[Samba] smbclient ignores configured kerberos ccache when using krb5-user on ubuntu/debian

Jonathan Davis jdavis at leepfrog.com
Wed Sep 16 16:39:22 UTC 2020


On 16/09/2020 03:16, L.P.H. van Belle via samba wrote:
> I know, and I gave him the "samba" solution, because ...
> I don't know sssd also.
> And I don't get the fuss on samba+winbind or samba+sssd
> I have 3 services running minimal : samba winbind user-homes.automount
> Everything works as it should.
>
> > On 16/09/2020 03:07, Rowland via samba wrote:
> > The OP is using sssd
> >
> > Rowland
> >

To add clarity and more detail: these are workstations - smbd is not
installed and I am not utilizing samba for the machine to be a domain member
of AD.
We simply need the smbclient to browse samba shares on domain member
servers; where there is only samba btw - sssd is not installed on those
servers but sssd is used on the workstations.

On 16/09/2020 02:38, L.P.H. van Belle via samba wrote:
> I believe you are hitting multiple things.
> 1. a bug in smbclient involving that kerberos cache. I've seen something
> passing by on this.
> 2. krb5.conf has too much in it, just not needed.
> 3. faulty smb.conf. It's incomplete.
>
> Krb5.conf remove the last 3 lines.
> "rdns = false, spake_preauth_groups = edwards25519, default_ccache_name =
> KEYRING:persistent:%{uid}"
>
> This is just a "faulty" smb.conf file. Where is the "backend" definition
>

I'd be interested in any additional information or sources you have
concerning the suspected bug.

The three parameters you noted are present in my krb5.conf for
documentation, to facilitate changing the values when testing,
as well as to specifically set the ccache location to either "KEYRING" or
"KCM" - not the default of "FILE".

I'm fairly certain I do not have a "faulty" smb.conf. The file is a trimmed
copy of what we use on our samba servers.
So there are a few unnecessary parameters declared in there for my usage
case but they are harmless.
Running "testparm" reports back that everything is OK - server role is
standalone and the idmap config backend is set to "tdb"...
Which is the standard default and wouldn't need to be specified in the conf
file.

I don't believe any parameter present (or missing) in my smb.conf would be
involved with the issue I'm encountering, but I very well could be wrong.
Which brings me to this mail list. :)

To reiterate the issue at hand: smbclient does not use the configured
kerberos ccache as specified in the krb5.conf file.

I can reproduce this behavior on a "clean" Ubuntu 20.04 system; steps:
 - perform a new OS install (minimal and download updates selected)
 - open terminal, run "sudo apt install -y krb5-user", overwrite the
krb5.conf with the custom one
 - run "kinit domainuser" then "klist" to confirm a valid ticket has been
obtained and that it's in the correct ccache (for this test it's the
KEYRING)
 - run "sudo apt install -y smbclient", overwrite the smb.conf with the
custom one
 - run "smbclient //server.this.domain.com/share -U domainuser -k -d5"
 - smbclient tries to import the incorrect, non-existent kerberos ccache and
fails to authenticate
 - key debug output snippet: "smb_gss_krb5_import_cred
ccache[FILE:/tmp/krb5cc_1000] failed ... the caller may retry after a kinit"
 - the versions of the components are: smbclient 4.11.6-Ubuntu and krb5 1.17

If I follow a similar process as above on CentOS the smbclient imports from
the correct ccache and successfully authenticates - CentOS release 8.2.2004,
smbclient 4.11.2, and krb5 1.17

Any other thoughts or suggestions will be much appreciated.

--
Jonathan Davis
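
The mismatch described in the reproduction steps above can be checked mechanically. The following is an added example, not part of the original message or of Samba: it compares the default_ccache_name in a krb5.conf with the ccache named in the smb_gss_krb5_import_cred debug line. The function names and sample files are constructed for illustration; the log line is the snippet quoted in the message, elision included.

```shell
#!/bin/sh
# Added example, not from the original post. Sample files are constructed.

# Print default_ccache_name from a krb5.conf ($1) with %{uid} expanded to $2.
configured_ccache() {
    _v=$(sed -n 's/^[[:space:]]*default_ccache_name[[:space:]]*=[[:space:]]*//p' "$1" | head -n 1)
    # Not set: assume the FILE form that appears in the post's debug output.
    [ -n "$_v" ] || _v='FILE:/tmp/krb5cc_%{uid}'
    printf '%s\n' "$_v" | sed "s/%{uid}/$2/g"
}

# Print the ccache smbclient reported failing to import, from a -d5 log ($1).
attempted_ccache() {
    sed -n 's/.*smb_gss_krb5_import_cred ccache\[\([^]]*\)] failed.*/\1/p' "$1" | head -n 1
}

# Return 1 when smbclient tried a ccache other than the configured one.
# Arguments: krb5.conf path, numeric uid, smbclient debug log path.
check_ccache() {
    _want=$(configured_ccache "$1" "$2")
    _got=$(attempted_ccache "$3")
    if [ -z "$_got" ]; then
        echo "no ccache import failure in log"
        return 0
    fi
    if [ "$_got" = "$_want" ]; then
        echo "match: $_got"
        return 0
    fi
    echo "mismatch: configured $_want, smbclient tried $_got"
    return 1
}

# Constructed samples: the three krb5.conf lines named in the thread and the
# debug snippet quoted in the message.
sample_dir=$(mktemp -d)
trap 'rm -rf "$sample_dir"' EXIT
cat > "$sample_dir/krb5.conf" <<'EOF'
[libdefaults]
    rdns = false
    spake_preauth_groups = edwards25519
    default_ccache_name = KEYRING:persistent:%{uid}
EOF
cat > "$sample_dir/smbclient.log" <<'EOF'
smb_gss_krb5_import_cred ccache[FILE:/tmp/krb5cc_1000] failed ... the caller may retry after a kinit
EOF

check_ccache "$sample_dir/krb5.conf" 1000 "$sample_dir/smbclient.log" || true
```

On a real workstation, pass /etc/krb5.conf, the output of "id -u", and a file holding the saved "smbclient ... -d5" output.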



