The user ticket exists and is >> valid. DNS >> A record exists, but the AD does not contain a reverse zone >> (and I can't >> create one). >> >> Here is the daemon.log (sorry for the poor formatting): >> >> Mar 9 15:06:23 testlinux cifs.upcall: key description: >> cifs.spnego;0;0;39010000;ver=0x2;host=ad.FOO.BAR.LOCAL;ip4=10. > 73.23.27;sec=krb5;uid=0x0;creduid=0x2c0b;user=yvan.masson;pid=> 0x121c >> Mar 9 15:06:23 testlinux cifs.upcall: ver=2 >> Mar 9 15:06:23 testlinux cifs.upcall: host=ad.FOO.BAR.LOCAL >&g...