Accessing shared folders in trusted domains
Ivan Korytov
korytovip at basealt.ru
Thu Mar 6 09:14:29 UTC 2025
Hi!
There was a change in libsmbclient that enabled the default Kerberos
ccache in cli_session_creds_init when no password is supplied.
https://gitlab.com/samba-team/samba/-/commit/fb7e19826afab4fce33769eb7aef16a1c650b23a
Why do we need a check that there is no fallback set? Why can't
libsmbclient always set the ccache?
I'm mentioning this because there is a problem when accessing shared
folders in trusted domains with Kerberos.
It affects clients that use libsmbclient, like GIO/GVFS and KIO.
In GIO the fallback is enabled when the username is not empty (almost
always), and in KIO the fallback is always enabled. If the fallback is
set, then there is no way that libsmbclient will get the correct
Kerberos credentials.
Here is what I've found (when the fallback is set, so that ccache is
not configured):
When SMBC_server (SMBC_server_internal) is called, the following
authentication functions are used, in order:
- SMBC_auth_credentials
- cli_session_creds_init
- cli_session_setup_creds
- cli_session_setup_gensec_send
- auth_generic_client_prepare
- cli_credentials_guess
- auth_generic_set_creds
cli_session_setup_creds uses the same credentials variable as
SMBC_auth_credentials does.
The function auth_generic_client_prepare obtains correct credentials with
cli_credentials_guess (it is also used in libcli, which is used in all
Samba utilities, like smbclient).
But afterwards auth_generic_set_creds is called and it copies the
credentials passed as an argument to auth_generic_client_prepare and
discards the credentials previously acquired by cli_credentials_guess.
So, correct credentials are lost and credentials from
cli_session_creds_init are used, which can't be used to authenticate
with Kerberos.
Example of a correct request (not using libsmbclient):
$ KRB5_TRACE=/dev/stdout smbclient -k //dc1.trust.alt/sysvol
WARNING: The option -k|--kerberos is deprecated!
[5695] 1733747978.787075: Getting credentials Administrator at TRUST.ALT -> cifs/dc1.trust.alt at TRUST.ALT using ccache KEYRING:persistent:10002:10002
Example of an incorrect request:
$ KRB5_TRACE=/dev/stdout dolphin smb://dc1.trust.alt/sysvol
[5724] 1733748053.579586: Getting credentials Administrator at TRUST.ALT -> cifs/dc1.trust.alt at TEST.ALT using ccache KEYRING:persistent:10002:10002
The trust is two-way, so everyone can access everything everywhere.
The computer is joined to the TEST.ALT domain.
When I discovered this change in newer versions of Samba, I disabled
the fallback check, and the creds returned from cli_session_creds_init
are correct and can be used to try Kerberos authentication, even when
the fallback is set.
--
Ivan Korytov
korytovip at basealt.ru
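
An added diagnostic example, not part of the original message and not Samba code: it scans KRB5_TRACE output for "Getting credentials" lines and flags service tickets requested in a realm that does not match the server's DNS domain, which is the difference between the two traces quoted above. The function names are hypothetical, the sample lines are constructed from those traces, and the default rule "realm = upper-cased DNS domain of the host" is an assumption that an optional domain-to-realm mapping overrides.

```python
import re

# "[pid] time: Getting credentials CLIENT -> SERVICE using ccache NAME"
# Accepts "@" and the " at " form that list archives substitute for it.
TRACE_RE = re.compile(
    r"Getting credentials (?P<client>\S+?)(?:@| at )(?P<crealm>\S+) -> "
    r"(?P<service>\S+?)(?:@| at )(?P<srealm>\S+) using ccache (?P<ccache>\S+)"
)

# Constructed sample, modelled on the two traces in the message.
SAMPLE = """\
[5695] 1733747978.787075: Getting credentials Administrator@TRUST.ALT -> cifs/dc1.trust.alt@TRUST.ALT using ccache KEYRING:persistent:10002:10002
[5724] 1733748053.579586: Getting credentials Administrator@TRUST.ALT -> cifs/dc1.trust.alt@TEST.ALT using ccache KEYRING:persistent:10002:10002
"""


def expected_realm(service, domain_realm=None):
    """Realm expected for a host-based service such as cifs/host.example."""
    if "/" not in service:
        return None
    host = service.split("/", 1)[1].lower()
    # Explicit mappings win, longest suffix first (like [domain_realm]).
    for suffix, realm in sorted((domain_realm or {}).items(),
                                key=lambda kv: -len(kv[0])):
        bare = suffix.lstrip(".").lower()
        if host == bare or host.endswith("." + bare):
            return realm.upper()
    # Assumption: otherwise the realm is the host's DNS domain, upper-cased.
    return host.partition(".")[2].upper() or None


def check_trace(text, domain_realm=None):
    """Return one finding per ticket request found in the trace text."""
    findings = []
    for m in TRACE_RE.finditer(text):
        want = expected_realm(m["service"], domain_realm)
        findings.append({
            "client": f'{m["client"]}@{m["crealm"]}',
            "service": m["service"],
            "requested_realm": m["srealm"],
            "expected_realm": want,
            "ccache": m["ccache"],
            "mismatch": want is not None and want != m["srealm"].upper(),
        })
    return findings


if __name__ == "__main__":
    for f in check_trace(SAMPLE):
        tag = "MISMATCH" if f["mismatch"] else "ok"
        print(f'{tag}: {f["service"]} requested in {f["requested_realm"]}, '
              f'expected {f["expected_realm"]}')
```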