[Samba] smbclient ignores configured kerberos ccache when using krb5-user on ubuntu/debian

Jonathan Davis jdavis at leepfrog.com
Tue Sep 15 18:14:29 UTC 2020


Hello all.

I'm encountering an issue where smbclient seemingly ignores the kerberos
ccache as configured in krb5.conf when using "krb5-user" as the kerberos
package and will instead always default to using "FILE:/tmp/krb5cc_uid".
I tested each valid default ccache name type but smbclient completely
ignores whatever is set as the "default_ccache_name" in the conf file. I
went on to test "heimdal-clients" as the kerberos package and smbclient
appears to be using the ccache that is configured in the conf file. This
behavior occurs on Ubuntu 20.04 and 19.10 as well as Debian 10.5.

Swapping krb5-user for heimdal-clients is neither a desirable nor a functional
solution for me because I want to utilize either the
"KEYRING:persistent:%{uid}" or "KCM:" ccaches, both of which I'm unable to
get working with heimdal-clients. On the same system, SSSD, pam_mount and
mount all work with krb5-user and honor the configured ccache. I'd like to
point out that the smbclient on CentOS 7 and 8 doesn't have this issue and
works with "krb5-workstation" and both the "KEYRING" and "KCM" ccaches.

So... is smbclient on debian/ubuntu only compatible with heimdal and not MIT
kerberos? What am I missing? Any help or clarity would be greatly
appreciated.

Thank you!

Additional details below...
I'm currently testing on Ubuntu 20.04, kernel 5.4.0-47-generic, smbclient
4.11.6-Ubuntu, and krb5-user 1.17.
Steps I took: I run a kinit and obtain a valid ticket, klist confirms this
and that it's stored in the configured ccache. I then run this command:
smbclient //server.this.domain.com/share -k -d5
Here's a snippet of the debug output; pay particular attention to the
"smb_gss_krb5_import_cred" line:

-----
session request ok
negotiated dialect[SMB3_11] against server[server.this.domain.com]
cli_session_setup_spnego_send: Connect to server.this.domain.com as
user at THIS.DOMAIN.COM using SPNEGO
Starting GENSEC mechanism spnego
Starting GENSEC submechanism gse_krb5
smb_gss_krb5_import_cred ccache[FILE:/tmp/krb5cc_11111] failed with [
Miscellaneous failure (see text): unknown mech-code 2 for mech 1 2 840
113554 1 2 2] -the caller may retry after a kinit.
Failed to start GENSEC client mech gse_krb5: NT_STATUS_INTERNAL_ERROR
gensec_spnego_client_negTokenInit_step: Could not find a suitable mechtype
in NEG_TOKEN_INIT
gensec_update_done: spnego[0x55857f9be090]: NT_STATUS_INVALID_PARAMETER
SPNEGO login failed: An invalid parameter was passed to a service or
function.
-----

Here are the contents of the krb5.conf and smb.conf files:

#----krb5.conf----
[libdefaults]
default_realm = THIS.DOMAIN.COM
dns_lookup_realm = true
dns_lookup_kdc = true
ticket_lifetime = 24h
renew_lifetime = 7d
kdc_timesync = 1
forwardable = true
proxiable = true
canonicalize = true
rdns = false
spake_preauth_groups = edwards25519
default_ccache_name = KEYRING:persistent:%{uid}
#----krb5 end----

#----smb.conf----
[global]
workgroup = DOMAIN
netbios name = MACHINENAME
logging = file
log file = /var/log/samba/log.%m
max log size = 1000
log level = 3
realm = THIS.DOMAIN.COM
kerberos method = secrets and keytab
client signing = mandatory
client min protocol = SMB2
client max protocol = default
client ipc signing = mandatory
client ipc min protocol = SMB2
client ipc max protocol = default
client ldap sasl wrapping = seal
client NTLMv2 auth = yes
client use spnego = yes
ntlm auth = ntlmv2-only
raw NTLMv2 auth = no
restrict anonymous = 2
#----smb end----

--
Jonathan Davis
Systems Administrator
Leepfrog Technologies, Inc.
www.leepfrog.com
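The mismatch the post describes (krb5.conf says KEYRING:persistent:%{uid}, smbclient's -d5 output says FILE:/tmp/krb5cc_11111) is easy to spot by hand once, but harder to check across a fleet. The script below is an added example, not code from the post or from Samba; it parses the [libdefaults] section of a krb5.conf, expands the default_ccache_name template the way MIT krb5 does (KRB5CCNAME in the environment takes precedence, %{uid}/%{euid}/%{USERID}/%{username}/%{null} are expanded, and the built-in default is FILE:/tmp/krb5cc_%{uid}), pulls the ccache name out of the smb_gss_krb5_import_cred debug line, and reports whether the two disagree. The krb5.conf text and debug snippet embedded here are constructed from the post; the parser is deliberately minimal (no includedir, no multi-line values) and the function names are this example's own.

```python
"""Compare the ccache smbclient reports in its -d5 output with the one
krb5.conf configures. Added example; not part of the original post."""
import re
from typing import Dict, Optional, Tuple

# Constructed from the krb5.conf quoted in the post (only the lines that matter here).
KRB5_CONF = """\
[libdefaults]
default_realm = THIS.DOMAIN.COM
default_ccache_name = KEYRING:persistent:%{uid}
"""

# Constructed from the smbclient -d5 snippet quoted in the post.
SMBCLIENT_DEBUG = """\
Starting GENSEC submechanism gse_krb5
smb_gss_krb5_import_cred ccache[FILE:/tmp/krb5cc_11111] failed with [
Miscellaneous failure (see text): unknown mech-code 2 for mech 1 2 840
113554 1 2 2] -the caller may retry after a kinit.
"""

# MIT krb5's compiled-in default when default_ccache_name is not set.
BUILTIN_DEFAULT_CCACHE = "FILE:/tmp/krb5cc_%{uid}"


def libdefault(conf_text: str, key: str) -> Optional[str]:
    """Return `key` from the [libdefaults] section, or None. Minimal parser:
    handles 'key = value' lines and '#' comments only (no includedir)."""
    section = None
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.match(r"^\[(\w+)\]$", line)
        if m:
            section = m.group(1)
            continue
        if section == "libdefaults" and "=" in line:
            k, v = (part.strip() for part in line.split("=", 1))
            if k == key:
                return v
    return None


def expand_ccache_template(template: str, uid: int, username: str) -> str:
    """Expand the %{...} parameters MIT krb5 accepts in default_ccache_name."""
    subs = {"uid": str(uid), "euid": str(uid), "USERID": str(uid),
            "username": username, "null": ""}

    def repl(m: "re.Match[str]") -> str:
        name = m.group(1)
        if name not in subs:
            raise ValueError(f"unsupported parameter %{{{name}}} in ccache name")
        return subs[name]

    return re.sub(r"%\{(\w+)\}", repl, template)


def expected_ccache(conf_text: str, uid: int, username: str,
                    env: Dict[str, str]) -> str:
    """Resolve the ccache libkrb5 would use: KRB5CCNAME wins, then
    default_ccache_name from krb5.conf, then the built-in FILE default."""
    if env.get("KRB5CCNAME"):
        return env["KRB5CCNAME"]
    template = libdefault(conf_text, "default_ccache_name") or BUILTIN_DEFAULT_CCACHE
    return expand_ccache_template(template, uid, username)


CCACHE_LINE = re.compile(r"smb_gss_krb5_import_cred ccache\[([^\]]+)\]")


def reported_ccache(debug_text: str) -> Optional[str]:
    """Extract the ccache name smbclient tried to import, if the line is present."""
    m = CCACHE_LINE.search(debug_text)
    return m.group(1) if m else None


def ccache_mismatch(conf_text: str, debug_text: str, uid: int, username: str,
                    env: Dict[str, str]) -> Tuple[str, Optional[str], bool]:
    """Return (expected, reported, mismatch). `mismatch` is False when the
    debug output contains no import line at all."""
    exp = expected_ccache(conf_text, uid, username, env)
    rep = reported_ccache(debug_text)
    return exp, rep, (rep is not None and rep != exp)


if __name__ == "__main__":
    # uid 11111 and user name "user" are taken from the post's debug output.
    exp, rep, bad = ccache_mismatch(KRB5_CONF, SMBCLIENT_DEBUG, 11111, "user", {})
    print(f"configured: {exp}\nsmbclient used: {rep}\nmismatch: {bad}")
```

To use it against a live host, replace the two constructed strings with the contents of /etc/krb5.conf and the captured output of `smbclient //server/share -k -d5 2>&1`, and pass `os.getuid()`, the login name and `os.environ`. A reported mismatch tells you the client binary is not resolving the ccache through the same krb5.conf logic as kinit and klist, which is exactly the condition the post observes.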