[SRU] smbclient cannot connect anonymously in Kerberos context (freeipa)
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
samba |
Unknown
|
Unknown
|
|||
samba (Ubuntu) |
Fix Released
|
Undecided
|
Unassigned | ||
Focal |
Fix Released
|
Undecided
|
Paride Legovini | ||
Groovy |
Won't Fix
|
Undecided
|
Unassigned | ||
Hirsute |
Fix Released
|
Undecided
|
Unassigned |
Bug Description
This is a Focal-only SRU.
[Impact (from https:/
If there is a problem reading credential cache then smbclient can core with double free.
e.g. something like
smbclient -L //foo.bar.com
can result in
Enter TUX-NET\tux's password:
Failed to resolve credential cache 'DIR:/run/
*** Error in `smbclient': double free or corruption (fasttop): 0x0000560cd2ea8890 ***
Aborted (core dumped)
[Test Plan]
Setting up a reproducer is not easy as the crash is not 100% reproducible, however the samba package ships with autopkgtests which can be used for regression testing of the "base" samba functionalities, but they do not cover integration with Kerberos. Proper testing requires setting up a krb5 and making samba authenticate against with when the krb5 credential cache is unresolved.
Test PPA (amd64, ppc64el, s390x):
https:/
[Regression Potential]
The patch is a cherry-pick from upstream and has a little and well defined scope: it removes a free() in a given situation. The patch is a cherry-pick from upstream and has already been released in stable upstream branches and as such it's already shipped in a stable release of Ubuntu (Hirsute), in the current devel release (Impish) and in Debian Bullseye (currently testing). Therefore it can be considered field tested. The patch doesn't modify the behavior of any interface or user-facing component.
The regression potential can be considered low.
[Development Fix]
The patch is included in the following upstream and Ubuntu releases:
* >= 4.11.9
* >= 4.12.3
* >= 4.13.0 (>= Hirsute)
[Original Description]
It is not possible anymore to connect anonymously to a Samba server, if there is a Kerberos environment. It does not matter if there is a valid Kerberos ticket or not. I'm using FreeIPA.
This is with smbclient 2:4.11.
For example,
$ smbclient -L '//dist.
Failed to resolve credential cache 'KEYRING:
free(): double free detected in tcache 2
Aborted (core dumped)
On Ubuntu 18.04, with smbclient 2:4.7.6+
The combination Samba + FreeIPA + Ubuntu has never worked since I started using FreeIPA a few years ago. But anonymous access to a Samba server did work, until I switched to Ubuntu 20.04.
Related branches
- Christian Ehrhardt (community): Approve
- Utkarsh Gupta (community): Needs Fixing
- Canonical Server: Pending requested
-
Diff: 113 lines (+91/-0)3 files modifieddebian/changelog (+7/-0)
debian/patches/fix-double-free-with-unresolved-credentia-cache.patch (+83/-0)
debian/patches/series (+1/-0)
Changed in samba (Ubuntu Bionic): | |
status: | New → Fix Released |
Changed in samba (Ubuntu Groovy): | |
status: | Incomplete → Triaged |
Changed in samba (Ubuntu Focal): | |
status: | New → Confirmed |
no longer affects: | samba (Ubuntu Groovy) |
Changed in samba (Ubuntu Focal): | |
assignee: | nobody → Paride Legovini (paride) |
Changed in samba (Ubuntu Groovy): | |
assignee: | nobody → Paride Legovini (paride) |
Changed in samba (Ubuntu Groovy): | |
assignee: | Paride Legovini (paride) → nobody |
summary: |
- smbclient cannot connect anonymously in Kerberos context (freeipa) + [SRU] smbclient cannot connect anonymously in Kerberos context (freeipa) |
Changed in samba (Ubuntu Hirsute): | |
status: | New → Fix Released |
no longer affects: | samba (Ubuntu Bionic) |
Changed in samba (Ubuntu Focal): | |
status: | Confirmed → In Progress |
description: | updated |
description: | updated |
description: | updated |
description: | updated |
There is an option -k, to enable Kerberos. But there is no option to disable it. Smbclient decides on its own to use Kerberos, and it crashes (core dumped) while doing so.