[Samba] smbclient ignores configured kerberos ccache when using krb5-user on ubuntu/debian
L.P.H. van Belle
belle at bazuin.nl
Wed Sep 16 07:38:11 UTC 2020
I believe you are hitting multiple things.
1. A bug in smbclient involving that Kerberos cache. I have seen something passing by on this.
2. krb5.conf has too much in it; most of it is just not needed.
3. A faulty smb.conf. It's incomplete.
But more comments below.
> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
> Rowland penny via samba
> Sent: Tuesday, 15 September 2020 21:33
> To: samba at lists.samba.org
> Subject: Re: [Samba] smbclient ignores configured kerberos ccache when
> using krb5-user on ubuntu/debian
>
> On 15/09/2020 19:14, Jonathan Davis via samba wrote:
> > Hello all.
> >
> > I'm encountering an issue where smbclient seemingly ignores the kerberos
> > ccache as configured in krb5.conf when using "krb5-user" as the kerberos
> > package and will instead always default to using "FILE:/tmp/krb5cc_uid".
> > I tested each valid default ccache name type but smbclient completely
> > ignores whatever is set as the "default_ccache_name" in the conf file. I
> > went on to test "heimdal-clients" as the kerberos package and smbclient
> > appears to be using the ccache that is configured in the conf file. This
> > behavior occurs on Ubuntu 20.04 and 19.10 as well as Debian 10.5.
> >
> > Swapping krb5-user for heimdal-clients is not a desirable nor functional
> > solution for me because I want to utilize either the
> > "KEYRING:persistent:%{uid}" or "KCM:" ccaches, both of which I'm unable to
> > get working with heimdal-clients. On the same system SSSD, pam_mount and
> > mount all work with krb5-user and honor the configured ccache. I'd like to
> > point out that the smbclient on CentOS 7 and 8 doesn't have this issue and
> > works with "krb5-workstation" and both the "KEYRING" and "KCM" ccaches.
> >
> > So... is smbclient on debian/ubuntu only compatible with heimdal and not MIT
> > kerberos? What am I missing? Any help or clarity would be greatly
> > appreciated.
> >
> > Thank you!
> >
> > Additional details below...
> > I'm currently testing on Ubuntu 20.04, kernel 5.4.0-47-generic, smbclient
> > 4.11.6-Ubuntu, and krb5-user 1.17.
> > Steps I took: I run a kinit and obtain a valid ticket; klist confirms this
> > and that it's stored in the configured ccache. I then run this command:
> > smbclient //server.this.domain.com/share -k -d5
> > Here's a snippet of the debug output; pay particular attention to the
> > "smb_gss_krb5_import_cred" line:
> >
> > -----
> > session request ok
> > negotiated dialect[SMB3_11] against server[server.this.domain.com]
> > cli_session_setup_spnego_send: Connect to server.this.domain.com as
> > user@THIS.DOMAIN.COM using SPNEGO
> > Starting GENSEC mechanism spnego
> > Starting GENSEC submechanism gse_krb5
> > smb_gss_krb5_import_cred ccache[FILE:/tmp/krb5cc_11111] failed with [
> > Miscellaneous failure (see text): unknown mech-code 2 for mech 1 2 840
> > 113554 1 2 2] -the caller may retry after a kinit.
> > Failed to start GENSEC client mech gse_krb5: NT_STATUS_INTERNAL_ERROR
> > gensec_spnego_client_negTokenInit_step: Could not find a suitable mechtype
> > in NEG_TOKEN_INIT
> > gensec_update_done: spnego[0x55857f9be090]: NT_STATUS_INVALID_PARAMETER
> > SPNEGO login failed: An invalid parameter was passed to a service or
> > function.
> > -----
> >
> > Here are the contents of the krb5.conf and smb.conf files:
krb5.conf: remove the last 3 lines.
> >
> > #----krb5.conf----
> > [libdefaults]
> > default_realm = THIS.DOMAIN.COM
> > dns_lookup_realm = true
> > dns_lookup_kdc = true
> > ticket_lifetime = 24h
> > renew_lifetime = 7d
> > kdc_timesync = 1
> > forwardable = true
> > proxiable = true
> > canonicalize = true
> > rdns = false
> > spake_preauth_groups = edwards25519
> > default_ccache_name = KEYRING:persistent:%{uid}
> > #----krb5 end----
This is just a "faulty" smb.conf file.
Where is the "backend" definition?
https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member
> > #----smb.conf----
> > [global]
> > workgroup = DOMAIN
> > netbios name = MACHINENAME
> > logging = file
> > log file = /var/log/samba/log.%m
> > max log size = 1000
> > log level = 3
> > realm = THIS.DOMAIN.COM
> > kerberos method = secrets and keytab
> > client signing = mandatory
> > client min protocol = SMB2
> > client max protocol = default
> > client ipc signing = mandatory
> > client ipc min protocol = SMB2
> > client ipc max protocol = default
> > client ldap sasl wrapping = seal
> > client NTLMv2 auth = yes
> > client use spnego = yes
> > ntlm auth = ntlmv2-only
> > raw NTLMv2 auth = no
> > restrict anonymous = 2
> > #----smb end----
>
> It works for me, in either direction between an rpi running 4.9.5 and
> debian buster running 4.12.6.
>
> The only difference would seem to be that program I will not mention,
> but which has a lot of the letter 's' in its name; I do not use it. I
> also turned Samba off on the client end.
>
> Rowland
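The diagnostic the original poster describes (compare what klist reports with the ccache named in smbclient's smb_gss_krb5_import_cred line) can be scripted. The following is an added example, not code from the thread or from the Samba project. The two log snippets are constructed from the formats quoted above; the uid 11111, the principal and the share names are placeholders. Setting KRB5CCNAME explicitly is the standard MIT Kerberos override for the default ccache; whether it sidesteps the smbclient bug discussed here is not confirmed by the thread, which is why the script reports a verdict instead of assuming one.

```shell
#!/bin/sh
# Added example: compare the ccache klist reports with the ccache smbclient
# actually tries to import (the -d5 line the original poster points at).
# Sample inputs below are constructed from the formats quoted in the thread.

SAMPLE_SMBCLIENT_LOG='session request ok
negotiated dialect[SMB3_11] against server[server.this.domain.com]
Starting GENSEC submechanism gse_krb5
smb_gss_krb5_import_cred ccache[FILE:/tmp/krb5cc_11111] failed with [ Miscellaneous failure (see text): unknown mech-code 2 for mech 1 2 840 113554 1 2 2] -the caller may retry after a kinit.
Failed to start GENSEC client mech gse_krb5: NT_STATUS_INTERNAL_ERROR'

SAMPLE_KLIST_OUTPUT='Ticket cache: KEYRING:persistent:11111:11111
Default principal: user@THIS.DOMAIN.COM

Valid starting       Expires              Service principal
09/15/2020 19:00:00  09/16/2020 19:00:00  krbtgt/THIS.DOMAIN.COM@THIS.DOMAIN.COM'

# ccache name smbclient tried, taken from the smb_gss_krb5_import_cred line.
smbclient_ccache() {
    printf '%s\n' "$1" | sed -n 's/.*smb_gss_krb5_import_cred ccache\[\([^]]*\)\].*/\1/p' | head -n 1
}

# ccache name klist reports (first "Ticket cache:" line).
klist_ccache() {
    printf '%s\n' "$1" | sed -n 's/^Ticket cache:[[:space:]]*//p' | head -n 1
}

# ccache type: the part before the first colon (FILE, KEYRING, KCM, DIR).
ccache_type() {
    printf '%s\n' "$1" | cut -d: -f1
}

# Succeed when both names use the same ccache type. A FILE: vs KEYRING:
# mismatch is exactly the symptom reported in the thread.
ccache_types_match() {
    [ "$(ccache_type "$1")" = "$(ccache_type "$2")" ]
}

# Print a one-line verdict for a pair of outputs.
# Returns 0 when consistent, 1 on a type mismatch, 2 when the log lacks the line.
verdict() {
    want=$(klist_ccache "$1")
    got=$(smbclient_ccache "$2")
    if [ -z "$got" ]; then
        echo "smbclient log has no smb_gss_krb5_import_cred line (rerun with -d5)"
        return 2
    fi
    if ccache_types_match "$want" "$got"; then
        echo "ok: klist=$want smbclient=$got"
        return 0
    fi
    echo "MISMATCH: klist uses $want but smbclient tried $got"
    return 1
}

# Live use (not run here): capture both outputs on a real domain member and
# compare them. Export KRB5CCNAME first if you want to test the explicit
# override, e.g. KRB5CCNAME="KEYRING:persistent:$(id -u)".
live_check() {
    klist_out=$(klist 2>&1) || true
    smb_out=$(smbclient "//$1/$2" -k -d5 -c 'ls' 2>&1) || true
    verdict "$klist_out" "$smb_out"
}

# Stand-alone demonstration on the constructed samples: prints the MISMATCH line.
verdict "$SAMPLE_KLIST_OUTPUT" "$SAMPLE_SMBCLIENT_LOG" || true
```

Run `live_check server.this.domain.com share` after a kinit; an "ok" line means smbclient opened the same ccache type klist shows, a "MISMATCH" line reproduces the report above, and exit status 2 means the debug level was too low to tell.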