cifs does not support kerberos authentication

Bug #236830 reported by Nick Barcet on 2008-06-02
This bug affects 2 people
Affects          Status        Importance  Assigned to     Milestone
linux (Ubuntu)                 Undecided   Unassigned
  Hardy                        Medium      Tim Gardner
samba (Debian)   Fix Released  Unknown
samba (Ubuntu)                 Undecided   Unassigned
  Hardy                        Medium      Steve Langasek

Bug Description

Binary package hint: samba

The cifs module does not yet implement kerberos authentication.
Since smbfs is no longer supported in hardy, there is currently no method to mount a cifs volume using kerberos.

Wesley J. Landaker (wjl) wrote :

This is a MASSIVE showstopper for many people. cifs doesn't mount things that smbfs used to, and smbfs is now just a pointer to cifs. So now there is no way to mount network shares if they are kerberos-auth only.

This, in effect, renders previously perfectly-working Linux machines on a corporate network *completely* *useless*. It's very frustrating.

Changed in samba:
status: New → Confirmed
Chuck Short (zulcss) wrote :

Nick,

Can you try using sec=krb5?

Thanks
chuck

Steve Langasek (vorlon) wrote :

I'm afraid you'll find that sec=krb5 consistently gives the following results:

$ mount.cifs //borges/pub /tmp/testmount -osec=krb5
Password:
mount error 38 = Function not implemented
Refer to the mount.cifs(8) manual page (e.g.man mount.cifs)
$

Of course, mount.cifs(8) doesn't give any information about the implementation status of krb5 authentication.

And unfortunately, krb5 authentication support in mount.cifs was never tested prior to migrating the packages away from smbfs; since there were no indications to the contrary in any of the documentation, I assumed that it was implemented and never thought to double-check this since none of my normal test servers are joined to AD. This is frustrating for me as well, as this is consequently the single biggest problem with the kernel cifs implementation -- far more relevant than incompatibilities with OS/2 or old Windows 9x servers -- but there had been virtually no discussion of this on the relevant lists when laying out the plans for dropping smbfs support (which has now been done completely in the upstream kernel).

It appears, according to fs/cifs/README in the kernel tree, that kerberos authentication is possible if the kernel is built with CONFIG_CIFS_EXPERIMENTAL. It's probably too late to enable this for 8.04.1 now, but we could talk to the kernel team about getting this enabled for .2. But even with that, it appears that the Kerberos userspace upcall helper needed for this is only available as part of samba 3.2, which is not yet released and certainly not shipped in 8.04.

Steve Langasek (vorlon) on 2008-06-09
Changed in linux:
status: New → Confirmed
Steve Langasek (vorlon) wrote :

Sorry, I'm afraid this bug is going to become something of a dumping ground for my investigations; this is getting complicated enough that I need somewhere to keep track of all the bits and pieces needed to get this working (...almost).

Software needed:
 - 2.6.24 kernel with the CONFIG_CIFS_EXPERIMENTAL and CONFIG_CIFS_UPCALL options set
 - backported cifs.spnego upcall helper from samba 3.2
 - keyutils package (from universe)

Install the cifs.spnego helper as /usr/sbin/cifs.spnego, and add the following line to /etc/request-key.conf (a conffile provided by the keyutils package):

   create cifs.spnego * * /usr/sbin/cifs.spnego %k %d

Make sure that the default_realm value in /etc/krb5.conf points to your AD realm; without this, I found that the kerberos upcall would fail because it would try to retrieve the ticket via the default realm, even if you already have a TGT in the necessary realm. (This seems like a regression in MIT KRB5, I don't remember this being a problem in the past when I had correct domain_realm mappings... but chances are, anyone who was already using smbmount w/ Kerberos has already dealt with this problem, I guess?)

Run kinit without KRB5CCNAME set (because the kernel upcall can't set a different ccache using an environmental variable) to request credentials for your AD realm:

$ kinit ubuntu
Password for <email address hidden>:
$

Then run the mount.cifs command, specifying username=, sec=, and 'guest' options (the misnamed 'guest' option being the way to tell mount.cifs not to prompt for a password):

$ mount.cifs //win2003.canonical.local/ubuntu /tmp/testmount -ousername=ubuntu,sec=krb5i,guest
$

Following these steps, I'm able to successfully mount a share using kerberos authentication in the cifs driver.

Steve Langasek (vorlon) wrote :

Here is the patch used for the kernel; tested on amd64

Changed in samba:
status: Unknown → New
Martin Pitt (pitti) wrote :

 * Kernel change is isolated, that looks reasonably ok. I take it CONFIG_CIFS_EXPERIMENTAL does not change any behaviour, just enables the CONFIG_CIFS_UPCALL config option? Does CONFIG_CIFS_UPCALL only enable the userspace callback for authorization (cifs.spnego), or any other behaviour?
 * I wouldn't like to promote keyutils to main in hardy (it sounds fine for MIR for intrepid, though). Since we have to touch the samba package anyway and backport cifs.spnego, can this be modified to point out "Please install the keyutils package" in the error message if it is missing?

Steve Langasek (vorlon) wrote :

CONFIG_CIFS_EXPERIMENTAL enables a number of unrelated features, all of which should be no-ops by default:

- CIFS ACL mapping
- dnotify support
- "export ops" (stub support for re-exporting via NFS)

and it allows the CIFS_UPCALL option to be enabled.

CIFS_UPCALL only turns on support for kerberos/SPNEGO authentication.

Steve Langasek (vorlon) on 2008-06-10
Changed in samba:
assignee: nobody → vorlon
importance: Undecided → Medium
status: New → Confirmed
Changed in linux:
importance: Undecided → Medium
status: New → Confirmed
Changed in samba:
status: New → Confirmed
Changed in samba:
status: Confirmed → Fix Released
Martin Pitt (pitti) on 2008-06-16
Changed in linux:
assignee: nobody → timg-tpi
status: Confirmed → In Progress
Joachim Breitner (nomeata) wrote :

Hi,

just to be able to plan: Will this be fixed in Hardy eventually, or only in newer releases?

Thanks,
Joachim

Tim Gardner (timg-tpi) wrote :

SRU Justification:

Impact: CIFS cannot authenticate against Kerberos

Patch Description: Enable CONFIG_CIFS_UPCALL in the kernel.

Patch: http://kernel.ubuntu.com/git?p=ubuntu/ubuntu-hardy.git;a=commit;h=5ecd2c7ef329ed53d583a10c16cf0d35d83edd7b

Test Case: See bug description

Tim Gardner (timg-tpi) wrote :
Changed in linux:
milestone: none → ubuntu-8.04.2
status: In Progress → Fix Committed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux - 2.6.26-3.7

---------------
linux (2.6.26-3.7) intrepid; urgency=low

  [Amit Kucheria]

  * SAUCE: make fc transport removal of target configurable
     - LP: #163075
  * SAUCE: pm: Config option to disable handling of console during
    suspend/resume

  [Ben Collins]

  * SAUCE: input/mouse/alps: Do not call psmouse_reset() for alps
  * SAUCE: irda: Default to dongle type 9 on IBM hardware
  * SAUCE: tulip: Let dmfe handle davicom on non-sparc
  * SAUCE: tulip: Define ULI PCI ID's
  * SAUCE: version: Implement version_signature proc file.
  * build: Cleanup arches
  * build: Remove remnants of unused binary-custom infrastructure
  * build: Remove disable_d_i (not needed) and cleanup ppa build stuff
  * ubuntu: New modules, acer-acpi
  * build: Remove -virtual, and rebuild configs
  * ubuntu: Add drbd module
  * acer-acpi: Fix makefile
  * x86/Kconfig: Fix missing quote for ubuntu Kconfig source
  * ubuntu: Add iscsitarget module
  * ubuntu: Added Amiga FS driver
  * ubuntu: Add squashfs driver
  * ubuntu: Remove asfs (Amiga FS). Need to be in linux-ports instead
  * squashfs: Move headers to real include directory
  * build/configs: The Great Config Consistency Check of 2008
  * ubuntu: Move third-party includes to ubuntu/include
  * ubuntu: Add aufs module
  * ubuntu: Added atl2 driver
  * ubuntu: Add dm-radi4-5 driver
  * build: Add CONFIG_DEBUG_SECTION_MISMATCH=y to get old style warnings
    from build
  * ubuntu/Makefile: Fixup dm-raid4-5 and add kludge for kbuild
  * squashfs: Fixes for VFS changes
  * ubuntu/dm-raid4-5: Fixups for moved/renamed headers/functions in core
    md
  * ubuntu: Add ndiswrapper driver
  * d-i: Update module listings
  * build: Disable xd block device (ancient)
  * ndiswrapper: Fixup makefile
  * d-i: Remove efi-modules. The only module, efivars, is built-in
  * build: Remove install-source, obsolete and caused build failure
  * Ubuntu-2.6.26-1.3
  * build: linux-doc rules got broken when disabling html side. Fixed now.
  * Ubuntu-2.6.26-1.4
  * x86: Update to -rc6 allows CONFIG_PCI_OLPC to work with PCI_GOANY
  * d-i: Make virtio-ring optional (it's built-in on i386)
  * Ubuntu-2.6.26-1.4
  * Ubuntu-2.6.26-1.5
  * config: Enable DVB devices
  * ubuntu/aufs: Make aufs a bool config, since it needs to be built-in
  * config: Build aufs into the kernels
  * build: Fix arguments passed to link-headers script
  * config: Disable early printk
  * d-i: Move isofs to storage-core and kill st (scsi tape) from list
  * config: Enable non-promiscuous access to /dev/mem
  * x86: Add option to disable decompression info messages
  * config: Enable no-bz-chatter config options
  * build: Re-add linux-source package
  * d-i: Re-add socket-modules. Accidentally removed
    - LP: #241295
  * Ubuntu-2.6.26-2.6
  * Use makedumpfile to generate a vmcoreinfo file.
  * build: Build-Depend on makedumpfile for vmcoreinfo generation
  * build: Remove debug print from git-ubuntu-log
  * Updated configs for -rc7
  * build: postinst, do not call depmod with -F
  * config: Enable rtc-cmos as a built-in driver.
  * control: Provide ndiswrapper-modules-1.9
  * build: Generate vmcoreinfo in image...

Changed in linux:
status: Confirmed → Fix Released
wzzrd (maxim) wrote :

Steve, can you please tell whether the backport of the cifs.spnego upcall helper will be in Hardy? I see the patch to the kernel config has been committed, but I'm not sure about the status of the rest of the solution.

Steve Langasek (vorlon) wrote :

Accepted into -proposed, please test and give feedback here. Please see https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you in advance!

Changed in samba:
status: Confirmed → Fix Committed
Steve Langasek (vorlon) on 2008-07-17
Changed in samba:
status: Fix Committed → Triaged
wzzrd (maxim) wrote :

I'd really like to help test this, but I am a bit crippled by our firewall: not apt for me. Can you provide me with the packages you used to install cifs.spnego? I downloaded the new kernel at home yesterday, but I am unable to find Samba packages containing the new backported helper.

Can you provide me with (a link to) the Samba packages you used for this, Steve?

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package samba - 2:3.2.0-3ubuntu1

---------------
samba (2:3.2.0-3ubuntu1) intrepid; urgency=low

  * Merge from debian unstable, remaining changes:
    * debian/patches/VERSION.patch:
      - set SAMBA_VERSION_VENDOR_SUFFIX to Ubuntu.
    * debian/smb.conf
      - add "(Samba, Ubuntu)" to server string.
      - comment out the default [homes] shares, and add a comment about
        "valid user = %s" to show users how to restrict access to \\server\username
         to only username.
      - add map to guest = Bad user, maps bad username to guest access. (LP: #32067)
    * debian/samba-common.postinst:
      - Fix upgrade from a first installation done with feisty, edgy, or dapper.
        (LP: #201059)
      - When populating the new sambashare group, it's not an error if the user
        simply doesn't exist; test for this case and let the install continue instead
        of aborting. (LP: #206036)
    * debian/samba-common.config:
      - do not change priority to HIGH if dhclient3 is installed
      - used priority medium instead of high for the workgroup question
    * debian/winbind.files:
      - include additional files
    * debian/mksambapasswd.awk:
      - Don't add user with UID less than 1000 to smbpasswd.
    * Dropped changes:
      - Dropped debian/patches/upstream_bug5517.patch. Already applied upstream.
      - Dropped debian/patches/disable-weak-auth.patch. Already applied upstream.
      - Dropped debian/patches/fix-server-signature.patch. Already applied upstream.
      - Dropped debian/patches/fix-documentation.patch. Already applied upstream.

samba (2:3.2.0-3) unstable; urgency=low

  * Upload to unstable.
  * debian/patches/proper-static-lib-linking.patch: fix SMB_LIBRARY macro
    and Makefile.in to properly avoid linking .a libraries into other .a
    libraries, since this bloats the libraries without providing any useful
    functionality.
  * Version the build-dependency on libtalloc-dev, to ensure we're building
    against a package with the right symbols.
  * Add debian/libsmbclient.symbols and debian/libwbclient0.symbols, to get
    more fine-grained versioned library dependencies
  * Bump the shlibs version for libsmbclient to 2:3.2.0, as new symbols
    have been added.
  * Re-add docs/registry to samba-doc, restored upstream
  * Move schannel_store.tdb out of /etc/samba to /var/lib/samba, where it
    belongs according to the FHS. Closes: #454770.

samba (2:3.2.0-2) experimental; urgency=low

  * Fix up the copyright file to correctly document that we're now under
    GPLv3, not GPLv2.

samba (2:3.2.0-1) experimental; urgency=low

  [ Christian Perrier ]
  * New samba-tools package to provide all "torture" tools:
    smbtorture msgtest masktest locktest locktest2 nsstest vfstest
    pdbtest talloctort replacetort tdbtorture smbconftort
  * Upgrade Standard to 3.8.0 (checked)
  * Merged from unstable:
    * Drop "invalid users = root" from the default smb.conf file
      as it differs from upstream's behaviour and upstream is fairly
      noisy about this choice of ours. Closes: #462046
    * Drop commented "guest account = nobody". This is already upstream's
      default
    * Remove ...


Changed in samba:
status: Confirmed → Fix Released

Hi wzzrd,

On Thu, Jul 17, 2008 at 08:05:43AM -0000, wzzrd wrote:
> Steve, can you please tell whether the backport of the cifs.spnego
> upcall helper will be in Hardy? I see the patch to the kernel config has
> been committed, but I'm not sure about the status of the rest of the
> solution.

I believe that we should backport cifs.spnego to hardy, but it looks like
this needs to settle a bit upstream first - upstream is currently in the
process of renaming the binary from cifs.spnego to cifs.upcall, and I want
to see whether that name change takes hold before backporting so that we
don't cause ourselves additional upgrade issues.

On Mon, Jul 21, 2008 at 08:55:55AM -0000, wzzrd wrote:
> I'ld really like to help test this, but I am a bit crippled by our
> firewall: not apt for me. Can you provide me with the packages you used
> to install cifs.spnego? I downloaded the new kernel at home yesterday,
> but I am unable to find Samba packages containing the new backported
> helper.

> Can you provide me with (a link to) the Samba packages you used for
> this, Steve?

I've only done quick'n'dirty testing so far, pulling the cifs.spnego binary
from the Debian experimental package for testing. At this point, the best
way to test would be to grab the samba source package from intrepid and
rebuild it for hardy. Test packages from me are going to be a couple of
weeks out yet. It would be nice if someone could confirm in the meantime
that the kernel side works, though, both for previously-working cases and
for the upcall-specific stuff.

--
Steve Langasek Give me a lever long enough and a Free OS
Debian Developer to set it on, and I can move the world.
Ubuntu Developer http://www.debian.org/
<email address hidden> <email address hidden>

wzzrd (maxim) wrote :

Hi Steve,

I had downloaded the source tarball from Samba.org at home and I'm not able to download the source deb from Intrepid at work, so I built Samba 3.2.0 from source and created a deb with checkinstall. Quick & dirty.

After pulling in the correct -dev packages, I configured with:

./configure --enable-cups --with-ads --with-cifsmount --with-ldap --enable-fam --with-cifsspnego --with-dnsupdate --with-automount --with-winbind --with-krb5

I installed the new version of samba in /usr/local/samba and installed the kernel from -proposed.

I followed your instructions above (the request-key.conf stuff) and I am now able to mount a cifs share on my machine. So the kernel patch works, that's for sure; at least for a Kerberos cache generated during Likewise login (I use Likewise Open).

What does surprise me a bit is the fact that if I klist, I can see my TGT and, directly after mount, the host ticket from the fileserver. After a while though, the latter disappears, even though I still have the cifs share mounted and accessible. Maybe that has something to do with Likewise; I'm more used to using pam_krb5, which does not purge tickets this soon.

Apart from that, I can only mount the cifs share with sec=krb, not with sec=krb5i. During debugging this, I found that cifs.spnego segfaults horribly when started on its own. As said, mounting seems to work though. I'll try downloading the Intrepid samba source deb at home tonight, maybe you guys have applied some patches on it?

Jocelyn Delalande (jocelyn) wrote :

I did some quick'n dirty samba backport from intrepid to hardy for my own needs. With the hardy-proposed kernel, it works like a charm (both krb5 and krb5i).

I needed to backport libtalloc1 too.

You can find those packages in : http://www.crapouillou.net/~jocelyn/debian/samba-hardy-backport/

wzzrd (maxim) wrote :

Jocelyn,

could you check whether you are able to mount with sec=krb5i? I can't
do that with the Samba I built from source right now.

Thanks!

Maxim Burgerhout
<email address hidden>
----------------
GPG Fingerprint
1CC2 A9B2 FE2E 799D 01DB 8A89 0AE8 B60A ACA3 4452

On Mon, Jul 28, 2008 at 12:48, Jocelyn Delalande
<email address hidden> wrote:
> I did some quick'n dirty samba backport from intrepid to hardy for my
> own needs. With the hardy-propposed kernel, it works like a charm (both
> krb5 and krb5i).
>
> I needed to backport libtalloc1 too.
>
> You can find those packages in :
> http://www.crapouillou.net/~jocelyn/debian/samba-hardy-backport/
>
> --
> cifs does not support kerberos authentication
> https://bugs.launchpad.net/bugs/236830
> You received this bug notification because you are a direct subscriber
> of the bug.
>

Jocelyn Delalande (jocelyn) wrote :

I can use krb5i

Steve Langasek (vorlon) wrote :

On Thu, Jul 24, 2008 at 08:59:56AM -0000, wzzrd wrote:
> I followed your instructions above (the request-key.conf stuff) and I am
> now able to mount a cifs share on my machine. So the kernel patch works,
> that's for sure; at least for a Kerberos cache generated during Likewise
> login (I use Likewise Open).

Great! So we can consider the kernel part successfully verified.

> What does surprise me a bit is the fact that if I klist, I can see my
> TGT and, directly after mount, the host ticket from the fileserver.
> After a while though, the latter disappears, even though I still have
> the cifs share mounted and accessible. Maybe that has something to do
> with Likewise; I'm more used to using pam_krb5, which does not purge
> tickets this soon.

I suspect that you're seeing a periodic TGT refresh from Likewise; pam_krb5
doesn't provide infrastructure to refresh tickets automatically for you, but
winbind/likewise do.

> Apart from that, I can only mount the cifs share with sec=krb, not with
> sec=krb5i. During debugging this, I found that cifs.spnego segfaults
> horribly when started on it's own. As said, mounting seems to work
> though. I'll try downloading the Intrepid samba source deb at home
> tonight, maybe you guys have applied some patches on it?

I haven't gotten krb5i working yet here either.

Cheers,
--
Steve Langasek Give me a lever long enough and a Free OS
Debian Developer to set it on, and I can move the world.
Ubuntu Developer http://www.debian.org/
<email address hidden> <email address hidden>

wzzrd (maxim) wrote :

> I suspect that you're seeing a periodic TGT refresh from Likewise; pam_krb5
> doesn't provide infrastructure to refresh tickets automatically for you, but
> winbind/likewise do.

I figured as much. I knew Heimdal provided a similar feature, but I
had too little to do with recent versions of Winbind and Likewise in
general to have noticed this before. Nice though.

> I haven't gotten krb5i working yet here either.
I see Jocelyn *is* able to use krb5i. I haven't been able to
downloaded the rebuilt packages from Intrepid Jocelyn provided. Maybe
I have time to try it today, else it will be after my vacation.

Steve Langasek (vorlon) wrote :

A package that includes a preliminary cifs.spnego backport is now available in my ppa; please try adding

deb http://ppa.launchpad.net/vorlon/ubuntu hardy main

to your apt sources.list and test the smbfs package there.

I still get the (rather unhelpful) error:

    mount error 38 = Function not implemented

I am not sure if the problem is with mount.cifs, or if it is something about the way I am set up. If someone who reports success with backported 3.2.0 could try with the 3.0.28a package in Steve's PPA, that would be great. Right now, I am a bit puzzled.

Adam Sommer (asommer) wrote :

Not sure if this helps, but when I try mounting a share, on Intrepid, with:

  mount.cifs //172.18.100.35/open open/ -ousername=lager,sec=krb5i,guest --verbose

It prints the command with the uid and gid then "Segmentation fault". Attached is I think the relevant dmesg output. Packages:

  samba-2:3.2.0-4ubuntu3
  smbfs-2:3.2.0-4ubuntu3
  likewise-open-4.1.0.2956-0ubuntu1~ppa2
  linux-image-2.6.26-5-server-2.6.26-5.15

I'm using the likewise-open package from Thierry's PPA: https://launchpad.net/~tcarrez/+archive

Everything worked fine when joining the domain, and leaving the domain... just fyi. If there's any more information I can provide, please let me know.

Thanks

Steve Langasek (vorlon) wrote :

Etienne,

What kernel version are you running? That output appears to be consistent with what I see on a kernel that doesn't have CIFS upcall support enabled.

Steve Langasek (vorlon) wrote :

I've just checked, and when using sec=krb5 against a server with no kerberos support, and a client with CIFS upcall support enabled (and keyutils installed) but without cifs.spnego configured, I get a different error:

mount error 126 = Required key not available
Refer to the mount.cifs(8) manual page (e.g.man mount.cifs)

So the 'function not implemented' probably points to a kernel that's not built with CIFS_UPCALL support. Etienne, please confirm which kernel version this test was done with.

I am running 2.6.24-20.38 from hardy-proposed. /boot/config-`uname -r` shows that CONFIG_CIFS_UPCALL=y is set. If it works for you, that means the problem is somewhere else on my side.

Steve Langasek (vorlon) wrote :

Ok; I've tested against the same server that Etienne was testing against, and found the particular error reproducible; also from my own client, where I was getting the 'Required key not available' message instead of the 'Function not implemented' error. I think the 'not implemented' is associated with this output in dmesg:

[771815.562213] CIFS VFS: secType 5 not supported!
[771815.562368] CIFS VFS: Send error in SessSetup = -38
[771815.701453] CIFS VFS: cifs_mount failed w/return code = -38

So that's a server configuration problem, not an issue on the client side; the server in this case is actually not joined to an AD realm at all, TTBOMK.

If I instead point at a win2k8 server that's part of an AD realm, I get the following in dmesg if I use sec=krb5:

[ 5818.652927] CIFS VFS: Server requires packet signing to be enabled in /proc/fs/cifs/SecurityFlags.
[ 5818.782901] CIFS VFS: cifs_mount failed w/return code = -95

And if I use sec=krb5i, I'm able to mount successfully.

So it looks to me like the packages in PPA work as intended, provided that the server you're connecting to can accept kerberos connections.

Steve Langasek (vorlon) wrote :

Adam, the kernel oops you're experiencing appears to be specific to that kernel version, and unrelated to the general question of whether cifs upcall support is enabled in the Ubuntu kernel. Please file a separate bug report for this issue.

Adam Sommer (asommer) wrote :

Tested the "mount.cifs //172.18.100.35/open open/ -ousername=lager,sec=krb5i,guest --verbose" command again and it worked fine. Used the new kernel version:

  linux-image-2.6.26-5-server-2.6.26-5.17

Thanks Steve.

To follow-up regarding the comment from Steve on 2008-08-15, it does work now indeed. Basically, it is entirely my fault for not configuring the Samba server for Kerberos authentication. For the record, you need to set the "use kerberos keytab" and "realm" options of smb.conf. Duh.

Steve: I see that the latest smbfs package in hardy-proposed does not have the backported cifs.spnego that you have in your PPA. What are your plans in the short/medium term? For hardy, do you plan to wait for upstream to stabilize the name of the executable before you push an update, or do you plan to have the backported cifs.spnego executable in the interim anyway?

Steve Langasek (vorlon) wrote :

Upstream has stabilized the name of the executable now, so providing an update that includes the cifs.upcall helper instead of cifs.spnego just waits on me having the cycles available to do it.

wzzrd (maxim) wrote :

Steve,

will you be able to provide this update for Hardy or will this only be
in Intrepid? Including this in Hardy would relieve us of serious
issues with developing a Linux desktop alternative :-)

Maxim Burgerhout
<email address hidden>
----------------
GPG Fingerprint
1CC2 A9B2 FE2E 799D 01DB 8A89 0AE8 B60A ACA3 4452

On Thu, Sep 18, 2008 at 00:49, Steve Langasek
<email address hidden> wrote:
> upstream has stabilized the name of the executable now, so providing an
> update that includes the cifs.upcall helper instead of cifs.spnego just
> waits on me having the cycles available to do it.
>
> --
> cifs does not support kerberos authentication
> https://bugs.launchpad.net/bugs/236830
> You received this bug notification because you are a direct subscriber
> of the bug.
>

Steve Langasek (vorlon) wrote :

On Thu, Sep 18, 2008 at 07:29:39AM -0000, wzzrd wrote:

> will you be able to provide this update for Hardy or will this only be
> in Intrepid? Including this in Hardy would relieve us of serious
> issues with developing a Linux desktop alternative :-)

The fix is already present in intrepid; this bug is open for tracking the
issue for hardy specifically.

wzzrd (maxim) wrote :

Ah, yes, I see, sorry
thanks for fixing this

Maxim

Steve Langasek (vorlon) wrote :

samba 3.0.28a-1ubuntu4.7 uploaded with the backported cifs.upcall implementation. Martin, could you please review?

Martin Pitt (pitti) wrote :

Looks ok to me. I pinged bug 259110 for testers, if it can be tested soon and we can move the current samba SRU to -updates first, I'd prefer waiting a bit instead of stacking SRUs on top of each other.

Martin Pitt (pitti) wrote :

Accepted into -proposed, please test and give feedback here. Please see https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you in advance!

Changed in samba:
status: Triaged → Fix Committed
Martin Pitt (pitti) wrote :

linux 2.6.24-21 copied to hardy-updates.

Changed in linux:
status: Fix Committed → Fix Released

I can't make this work for me:

atm26@bigwig:~/hardy$ sudo mount.cifs //127.0.0.1/bigdisc /tmp/foo -ousername=atm26,sec=krb5,guest --verbose
parsing options: username=atm26,sec=krb5,guest

mount.cifs kernel mount options unc=//127.0.0.1\bigdisc,ip=127.0.0.1,ver=1,username=atm26,sec=krb5,guest
mount error 5 = Input/output error
Refer to the mount.cifs(8) manual page (e.g.man mount.cifs)

with variations of hostnames/IP addresses to no effect (also used -o ip=127.0.0.1 and the real NetBIOS name of the server in the UNC path). Tried both krb5 and krb5i. I'm doing this over an SSH tunnel: ports 139 and 445 forwarded to the same ports on the CIFS server (a NetApp F840) and port 88 to the Windows AD Kerberos server. The ports are open:

atm26@bigwig:~/hardy$ netstat -a
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 localhost:netbios-ssn *:* LISTEN
tcp 0 0 localhost:kerberos *:* LISTEN
tcp 0 0 localhost:microsoft-ds *:* LISTEN
(tried IPv4-only as well). If I close these connections I get
mount error 111 = Connection refused
so it's not just a network connectivity thing.
I've also tried forwarding port 137 to the AD Kerberos server too with no change.

atm26@bigwig:~/hardy$ sudo klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: <email address hidden>
Valid starting Expires Service principal
10/19/08 13:49:34 10/19/08 23:49:39 <email address hidden>
        renew until 10/20/08 13:49:34
10/19/08 13:52:56 10/19/08 23:49:39 elmer$@AD.CL.CAM.AC.UK
        renew until 10/20/08 13:49:34
Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached

atm26@bigwig:~/hardy$ uname -a
Linux bigwig 2.6.24-21-generic #1 SMP Mon Aug 25 17:32:09 UTC 2008 i686 GNU/Linux

I've just upgraded from edgy to hardy via feisty and gutsy. I've installed smbfs/smbclient/samba-common/samba 3.0.28a-1ubuntu4.7 from hardy-proposed and added a line into /etc/request-key.conf as above (keyutils 1.2-4):
create cifs.upcall * * /usr/sbin/cifs.upcall %k %d

smbclient seems to work:
atm26@bigwig:~/hardy$ sudo smbclient -k -L 127.0.0.1
OS=[Windows 5.0] Server=[Windows 2000 LAN Manager]

        Sharename Type Comment
        --------- ---- -------
        atm26 Disk Home Directory
        IPC$ IPC Remote IPC
        ETC$ Disk Remote Administration
        homes-1 Disk Home directories
        homes-2 Disk Home directories
        homes-3 Disk Home directories
[snip list of shares available on the server]
        grp-rb5 Disk
        grp-rb6 Disk
Receiving SMB: Server stopped responding
session request to 127.0.0.1 failed (Call returned zero bytes (EOF))
Receiving SMB: Server stopped responding
session request to 127 failed (Call returned zero bytes (EOF))
OS=[Windows 5.0] Server=[Windows 2000 LAN Manager]

(the Server stopped responding bits are strange, but I can ...


> create cifs.upcall * * /usr/sbin/cifs.upcall %k %d

The line in /etc/request-key.conf should look like the following instead:

        create cifs.spnego * * /usr/sbin/cifs.upcall %k %d

The key name is indeed cifs.spnego; only the executable name changed.
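A pre-flight check for the upcall setup from Steve's procedure earlier in this bug (the request-key.conf line, the default_realm requirement in krb5.conf) and for the key-type mix-up corrected just above. This is an added example, not code from the bug thread or from the samba or keyutils packages; it assumes POSIX sh and awk, takes the config file paths as parameters, and the sample files it builds are constructed, with /bin/sh standing in for /usr/sbin/cifs.upcall so the executable check passes on a host that does not have the helper installed.

```shell
#!/bin/sh
# Pre-flight check for the cifs.spnego upcall setup discussed in this bug.
# Added example: not part of the samba or keyutils packages. Config paths are
# passed in, so it runs against constructed sample files as well as /etc.

# Print the callout program registered for the cifs.spnego key type (empty if none).
# Fields of request-key.conf: OP TYPE DESCRIPTION CALLOUT_INFO PROGRAM ARGS...
cifs_upcall_program() {
    awk '$1 == "create" && $2 == "cifs.spnego" { print $5; exit }' "$1"
}

# True when the file keys the line on the executable name (cifs.upcall) instead
# of the key type (cifs.spnego), the mistake corrected in the thread above.
has_wrong_key_type() {
    awk '$1 == "create" && $2 == "cifs.upcall" { found = 1 } END { exit !found }' "$1"
}

# Print default_realm from the [libdefaults] section of a krb5.conf (empty if unset).
krb5_default_realm() {
    awk '
        /^[ \t]*\[/ { insec = ($0 ~ /\[libdefaults\]/); next }
        insec && /^[ \t]*default_realm[ \t]*=/ {
            sub(/^[ \t]*default_realm[ \t]*=[ \t]*/, ""); print $1; exit
        }
    ' "$1"
}

# Report on both files; returns 0 only when every check passes.
check_cifs_krb5_setup() {
    rkconf="$1"; krbconf="$2"; rc=0
    prog=$(cifs_upcall_program "$rkconf")
    if [ -z "$prog" ]; then
        echo "FAIL: no 'create cifs.spnego ...' line in $rkconf"
        if has_wrong_key_type "$rkconf"; then
            echo "      hint: a line keyed on cifs.upcall was found; the key type stays cifs.spnego"
        fi
        rc=1
    elif [ ! -x "$prog" ]; then
        echo "FAIL: callout $prog is missing or not executable (helper not installed?)"
        rc=1
    else
        echo "OK:   cifs.spnego upcall -> $prog"
    fi
    realm=$(krb5_default_realm "$krbconf")
    if [ -z "$realm" ]; then
        echo "FAIL: default_realm not set in [libdefaults] of $krbconf"
        rc=1
    else
        echo "OK:   default_realm = $realm"
    fi
    return $rc
}

# Constructed sample files (not taken from any real host). /bin/sh stands in for
# /usr/sbin/cifs.upcall so the executable check passes where the helper is absent.
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
cat > "$SAMPLE_DIR/request-key.good" <<'EOF'
#OP    TYPE         DESCRIPTION CALLOUT_INFO PROGRAM ARG1 ARG2
create cifs.spnego  *           *            /bin/sh %k %d
negate *            *           *            /bin/keyctl negate %k 30 %S
EOF
cat > "$SAMPLE_DIR/request-key.bad" <<'EOF'
#create cifs.spnego * * /usr/sbin/cifs.upcall -c %k %d
create cifs.upcall * * /usr/sbin/cifs.upcall %k %d
EOF
cat > "$SAMPLE_DIR/krb5.conf" <<'EOF'
[libdefaults]
        default_realm = EXAMPLE.COM
        dns_lookup_kdc = true
[realms]
EOF

# Point these at /etc/request-key.conf and /etc/krb5.conf to check a real host.
check_cifs_krb5_setup "$SAMPLE_DIR/request-key.good" "$SAMPLE_DIR/krb5.conf"
check_cifs_krb5_setup "$SAMPLE_DIR/request-key.bad" "$SAMPLE_DIR/krb5.conf" || true
```

Run it as root against the real files (`check_cifs_krb5_setup /etc/request-key.conf /etc/krb5.conf`) before attempting the mount; a "Required key not available" error at mount time is what you see when the kernel has upcall support but this registration is missing or mis-keyed.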

Martin Pitt (pitti) wrote :

Copied to hardy-updates. The package was successfully tested in bug 259110. If this bug is not fixed for you in the hardy update, please report back here, then we'll reopen this. Thank you!

Changed in samba:
status: Fix Committed → Fix Released
Daniel Richard G. (skunk) wrote :

Unfortunately, CIFS with Kerberos auth is broken in Intrepid, due to bug 298208. Has anyone here gotten the upcall business to work in 8.10?

I'm still experiencing this issue. Ubuntu hardy, patched up to date as of this writing.

pjs11@patslinux01 ~ $ lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 8.04.3 LTS
Release: 8.04
Codename: hardy

pjs11@patslinux01 ~ $ uname -a
Linux patslinux01.mayo.edu 2.6.24-23-generic #1 SMP Wed Apr 1 21:43:24 UTC 2009 x86_64 GNU/Linux

pjs11@patslinux01 ~ $ klist
Credentials cache: FILE:/tmp/krb5cc_1000
        Principal: <email address hidden>

  Issued Expires Principal
Sep 3 14:48:04 Sep 4 00:48:04 <email address hidden>
Sep 3 14:48:09 Sep 4 00:48:04 rchnas06n2$@MFAD.MFROOT.ORG

# SMB Client connects using kerberos credentials

pjs11@patslinux01 ~ $ smbclient -k //rchnas06n2/Users500M
OS=[Windows 5.0] Server=[Windows 2000 LAN Manager]
smb: \>
pjs11@patslinux01 ~ $

# mount.cifs does not, and prompts for a password:

pjs11@patslinux01 ~ $ mount.cifs //rchnas06n2/Users500M/PJS11 mnt/pjs11 -o sec=krb5 --verbose
parsing options: sec=krb5
Password: (simply pressed return, here)

mount.cifs kernel mount options unc=//rchnas06n2\Users500M,ip=129.176.156.20,user=pjs11,pass=,ver=1,sec=krb5,uid=1000,gid=1000,prefixpath=PJS11
mount error 5 = Input/output error
Refer to the mount.cifs(8) manual page (e.g.man mount.cifs)

pjs11@patslinux01 ~ $ more /etc/request-key.conf
(...snip copious comments)
#OP TYPE DESCRIPTION CALLOUT INFO PROGRAM ARG1 ARG2 ARG3 ...
#====== ======= =============== =============== ===============================
create user debug:* negate /bin/keyctl negate %k 30 %S
create user debug:loop:* * |/bin/cat
create user debug:* * /usr/share/keyutils/request-key-debug.sh %k %d %c %S
#create cifs.spnego * * /usr/sbin/cifs.upcall -c %k %d
create cifs.spnego * * /usr/sbin/cifs.upcall %k %d
negate * * * /bin/keyctl negate %k 30 %S

Do the 64 bit packages have the necessary patches in them?
-- Pat
