debcrafters-packages team mailing list archive

[Bug 2112614] [NEW] Regression: After CVE-2025-2312 cifs.upcall can't find credential caches from user env

 

Public bug reported:

[Impact]

Unfortunately, the release of CVE-2025-2312 caused a minor regression for some
users of cifs-utils, particularly those with AD users mounting shares from
non-standard UID numbers that aren't the default 0 or 1000.

Trying to mount a share with credentials in environment variables like
$KRB5CCNAME gets messages like:

$ echo $KRB5CCNAME
/tmp/krb5cc_11200
$ sudo mount -t cifs -o sec=krb5i //samba-dc.example.com/demo /mnt/testshare1
mount error(126): Required key not available
Refer to the mount.cifs(8) manual page (e.g. man mount.cifs) and kernel log messages (dmesg)

Affected packages:

questing: 2:7.3-1
plucky: 2:7.2-2
oracular: 2:7.0-2.1ubuntu0.1
noble: 2:7.0-2ubuntu0.1
jammy: 2:6.14-1ubuntu0.2
focal: 2:6.9-1ubuntu0.3

We changed debian/patches/CVE-2025-2312-1.patch:
@@ -1384,7 +1423,7 @@
         * look at the environ file.
         */
        env_cachename =
- get_cachename_from_process_env(env_probe ? arg->pid : 0);
+ get_cachename_from_process_env((env_probe && (arg->upcall_target == UPTARGET_APP)) ? arg->pid : 0);

        rc = setuid(uid);
        if (rc == -1) {
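Review bot: on the `+` line, the test `arg->upcall_target == UPTARGET_APP` makes every other upcall_target value fall through to `0`, so get_cachename_from_process_env() is called with pid 0 and the caller's environ is never read. If the target can be left unset (the report names UPTARGET_UNSPECIFIED), that case needs to be listed explicitly in this condition, and the comment above the call should say which targets are allowed to probe the environment and why.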

Unfortunately, we missed the UPTARGET_UNSPECIFIED option.

The fix should have been:
+		get_cachename_from_process_env((env_probe && (arg->upcall_target == UPTARGET_APP || arg->upcall_target == UPTARGET_UNSPECIFIED)) ? arg->pid : 0);

This affects users who use the non-patched kernels.

I'm broken, please get me a fix / Workarounds:
1) You can install the test packages in the [Testcase] section.
or
2) You can enable -proposed and install any of the 5.4.0-218-generic, 5.15.0-142-generic, 6.8.0-62-generic or 6.11.0-28-generic kernels.
or
3) You can edit the following files:
/etc/krb5.conf - Add this to [libdefaults]:
    default_ccache_name = /tmp/krb5cc_%{uid}
/etc/sssd/sssd.conf - Add this to [domain]
    krb5_ccachedir = /tmp
    krb5_ccname_template = FILE:%d/krb5cc_%{uid}
Ideally restart sssd so sssd-pam can find the Kerberos credential cache again.
    sudo systemctl restart sssd

[Testcase]

Follow the entire testcase of https://bugs.launchpad.net/ubuntu/+source/linux/+bug/2099914
first.

$ kinit administrator
Password for administrator@xxxxxxxxxxxxxxxxxxxx:
Warning: Your password will expire in 36 days on Sat Jul 12 01:54:39 2025
$ klist
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: administrator@xxxxxxxxxxxxxxxxxxxx

Valid starting     Expires            Service principal
06/05/25 21:44:07  06/06/25 07:44:07  krbtgt/SAMBA-DC.EXAMPLE.COM@xxxxxxxxxxxxxxxxxxxx
 renew until 06/06/25 21:44:04

$ mv /tmp/krb5cc_1000 /tmp/krb5cc_11200
$ klist /tmp/krb5cc_11200
Ticket cache: FILE:/tmp/krb5cc_11200
Default principal: administrator@xxxxxxxxxxxxxxxxxxxx

Valid starting     Expires            Service principal
06/05/25 21:44:07  06/06/25 07:44:07  krbtgt/SAMBA-DC.EXAMPLE.COM@xxxxxxxxxxxxxxxxxxxx
 renew until 06/06/25 21:44:04

$ export KRB5CCNAME=/tmp/krb5cc_11200
$ sudo mount -t cifs -o sec=krb5i //samba-dc.example.com/demo /mnt/testshare1
mount error(126): Required key not available
Refer to the mount.cifs(8) manual page (e.g. man mount.cifs) and kernel log messages (dmesg)

$ journalctl -b0
kernel: CIFS: Attempting to mount //samba-dc.example.com/demo
cifs.upcall[5177]: key description: cifs.spnego;0;0;39010000;ver=0x2;host=samba-dc.example.com;ip4=192.168.122.248;sec=krb5;uid=0x0;creduid=0x3e8;user=root;pid=0x142c
cifs.upcall[5178]: ver=2
cifs.upcall[5178]: host=samba-dc.example.com
cifs.upcall[5178]: ip=192.168.122.248
cifs.upcall[5178]: sec=1
cifs.upcall[5178]: uid=0
cifs.upcall[5178]: creduid=1000
cifs.upcall[5178]: user=root
cifs.upcall[5178]: pid=5164
cifs.upcall[5177]: upcall_target=app, switching namespaces to application thread
cifs.upcall[5177]: get_cachename_from_process_env: pid == 0
cifs.upcall[5177]: get_existing_cc: default ccache is FILE:/tmp/krb5cc_1000
cifs.upcall[5177]: check_service_ticket_exists: unable to get client principal from cache: No credentials cache found (filename: /tmp/krb5cc_1000)
cifs.upcall[5177]: get_tgt_time: unable to get principal
cifs.upcall[5177]: main: valid TGT is not present in credential cache
cifs.upcall[5177]: krb5_get_init_creds_keytab: -1765328378
cifs.upcall[5177]: handle_krb5_mech: getting service ticket for samba-dc.example.com
cifs.upcall[5177]: handle_krb5_mech: using GSS-API
cifs.upcall[5177]: GSS-API error init_sec_context: No credentials were supplied, or the credentials were unavailable or inaccessible
cifs.upcall[5177]: GSS-API error init_sec_context: No Kerberos credentials available (default cache: FILE:/tmp/krb5cc_1000)
cifs.upcall[5177]: handle_krb5_mech: failed to obtain service ticket via GSS (458752)
cifs.upcall[5177]: Unable to obtain service ticket
cifs.upcall[5177]: Exit status 458752
kernel: CIFS: VFS: Verify user has a krb5 ticket and keyutils is installed
kernel: CIFS: VFS: \\samba-dc.example.com Send error in SessSetup = -126
kernel: CIFS: VFS: cifs_mount failed w/return code = -126

If you install the test packages in the following ppa:

https://launchpad.net/~mruffell/+archive/ubuntu/sf407276-regression-test

Please note this package is NOT SUPPORTED by Canonical, and is for TESTING
PURPOSES ONLY. ONLY Install in a dedicated test environment.

Instructions to Install (On a focal, jammy, noble, oracular, plucky system):
1) sudo add-apt-repository ppa:mruffell/sf407276-regression-test
2) sudo apt update
3) sudo apt install cifs-utils
4) sudo apt-cache policy cifs-utils | grep Installed
Check for +sf407276v20250531b1

The share mounts normally as expected.

[Where problems can occur]

This is a part of the fix of CVE-2025-2312, and we need to make sure that we,
again, test the following scenarios:

* patched kernel, patched cifs-utils
* patched kernel, existing cifs-utils
* existing kernel, patched cifs-utils

This time, we really need to spend a bit more time on the unpatched kernel
scenario, because clearly I wasn't thorough enough.

If a regression were to occur, it could affect mounting of cifs / smb shares and
users would not be able to access their data.

Due to the nature of this bug, there is no secret leakage from
CVE-2025-2312.

[Other info]

This regression was caused in:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/2099914
https://bugs.launchpad.net/ubuntu/+source/cifs-utils/+bug/2099917

I have asked cifs-utils maintainers to land the following change in upstream 
cifs-utils as soon as possible:

diff --git a/cifs.upcall.c b/cifs.upcall.c
index 678b140..e23a887 100644
--- a/cifs.upcall.c
+++ b/cifs.upcall.c
@@ -1573,7 +1573,7 @@ int main(const int argc, char *const argv[])
   * look at the environ file.
   */
  env_cachename =
-		get_cachename_from_process_env((env_probe && (arg->upcall_target == UPTARGET_APP)) ? arg->pid : 0);
+		get_cachename_from_process_env((env_probe && (arg->upcall_target == UPTARGET_APP || arg->upcall_target == UPTARGET_UNSPECIFIED)) ? arg->pid : 0);

  rc = setuid(uid);
  if (rc == -1) {
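Review bot: the replacement `+` line packs an `&&`, an `||` and a ternary into a single call argument, which makes it hard to see which upcall_target cases are covered. Consider computing the decision in a named local before the call (for example a flag meaning "environ probe allowed") and extending the comment above `env_cachename =` to explain why UPTARGET_UNSPECIFIED is treated like UPTARGET_APP. It is also worth stating there whether any remaining upcall_target values are meant to keep passing 0.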

Once this lands and we have provenance for the fix, I will make new packages
and get the Security Team to sponsor immediately.

** Affects: cifs-utils (Ubuntu)
     Importance: High
     Assignee: Matthew Ruffell (mruffell)
         Status: In Progress

** Affects: cifs-utils (Ubuntu Focal)
     Importance: High
     Assignee: Matthew Ruffell (mruffell)
         Status: In Progress

** Affects: cifs-utils (Ubuntu Jammy)
     Importance: High
     Assignee: Matthew Ruffell (mruffell)
         Status: In Progress

** Affects: cifs-utils (Ubuntu Noble)
     Importance: High
     Assignee: Matthew Ruffell (mruffell)
         Status: In Progress

** Affects: cifs-utils (Ubuntu Oracular)
     Importance: High
     Assignee: Matthew Ruffell (mruffell)
         Status: In Progress

** Affects: cifs-utils (Ubuntu Plucky)
     Importance: High
     Assignee: Matthew Ruffell (mruffell)
         Status: In Progress

** Affects: cifs-utils (Ubuntu Questing)
     Importance: High
     Assignee: Matthew Ruffell (mruffell)
         Status: In Progress


** Tags: regression-update sts

** Also affects: cifs-utils (Ubuntu Noble)
   Importance: Undecided
       Status: New

** Also affects: cifs-utils (Ubuntu Jammy)
   Importance: Undecided
       Status: New

** Also affects: cifs-utils (Ubuntu Plucky)
   Importance: Undecided
       Status: New

** Also affects: cifs-utils (Ubuntu Focal)
   Importance: Undecided
       Status: New

** Also affects: cifs-utils (Ubuntu Questing)
   Importance: Undecided
       Status: New

** Also affects: cifs-utils (Ubuntu Oracular)
   Importance: Undecided
       Status: New

** Changed in: cifs-utils (Ubuntu Focal)
       Status: New => In Progress

** Changed in: cifs-utils (Ubuntu Jammy)
       Status: New => In Progress

** Changed in: cifs-utils (Ubuntu Noble)
       Status: New => In Progress

** Changed in: cifs-utils (Ubuntu Oracular)
       Status: New => In Progress

** Changed in: cifs-utils (Ubuntu Plucky)
       Status: New => In Progress

** Changed in: cifs-utils (Ubuntu Questing)
       Status: New => In Progress

** Changed in: cifs-utils (Ubuntu Focal)
   Importance: Undecided => High

** Changed in: cifs-utils (Ubuntu Jammy)
   Importance: Undecided => High

** Changed in: cifs-utils (Ubuntu Noble)
   Importance: Undecided => High

** Changed in: cifs-utils (Ubuntu Oracular)
   Importance: Undecided => High

** Changed in: cifs-utils (Ubuntu Plucky)
   Importance: Undecided => High

** Changed in: cifs-utils (Ubuntu Questing)
   Importance: Undecided => High

** Changed in: cifs-utils (Ubuntu Focal)
     Assignee: (unassigned) => Matthew Ruffell (mruffell)

** Changed in: cifs-utils (Ubuntu Jammy)
     Assignee: (unassigned) => Matthew Ruffell (mruffell)

** Changed in: cifs-utils (Ubuntu Noble)
     Assignee: (unassigned) => Matthew Ruffell (mruffell)

** Changed in: cifs-utils (Ubuntu Oracular)
     Assignee: (unassigned) => Matthew Ruffell (mruffell)

** Changed in: cifs-utils (Ubuntu Plucky)
     Assignee: (unassigned) => Matthew Ruffell (mruffell)

** Changed in: cifs-utils (Ubuntu Questing)
     Assignee: (unassigned) => Matthew Ruffell (mruffell)

** Description changed:

  [Impact]
  
  Unfortunately, the release of CVE-2025-2312 caused a minor regression for some
  users of cifs-utils, particularly those with AD users mounting shares from
  non-standard UID numbers that aren't the default 0 or 1000.
  
  Trying to mount a share with credentials in environment variables like
  $KRB5CCNAME gets messages like:
  
  $ echo $KRB5CCNAME
  /tmp/krb5cc_11200
  $ sudo mount -t cifs -o sec=krb5i //samba-dc.example.com/demo /mnt/testshare1
  mount error(126): Required key not available
  Refer to the mount.cifs(8) manual page (e.g. man mount.cifs) and kernel log messages (dmesg)
  
  Affected packages:
  
- questing: 2:7.3-1 
- plucky: 2:7.2-2 
+ questing: 2:7.3-1
+ plucky: 2:7.2-2
  oracular: 2:7.0-2.1ubuntu0.1
  noble: 2:7.0-2ubuntu0.1
  jammy: 2:6.14-1ubuntu0.2
  focal: 2:6.9-1ubuntu0.3
  
  We changed debian/patches/CVE-2025-2312-1.patch:
  @@ -1384,7 +1423,7 @@
-          * look at the environ file.
-          */
-         env_cachename =
+          * look at the environ file.
+          */
+         env_cachename =
  - get_cachename_from_process_env(env_probe ? arg->pid : 0);
  + get_cachename_from_process_env((env_probe && (arg->upcall_target == UPTARGET_APP)) ? arg->pid : 0);
  
-         rc = setuid(uid);
-         if (rc == -1) {
+         rc = setuid(uid);
+         if (rc == -1) {
  
  Unfortunately, we missed the UPTARGET_UNSPECIFIED option.
  
  The fix should have been:
  +		get_cachename_from_process_env((env_probe && (arg->upcall_target == UPTARGET_APP || arg->upcall_target == UPTARGET_UNSPECIFIED)) ? arg->pid : 0);
  
  This affects users who use the non-patched kernels.
  
  I'm broken, please get me a fix / Workarounds:
  1) You can install the test packages in the [Testcase] section.
  or
  2) You can enable -proposed and install any of the 5.4.0-218-generic, 5.15.0-142-generic, 6.8.0-62-generic or 6.11.0-28-generic kernels.
  or
  3) You can edit the following files:
  /etc/krb5.conf - Add this to [libdefaults]:
-     default_ccache_name = /tmp/krb5cc_%{uid}
+     default_ccache_name = /tmp/krb5cc_%{uid}
  /etc/sssd/sssd.conf - Add this to [domain]
-     krb5_ccachedir = /tmp
-     krb5_ccname_template = FILE:%d/krb5cc_%{uid}
+     krb5_ccachedir = /tmp
+     krb5_ccname_template = FILE:%d/krb5cc_%{uid}
  Ideally restart sssd so sssd-pam can find the kerberos crediental cache again.
-     sudo systemctl restart sssd
+     sudo systemctl restart sssd
  
  [Testcase]
  
  Follow the entire testcase of https://bugs.launchpad.net/ubuntu/+source/linux/+bug/2099914
  first.
  
  $ kinit administrator
- Password for administrator@xxxxxxxxxxxxxxxxxxxx: 
+ Password for administrator@xxxxxxxxxxxxxxxxxxxx:
  Warning: Your password will expire in 36 days on Sat Jul 12 01:54:39 2025
  $ klist
  Ticket cache: FILE:/tmp/krb5cc_1000
  Default principal: administrator@xxxxxxxxxxxxxxxxxxxx
  
  Valid starting     Expires            Service principal
  06/05/25 21:44:07  06/06/25 07:44:07  krbtgt/SAMBA-DC.EXAMPLE.COM@xxxxxxxxxxxxxxxxxxxx
- 	renew until 06/06/25 21:44:04
- 	
+  renew until 06/06/25 21:44:04
+ 
  $ mv /tmp/krb5cc_1000 /tmp/krb5cc_11200
- $ klist /tmp/krb5cc_11200 
+ $ klist /tmp/krb5cc_11200
  Ticket cache: FILE:/tmp/krb5cc_11200
  Default principal: administrator@xxxxxxxxxxxxxxxxxxxx
  
  Valid starting     Expires            Service principal
  06/05/25 21:44:07  06/06/25 07:44:07  krbtgt/SAMBA-DC.EXAMPLE.COM@xxxxxxxxxxxxxxxxxxxx
- 	renew until 06/06/25 21:44:04
- 	
+  renew until 06/06/25 21:44:04
+ 
  $ export KRB5CCNAME=/tmp/krb5cc_11200
  $ sudo mount -t cifs -o sec=krb5i //samba-dc.example.com/demo /mnt/testshare1
  mount error(126): Required key not available
  Refer to the mount.cifs(8) manual page (e.g. man mount.cifs) and kernel log messages (dmesg)
  
  $ journalctl -b0
  kernel: CIFS: Attempting to mount //samba-dc.example.com/demo
  cifs.upcall[5177]: key description: cifs.spnego;0;0;39010000;ver=0x2;host=samba-dc.example.com;ip4=192.168.122.248;sec=krb5;uid=0x0;creduid=0x3e8;user=root;pid=0x142c
  cifs.upcall[5178]: ver=2
  cifs.upcall[5178]: host=samba-dc.example.com
  cifs.upcall[5178]: ip=192.168.122.248
  cifs.upcall[5178]: sec=1
  cifs.upcall[5178]: uid=0
  cifs.upcall[5178]: creduid=1000
  cifs.upcall[5178]: user=root
  cifs.upcall[5178]: pid=5164
  cifs.upcall[5177]: upcall_target=app, switching namespaces to application thread
  cifs.upcall[5177]: get_cachename_from_process_env: pid == 0
  cifs.upcall[5177]: get_existing_cc: default ccache is FILE:/tmp/krb5cc_1000
  cifs.upcall[5177]: check_service_ticket_exists: unable to get client principal from cache: No credentials cache found (filename: /tmp/krb5cc_1000)
  cifs.upcall[5177]: get_tgt_time: unable to get principal
  cifs.upcall[5177]: main: valid TGT is not present in credential cache
  cifs.upcall[5177]: krb5_get_init_creds_keytab: -1765328378
  cifs.upcall[5177]: handle_krb5_mech: getting service ticket for samba-dc.example.com
  cifs.upcall[5177]: handle_krb5_mech: using GSS-API
  cifs.upcall[5177]: GSS-API error init_sec_context: No credentials were supplied, or the credentials were unavailable or inaccessible
  cifs.upcall[5177]: GSS-API error init_sec_context: No Kerberos credentials available (default cache: FILE:/tmp/krb5cc_1000)
  cifs.upcall[5177]: handle_krb5_mech: failed to obtain service ticket via GSS (458752)
  cifs.upcall[5177]: Unable to obtain service ticket
  cifs.upcall[5177]: Exit status 458752
  kernel: CIFS: VFS: Verify user has a krb5 ticket and keyutils is installed
  kernel: CIFS: VFS: \\samba-dc.example.com Send error in SessSetup = -126
  kernel: CIFS: VFS: cifs_mount failed w/return code = -126
  
  If you install the test packages in the following ppa:
  
  https://launchpad.net/~mruffell/+archive/ubuntu/sf407276-regression-test
  
  Please note this package is NOT SUPPORTED by Canonical, and is for TESTING
  PURPOSES ONLY. ONLY Install in a dedicated test environment.
  
  Instructions to Install (On a focal, jammy, noble, oracular, plucky system):
  1) sudo add-apt-repository ppa:mruffell/sf407276-regression-test
  2) sudo apt update
  3) sudo apt install cifs-utils
  4) sudo apt-cache policy cifs-utils | grep Installed
  Check for +sf407276v20250531b1
  
  The share mounts normally as expected.
  
  [Where problems can occur]
  
  This is a part of the fix of CVE-2025-2312, and we need to make sure that we
  again, test the following scenarios:
  
  * patched kernel, patched cifs-utils
  * patched kernel, existing cifs-utils
  * existing kernel, patched cifs-utils
  
  This time, we really need to spend a bit more time on the unpatched kernel
  scenario, because clearly I wasn't thorough enough.
  
  If a regression were to occur, it could affect mounting of cifs / smb shares and
  users would not be able to access their data.
  
  Due to the nature of this bug, there is no secret leakage from
  CVE-2025-2312.
  
  [Other info]
  
  This regression was caused in:
  https://bugs.launchpad.net/ubuntu/+source/linux/+bug/2099914
  https://bugs.launchpad.net/ubuntu/+source/cifs-utils/+bug/2099917
  
- I have asked Microsoft to land the following change in upstream cifs-utils as
- soon as possible:
+ I have asked cifs-utils maintainers to land the following change in upstream 
+ cifs-utils as soon as possible:
  
  diff --git a/cifs.upcall.c b/cifs.upcall.c
  index 678b140..e23a887 100644
  --- a/cifs.upcall.c
  +++ b/cifs.upcall.c
  @@ -1573,7 +1573,7 @@ int main(const int argc, char *const argv[])
-  	 * look at the environ file.
-  	 */
-  	env_cachename =
+    * look at the environ file.
+    */
+   env_cachename =
  -		get_cachename_from_process_env((env_probe && (arg->upcall_target == UPTARGET_APP)) ? arg->pid : 0);
  +		get_cachename_from_process_env((env_probe && (arg->upcall_target == UPTARGET_APP || arg->upcall_target == UPTARGET_UNSPECIFIED)) ? arg->pid : 0);
-  
-  	rc = setuid(uid);
-  	if (rc == -1) {
+ 
+   rc = setuid(uid);
+   if (rc == -1) {
  
  Once this lands and we have providence for the fix, I will make new packages
  and get the Security Team to sponsor immediately.

** Tags added: regression-update sts

-- 
You received this bug notification because you are a member of
Debcrafters packages, which is subscribed to cifs-utils in Ubuntu.
https://bugs.launchpad.net/bugs/2112614
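
An added example (not part of the original report and not cifs-utils code): a small Python triage helper that scans journal output for the failure pattern shown in the [Testcase] log, where the environ probe is skipped (`pid == 0`), the default cache is missing and the service ticket cannot be obtained. The function names and the choice of these three lines as a signature are assumptions made for this example; the sample lines are copied from the report's journal excerpt.

```python
import re

# Sample input: a subset of the journal lines quoted in the report above.
SAMPLE_JOURNAL = """\
kernel: CIFS: Attempting to mount //samba-dc.example.com/demo
cifs.upcall[5177]: key description: cifs.spnego;0;0;39010000;ver=0x2;host=samba-dc.example.com;ip4=192.168.122.248;sec=krb5;uid=0x0;creduid=0x3e8;user=root;pid=0x142c
cifs.upcall[5178]: creduid=1000
cifs.upcall[5177]: upcall_target=app, switching namespaces to application thread
cifs.upcall[5177]: get_cachename_from_process_env: pid == 0
cifs.upcall[5177]: get_existing_cc: default ccache is FILE:/tmp/krb5cc_1000
cifs.upcall[5177]: check_service_ticket_exists: unable to get client principal from cache: No credentials cache found (filename: /tmp/krb5cc_1000)
cifs.upcall[5177]: Unable to obtain service ticket
kernel: CIFS: VFS: cifs_mount failed w/return code = -126
"""

LINE_RE = re.compile(r"cifs\.upcall\[(\d+)\]: (.*)")
CCACHE_RE = re.compile(r"get_existing_cc: default ccache is (\S+)")
KEY_PREFIX = "key description: "


def parse_key_description(desc):
    """Split 'cifs.spnego;0;0;...;k=v;...' into a dict, decoding 0x-prefixed ints."""
    fields = {}
    for part in desc.split(";"):
        if "=" not in part:
            continue  # positional fields carry no name
        key, value = part.split("=", 1)
        if value.startswith("0x"):
            try:
                value = int(value, 16)
            except ValueError:
                pass  # keep the raw string if it is not valid hex
        fields[key] = value
    return fields


def triage(journal_text, krb5ccname=None):
    """Return one finding per cifs.upcall PID that shows the failure pattern.

    krb5ccname is the KRB5CCNAME value of the mounting user, if known; it is
    compared with the default cache that cifs.upcall fell back to.
    """
    upcalls = {}
    for raw in journal_text.splitlines():
        m = LINE_RE.search(raw)  # search() tolerates timestamp/host prefixes
        if not m:
            continue
        pid, msg = int(m.group(1)), m.group(2).strip()
        rec = upcalls.setdefault(pid, {
            "key": {}, "env_probe_skipped": False, "default_ccache": None,
            "cache_missing": False, "ticket_failed": False,
        })
        if msg.startswith(KEY_PREFIX):
            rec["key"] = parse_key_description(msg[len(KEY_PREFIX):])
        elif msg == "get_cachename_from_process_env: pid == 0":
            rec["env_probe_skipped"] = True
        elif (c := CCACHE_RE.match(msg)):
            rec["default_ccache"] = c.group(1)
        elif "No credentials cache found" in msg:
            rec["cache_missing"] = True
        elif msg == "Unable to obtain service ticket":
            rec["ticket_failed"] = True

    findings = []
    for pid, rec in upcalls.items():
        # Heuristic (assumption of this example): all three symptoms together.
        if not (rec["env_probe_skipped"] and rec["cache_missing"]
                and rec["ticket_failed"]):
            continue
        default_path = (rec["default_ccache"] or "").removeprefix("FILE:")
        findings.append({
            "upcall_pid": pid,
            "mount_pid": rec["key"].get("pid"),
            "creduid": rec["key"].get("creduid"),
            "default_ccache": rec["default_ccache"],
            "env_ccache_ignored": krb5ccname is not None
            and krb5ccname.removeprefix("FILE:") != default_path,
        })
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_JOURNAL, krb5ccname="/tmp/krb5cc_11200"):
        print(finding)
```

The `pid == 0` line on its own is not conclusive, so the helper reports a finding only when the missing-cache and ticket-failure lines appear for the same cifs.upcall PID.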
