[Samba] smbclient ignores configured kerberos ccache when using krb5-user on ubuntu/debian

Rowland penny rpenny at samba.org
Tue Sep 15 19:33:01 UTC 2020


On 15/09/2020 19:14, Jonathan Davis via samba wrote:
> Hello all.
>
> I'm encountering an issue where smbclient seemingly ignores the kerberos
> ccache as configured in krb5.conf when using "krb5-user" as the kerberos
> package and will instead always default to using "FILE:/tmp/krb5cc_uid".
> I tested each valid default ccache name type but smbclient completely
> ignores whatever is set as the "default_ccache_name" in the conf file. I
> went on to test "heimdal-clients" as the kerberos package and smbclient
> appears to be using the ccache that is configured in the conf file. This
> behavior occurs on Ubuntu 20.04 and 19.10 as well as Debian 10.5.
>
> Swapping krb5-user for heimdal-clients is neither a desirable nor a functional
> solution for me because I want to utilize either the
> "KEYRING:persistent:%{uid}" or "KCM:" ccaches, both of which I'm unable to
> get working with heimdal-clients. On the same system SSSD, pam_mount and
> mount, all work with krb5-user and honor the configured ccache. I'd like to
> point out that the smbclient on CentOS 7 and 8 doesn't have this issue and
> works with "krb5-workstation" and both the "KEYRING" and "KCM" ccaches.
>
> So... is smbclient on debian/ubuntu only compatible with heimdal and not MIT
> kerberos? What am I missing? Any help or clarity would be greatly
> appreciated.
>
> Thank you!
>
> Additional details below...
> I'm currently testing on Ubuntu 20.04, kernel 5.4.0-47-generic, smbclient
> 4.11.6-Ubuntu, and krb5-user 1.17
> Steps I took: I run a kinit and obtain a valid ticket, klist confirms this
> and that it's stored in the configured ccache. I then run this command:
> smbclient //server.this.domain.com/share -k -d5
> Here's a snippet of the debug output, pay particular attention to the
> "smb_gss_krb5_import_cred" line:
>
> -----
> session request ok
> negotiated dialect[SMB3_11] against server[server.this.domain.com]
> cli_session_setup_spnego_send: Connect to server.this.domain.com as
> user at THIS.DOMAIN.COM using SPNEGO
> Starting GENSEC mechanism spnego
> Starting GENSEC submechanism gse_krb5
> smb_gss_krb5_import_cred ccache[FILE:/tmp/krb5cc_11111] failed with [
> Miscellaneous failure (see text): unknown mech-code 2 for mech 1 2 840
> 113554 1 2 2] -the caller may retry after a kinit.
> Failed to start GENSEC client mech gse_krb5: NT_STATUS_INTERNAL_ERROR
> gensec_spnego_client_negTokenInit_step: Could not find a suitable mechtype
> in NEG_TOKEN_INIT
> gensec_update_done: spnego[0x55857f9be090]: NT_STATUS_INVALID_PARAMETER
> SPNEGO login failed: An invalid parameter was passed to a service or
> function.
> -----
>
> Here are the contents of the krb5.conf and smb.conf files:
>
> #----krb5.conf----
> [libdefaults]
> default_realm = THIS.DOMAIN.COM
> dns_lookup_realm = true
> dns_lookup_kdc = true
> ticket_lifetime = 24h
> renew_lifetime = 7d
> kdc_timesync = 1
> forwardable = true
> proxiable = true
> canonicalize = true
> rdns = false
> spake_preauth_groups = edwards25519
> default_ccache_name = KEYRING:persistent:%{uid}
> #----krb5 end----
>
> #----smb.conf----
> [global]
> workgroup = DOMAIN
> netbios name = MACHINENAME
> logging = file
> log file = /var/log/samba/log.%m
> max log size = 1000
> log level = 3
> realm = THIS.DOMAIN.COM
> kerberos method = secrets and keytab
> client signing = mandatory
> client min protocol = SMB2
> client max protocol = default
> client ipc signing = mandatory
> client ipc min protocol = SMB2
> client ipc max protocol = default
> client ldap sasl wrapping = seal
> client NTLMv2 auth = yes
> client use spnego = yes
> ntlm auth = ntlmv2-only
> raw NTLMv2 auth = no
> restrict anonymous = 2
> #----smb end----

It works for me, either direction between an rpi running 4.9.5 and 
debian buster running 4.12.6

The only difference would seem to be that program I will not mention, 
but which has a lot of the letter 's' in its name; I do not use it. I also turned 
Samba off on the client end.

Rowland
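A small diagnostic for the symptom reported above, added here as an example and not code from the thread or from Samba: it reads default_ccache_name from the [libdefaults] section of krb5.conf, pulls the ccache that smbclient actually opened from the smb_gss_krb5_import_cred line of the -d5 output, and reports a mismatch. The sample krb5.conf and debug text are constructed from the quoted message, and the function names are my own.

```python
import re

# Constructed sample: the decisive line from the smbclient -d5 output in the report.
SMBCLIENT_DEBUG = """\
Starting GENSEC submechanism gse_krb5
smb_gss_krb5_import_cred ccache[FILE:/tmp/krb5cc_11111] failed with [ Miscellaneous failure (see text): unknown mech-code 2 for mech 1 2 840 113554 1 2 2] -the caller may retry after a kinit.
Failed to start GENSEC client mech gse_krb5: NT_STATUS_INTERNAL_ERROR
"""

# Constructed sample: the relevant part of the reporter's krb5.conf.
KRB5_CONF = """\
[libdefaults]
default_realm = THIS.DOMAIN.COM
default_ccache_name = KEYRING:persistent:%{uid}
"""

def configured_ccache(krb5_conf_text, uid):
    """Return default_ccache_name from [libdefaults] with %{uid} expanded, or None if unset."""
    section = None
    for raw in krb5_conf_text.splitlines():
        line = raw.split('#', 1)[0].strip()   # krb5.conf comments start with '#'
        if not line:
            continue
        if line.startswith('[') and line.endswith(']'):
            section = line[1:-1].strip().lower()
            continue
        if section == 'libdefaults' and '=' in line:
            key, value = (part.strip() for part in line.split('=', 1))
            if key == 'default_ccache_name':
                return value.replace('%{uid}', str(uid))
    return None

def ccache_used_by_smbclient(debug_text):
    """Return the ccache name smbclient tried to import, taken from the -d5 log."""
    match = re.search(r'smb_gss_krb5_import_cred ccache\[([^\]]+)\]', debug_text)
    return match.group(1) if match else None

def ccache_type(name):
    """'KEYRING:persistent:1000' -> 'KEYRING'; a bare path is implicitly FILE."""
    return name.split(':', 1)[0] if ':' in name else 'FILE'

def diagnose(krb5_conf_text, debug_text, uid):
    configured = configured_ccache(krb5_conf_text, uid)
    used = ccache_used_by_smbclient(debug_text)
    if used is None:
        return 'no smb_gss_krb5_import_cred line: cannot tell which ccache smbclient opened'
    if configured is None:
        return 'no default_ccache_name configured; smbclient used ' + used
    if configured == used:
        return 'smbclient used the configured ccache ' + used
    return ('mismatch: krb5.conf names %s (%s) but smbclient opened %s (%s)'
            % (configured, ccache_type(configured), used, ccache_type(used)))

if __name__ == '__main__':
    print(diagnose(KRB5_CONF, SMBCLIENT_DEBUG, 11111))
```

On a real host, feed it the output of `smbclient ... -k -d5 2>&1`, the system krb5.conf and `os.getuid()` to confirm whether the reported mismatch is what you are seeing.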
