debcrafters-packages team mailing list archive

Thread
Date
[Bug 2099917] Re: cifs.upcall: If kerberos credential cache already contains a valid service ticket, use that even if TGT is expired

To: debcrafters-packages@xxxxxxxxxxxxxxxxxxx
From: Matthew Ruffell <2099917@xxxxxxxxxxxxxxxxxx>
Date: Fri, 23 May 2025 04:15:42 -0000
Reply-to: Bug 2099917 <2099917@xxxxxxxxxxxxxxxxxx>
Sender: noreply@xxxxxxxxxxxxx
Performing verification for noble.

I set up a fresh noble VM with the same reproducer as documented in 
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/2099914

The kernel is the latest 6.8.0-60-generic from -updates.

$ uname -rv
6.8.0-60-generic #63-Ubuntu SMP PREEMPT_DYNAMIC Tue Apr 15 19:04:15 UTC 2025

cifs-utils is 2:7.0-2build1 from -release.

$ apt-cache policy cifs-utils | grep Installed
cifs-utils:
  Installed: 2:7.0-2build1

We kinit and get a tgt:

root@samba-dc:/home/ubuntu# kinit Administrator@xxxxxxxxxxxxxxxxxxxx
Password for Administrator@xxxxxxxxxxxxxxxxxxxx: 
Warning: Your password will expire in 41 days on Fri Jul  4 02:00:18 2025
root@samba-dc:/home/ubuntu# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: Administrator@xxxxxxxxxxxxxxxxxxxx

Valid starting     Expires            Service principal
05/23/25 03:58:13  05/23/25 13:58:13  krbtgt/SAMBA-DC.EXAMPLE.COM@xxxxxxxxxxxxxxxxxxxx
	renew until 05/24/25 03:58:10

Mount the cifs share:

root@samba-dc:/home/ubuntu# mount -t cifs -o
cruid=root,user=root,sec=krb5i,uid=0,gid=0,cred=/tmp/krb5cc_0 //samba-
dc.example.com/demo /mnt/testshare1

We now have a service ticket:

root@samba-dc:/home/ubuntu# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: Administrator@xxxxxxxxxxxxxxxxxxxx

Valid starting     Expires            Service principal
05/23/25 03:58:13  05/23/25 13:58:13  krbtgt/SAMBA-DC.EXAMPLE.COM@xxxxxxxxxxxxxxxxxxxx
	renew until 05/24/25 03:58:10
05/23/25 03:59:05  05/23/25 13:58:13  cifs/samba-dc.example.com@
	renew until 05/24/25 03:58:10
	Ticket server: cifs/samba-dc.example.com@xxxxxxxxxxxxxxxxxxxx

Unmount the share:

root@samba-dc:/home/ubuntu# umount /mnt/testshare1

Perform some kerberos credential case surgery to remove the TGT:

root@samba-dc:/home/ubuntu# cd python-krb5ccparse/
root@samba-dc:/home/ubuntu/python-krb5ccparse# ./kremovetkt -c /tmp/krb5cc_0 -o /tmp/removed -p krbtgt/SAMBA-DC.EXAMPLE.COM@xxxxxxxxxxxxxxxxxxxx
Keeping ticket for krb5_ccache_conf_data/fast_avail/krbtgt/SAMBA-DC.EXAMPLE.COM@xxxxxxxxxxxxxxxxxxxx@X-CACHECONF:
Keeping ticket for krb5_ccache_conf_data/pa_type/krbtgt/SAMBA-DC.EXAMPLE.COM@xxxxxxxxxxxxxxxxxxxx@X-CACHECONF:
Skipping ticket for krbtgt/SAMBA-DC.EXAMPLE.COM@xxxxxxxxxxxxxxxxxxxx
Keeping ticket for cifs/samba-dc.example.com@

Lets see if it is successful:

root@samba-dc:/home/ubuntu/python-krb5ccparse# kdestroy
root@samba-dc:/home/ubuntu/python-krb5ccparse# mv /tmp/removed /tmp/krb5cc_0
root@samba-dc:/home/ubuntu/python-krb5ccparse# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: Administrator@xxxxxxxxxxxxxxxxxxxx

Valid starting     Expires            Service principal
05/23/25 03:59:05  05/23/25 13:58:13  cifs/samba-dc.example.com@
	renew until 05/24/25 03:58:10
	Ticket server: cifs/samba-dc.example.com@xxxxxxxxxxxxxxxxxxxx

