[Samba] smbclient ignores configured kerberos ccache when using krb5-user on ubuntu/debian

L.P.H. van Belle belle at bazuin.nl
Thu Sep 17 07:43:36 UTC 2020


 

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Jonathan Davis via samba
> Sent: Wednesday 16 September 2020 18:39
> To: samba at lists.samba.org
> Subject: Re: [Samba] smbclient ignores configured kerberos ccache when using krb5-user on ubuntu/debian
> 
> On 16/09/2020 03:16, L.P.H. van Belle via samba wrote:
> > I know, and I gave him the "samba" solution, because ...
> > I don't know sssd also.
> > And I don't get the fuss on samba+winbind or samba+sssd
> > I have 3 services running minimal : samba winbind user-homes.automount
> Everything works as it should.

Well, great, that's what we want in the end.

> >
> > > On 16/09/2020 03:07, Rowland via samba wrote:
> > > The OP is using sssd
> > >
> > > Rowland
> > >
> 
> To add clarity and more detail: these are workstations - smbd is not
> installed and I am not utilizing samba for the machine to be a domain
> member of AD.
> We simply need the smbclient to browse samba shares on domain member
> servers; where there is only samba btw - sssd is not installed on those
> servers but sssd is used on the workstations.
> 
> On 16/09/2020 02:38, L.P.H. van Belle via samba wrote:
> > I believe you are hitting multiple things.
> > 1. a bug in smbclient involving that kerberos cache. I have seen something passing by on this.
> > 2. krb5.conf has too much in it, just not needed.
> > 3. faulty smb.conf. It's incomplete.
> >
> > Krb5.conf remove the last 3 lines.
> > "rdns = false, spake_preauth_groups = edwards25519, default_ccache_name = KEYRING:persistent:%{uid}"
> >
> > This is just a "faulty" smb.conf file. Where is the "backend" definition?
> >
> 
> I'd be interested in any additional information or sources you have
> concerning the suspected bug.

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=941493
https://bugzilla.samba.org/show_bug.cgi?id=14344


> 
> The three parameters you noted are present in my krb5.conf for
> documentation, to facilitate changing the values when testing,
> as well as to specifically set the ccache location to either
> "KEYRING" or "KCM" - not the default of "FILE".
> I'm fairly certain I do not have a "faulty" smb.conf. The file is a
> trimmed copy of what we use on our samba servers.
> So there are a few unnecessary parameters declared in there for my
> usage case but they are harmless.

> Running "testparm" reports back that everything is OK - server role is
> standalone and the idmap config backend is set to "tdb"...
> Which is the standard default and wouldn't need to be specified in the
> conf file.

OK, stand-alone, yes, then it looks fine; I was thinking this was a member server.


> 
> I don't believe any parameter present (or missing) in my smb.conf would
> be involved with the issue I'm encountering, but I very well could be
> wrong. Which brings me to this mail list. :)
> 
> To reiterate the issue at hand: smbclient does not use the configured
> kerberos ccache as specified in the krb5.conf file.
> 
> I can reproduce this behavior on a "clean" Ubuntu 20.04 system; steps:
>  - perform a new OS install (minimal and download updates selected)
>  - open terminal, run "sudo apt install -y krb5-user", overwrite the krb5.conf with the custom one
>  - run "kinit domainuser" then "klist" to confirm a valid ticket has been obtained and that it's in the correct ccache (for this test it's the KEYRING)
>  - run "sudo apt install -y smbclient", overwrite the smb.conf with the custom one
>  - run "smbclient //server.this.domain.com/share -U domainuser -k -d5"
>  - smbclient tries to import the incorrect, non-existent kerberos ccache and fails to authenticate
>  - key debug output snippet: "smb_gss_krb5_import_cred ccache[FILE:/tmp/krb5cc_1000] failed ... the caller may retry after a kinit"
>  - the versions of the components are: smbclient 4.11.6-Ubuntu and krb5 1.17
> 
> If I follow a similar process as above on CentOS the smbclient imports from
> the correct ccache and successfully authenticates - CentOS release 8.2.2004,
> smbclient 4.11.2, and krb5 1.17
> 
> Any other thoughts or suggestions will be much appreciated.
> 
> --
> Jonathan Davis
> 
> 
> 
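
The mismatch reported in this thread (krb5.conf sets a KEYRING ccache, smbclient tries FILE:/tmp/krb5cc_1000) can be checked mechanically from a saved copy of the `-d5` output. The script below is an added example, not part of the original message or of Samba; the function names are hypothetical and the sample inputs are constructed from the values quoted in the thread.

```shell
#!/bin/sh
# Added example, not from the thread; function names are hypothetical.

# Print default_ccache_name from a krb5.conf ($1) with %{uid} expanded to $2.
configured_ccache() {
    sed -n 's/^[[:space:]]*default_ccache_name[[:space:]]*=[[:space:]]*//p' "$1" |
        tail -n 1 | sed -e 's/[[:space:]]*$//' -e "s/%{uid}/$2/g"
}

# Print the ccache smbclient reported trying to import, from a saved -d5 log ($1).
attempted_ccache() {
    sed -n 's/.*smb_gss_krb5_import_cred ccache\[\([^]]*\)].*/\1/p' "$1" | tail -n 1
}

# Return 0 if they match, 1 on mismatch, 2 if either value could not be found.
check_ccache() {
    want=$(configured_ccache "$1" "$3")
    got=$(attempted_ccache "$2")
    if [ -z "$want" ] || [ -z "$got" ]; then
        echo "cannot compare: configured='$want' attempted='$got'"
        return 2
    fi
    if [ "$want" = "$got" ]; then
        echo "OK: smbclient imported $got"
        return 0
    fi
    echo "MISMATCH: krb5.conf sets $want, smbclient tried $got"
    return 1
}

# Constructed sample input mirroring the values quoted in the thread.
demo_dir=$(mktemp -d)
printf '[libdefaults]\n  default_ccache_name = KEYRING:persistent:%%{uid}\n' \
    > "$demo_dir/krb5.conf"
printf '%s\n' 'smb_gss_krb5_import_cred ccache[FILE:/tmp/krb5cc_1000] failed ... the caller may retry after a kinit' \
    > "$demo_dir/smbclient.log"
check_ccache "$demo_dir/krb5.conf" "$demo_dir/smbclient.log" 1000 || true
```

If `KRB5CCNAME` is set in the environment it takes precedence over `default_ccache_name`, so confirm it is unset before relying on the comparison.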