similar to: [cifs-utils PATCH] cifs.upcall: switch group IDs when handling an upcall

Chad reported that he was seeing a regression in cifs-utils-6.6. Prior to that, cifs.upcall was able to find credcaches in non-default FILE: locations, but with the rework of that code, that ability was lost. Unfortunately, the krb5 library design doesn't really take into account the fact that we might need to find a credcache in a process that isn't descended from the session. When the

Third respin of this series. Reordered for better safety for bisecting. The environment scraping is now on by default, but can be disabled with "-E" in environments where it's not needed. Also, I've added a patch to make cifs.upcall drop capabilities before doing most of its work. This may help reduce the attack surface of the program. Jeff Layton (4): cifs.upcall: convert

Apologies for v3 series, I had some extra patches in there. This is the one that should have been sent. Relabeled as v4 for clarity. Third respin of this series. Reordered for better safety for bisecting. The environment scraping is now on by default, but can be disabled with "-E" in environments where it's not needed. Also, I've added a patch to make cifs.upcall drop

Small respin of the patches that I posted a few days ago. The main difference is the reordering of the series to make it do the group and grouplist manipulation first, and then the patch that makes it grab the KRB5CCNAME from the initiating process. I think the code is sound, my main question is whether we really need the command-line switch for this. Should this just be the default mode of

On Fri, 2017-02-10 at 15:14 -0500, Simo Sorce wrote: > On Fri, 2017-02-10 at 14:29 -0500, Jeff Layton wrote: > > On Fri, 2017-02-10 at 14:14 -0500, Simo Sorce wrote: > > > On Fri, 2017-02-10 at 13:30 -0500, Jeff Layton wrote: > > > > On Fri, 2017-02-10 at 12:39 -0500, Jeff Layton wrote: > > > > > On Fri, 2017-02-10 at 11:15 -0600, Chad William Seys

On Mon, 2017-02-13 at 05:02 -0500, Simo Sorce wrote: > On Sat, 2017-02-11 at 10:16 -0500, Jeff Layton wrote: > > On Sat, 2017-02-11 at 08:41 -0500, Jeff Layton wrote: > > > Chad reported that he was seeing a regression in cifs-utils-6.6. > > > Prior > > > to that, cifs.upcall was able to find credcaches in non-default > > > FILE: > > >

Hello, Trying to compile Samba 3.2.15 on a RHEL AS 4u2 (i686) and I'm getting the following result from 'sh makerpms.sh': > Provides: samba-doc = 3.2.15-1 > Requires(rpmlib): rpmlib(CompressedFileNames) <= 3.0.4-1 rpmlib(PayloadFilesHavePrefix) <= 4.0-1 rpmlib(VersionedDependencies) <= 3.0.3-1 > > > RPM build errors: > File not found:

Hello, I've been doing some extensive troubleshooting with respect to some issues mounting CIFS shares on a Windows box via Kerberos. We're using the command: /sbin/mount.cifs //whatever/whatever /whatever -o sec=krb5i This should mount the share using Kerberos & Packet-signing by using the cached credentials of the user executing the command. With judicious use of strace, it

On Fri, 2017-02-10 at 11:15 -0600, Chad William Seys wrote: > Hi Jeff, > > > So we have a default credcache for the user for whom we are operating > > as, but we can't get the default principal name from it. My guess is > > that it's not finding the > > This mount is run by root UID=0 and seems to be find that credential > cache without problem (earlier

:/usr/src/samba/samba/source3 # grep -i ldap config.log $ ./configure --with-cifsupcall --with-ads --with-ldap --with-krb5 configure:59539: checking for LDAP support configure:59585: checking ldap.h usability configure:59627: checking ldap.h presence configure:59696: checking for ldap.h | #define HAVE_LDAP_H 1 | #define HAVE_LDAP_H 1 | #define HAVE_LDAP_H 1 configure:60066: checking for