We only have service ticket now, so try mount the share:

root@samba-dc:/home/ubuntu/python-krb5ccparse# mount -t cifs -o cruid=root,user=root,sec=krb5i,uid=0,gid=0,cred=/tmp/krb5cc_0 //samba-dc.example.com/demo /mnt/testshare1
mount error(126): Required key not available
Refer to the mount.cifs(8) manual page (e.g. man mount.cifs) and kernel log messages (dmesg)

# journalctl -b0
May 23 04:00:49 samba-dc kernel: CIFS: enabling forceuid mount option implicitly because uid= option is specified
May 23 04:00:49 samba-dc kernel: CIFS: enabling forcegid mount option implicitly because gid= option is specified
May 23 04:00:49 samba-dc kernel: CIFS: Attempting to mount //samba-dc.example.com/demo
May 23 04:00:49 samba-dc cifs.upcall[2192]: key description: cifs.spnego;0;0;39010000;ver=0x2;host=samba-dc.example.com;ip4=192.168.122.124;sec=krb5;uid=0x0;creduid=0x0>
May 23 04:00:49 samba-dc cifs.upcall[2193]: ver=2
May 23 04:00:49 samba-dc cifs.upcall[2193]: host=samba-dc.example.com
May 23 04:00:49 samba-dc cifs.upcall[2193]: ip=192.168.122.124
May 23 04:00:49 samba-dc cifs.upcall[2193]: sec=1
May 23 04:00:49 samba-dc cifs.upcall[2193]: uid=0
May 23 04:00:49 samba-dc cifs.upcall[2193]: creduid=0
May 23 04:00:49 samba-dc cifs.upcall[2193]: user=root
May 23 04:00:49 samba-dc cifs.upcall[2193]: pid=2186
May 23 04:00:49 samba-dc cifs.upcall[2192]: get_cachename_from_process_env: pid == 0
May 23 04:00:49 samba-dc cifs.upcall[2192]: get_existing_cc: default ccache is FILE:/tmp/krb5cc_0
May 23 04:00:49 samba-dc cifs.upcall[2192]: krb5_get_init_creds_keytab: -1765328378
May 23 04:00:49 samba-dc cifs.upcall[2192]: handle_krb5_mech: getting service ticket for samba-dc.example.com
May 23 04:00:49 samba-dc cifs.upcall[2192]: handle_krb5_mech: using GSS-API
May 23 04:00:49 samba-dc cifs.upcall[2192]: GSS-API error init_sec_context: Unspecified GSS failure.  Minor code may provide more information
May 23 04:00:49 samba-dc cifs.upcall[2192]: GSS-API error init_sec_context: Matching credential not found (filename: /tmp/krb5cc_0)
May 23 04:00:49 samba-dc cifs.upcall[2192]: handle_krb5_mech: failed to obtain service ticket via GSS (851968)
May 23 04:00:49 samba-dc cifs.upcall[2192]: Unable to obtain service ticket
May 23 04:00:49 samba-dc cifs.upcall[2192]: Exit status 851968
May 23 04:00:49 samba-dc kernel: CIFS: VFS: Verify user has a krb5 ticket and keyutils is installed
May 23 04:00:49 samba-dc kernel: CIFS: VFS: \\samba-dc.example.com Send error in SessSetup = -126
May 23 04:00:49 samba-dc kernel: CIFS: VFS: cifs_mount failed w/return code = -126

We fail, due to cifs-utils in -release not seeing a TGT, and backing out, even
though we have a valid cifs service ticket.

I then enabled -security-proposed:

sudo add-apt-repository ppa:ubuntu-security-proposed/ppa

and installed cifs-utils 2:7.0-2ubuntu0.1

I then attempted the mount:

root@samba-dc:/home/ubuntu/python-krb5ccparse# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: Administrator@xxxxxxxxxxxxxxxxxxxx

Valid starting     Expires            Service principal
05/23/25 03:59:05  05/23/25 13:58:13  cifs/samba-dc.example.com@
	renew until 05/24/25 03:58:10
	Ticket server: cifs/samba-dc.example.com@xxxxxxxxxxxxxxxxxxxx
root@samba-dc:/home/ubuntu/python-krb5ccparse# mount -t cifs -o cruid=root,user=root,sec=krb5i,uid=0,gid=0,cred=/tmp/krb5cc_0 //samba-dc.example.com/demo /mnt/testshare1
root@samba-dc:/home/ubuntu/python-krb5ccparse# mount -l
...
//samba-dc.example.com/demo on /mnt/testshare1 type cifs //samba-dc.example.com/demo on /mnt/testshare1 type cifs (rw,relatime,vers=3.1.1,sec=krb5i,cruid=0,cache=strict,username=root,uid=0,forceuid,gid=0,forcegid,addr=192.168.122.124,file_mode=0755,dir_mode=0755,soft,nounix,serverino,mapposix,rsize=4194304,wsize=4194304,bsize=1048576,retrans=1,echo_interval=60,actimeo=1,closetimeo=1)

