cifs.upcall does not use the kerberos default credential cache file, so many features fail

Bug #2012143 reported by Karl O. Pinc
6
This bug affects 1 person
Affects Status Importance Assigned to Milestone
cifs-utils (Ubuntu)
New
Undecided
Unassigned

Bug Description

cifs.upcall does not use the default kerberos credential cache file name. Attempting to make smb3 mounts in /etc/fstab with username=...,cruid=...,domain=...,sec=krb5,multiuser,_netdev,x-systemd.automount fail, with messages in the journalctl logs like:

...krb5_child[4725]: No credentials cache found (filename: /tmp/krb5cc_127408622_wH2NwY

This can be worked-around by adding:

[libdefaults]
# Use the same cache path as cifs.upcall
# Supposedly the value we set is the default, but there seems to be
# an additional underscore and then a 4 character hash unless
# this is set. The result, unless we set this param, is that
# cifs.upcall cannot get the kerberos ticket-granting-ticket.
# This is only visible in the journalctrl logs.
 default_ccache_name = FILE:/tmp/krb5cc_%{euid}

to /etc/krb5.conf. I believe a reboot is required.

This is with user accounts authenticated against MS Active Directory. (Which
uses kerberos).

Without the workaround the user accounts do not authenticate, so per-user mounts are not possible.

See also Ubuntu bug #2012140
https://bugs.launchpad.net/ubuntu/+source/krb5/+bug/2012140

ProblemType: Bug
DistroRelease: Ubuntu 22.04
Package: cifs-utils 2:6.14-1ubuntu0.1
ProcVersionSignature: Ubuntu 5.15.0-67.74-generic 5.15.85
Uname: Linux 5.15.0-67-generic x86_64
ApportVersion: 2.20.11-0ubuntu82.3
Architecture: amd64
CasperMD5CheckResult: pass
Date: Sat Mar 18 17:43:19 2023
InstallationDate: Installed on 2023-03-09 (9 days ago)
InstallationMedia: Ubuntu-Server 22.04.2 LTS "Jammy Jellyfish" - Release amd64 (20230217.1)
ProcEnviron:
 SHELL=/bin/bash
 LANG=en_US.UTF-8
 TERM=xterm-256color
 PATH=(custom, no user)
SourcePackage: cifs-utils
UpgradeStatus: No upgrade log present (probably fresh install)

Revision history for this message
Karl O. Pinc (kop) wrote :
Revision history for this message
Karl O. Pinc (kop) wrote :
Revision history for this message
Karl O. Pinc (kop) wrote :

This bug, and the "see also" bugs mentioned above, have existed since at least Ubuntu 18.

Revision history for this message
Karl O. Pinc (kop) wrote : The source of the extra randomness in the krb5 credential cache name, explained

Hi,

FYI. Looks like the "extra stuff" added to the credential
cache name comes from sssd, via pam_sss, or perhaps pam_sss_gss.

Further information here:

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1033164

Supposedly, $KRB5CCNAME is set. So the problem seems to be
that cifs.upcall is not looking at this value. Perhaps this
is because systemd.automount is doing things as root?

In any case, cifs.upcall is not getting the information it needs
to work properly. If the cause is that the automounting is
happening as root, I don't see that there's a mechanism in place
whereby it could. At least not by adding fstab entries. Perhaps
there's some systemd-fu that would make it work.

Regards,

Karl <email address hidden>
Free Software: "You don't pay back, you pay forward."
                 -- Robert A. Heinlein

To post a comment you must log in.
This report contains Public information  
Everyone can see this information.

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.