CIFS accesses DFS referral with wrong Kerberos ticket
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
linux (Ubuntu) |
Confirmed
|
Undecided
|
Unassigned |
Bug Description
kubuntu 19.10 with kernel 5.3.0-29-generic and64.
This looks like a regression in the kernel CIFS module after the 4.15 & 5.0 kernels.
These earlier kernels follow the DFS referrals without error.
The problem:
- Use mount.cifs with kerberos authentication to mount a samba server hosting a DFS root.
You will get a KRB ticket for the "dfs_root" machine.
- Attempt to access a host a host via a DFS referral (call this "target_host")
- Access will fail with "Permission Denied".
- Use Wireshark to monitor CIFS and KRB traffic.
- The kernel attempts to authenticate to "target_host" using the KRB ticket for "dfs_root".
Note:
- A DFS target running Win2008R2 will reply with STATUS_
kernel will get a KRB ticket for "target_host" and use it.
The connection is then successful.
- A DFS target running Samba 4.7.6 will reply with STATUS_
The connection fails.
Expected Result:
- Successful connection.
- The kernel should get a KRB ticket for "target_host" and use it.
(This is what kernels 4.15 and 5.0 do [and a Windows client])
---
ProblemType: Bug
ApportVersion: 2.20.11-0ubuntu8.2
Architecture: amd64
AudioDevicesInUse:
USER PID ACCESS COMMAND
/dev/snd/
/dev/snd/
/dev/snd/
/dev/snd/
CurrentDesktop: KDE
DistroRelease: Ubuntu 19.10
HibernationDevice: RESUME=
InstallationDate: Installed on 2018-11-09 (459 days ago)
InstallationMedia: Kubuntu 18.10 "Cosmic Cuttlefish" - Release amd64 (20181017.2)
MachineType: Gigabyte Technology Co., Ltd. GA-MA790X-UD4P
NonfreeKernelMo
Package: linux (not installed)
ProcFB: 0 VESA VGA
ProcKernelCmdLine: BOOT_IMAGE=
ProcVersionSign
RelatedPackageV
linux-
linux-
linux-firmware 1.183.3
RfKill:
Tags: eoan
Uname: Linux 5.3.0-29-generic x86_64
UpgradeStatus: Upgraded to eoan on 2019-10-20 (114 days ago)
UserGroups: adm bacula cdrom kvm libvirt lpadmin plugdev sambashare sudo wireshark
_MarkForUpload: True
dmi.bios.date: 09/08/2010
dmi.bios.vendor: Award Software International, Inc.
dmi.bios.version: F10c
dmi.board.name: GA-MA790X-UD4P
dmi.board.vendor: Gigabyte Technology Co., Ltd.
dmi.board.version: x.x
dmi.chassis.type: 3
dmi.chassis.vendor: Gigabyte Technology Co., Ltd.
dmi.modalias: dmi:bvnAwardSof
dmi.product.name: GA-MA790X-UD4P
dmi.sys.vendor: Gigabyte Technology Co., Ltd.
Changed in linux (Ubuntu): | |
status: | Incomplete → Confirmed |
Changed in linux (Ubuntu): | |
status: | Incomplete → Confirmed |
This bug is missing log files that will aid in diagnosing the problem. While running an Ubuntu kernel (not a mainline or third-party kernel) please enter the following command in a terminal window:
apport-collect 1862858
and then change the status of the bug to 'Confirmed'.
If, due to the nature of the issue you have encountered, you are unable to run this command, please add a comment stating that fact and change the bug status to 'Confirmed'.
This change has been made by an automated script, maintained by the Ubuntu Kernel Team.