# stat /mnt/testshare1/
  File: /mnt/testshare1/
  Size: 0         	Blocks: 0          IO Block: 1048576 directory
Device: 0,38	Inode: 297860      Links: 2
Access: (0755/drwxr-xr-x)  Uid: (    0/    root)   Gid: (    0/    root)
Access: 2025-04-09 04:29:15.755959600 +0000
Modify: 2025-04-09 02:54:45.264000000 +0000
Change: 2025-04-09 02:54:45.264000000 +0000
 Birth: 2025-04-09 02:54:45.264000000 +0000
 
# journalctl -b0
May 23 04:02:32 samba-dc kernel: CIFS: enabling forceuid mount option implicitly because uid= option is specified
May 23 04:02:32 samba-dc kernel: CIFS: enabling forcegid mount option implicitly because gid= option is specified
May 23 04:02:32 samba-dc kernel: CIFS: Attempting to mount //samba-dc.example.com/demo
May 23 04:02:32 samba-dc cifs.upcall[2718]: key description: cifs.spnego;0;0;39010000;ver=0x2;host=samba-dc.example.com;ip4=192.168.122.124;sec=krb5;uid=0x0;creduid=0x0>
May 23 04:02:32 samba-dc cifs.upcall[2719]: ver=2
May 23 04:02:32 samba-dc cifs.upcall[2719]: host=samba-dc.example.com
May 23 04:02:32 samba-dc cifs.upcall[2719]: ip=192.168.122.124
May 23 04:02:32 samba-dc cifs.upcall[2719]: sec=1
May 23 04:02:32 samba-dc cifs.upcall[2719]: uid=0
May 23 04:02:32 samba-dc cifs.upcall[2719]: creduid=0
May 23 04:02:32 samba-dc cifs.upcall[2719]: user=root
May 23 04:02:32 samba-dc cifs.upcall[2719]: pid=2712
May 23 04:02:32 samba-dc cifs.upcall[2718]: upcall_target=app, switching namespaces to application thread
May 23 04:02:32 samba-dc cifs.upcall[2718]: get_cachename_from_process_env: pid == 0
May 23 04:02:32 samba-dc cifs.upcall[2718]: get_existing_cc: default ccache is FILE:/tmp/krb5cc_0
May 23 04:02:32 samba-dc cifs.upcall[2718]: main: valid service ticket exists in credential cache
May 23 04:02:32 samba-dc cifs.upcall[2718]: handle_krb5_mech: getting service ticket for samba-dc.example.com
May 23 04:02:32 samba-dc cifs.upcall[2718]: handle_krb5_mech: using native krb5
May 23 04:02:32 samba-dc cifs.upcall[2718]: handle_krb5_mech: obtained service ticket
May 23 04:02:32 samba-dc cifs.upcall[2718]: Exit status 0
 
The filesystem is mounted correctly.

I also did a mount with both TGT and service ticket:

root@samba-dc:/home/ubuntu/python-krb5ccparse# umount /mnt/testshare1
root@samba-dc:/home/ubuntu/python-krb5ccparse# kdestroy
root@samba-dc:/home/ubuntu/python-krb5ccparse# kinit Administrator@xxxxxxxxxxxxxxxxxxxx
Password for Administrator@xxxxxxxxxxxxxxxxxxxx: 
Warning: Your password will expire in 41 days on Fri Jul  4 02:00:18 2025
root@samba-dc:/home/ubuntu/python-krb5ccparse# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: Administrator@xxxxxxxxxxxxxxxxxxxx

Valid starting     Expires            Service principal
05/23/25 04:04:03  05/23/25 14:04:03  krbtgt/SAMBA-DC.EXAMPLE.COM@xxxxxxxxxxxxxxxxxxxx
	renew until 05/24/25 04:03:59
root@samba-dc:/home/ubuntu/python-krb5ccparse# mount -t cifs -o cruid=root,user=root,sec=krb5i,uid=0,gid=0,cred=/tmp/krb5cc_0 //samba-dc.example.com/demo /mnt/testshare1
root@samba-dc:/home/ubuntu/python-krb5ccparse# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: Administrator@xxxxxxxxxxxxxxxxxxxx

Valid starting     Expires            Service principal
05/23/25 04:04:03  05/23/25 14:04:03  krbtgt/SAMBA-DC.EXAMPLE.COM@xxxxxxxxxxxxxxxxxxxx
	renew until 05/24/25 04:03:59
05/23/25 04:04:22  05/23/25 14:04:03  cifs/samba-dc.example.com@
	renew until 05/24/25 04:03:59
	Ticket server: cifs/samba-dc.example.com@xxxxxxxxxxxxxxxxxxxx

The filesystem is again mounted correctly, so no regressions with both TGT and
service ticket either.

