[Samba] smbclient ignores configured kerberos ccache when using krb5-user on ubuntu/debian

L.P.H. van Belle belle at bazuin.nl
Wed Sep 16 07:38:11 UTC 2020


I believe you are hitting multiple things.

1. A bug in smbclient involving that kerberos cache. I've seen something passing by on this.
2. krb5.conf has too much in it, just not needed.
3. Faulty smb.conf. It's incomplete.

But more comments below.

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
> Rowland penny via samba
> Sent: Tuesday 15 September 2020 21:33
> To: samba at lists.samba.org
> Subject: Re: [Samba] smbclient ignores configured kerberos
> ccache when using krb5-user on ubuntu/debian
> 
> On 15/09/2020 19:14, Jonathan Davis via samba wrote:
> > Hello all.
> >
> > I'm encountering an issue where smbclient seemingly ignores the kerberos
> > ccache as configured in krb5.conf when using "krb5-user" as the kerberos
> > package and will instead always default to using "FILE:/tmp/krb5cc_uid".
> > I tested each valid default ccache name type but smbclient completely
> > ignores whatever is set as the "default_ccache_name" in the conf file. I
> > went on to test "heimdal-clients" as the kerberos package and smbclient
> > appears to be using the ccache that is configured in the conf file. This
> > behavior occurs on Ubuntu 20.04 and 19.10 as well as Debian 10.5.
> >
> > Swapping krb5-user for heimdal-clients is not a desirable nor functional
> > solution for me because I want to utilize either the
> > "KEYRING:persistent:%{uid}" or "KCM:" ccaches; both of which I'm unable to
> > get working with heimdal-clients. On the same system SSSD, pam_mount and
> > mount, all work with krb5-user and honor the configured ccache. I'd like to
> > point out that the smbclient on CentOS 7 and 8 doesn't have this issue and
> > works with "krb5-workstation" and both the "KEYRING" and "KCM" ccaches.
> >
> > So... is smbclient on debian/ubuntu only compatible with heimdal and not MIT
> > kerberos? What am I missing? Any help or clarity would be greatly
> > appreciated.
> >
> > Thank you!
> >
> > Additional details below...
> > I'm currently testing on Ubuntu 20.04, kernel 5.4.0-47-generic, smbclient
> > 4.11.6-Ubuntu, and krb5-user 1.17
> > Steps I took: I run a kinit and obtain a valid ticket, klist confirms this
> > and that it's stored in the configured ccache. I then run this command:
> > smbclient //server.this.domain.com/share -k -d5
> > Here's a snippet of the debug output, pay particular attention to the
> > "smb_gss_krb5_import_cred" line:
> >
> > -----
> > session request ok
> > negotiated dialect[SMB3_11] against server[server.this.domain.com]
> > cli_session_setup_spnego_send: Connect to server.this.domain.com as
> > user at THIS.DOMAIN.COM using SPNEGO
> > Starting GENSEC mechanism spnego
> > Starting GENSEC submechanism gse_krb5
> > smb_gss_krb5_import_cred ccache[FILE:/tmp/krb5cc_11111] failed with [
> > Miscellaneous failure (see text): unknown mech-code 2 for mech 1 2 840
> > 113554 1 2 2] -the caller may retry after a kinit.
> > Failed to start GENSEC client mech gse_krb5: NT_STATUS_INTERNAL_ERROR
> > gensec_spnego_client_negTokenInit_step: Could not find a suitable mechtype
> > in NEG_TOKEN_INIT
> > gensec_update_done: spnego[0x55857f9be090]: NT_STATUS_INVALID_PARAMETER
> > SPNEGO login failed: An invalid parameter was passed to a service or
> > function.
> > -----
> >
> > Here are the contents of the krb5.conf and smb.conf files:

krb5.conf: remove the last 3 lines.

> >
> > #----krb5.conf----
> > [libdefaults]
> > default_realm = THIS.DOMAIN.COM
> > dns_lookup_realm = true
> > dns_lookup_kdc = true
> > ticket_lifetime = 24h
> > renew_lifetime = 7d
> > kdc_timesync = 1
> > forwardable = true
> > proxiable = true
> > canonicalize = true
> > rdns = false
> > spake_preauth_groups = edwards25519
> > default_ccache_name = KEYRING:persistent:%{uid}
> > #----krb5 end----

This is just a "faulty" smb.conf file.
Where is the "backend" definition?

https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member

> > #----smb.conf----
> > [global]
> > workgroup = DOMAIN
> > netbios name = MACHINENAME
> > logging = file
> > log file = /var/log/samba/log.%m
> > max log size = 1000
> > log level = 3
> > realm = THIS.DOMAIN.COM
> > kerberos method = secrets and keytab
> > client signing = mandatory
> > client min protocol = SMB2
> > client max protocol = default
> > client ipc signing = mandatory
> > client ipc min protocol = SMB2
> > client ipc max protocol = default
> > client ldap sasl wrapping = seal
> > client NTLMv2 auth = yes
> > client use spnego = yes
> > ntlm auth = ntlmv2-only
> > raw NTLMv2 auth = no
> > restrict anonymous = 2
> > #----smb end----
> 
> It works for me, either direction between an rpi running 4.9.5 and
> debian buster running 4.12.6
>
> The only difference would seem to be that program I will not mention,
> but has a lot of letter 's' in its name, I do not use it. I also turned
> Samba off on the client end.
>
> Rowland
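As an added example (not part of this thread, and not Samba's or MIT Kerberos' own code): a small Python diagnostic for the symptom discussed above. It reads default_ccache_name from the [libdefaults] section of a krb5.conf, expands the %{uid} parameter, and compares the result with the ccache that smbclient reports in its smb_gss_krb5_import_cred line at -d5. A 'mismatch' result is the evidence the thread is looking for before swapping Kerberos packages. The krb5.conf text and the log lines embedded here are constructed samples shaped like the ones in the thread; the fallback FILE:/tmp/krb5cc_%{uid} is assumed to be MIT's stock compiled-in default when no default_ccache_name is configured.

```python
import re

# Constructed krb5.conf sample (not a real site's configuration); same shape
# as the file posted in the thread, including a [realms] section with braces
# so the parser is exercised on the non-INI part of the format.
SAMPLE_KRB5_CONF = """\
[libdefaults]
default_realm = EXAMPLE.TEST
dns_lookup_kdc = true
default_ccache_name = KEYRING:persistent:%{uid}

[realms]
EXAMPLE.TEST = {
    kdc = kdc.example.test
}
"""

# Constructed smbclient -d5 excerpt, mirroring the failure reported above.
SAMPLE_SMBCLIENT_LOG = """\
Starting GENSEC submechanism gse_krb5
smb_gss_krb5_import_cred ccache[FILE:/tmp/krb5cc_1000] failed with [ Miscellaneous failure (see text): unknown mech-code 2 for mech 1 2 840 113554 1 2 2] -the caller may retry after a kinit.
Failed to start GENSEC client mech gse_krb5: NT_STATUS_INTERNAL_ERROR
"""

# Assumption: MIT's built-in default when default_ccache_name is absent.
MIT_FALLBACK_CCACHE = 'FILE:/tmp/krb5cc_%{uid}'


def parse_libdefaults(text):
    """Return the flat key = value pairs of the [libdefaults] section.

    krb5.conf is not strict INI ([realms] nests braces), so this parser is
    deliberately narrow: it only collects 'key = value' lines while inside
    [libdefaults] and ignores every other section and brace-delimited block.
    """
    values = {}
    section = None
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()   # drop comments and whitespace
        if not line:
            continue
        if line.startswith('[') and line.endswith(']'):
            section = line[1:-1].lower()
            continue
        if section == 'libdefaults' and '=' in line:
            key, _, value = line.partition('=')
            values[key.strip().lower()] = value.strip()
    return values


def expand_ccache_name(template, uid, username=None):
    """Expand the %{uid}/%{euid}/%{username} parameters of a ccache name."""
    expanded = template.replace('%{uid}', str(uid)).replace('%{euid}', str(uid))
    if username is not None:
        expanded = expanded.replace('%{username}', username)
    return expanded


def expected_ccache(krb5_conf_text, uid, username=None):
    """The ccache the libdefaults section asks for, for this uid."""
    lib = parse_libdefaults(krb5_conf_text)
    template = lib.get('default_ccache_name', MIT_FALLBACK_CCACHE)
    return expand_ccache_name(template, uid, username)


# smbclient prints the ccache it tried inside square brackets on this line.
CCACHE_RE = re.compile(r'smb_gss_krb5_import_cred ccache\[([^\]]+)\]')


def ccache_used_by_smbclient(log_text):
    """Extract the ccache name from the smb_gss_krb5_import_cred debug line."""
    match = CCACHE_RE.search(log_text)
    return match.group(1) if match else None


def diagnose(krb5_conf_text, log_text, uid, username=None):
    """Compare the configured ccache with the one smbclient actually used."""
    wanted = expected_ccache(krb5_conf_text, uid, username)
    used = ccache_used_by_smbclient(log_text)
    if used is None:
        return {'status': 'no-ccache-line', 'expected': wanted, 'used': None}
    status = 'match' if used == wanted else 'mismatch'
    return {'status': status, 'expected': wanted, 'used': used}


if __name__ == '__main__':
    # Stand-alone run against the constructed samples (uid 1000 is a sample value).
    print(diagnose(SAMPLE_KRB5_CONF, SAMPLE_SMBCLIENT_LOG, uid=1000))
```

On a real host, feed it the contents of /etc/krb5.conf and the combined stdout/stderr of `smbclient //server/share -k -d5`, with the uid of the user who ran kinit. Note that a KRB5CCNAME environment variable overrides default_ccache_name for every MIT client, so check it is unset (or points at the same cache) before reading a 'mismatch' as the smbclient behaviour described in this thread rather than a local environment difference.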
