[Samba] smbclient ignores configured kerberos ccache when using krb5-user on ubuntu/debian

Rowland Penny rpenny at samba.org
Thu Sep 17 18:50:50 UTC 2020

On 17/09/2020 18:38, Jonathan Davis via samba wrote:
> On 17/09/2020 02:44, L.P.H. van Belle via samba wrote:
>> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=941493
>> https://bugzilla.samba.org/show_bug.cgi?id=14344
> It appears these could be related to the issue I'm encountering.
> So I did some additional testing and discovered something interesting, but first some background:
> I previously mentioned that part of my initial troubleshooting of this issue involved using heimdal-clients instead of krb5-user and that when using heimdal-clients for kerberos the smbclient would use whatever ccache was configured as the default ccache name in krb5.conf with the exception of "KEYRING" and "KCM" because heimdal would consistently error out that both of those are "unknown credential cache types". Effectively, only "FILE" and "DIR" ccache types would work with heimdal.
> Continuing on...
> The heimdal variant of kerberos uses a different parameter name for the default ccache name property than what is used by krb5-user. In heimdal the parameter name is "default_cc_name" and in krb5-user the parameter name is "default_ccache_name". I was throwing the kitchen sink at the problem this morning and so, with krb5-user installed, I decided to try substituting the parameter name spelling to the heimdal parameter name. So in the krb5.conf I used "default_cc_name = KEYRING:persistent:%{uid}" instead of "default_ccache_name = KEYRING:persistent:%{uid}". As expected, after making this change the krb5 default ccache name of "FILE:/tmp/krb5cc_%{uid}" is used since "default_cc_name" is not valid.
> I ran the smbclient command and guess what happened?
> Remember, the original error in the debug output with the valid parameter name was this:
>      smb_gss_krb5_import_cred ccache[FILE:/tmp/krb5cc_1000] -the caller may retry after a kinit
> After I made the parameter name change to the heimdal version, the error turned into this:
>      Failed to resolve credential cache 'KEYRING:persistent:1000'! (Unknown credential cache type)
>      free(): double free detected in tcache 2
>      Aborted (core dumped)
> Based off of this behavior change, to me it appears that the "smb_gss_krb5_import_cred" step/function in smbclient (perhaps other steps/functions too) is specifically looking for or expecting "default_cc_name" and likely other properties or files or etc that heimdal-clients does differently than krb5-user.
> Which led me to this:
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=963899
> So I guess I'm SOL unless Debian maintainers build smbclient against krb5??
> This is depressing.
> --
> Jonathan Davis
Not sure that is the problem, winbind knows all about the different 
caches, so I wonder if things will work if you install winbind, don't 
run it, just install it.
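
Added example, not part of the original thread or of Samba's code: a small krb5.conf check that shows which default ccache setting each Kerberos implementation would pick up, using the two parameter spellings discussed above. The sample configuration, the realm name and the function names are constructed for illustration; uid 1000 matches the debug output quoted in the thread.

```python
import re

# [libdefaults] key each implementation reads for the default ccache (per the thread).
CCACHE_KEY = {"krb5-user (MIT)": "default_ccache_name",
              "heimdal-clients": "default_cc_name"}
# Types the poster reported Heimdal rejecting as "unknown credential cache types".
HEIMDAL_REPORTED_UNKNOWN = {"KEYRING", "KCM"}


def libdefaults(conf_text):
    """Return the key/value pairs of the [libdefaults] section of a krb5.conf."""
    section, values = None, {}
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # blank line or comment
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            section = header.group(1)
        elif section == "libdefaults" and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            values[key] = value
    return values


def ccache_view(conf_text, uid):
    """Map each implementation to (configured ccache name or None, warning or None)."""
    settings = libdefaults(conf_text)
    view = {}
    for impl, key in CCACHE_KEY.items():
        name = settings.get(key)
        if name is not None:
            name = name.replace("%{uid}", str(uid))
        warning = None
        if name is None:
            warning = f"{key} not set; library default ccache applies"
        elif impl == "heimdal-clients" and name.split(":", 1)[0] in HEIMDAL_REPORTED_UNKNOWN:
            warning = "type reported in the thread as unknown to Heimdal"
        view[impl] = (name, warning)
    return view


# Constructed sample: the Heimdal spelling tried in the thread while krb5-user is installed.
SAMPLE = """
[libdefaults]
    default_realm = EXAMPLE.COM
    # Heimdal spelling of the default ccache parameter
    default_cc_name = KEYRING:persistent:%{uid}
"""

if __name__ == "__main__":
    for impl, (name, warning) in ccache_view(SAMPLE, 1000).items():
        print(f"{impl}: {name or '(unset)'}" + (f"  <- {warning}" if warning else ""))
```

Run against the real /etc/krb5.conf text, a setting that appears under only one of the two spellings indicates that a binary linked against the other library will not see it.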