The package in -proposed fixes the issue. Happy to mark noble as
verified.

** Tags added: verification-done-noble

-- 
You received this bug notification because you are a member of
Debcrafters packages, which is subscribed to cifs-utils in Ubuntu.
https://bugs.launchpad.net/bugs/2099917

Title:
  cifs.upcall: If kerberos credential cache already contains a valid
  service ticket, use that even if TGT is expired

Status in cifs-utils package in Ubuntu:
  Fix Released
Status in cifs-utils source package in Focal:
  Fix Committed
Status in cifs-utils source package in Jammy:
  Fix Committed
Status in cifs-utils source package in Noble:
  Fix Committed
Status in cifs-utils source package in Oracular:
  Fix Committed
Status in cifs-utils source package in Plucky:
  Fix Released

Bug description:
  [Impact]

  When mounting an SMB file share using the kernel client with Kerberos
  authentication, cifs.ko module makes an upcall to user space during the session
  setup phase to retrieve the Kerberos service ticket from the credential cache.

  cifs.upcall first checks if the TGT is valid, and only if it is, checks if a
  service ticket exists, and if it does if it is valid.

  If we already have a valid service ticket, it should not matter if the TGT is
  valid or not, so we should just directly use the service ticket instead of
  trying to get a new TGT / force the user to kinit again.

  [Testcase]

  Follow the entire testcase of https://bugs.launchpad.net/ubuntu/+source/linux/+bug/2099914
  first.

  Get a new TGT and krb5 credential cache.

  # kinit Administrator@xxxxxxxxxxxxxxxxxxxx
  Password for Administrator@xxxxxxxxxxxxxxxxxxxx:
  Warning: Your password will expire in 29 days on Wed Jun 11 05:01:22 2025

  # klist
  Ticket cache: FILE:/tmp/krb5cc_0
  Default principal: Administrator@xxxxxxxxxxxxxxxxxxxx

  Valid starting     Expires            Service principal
  05/12/25 11:56:59  05/12/25 21:56:59  krbtgt/SAMBA-DC.EXAMPLE.COM@xxxxxxxxxxxxxxxxxxxx
   renew until 05/13/25 11:56:55

  # mount -t cifs -o
  cruid=root,user=root,sec=krb5i,uid=0,gid=0,cred=/tmp/krb5cc_0 //samba-
  dc.example.com/demo /mnt/testshare1

  # klist
  Ticket cache: FILE:/tmp/krb5cc_0
  Default principal: Administrator@xxxxxxxxxxxxxxxxxxxx

  Valid starting     Expires            Service principal
  05/12/25 11:56:59  05/12/25 21:56:59  krbtgt/SAMBA-DC.EXAMPLE.COM@xxxxxxxxxxxxxxxxxxxx
   renew until 05/13/25 11:56:55
  05/12/25 11:58:21  05/12/25 21:56:59  cifs/samba-dc.example.com@
   renew until 05/13/25 11:56:55
   Ticket server: cifs/samba-dc.example.com@xxxxxxxxxxxxxxxxxxxx

  # umount /mnt/testshare1

  Next, we need to perform some surgery to remove the TGT, using this
  neat tool:

  # git clone https://git.nullroute.lt/hacks/python-krb5ccparse.git
  # cd python-krb5ccparse
  # ./kremovetkt -c /tmp/krb5cc_0 -o /tmp/removed -p krbtgt/SAMBA-DC.EXAMPLE.COM@xxxxxxxxxxxxxxxxxxxx
  Keeping ticket for krb5_ccache_conf_data/fast_avail/krbtgt/SAMBA-DC.EXAMPLE.COM@xxxxxxxxxxxxxxxxxxxx@X-CACHECONF:
  Keeping ticket for krb5_ccache_conf_data/pa_type/krbtgt/SAMBA-DC.EXAMPLE.COM@xxxxxxxxxxxxxxxxxxxx@X-CACHECONF:
  Skipping ticket for krbtgt/SAMBA-DC.EXAMPLE.COM@xxxxxxxxxxxxxxxxxxxx
  Keeping ticket for cifs/samba-dc.example.com@

