[Samba] smbclient ignores configured kerberos ccache when using krb5-user on ubuntu/debian
L.P.H. van Belle
belle at bazuin.nl
Thu Sep 17 07:43:36 UTC 2020
> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
> Jonathan Davis via samba
> Sent: Wednesday 16 September 2020 18:39
> To: samba at lists.samba.org
> Subject: Re: [Samba] smbclient ignores configured kerberos
> ccache when using krb5-user on ubuntu/debian
>
> On 16/09/2020 03:16, L.P.H. van Belle via samba wrote:
> > I know, and I gave him the "samba" solution, because ...
> > I don't know sssd also.
> > And I don't get the fuss on samba+winbind or samba+sssd
> > I have 3 services running minimal : samba winbind user-homes.automount
> Everything works as it should.
Well, great, that's what we want in the end.
> >
> > > On 16/09/2020 03:07, Rowland via samba wrote:
> > > The OP is using sssd
> > >
> > > Rowland
> > >
>
> To add clarity and more detail: these are workstations - smbd is not
> installed and I am not utilizing samba for the machine to be a domain
> member of AD.
> We simply need the smbclient to browse samba shares on domain member
> servers; where there is only samba btw - sssd is not installed on those
> servers but sssd is used on the workstations.
>
> On 16/09/2020 02:38, L.P.H. van Belle via samba wrote:
> > I believe you are hitting multiple things.
> > 1. a bug in smbclient involving that kerberos cache. I have seen something passing by on this.
> > 2. krb5.conf has too much in it, just not needed.
> > 3. faulty smb.conf. It's incomplete.
> >
> > Krb5.conf remove the last 3 lines.
> > "rdns = false, spake_preauth_groups = edwards25519, default_ccache_name = KEYRING:persistent:%{uid}"
> >
> > This is just a "faulty" smb.conf file. Where is the "backend" definition
> >
>
> I'd be interested in any additional information or sources you have
> concerning the suspected bug.
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=941493
https://bugzilla.samba.org/show_bug.cgi?id=14344
>
> The three parameters you noted are present in my krb5.conf for
> documentation, to facilitate changing the values when testing,
> as well as to specifically set the ccache location to either
> "KEYRING" or "KCM" - not the default of "FILE".
> I'm fairly certain I do not have a "faulty" smb.conf. The
> file is a trimmed copy of what we use on our samba servers.
> So there are a few unnecessary parameters declared in there
> for my usage case but they are harmless.
> Running "testparm" reports back that everything is OK - server role is
> standalone and the idmap config backend is set to "tdb"...
> Which is the standard default and wouldn't need to be
> specified in the conf file.
Ok stand-alone, yes, then it looks fine, I was thinking this was a member server.
>
> I don't believe any parameter present (or missing) in my
> smb.conf would be involved with the issue I'm encountering, but I very well
> could be wrong. Which brings me to this mail list. :)
>
> To reiterate the issue at hand: smbclient does not use the configured
> kerberos ccache as specified in the krb5.conf file.
>
> I can reproduce this behavior on a "clean" Ubuntu 20.04 system; steps:
> - perform a new OS install (minimal and download updates selected)
> - open terminal, run "sudo apt install -y krb5-user", overwrite the
>   krb5.conf with the custom one
> - run "kinit domainuser" then "klist" to confirm a valid ticket has been
>   obtained and that it's in the correct ccache (for this test it's the
>   KEYRING)
> - run "sudo apt install -y smbclient", overwrite the smb.conf with the
>   custom one
> - run "smbclient //server.this.domain.com/share -U domainuser -k -d5"
> - smbclient tries to import the incorrect, non-existent kerberos ccache
>   and fails to authenticate
> - key debug output snippet: "smb_gss_krb5_import_cred
>   ccache[FILE:/tmp/krb5cc_1000] failed ... the caller may retry after a kinit"
> - the versions of the components are: smbclient 4.11.6-Ubuntu and krb5 1.17
>
> If I follow a similar process as above on CentOS the smbclient imports from
> the correct ccache and successfully authenticates - CentOS release 8.2.2004,
> smbclient 4.11.2, and krb5 1.17
>
> Any other thoughts or suggestions will be much appreciated.
>
> --
> Jonathan Davis
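
Added example, not part of the original thread: a shell diagnostic for the mismatch described in the reproduction steps. It resolves the ccache that KRB5CCNAME or krb5.conf selects and compares it with the one named in smbclient's "smb_gss_krb5_import_cred" debug line. The function names and sample files are constructed; the fallback FILE:/tmp/krb5cc_%{uid} is assumed to be the build default of MIT krb5, and only the %{uid} token is expanded.

```shell
#!/bin/sh
# Added diagnostic sketch; function names and sample data are constructed.

# Print default_ccache_name from the [libdefaults] section of a krb5.conf.
conf_ccache() {
  awk '
    /^[ \t]*\[/ { in_lib = ($0 ~ /^[ \t]*\[libdefaults\]/); next }
    in_lib && /^[ \t]*default_ccache_name[ \t]*=/ {
      sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t]+$/, ""); print; exit
    }' "$1"
}

# Resolve the ccache a krb5 client should use: KRB5CCNAME wins, then
# krb5.conf, then the assumed built-in default. $1 = krb5.conf, $2 = uid.
expected_ccache() {
  if [ -n "${KRB5CCNAME:-}" ]; then printf '%s\n' "$KRB5CCNAME"; return 0; fi
  name=$(conf_ccache "$1")
  [ -n "$name" ] || name='FILE:/tmp/krb5cc_%{uid}'
  printf '%s\n' "$name" | sed "s/%{uid}/$2/g"
}

# Extract the ccache smbclient tried to import from -d5 output on stdin.
attempted_ccache() {
  sed -n 's/.*smb_gss_krb5_import_cred ccache\[\([^]]*\)].*/\1/p' | head -n 1
}

# Return 0 if they agree, 1 on mismatch, 2 if the log has no import line.
check_ccache() {   # $1 = krb5.conf, $2 = uid, $3 = saved smbclient log
  want=$(expected_ccache "$1" "$2")
  got=$(attempted_ccache < "$3")
  [ -n "$got" ] || { echo "no ccache import line in $3"; return 2; }
  [ "$want" = "$got" ] && { echo "OK: $got"; return 0; }
  echo "MISMATCH: krb5.conf resolves to $want, smbclient tried $got"
  return 1
}

# Constructed sample input mirroring the values quoted in the thread.
tmp=$(mktemp -d); trap 'rm -rf "$tmp"' EXIT
cat > "$tmp/krb5.conf" <<'EOF'
[libdefaults]
    rdns = false
    spake_preauth_groups = edwards25519
    default_ccache_name = KEYRING:persistent:%{uid}
EOF
cat > "$tmp/smbclient.log" <<'EOF'
smb_gss_krb5_import_cred ccache[FILE:/tmp/krb5cc_1000] failed ... the caller may retry after a kinit
EOF
( unset KRB5CCNAME; check_ccache "$tmp/krb5.conf" 1000 "$tmp/smbclient.log" ) || true
```

On a real workstation, save the output of the smbclient -d5 run to a file and pass /etc/krb5.conf and "$(id -u)" as the first two arguments.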