This approach is more complex than I'd like, but it works even on Solaris, which has neither credential passing nor permissions on the socket itself. --- src/control.c | 82 +++++++++++++++++++++++++++++++++++++++----------- src/control_common.h | 1 + src/tincctl.c | 67 +++++++++++++++++++++++++++++++++-------- src/tincd.c | 2 +- 4 files changed, 120

Hello, On Debian 9 (stretch prerelease) I am able to mount with the following command with root using the following command: mount -t cifs //smb.physics.wisc.edu/smb /smb -osec=krb5,multiuser,username=smbadmin at PHYSICS.WISC.EDU --verbose root can also access files as expected However, when cifs-utils 6.6-5 is installed, a different user cannot access as expected: ls /smb ls: cannot

We have been fighting with intermittent connections here and have noticed that tinc seems to use up its supply of file descriptors. After a whole bunch of Nov 8 03:51:23 tserver tinc.calgary[23909]: Could not set up a meta connection. Nov 8 03:51:23 tserver tinc.calgary[23909]: Still failed to connect to other. Will retry Nov 8 03:51:33 tserver tinc.calgary[23909]: 10.38.9.1:8193: Connection

Hi samba --version Version 4.0.6-GIT-4bebda4 smb.conf: [users] path = /home/users read only = No Working on the DC which is also the fileserver user steve2 can write to his folder at /home/users/steve2 But if we now mount the share: sudo mount -t cifs //doloresdc/users /mnt -osec=krb5,multiuser he can't write to the mounted share at /mnt/users/steve2 He gets 'Permission denied'.

Hi @all, I have some problems when using pam_mount.conf.xml to mount shares via kerberos (and also for ntlm) regarding reliability of the mount. I have tested the issue with 2 different environments. My environments are: 2 Microsoft Domain Controllers + a separate fileserver and Ubuntu 18.04 or 22.04 as clients. My other tested environment is one Microsoft Server 2019 (as domain controller and

Hai Mourik-Jan, Beste wensen he ;-) Lets start here.. A and PTR record exists for both servers? Does CIFS/spn and root/spn exist in the AD? In krb5.conf, set these : ; not used for nfs4 but cifs might need it. ; for Windows 2003 ; default_tgs_enctypes = rc4-hmac des-cbc-crc des-cbc-md5 ; default_tkt_enctypes = rc4-hmac des-cbc-crc des-cbc-md5 ; permitted_enctypes = rc4-hmac

Hi, I am trying to mount fileserver (samba, 10.20.30.16) shares on a linux domain member server, where I logged on via ssh using AD my credentials. I am unable to get past the "mount error(126): Required key not available" error message. I have read and googled a lot, and could use some help. See this: > domainuser at memberserver-45:~$ sudo tail -f /var/log/debug & >

On 1/26/24 02:35, Rowland Penny via samba wrote: > On Thu, 25 Jan 2024 18:45:52 -0800 Peter Carlson via samba > <samba at lists.samba.org> wrote: >> The share mounts and I am a member of the correct groups >> CARLSON\peter at u2gui:~$ cat /etc/fstab //fs.carlson.lab/test /mnt/test >> cifs credentials=/root/smbcreds,multiuser,sec=ntlmssp,_netdev 0 0 > I think

Did you "deleated the computer object" to allow kerberos services. And did you add the CIFS/spn to the computer and keytab ? https://wiki.samba.org/index.php/Generating_Keytabs If its a member, which i assume. kinit Administrator net ads keytab add cifs/$(hostname -f) -k net ads keytab add_update_ads -k Add these and it should work. You might need to restart or reboot., sometimes

I wrote this little program to deal with the situation where there are a number of workgroups on a number of subnets with no WINS server [actually I couldn't get this configuration to run with a WINS server - but that's another story] You run this program on machines bridging your subnets and it listens for netbios nameserver packets and forwards them. [Broadcast packets are sent on to