  # kdestroy
  # mv /tmp/removed /tmp/krb5cc_0
  # klist
  Ticket cache: FILE:/tmp/removed
  Default principal: Administrator@xxxxxxxxxxxxxxxxxxxx

  Valid starting     Expires            Service principal
  05/12/25 11:58:21  05/12/25 21:56:59  cifs/samba-dc.example.com@
   renew until 05/13/25 11:56:55
   Ticket server: cifs/samba-dc.example.com@xxxxxxxxxxxxxxxxxxxx

  Now we have a kerberos credential cache with a service ticket only, and no
  TGT.

  If we try and mount now:

  # mount -t cifs -o cruid=root,user=root,sec=krb5i,uid=0,gid=0,cred=/tmp/krb5cc_0 //samba-dc.example.com/demo /mnt/testshare1
  mount error(126): Required key not available
  Refer to the mount.cifs(8) manual page (e.g. man mount.cifs) and kernel log messages (dmesg)

  kernel: CIFS: enabling forceuid mount option implicitly because uid= option is specified
  kernel: CIFS: enabling forcegid mount option implicitly because gid= option is specified
  kernel: CIFS: Attempting to mount //samba-dc.example.com/demo
  cifs.upcall[2206]: key description: cifs.spnego;0;0;39010000;ver=0x2;host=samba-dc.example.com;ip4=192.168.122.191;sec=krb5;uid=0x0;creduid=>
  cifs.upcall[2207]: ver=2
  cifs.upcall[2207]: host=samba-dc.example.com
  cifs.upcall[2207]: ip=192.168.122.191
  cifs.upcall[2207]: sec=1
  cifs.upcall[2207]: uid=0
  cifs.upcall[2207]: creduid=0
  cifs.upcall[2207]: user=root
  cifs.upcall[2207]: pid=2202
  cifs.upcall[2206]: get_cachename_from_process_env: pid == 0
  cifs.upcall[2206]: get_existing_cc: default ccache is FILE:/tmp/krb5cc_0
  cifs.upcall[2206]: krb5_get_init_creds_keytab: -1765328378
  cifs.upcall[2206]: handle_krb5_mech: getting service ticket for samba-dc.example.com
  cifs.upcall[2206]: handle_krb5_mech: using GSS-API
  cifs.upcall[2206]: GSS-API error init_sec_context: Unspecified GSS failure.  Minor code may provide more information
  cifs.upcall[2206]: GSS-API error init_sec_context: Matching credential not found (filename: /tmp/krb5cc_0)
  cifs.upcall[2206]: handle_krb5_mech: failed to obtain service ticket via GSS (851968)
  cifs.upcall[2206]: Unable to obtain service ticket
  cifs.upcall[2206]: Exit status 851968
  kernel: CIFS: VFS: Verify user has a krb5 ticket and keyutils is installed
  kernel: CIFS: VFS: \\samba-dc.example.com Send error in SessSetup = -126
  kernel: CIFS: VFS: cifs_mount failed w/return code = -126

  If you install the test packages available in the following ppa:

  https://launchpad.net/~mruffell/+archive/ubuntu/sf407276-test

  The mount completes as expected.

  [Where problems could occur]

  We are removing the check to see if there is a valid TGT before checking if
  there is a valid service ticket. If the TGT is expired, then previously it would
  have forced the user to intervene to get a new TGT before being able to
  mount or connect to SMB shares with the service ticket.

  Now, we just need a service ticket only. For the most part, this won't make
  much of a difference, as usually the service ticket is set to expire at the
  same time as a TGT, so we would have to get a TGT anyway. But if they happen to
  have different expiration schedules, or if we have a custom credential cache
  with no TGT, we can now just go straight to using the service ticket.

  If a regression were to occur, it would affect the mounting of cifs / SMB
  shares, and ticket renegotiation if a ticket were to expire.

  [Other info]

  Fixed in upstream in cifs-utils 7.2 by:

  commit af76bf2a11a060afdfd97104617a701d19d5890d
  From: Bharath SM <bharathsm@xxxxxxxxxxxxx>
  Date: Tue, 26 Nov 2024 22:57:44 +0530
  Subject: cifs-utils: Skip TGT check if valid service ticket is already available
  Link: https://git.samba.org/?p=cifs-utils.git;a=commit;h=af76bf2a11a060afdfd97104617a701d19d5890d

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/cifs-utils/+bug/2099917/+subscriptions