[Samba] smbclient ignores configured kerberos ccache when using krb5-user on ubuntu/debian

Jonathan Davis jdavis at leepfrog.com
Thu Sep 17 17:38:46 UTC 2020

On 17/09/2020 02:44, L.P.H. van Belle via samba wrote:
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=941493
> https://bugzilla.samba.org/show_bug.cgi?id=14344

It appears these could be related to the issue I'm encountering.

So I did some additional testing and discovered something interesting, but first some background:
I previously mentioned that part of my initial troubleshooting of this issue involved using heimdal-clients instead of krb5-user and that when using heimdal-clients for kerberos the smbclient would use whatever ccache was configured as the default ccache name in krb5.conf with the exception of "KEYRING" and "KCM" because heimdal would consistently error out that both of those are "unknown credential cache types".
Effectively, only "FILE" and "DIR" ccache types would work with heimdal.
Continuing on...

The heimdal variant of kerberos uses a different parameter name for the default ccache name property than what is used by krb5-user. In heimdal the parameter name is "default_cc_name" and in krb5-user the parameter name is "default_ccache_name". I was throwing the kitchen sink at the problem this morning and so, with krb5-user installed, I decided to try substituting the parameter name spelling to the heimdal parameter name.
So in the krb5.conf I used "default_cc_name = KEYRING:persistent:%{uid}" instead of "default_ccache_name = KEYRING:persistent:%{uid}". As expected, after making this change the krb5 default ccache name of "FILE:/tmp/krb5cc_%{uid}" is used since "default_cc_name" is not

I ran the smbclient command and guess what happened?
Remember, the original error in the debug output with the valid parameter name was this:
    smb_gss_krb5_import_cred ccache[FILE:/tmp/krb5cc_1000] -the caller may retry after a kinit

After I made the parameter name change to the heimdal version, the error turned into this:
    Failed to resolve credential cache 'KEYRING:persistent:1000'! (Unknown credential cache type)
    free(): double free detected in tcache 2
    Aborted (core dumped)

Based off of this behavior change, to me it appears that the "smb_gss_krb5_import_cred" step/function in smbclient (perhaps other steps/functions too) is specifically looking for or expecting "default_cc_name" and likely other properties or files or etc that heimdal-clients does differently than krb5-user.

Which led me to this:

So I guess I'm SOL unless Debian maintainers build smbclient against krb5??
This is depressing.

Jonathan Davis
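
An added example, not part of the original message: a small krb5.conf check that reports which default ccache name a MIT-linked and a Heimdal-linked program would each read, using the two parameter names and the rejected ccache types described in the post. The sample configuration, the realm name and the function names are constructed for illustration.

```python
import re

# Parameter names as given in the post: MIT krb5 (krb5-user) reads
# default_ccache_name, Heimdal reads default_cc_name.
CCACHE_KEYS = {"mit": "default_ccache_name", "heimdal": "default_cc_name"}
# Ccache types the post reports Heimdal rejecting as unknown.
HEIMDAL_REJECTED = {"KEYRING", "KCM"}

# Constructed sample: the poster's original krb5.conf setting.
SAMPLE = """\
[libdefaults]
    default_realm = EXAMPLE.COM
    default_ccache_name = KEYRING:persistent:%{uid}
"""

def libdefaults(text):
    """Return the key/value pairs found in the [libdefaults] section."""
    section, found = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            section = header.group(1)
        elif section == "libdefaults" and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            found[key] = value
    return found

def audit(text):
    """Map each library to the ccache name it would read, plus findings."""
    settings = libdefaults(text)
    seen = {lib: settings.get(key) for lib, key in CCACHE_KEYS.items()}
    findings = []
    if seen["mit"] != seen["heimdal"]:
        findings.append("ccache name differs between MIT and Heimdal readers")
    heimdal = seen["heimdal"]
    if heimdal and heimdal.split(":", 1)[0] in HEIMDAL_REJECTED:
        findings.append("Heimdal reader is given a ccache type it rejects")
    return seen, findings

if __name__ == "__main__":
    seen, findings = audit(SAMPLE)
    for lib, name in seen.items():
        print(f"{lib:8} -> {name or '(unset, library default applies)'}")
    for finding in findings:
        print("finding:", finding)
```

A mismatch finding means a ticket obtained with one library's kinit may sit in a cache that a program linked against the other library never looks at.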
