
debcrafters-packages team mailing list archive

[Bug 2112614] Re: Regression: After CVE-2025-2312 cifs.upcall can't find credential caches from user env

 

Performing verification for oracular:

We are going to perform a series of mounts and check if they work with a 
patched vs unpatched kernel, and make sure all mounts work.

We will start with an unpatched kernel:

$ uname -rv
6.11.0-26-generic #26-Ubuntu SMP PREEMPT_DYNAMIC Sat Apr 12 11:25:41 UTC 2025

I installed cifs-utils 2:7.0-2.1ubuntu0.1 from -updates.

Let's try a standard uid 1000 user:

ubuntu@oracular-dc:~$ kinit Administrator@xxxxxxxxxxxxxxxxxxxx
Password for Administrator@xxxxxxxxxxxxxxxxxxxx: 
Warning: Your password will expire in 38 days on Fri Jul 25 01:30:38 2025
ubuntu@oracular-dc:~$ klist
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: Administrator@xxxxxxxxxxxxxxxxxxxx

Valid starting     Expires            Service principal
06/16/25 04:01:56  06/16/25 14:01:56  krbtgt/SAMBA-DC.EXAMPLE.COM@xxxxxxxxxxxxxxxxxxxx
	renew until 06/17/25 04:01:53
ubuntu@oracular-dc:~$ sudo mount -t cifs -o cruid=ubuntu,user=ubuntu,sec=krb5i,uid=1000,gid=1000,cred=/tmp/krb5cc_1000 //samba-dc.example.com/demo /mnt/testshare1
ubuntu@oracular-dc:~$ mount -l | grep cifs
//samba-dc.example.com/demo on /mnt/testshare1 type cifs (rw,relatime,vers=3.1.1,sec=krb5i,cruid=1000,cache=strict,username=ubuntu,uid=1000,forceuid,gid=1000,forcegid,addr=192.168.122.229,file_mode=0755,dir_mode=0755,soft,nounix,serverino,mapposix,reparse=nfs,rsize=4194304,wsize=4194304,bsize=1048576,retrans=1,echo_interval=60,actimeo=1,closetimeo=1)
$ journalctl -b0
kernel: CIFS: enabling forceuid mount option implicitly because uid= option is specified
kernel: CIFS: enabling forcegid mount option implicitly because gid= option is specified
kernel: CIFS: Attempting to mount //samba-dc.example.com/demo
cifs.upcall[1702]: key description: cifs.spnego;0;0;39010000;ver=0x2;host=samba-dc.example.com;ip4=192.168.122.229;sec=krb5;uid=0x3e8;creduid=0x3e8;user=ubuntu;pid=0x688
cifs.upcall[1703]: ver=2
cifs.upcall[1703]: host=samba-dc.example.com
cifs.upcall[1703]: ip=192.168.122.229
cifs.upcall[1703]: sec=1
cifs.upcall[1703]: uid=1000
cifs.upcall[1703]: creduid=1000
cifs.upcall[1703]: user=ubuntu
cifs.upcall[1703]: pid=1672
cifs.upcall[1702]: upcall_target=app, switching namespaces to application thread
cifs.upcall[1702]: get_cachename_from_process_env: pid == 0
cifs.upcall[1702]: get_existing_cc: default ccache is FILE:/tmp/krb5cc_1000
cifs.upcall[1702]: handle_krb5_mech: getting service ticket for samba-dc.example.com
cifs.upcall[1702]: handle_krb5_mech: using native krb5
cifs.upcall[1702]: handle_krb5_mech: obtained service ticket
cifs.upcall[1702]: Exit status 0
ubuntu@oracular-dc:~$ sudo umount /mnt/testshare1 

Let's try as a different uid user, e.g. like AD user:

ubuntu@oracular-dc:~$ mv /tmp/krb5cc_1000 /tmp/krb5cc_11200
ubuntu@oracular-dc:~$ export KRB5CCNAME=/tmp/krb5cc_11200
ubuntu@oracular-dc:~$ klist /tmp/krb5cc_11200
Ticket cache: FILE:/tmp/krb5cc_11200
Default principal: Administrator@xxxxxxxxxxxxxxxxxxxx

Valid starting     Expires            Service principal
06/16/25 04:01:56  06/16/25 14:01:56  krbtgt/SAMBA-DC.EXAMPLE.COM@xxxxxxxxxxxxxxxxxxxx
	renew until 06/17/25 04:01:53
06/16/25 04:02:05  06/16/25 14:01:56  cifs/samba-dc.example.com@
	renew until 06/17/25 04:01:53
	Ticket server: cifs/samba-dc.example.com@xxxxxxxxxxxxxxxxxxxx
ubuntu@oracular-dc:~$ sudo mount -t cifs -o sec=krb5i //samba-dc.example.com/demo /mnt/testshare1
mount error(126): Required key not available
Refer to the mount.cifs(8) manual page (e.g. man mount.cifs) and kernel log messages (dmesg)
ubuntu@oracular-dc:~$ mount -l | grep cifs
$ journalctl -b0
kernel: CIFS: Attempting to mount //samba-dc.example.com/demo
cifs.upcall[1739]: key description: cifs.spnego;0;0;39010000;ver=0x2;host=samba-dc.example.com;ip4=192.168.122.229;sec=krb5;uid=0x0;creduid=0x3e8;user=root;pid=0x6be
cifs.upcall[1740]: ver=2
cifs.upcall[1740]: host=samba-dc.example.com
cifs.upcall[1740]: ip=192.168.122.229
cifs.upcall[1740]: sec=1
cifs.upcall[1740]: uid=0
cifs.upcall[1740]: creduid=1000
cifs.upcall[1740]: user=root
cifs.upcall[1740]: pid=1726
cifs.upcall[1739]: upcall_target=app, switching namespaces to application thread
cifs.upcall[1739]: get_cachename_from_process_env: pid == 0
cifs.upcall[1739]: get_existing_cc: default ccache is FILE:/tmp/krb5cc_1000
cifs.upcall[1739]: check_service_ticket_exists: unable to get client principal from cache: No credentials cache found (filename: /tmp/krb5cc_1000)
cifs.upcall[1739]: get_tgt_time: unable to get principal
cifs.upcall[1739]: main: valid TGT is not present in credential cache
cifs.upcall[1739]: krb5_get_init_creds_keytab: -1765328378
cifs.upcall[1739]: handle_krb5_mech: getting service ticket for samba-dc.example.com
cifs.upcall[1739]: handle_krb5_mech: using GSS-API
cifs.upcall[1739]: GSS-API error init_sec_context: No credentials were supplied, or the credentials were unavailable or inaccessible
cifs.upcall[1739]: GSS-API error init_sec_context: No Kerberos credentials available (default cache: FILE:/tmp/krb5cc_1000)
cifs.upcall[1739]: handle_krb5_mech: failed to obtain service ticket via GSS (458752)
cifs.upcall[1739]: Unable to obtain service ticket
cifs.upcall[1739]: Exit status 458752
kernel: CIFS: VFS: Verify user has a krb5 ticket and keyutils is installed
kernel: CIFS: VFS: \\samba-dc.example.com Send error in SessSetup = -126
kernel: CIFS: VFS: cifs_mount failed w/return code = -126

We fail, due to only searching root's env, reproducing the issue.

Let's try as root user:

ubuntu@oracular-dc:~$ kdestroy
ubuntu@oracular-dc:~$ unset KRB5CCNAME 
ubuntu@oracular-dc:~$ sudo -s
root@oracular-dc:/home/ubuntu# kinit Administrator@xxxxxxxxxxxxxxxxxxxx
Password for Administrator@xxxxxxxxxxxxxxxxxxxx: 
Warning: Your password will expire in 38 days on Fri Jul 25 01:30:38 2025
root@oracular-dc:/home/ubuntu# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: Administrator@xxxxxxxxxxxxxxxxxxxx

Valid starting     Expires            Service principal
06/16/25 04:06:23  06/16/25 14:06:23  krbtgt/SAMBA-DC.EXAMPLE.COM@xxxxxxxxxxxxxxxxxxxx
	renew until 06/17/25 04:06:21
root@oracular-dc:/home/ubuntu# mount -t cifs -o cruid=root,user=root,sec=krb5i,uid=0,gid=0,cred=/tmp/krb5cc_0 //samba-dc.example.com/demo /mnt/testshare1
root@oracular-dc:/home/ubuntu# mount -l | grep cifs
//samba-dc.example.com/demo on /mnt/testshare1 type cifs (rw,relatime,vers=3.1.1,sec=krb5i,cruid=0,cache=strict,username=root,uid=0,forceuid,gid=0,forcegid,addr=192.168.122.229,file_mode=0755,dir_mode=0755,soft,nounix,serverino,mapposix,reparse=nfs,rsize=4194304,wsize=4194304,bsize=1048576,retrans=1,echo_interval=60,actimeo=1,closetimeo=1)
$ journalctl -b0
kernel: CIFS: enabling forceuid mount option implicitly because uid= option is specified
kernel: CIFS: enabling forcegid mount option implicitly because gid= option is specified
kernel: CIFS: Attempting to mount //samba-dc.example.com/demo
cifs.upcall[1767]: key description: cifs.spnego;0;0;39010000;ver=0x2;host=samba-dc.example.com;ip4=192.168.122.229;sec=krb5;uid=0x0;creduid=0x0;user=root;pid=0x6e1
cifs.upcall[1768]: ver=2
cifs.upcall[1768]: host=samba-dc.example.com
cifs.upcall[1768]: ip=192.168.122.229
cifs.upcall[1768]: sec=1
cifs.upcall[1768]: uid=0
cifs.upcall[1768]: creduid=0
cifs.upcall[1768]: user=root
cifs.upcall[1768]: pid=1761
cifs.upcall[1767]: upcall_target=app, switching namespaces to application thread
cifs.upcall[1767]: get_cachename_from_process_env: pid == 0
cifs.upcall[1767]: get_existing_cc: default ccache is FILE:/tmp/krb5cc_0
cifs.upcall[1767]: handle_krb5_mech: getting service ticket for samba-dc.example.com
cifs.upcall[1767]: handle_krb5_mech: using native krb5
cifs.upcall[1767]: handle_krb5_mech: obtained service ticket
cifs.upcall[1767]: Exit status 0

I then enabled -security-proposed from the following ppa:

https://launchpad.net/~ubuntu-security-proposed/+archive/ubuntu/ppa/+packages?field.name_filter=cifs-utils&field.status_filter=published&field.series_filter=

I then installed cifs-utils 2:7.0-2.1ubuntu0.2

Let's try a standard uid 1000 user:

ubuntu@oracular-dc:~$ kinit Administrator@xxxxxxxxxxxxxxxxxxxx
Password for Administrator@xxxxxxxxxxxxxxxxxxxx: 
Warning: Your password will expire in 38 days on Fri Jul 25 01:30:38 2025
ubuntu@oracular-dc:~$ klist
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: Administrator@xxxxxxxxxxxxxxxxxxxx

Valid starting     Expires            Service principal
06/16/25 04:09:12  06/16/25 14:09:12  krbtgt/SAMBA-DC.EXAMPLE.COM@xxxxxxxxxxxxxxxxxxxx
	renew until 06/17/25 04:09:10
ubuntu@oracular-dc:~$ sudo mount -t cifs -o cruid=ubuntu,user=ubuntu,sec=krb5i,uid=1000,gid=1000,cred=/tmp/krb5cc_1000 //samba-dc.example.com/demo /mnt/testshare1
ubuntu@oracular-dc:~$ mount -l | grep cifs
//samba-dc.example.com/demo on /mnt/testshare1 type cifs (rw,relatime,vers=3.1.1,sec=krb5i,cruid=1000,cache=strict,username=ubuntu,uid=1000,forceuid,gid=1000,forcegid,addr=192.168.122.229,file_mode=0755,dir_mode=0755,soft,nounix,serverino,mapposix,reparse=nfs,rsize=4194304,wsize=4194304,bsize=1048576,retrans=1,echo_interval=60,actimeo=1,closetimeo=1)
$ journalctl -b0
kernel: CIFS: enabling forceuid mount option implicitly because uid= option is specified
kernel: CIFS: enabling forcegid mount option implicitly because gid= option is specified
kernel: CIFS: Attempting to mount //samba-dc.example.com/demo
cifs.upcall[1939]: key description: cifs.spnego;0;0;39010000;ver=0x2;host=samba-dc.example.com;ip4=192.168.122.229;sec=krb5;uid=0x3e8;creduid=0x3e8;user=ubuntu;pid=0x78d
cifs.upcall[1940]: ver=2
cifs.upcall[1940]: host=samba-dc.example.com
cifs.upcall[1940]: ip=192.168.122.229
cifs.upcall[1940]: sec=1
cifs.upcall[1940]: uid=1000
cifs.upcall[1940]: creduid=1000
cifs.upcall[1940]: user=ubuntu
cifs.upcall[1940]: pid=1933
cifs.upcall[1939]: upcall_target=app, switching namespaces to application thread
cifs.upcall[1939]: get_cachename_from_process_env: pathname=/proc/1933/environ
cifs.upcall[1939]: get_existing_cc: default ccache is FILE:/tmp/krb5cc_1000
cifs.upcall[1939]: handle_krb5_mech: getting service ticket for samba-dc.example.com
cifs.upcall[1939]: handle_krb5_mech: using native krb5
cifs.upcall[1939]: handle_krb5_mech: obtained service ticket
cifs.upcall[1939]: Exit status 0
ubuntu@oracular-dc:~$ sudo umount /mnt/testshare1 

Let's try as a different uid user, e.g. like AD user:

ubuntu@oracular-dc:~$ export KRB5CCNAME=/tmp/krb5cc_11200
ubuntu@oracular-dc:~$ mv /tmp/krb5cc_1000 /tmp/krb5cc_11200
ubuntu@oracular-dc:~$ klist /tmp/krb5cc_11200
Ticket cache: FILE:/tmp/krb5cc_11200
Default principal: Administrator@xxxxxxxxxxxxxxxxxxxx

Valid starting     Expires            Service principal
06/16/25 04:09:12  06/16/25 14:09:12  krbtgt/SAMBA-DC.EXAMPLE.COM@xxxxxxxxxxxxxxxxxxxx
	renew until 06/17/25 04:09:10
06/16/25 04:09:19  06/16/25 14:09:12  cifs/samba-dc.example.com@
	renew until 06/17/25 04:09:10
	Ticket server: cifs/samba-dc.example.com@xxxxxxxxxxxxxxxxxxxx
ubuntu@oracular-dc:~$ sudo mount -t cifs -o sec=krb5i //samba-dc.example.com/demo /mnt/testshare1
ubuntu@oracular-dc:~$  mount -l | grep cifs
//samba-dc.example.com/demo on /mnt/testshare1 type cifs (rw,relatime,vers=3.1.1,sec=krb5i,cruid=0,cache=strict,username=root,uid=0,noforceuid,gid=0,noforcegid,addr=192.168.122.229,file_mode=0755,dir_mode=0755,soft,nounix,serverino,mapposix,reparse=nfs,rsize=4194304,wsize=4194304,bsize=1048576,retrans=1,echo_interval=60,actimeo=1,closetimeo=1)
$ journalctl -b0
kernel: CIFS: Attempting to mount //samba-dc.example.com/demo
cifs.upcall[1969]: key description: cifs.spnego;0;0;39010000;ver=0x2;host=samba-dc.example.com;ip4=192.168.122.229;sec=krb5;uid=0x0;creduid=0x0;user=root;pid=0x7ab
cifs.upcall[1970]: ver=2
cifs.upcall[1970]: host=samba-dc.example.com
cifs.upcall[1970]: ip=192.168.122.229
cifs.upcall[1970]: sec=1
cifs.upcall[1970]: uid=0
cifs.upcall[1970]: creduid=0
cifs.upcall[1970]: user=root
cifs.upcall[1970]: pid=1963
cifs.upcall[1969]: upcall_target=app, switching namespaces to application thread
cifs.upcall[1969]: get_cachename_from_process_env: pid == 0
cifs.upcall[1969]: get_existing_cc: default ccache is FILE:/tmp/krb5cc_0
cifs.upcall[1969]: main: valid service ticket exists in credential cache
cifs.upcall[1969]: handle_krb5_mech: getting service ticket for samba-dc.example.com
cifs.upcall[1969]: handle_krb5_mech: using native krb5
cifs.upcall[1969]: handle_krb5_mech: obtained service ticket
cifs.upcall[1969]: Exit status 0

The mount now works correctly, and the regression is fixed.

Let's try as root user:

ubuntu@oracular-dc:~$ unset KRB5CCNAME 
ubuntu@oracular-dc:~$ kdestroy
kdestroy: No credentials cache found while destroying cache
ubuntu@oracular-dc:~$ sudo -s
root@oracular-dc:/home/ubuntu# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: Administrator@xxxxxxxxxxxxxxxxxxxx

Valid starting     Expires            Service principal
06/16/25 04:06:23  06/16/25 14:06:23  krbtgt/SAMBA-DC.EXAMPLE.COM@xxxxxxxxxxxxxxxxxxxx
	renew until 06/17/25 04:06:21
06/16/25 04:06:31  06/16/25 14:06:23  cifs/samba-dc.example.com@
	renew until 06/17/25 04:06:21
	Ticket server: cifs/samba-dc.example.com@xxxxxxxxxxxxxxxxxxxx
root@oracular-dc:/home/ubuntu# mount -t cifs -o cruid=root,user=root,sec=krb5i,uid=0,gid=0,cred=/tmp/krb5cc_0 //samba-dc.example.com/demo /mnt/testshare1
root@oracular-dc:/home/ubuntu# mount -l | grep cifs
//samba-dc.example.com/demo on /mnt
$ journalctl -b0
kernel: CIFS: enabling forceuid mount option implicitly because uid= option is specified
kernel: CIFS: enabling forcegid mount option implicitly because gid= option is specified
kernel: CIFS: Attempting to mount //samba-dc.example.com/demo
cifs.upcall[1998]: key description: cifs.spnego;0;0;39010000;ver=0x2;host=samba-dc.example.com;ip4=192.168.122.229;sec=krb5;uid=0x0;creduid=0x0;user=root;pid=0x7c8
cifs.upcall[1999]: ver=2
cifs.upcall[1999]: host=samba-dc.example.com
cifs.upcall[1999]: ip=192.168.122.229
cifs.upcall[1999]: sec=1
cifs.upcall[1999]: uid=0
cifs.upcall[1999]: creduid=0
cifs.upcall[1999]: user=root
cifs.upcall[1999]: pid=1992
cifs.upcall[1998]: upcall_target=app, switching namespaces to application thread
cifs.upcall[1998]: get_cachename_from_process_env: pid == 0
cifs.upcall[1998]: get_existing_cc: default ccache is FILE:/tmp/krb5cc_0
cifs.upcall[1998]: main: valid service ticket exists in credential cache
cifs.upcall[1998]: handle_krb5_mech: getting service ticket for samba-dc.example.com
cifs.upcall[1998]: handle_krb5_mech: using native krb5
cifs.upcall[1998]: handle_krb5_mech: obtained service ticket
cifs.upcall[1998]: Exit status 0

Next, we will just do a run with a patched kernel. I enabled -proposed and
installed:

ubuntu@oracular-dc:~$ uname -rv
6.11.0-28-generic #28-Ubuntu SMP PREEMPT_DYNAMIC Mon May 19 14:45:34 UTC 2025

We will keep cifs-utils from -security-proposed installed.

Let's try a standard uid 1000 user:

ubuntu@oracular-dc:~$ kinit Administrator@xxxxxxxxxxxxxxxxxxxx
Password for Administrator@xxxxxxxxxxxxxxxxxxxx: 
Warning: Your password will expire in 38 days on Fri Jul 25 01:30:38 2025
ubuntu@oracular-dc:~$ klist
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: Administrator@xxxxxxxxxxxxxxxxxxxx

Valid starting     Expires            Service principal
06/16/25 04:16:05  06/16/25 14:16:05  krbtgt/SAMBA-DC.EXAMPLE.COM@xxxxxxxxxxxxxxxxxxxx
	renew until 06/17/25 04:16:02
ubuntu@oracular-dc:~$ sudo mount -t cifs -o cruid=ubuntu,user=ubuntu,sec=krb5i,uid=1000,gid=1000,cred=/tmp/krb5cc_1000 //samba-dc.example.com/demo /mnt/testshare1
ubuntu@oracular-dc:~$ mount -l | grep cifs
//samba-dc.example.com/demo on /mnt/testshare1 type cifs (rw,relatime,vers=3.1.1,sec=krb5i,cruid=1000,cache=strict,upcall_target=app,username=ubuntu,uid=1000,forceuid,gid=1000,forcegid,addr=192.168.122.229,file_mode=0755,dir_mode=0755,soft,nounix,serverino,mapposix,reparse=nfs,rsize=4194304,wsize=4194304,bsize=1048576,retrans=1,echo_interval=60,actimeo=1,closetimeo=1)
$ journalctl -b0
kernel: CIFS: enabling forceuid mount option implicitly because uid= option is specified
kernel: CIFS: enabling forcegid mount option implicitly because gid= option is specified
kernel: CIFS: Attempting to mount //samba-dc.example.com/demo
cifs.upcall[1555]: key description: cifs.spnego;0;0;39010000;ver=0x2;host=samba-dc.example.com;ip4=192.168.122.229;sec=krb5;uid=0x3e8;creduid=0x3e8;user=ubuntu;pid=0x5f8;upcall_target=app
cifs.upcall[1556]: ver=2
cifs.upcall[1556]: host=samba-dc.example.com
cifs.upcall[1556]: ip=192.168.122.229
cifs.upcall[1556]: sec=1
cifs.upcall[1556]: uid=1000
cifs.upcall[1556]: creduid=1000
cifs.upcall[1556]: user=ubuntu
cifs.upcall[1556]: pid=1528
cifs.upcall[1556]: upcall_target=app
cifs.upcall[1555]: upcall_target=app, switching namespaces to application thread
cifs.upcall[1555]: get_cachename_from_process_env: pathname=/proc/1528/environ
cifs.upcall[1555]: get_existing_cc: default ccache is FILE:/tmp/krb5cc_1000
cifs.upcall[1555]: handle_krb5_mech: getting service ticket for samba-dc.example.com
cifs.upcall[1555]: handle_krb5_mech: using native krb5
cifs.upcall[1555]: handle_krb5_mech: obtained service ticket
cifs.upcall[1555]: Exit status 0

Let's try as a different uid user, e.g. like AD user:

ubuntu@oracular-dc:~$ export KRB5CCNAME=/tmp/krb5cc_11200
ubuntu@oracular-dc:~$ mv /tmp/krb5cc_1000 /tmp/krb5cc_11200
ubuntu@oracular-dc:~$ klist
Ticket cache: FILE:/tmp/krb5cc_11200
Default principal: Administrator@xxxxxxxxxxxxxxxxxxxx

Valid starting     Expires            Service principal
06/16/25 04:16:05  06/16/25 14:16:05  krbtgt/SAMBA-DC.EXAMPLE.COM@xxxxxxxxxxxxxxxxxxxx
	renew until 06/17/25 04:16:02
06/16/25 04:16:16  06/16/25 14:16:05  cifs/samba-dc.example.com@
	renew until 06/17/25 04:16:02
	Ticket server: cifs/samba-dc.example.com@xxxxxxxxxxxxxxxxxxxx
(reverse-i-search)`mount -t ': sudo ^Cunt -t cifs -o cruid=ubuntu,user=ubuntu,sec=krb5i,uid=1000,gid=1000,cred=/tmp/krb5cc_1000 //samba-dc.example.com/demo /mnt/testshare1
ubuntu@oracular-dc:~$ sudo mount -t cifs -o sec=krb5i //samba-dc.example.com/demo /mnt/testshare1
ubuntu@oracular-dc:~$ mount -l | grep cifs
//samba-dc.example.com/demo on /mnt/testshare1 type cifs (rw,relatime,vers=3.1.1,sec=krb5i,cruid=1000,cache=strict,upcall_target=app,username=root,uid=0,noforceuid,gid=0,noforcegid,addr=192.168.122.229,file_mode=0755,dir_mode=0755,soft,nounix,serverino,mapposix,reparse=nfs,rsize=4194304,wsize=4194304,bsize=1048576,retrans=1,echo_interval=60,actimeo=1,closetimeo=1)
$ journalctl -b0
kernel: CIFS: Attempting to mount //samba-dc.example.com/demo
cifs.upcall[1583]: key description: cifs.spnego;0;0;39010000;ver=0x2;host=samba-dc.example.com;ip4=192.168.122.229;sec=krb5;uid=0x0;creduid=0x3e8;user=root;pid=0x626;upcall_target=app
cifs.upcall[1584]: ver=2
cifs.upcall[1584]: host=samba-dc.example.com
cifs.upcall[1584]: ip=192.168.122.229
cifs.upcall[1584]: sec=1
cifs.upcall[1584]: uid=0
cifs.upcall[1584]: creduid=1000
cifs.upcall[1584]: user=root
cifs.upcall[1584]: pid=1574
cifs.upcall[1584]: upcall_target=app
cifs.upcall[1583]: upcall_target=app, switching namespaces to application thread
cifs.upcall[1583]: get_cachename_from_process_env: pathname=/proc/1574/environ
cifs.upcall[1583]: get_cachename_from_process_env: cachename = /tmp/krb5cc_11200
cifs.upcall[1583]: get_existing_cc: default ccache is FILE:/tmp/krb5cc_11200
cifs.upcall[1583]: main: valid service ticket exists in credential cache
cifs.upcall[1583]: handle_krb5_mech: getting service ticket for samba-dc.example.com
cifs.upcall[1583]: handle_krb5_mech: using native krb5
cifs.upcall[1583]: handle_krb5_mech: obtained service ticket
cifs.upcall[1583]: Exit status 0

Let's try as root user:

root@oracular-dc:/home/ubuntu# kinit Administrator@xxxxxxxxxxxxxxxxxxxx
Password for Administrator@xxxxxxxxxxxxxxxxxxxx: 
Warning: Your password will expire in 38 days on Fri Jul 25 01:30:38 2025
root@oracular-dc:/home/ubuntu# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: Administrator@xxxxxxxxxxxxxxxxxxxx

Valid starting     Expires            Service principal
06/16/25 04:18:38  06/16/25 14:18:38  krbtgt/SAMBA-DC.EXAMPLE.COM@xxxxxxxxxxxxxxxxxxxx
	renew until 06/17/25 04:18:36
root@oracular-dc:/home/ubuntu# mount -t cifs -o cruid=root,user=root,sec=krb5i,uid=0,gid=0,cred=/tmp/krb5cc_0 //samba-dc.example.com/demo /mnt/testshare1
root@oracular-dc:/home/ubuntu# mount -l | grep cifs
//samba-dc.example.com/demo on /mnt/testshare1 type cifs (rw,relatime,vers=3.1.1,sec=krb5i,cruid=0,cache=strict,upcall_target=app,username=root,uid=0,forceuid,gid=0,forcegid,addr=192.168.122.229,file_mode=0755,dir_mode=0755,soft,nounix,serverino,mapposix,reparse=nfs,rsize=4194304,wsize=4194304,bsize=1048576,retrans=1,echo_interval=60,actimeo=1,closetimeo=1)
$ journalctl -b0
kernel: CIFS: enabling forceuid mount option implicitly because uid= option is specified
kernel: CIFS: enabling forcegid mount option implicitly because gid= option is specified
kernel: CIFS: Attempting to mount //samba-dc.example.com/demo
cifs.upcall[1613]: key description: cifs.spnego;0;0;39010000;ver=0x2;host=samba-dc.example.com;ip4=192.168.122.229;sec=krb5;uid=0x0;creduid=0x0;user=root;pid=0x649;upcall_target=app
cifs.upcall[1614]: ver=2
cifs.upcall[1614]: host=samba-dc.example.com
cifs.upcall[1614]: ip=192.168.122.229
cifs.upcall[1614]: sec=1
cifs.upcall[1614]: uid=0
cifs.upcall[1614]: creduid=0
cifs.upcall[1614]: user=root
cifs.upcall[1614]: pid=1609
cifs.upcall[1614]: upcall_target=app
cifs.upcall[1613]: upcall_target=app, switching namespaces to application thread
cifs.upcall[1613]: get_cachename_from_process_env: pid == 0
cifs.upcall[1613]: get_existing_cc: default ccache is FILE:/tmp/krb5cc_0
cifs.upcall[1613]: handle_krb5_mech: getting service ticket for samba-dc.example.com
cifs.upcall[1613]: handle_krb5_mech: using native krb5
cifs.upcall[1613]: handle_krb5_mech: obtained service ticket
cifs.upcall[1613]: Exit status 0

Everything still mounts okay with the cifs-utils package in
-security-proposed.

Happy to mark verified for oracular.

** Tags added: verification-done-oracular

-- 
You received this bug notification because you are a member of
Debcrafters packages, which is subscribed to cifs-utils in Ubuntu.
https://bugs.launchpad.net/bugs/2112614

Title:
  Regression: After CVE-2025-2312 cifs.upcall can't find credential
  caches from user env

Status in cifs-utils package in Ubuntu:
  Fix Released
Status in cifs-utils source package in Focal:
  Fix Committed
Status in cifs-utils source package in Jammy:
  Fix Committed
Status in cifs-utils source package in Noble:
  Fix Committed
Status in cifs-utils source package in Oracular:
  Fix Committed
Status in cifs-utils source package in Plucky:
  Fix Committed
Status in cifs-utils source package in Questing:
  Fix Released

Bug description:
  [Impact]

  Unfortunately, the release of CVE-2025-2312 caused a minor regression for some
  users of cifs-utils, particularly those with AD users mounting shares from
  non-standard UID numbers that aren't the default 0 or 1000.

  Trying to mount a share with credentials in environment variables like
  $KRB5CCNAME gets messages like:

  $ echo $KRB5CCNAME
  /tmp/krb5cc_11200
  $ sudo mount -t cifs -o sec=krb5i //samba-dc.example.com/demo /mnt/testshare1
  mount error(126): Required key not available
  Refer to the mount.cifs(8) manual page (e.g. man mount.cifs) and kernel log messages (dmesg)

  Affected packages:

  questing: 2:7.3-1
  plucky: 2:7.2-2
  oracular: 2:7.0-2.1ubuntu0.1
  noble: 2:7.0-2ubuntu0.1
  jammy: 2:6.14-1ubuntu0.2
  focal: 2:6.9-1ubuntu0.3

  We changed debian/patches/CVE-2025-2312-1.patch:
  @@ -1384,7 +1423,7 @@
           * look at the environ file.
           */
          env_cachename =
  - get_cachename_from_process_env(env_probe ? arg->pid : 0);
  + get_cachename_from_process_env((env_probe && (arg->upcall_target == UPTARGET_APP)) ? arg->pid : 0);

          rc = setuid(uid);
          if (rc == -1) {
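
  Review bot: the condition added on the + line, (arg->upcall_target == UPTARGET_APP), lets the environ file be probed only when the target is explicitly app; every other value falls through to pid 0 and the probe is skipped. Either accept UPTARGET_UNSPECIFIED here as well or normalize upcall_target to UPTARGET_APP before this call, and extend the comment above the call to say which targets are allowed to look at the environ file.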

  Unfortunately, we missed the UPTARGET_UNSPECIFIED option.

  The fix from Henrique Carvalho simply sets upcall_target to be UPTARGET_APP
  if UPTARGET_UNSPECIFIED is the current option.

  This affects users who use the non-patched kernels.

  I'm broken, please get me a fix / Workarounds:
  1) You can install the test packages in the [Testcase] section.
  or
  2) You can enable -proposed and install any of the 5.4.0-218-generic, 5.15.0-142-generic, 6.8.0-62-generic or 6.11.0-28-generic kernels.
  or
  3) You can edit the following files:
  /etc/krb5.conf - Add this to [libdefaults]:
      default_ccache_name = /tmp/krb5cc_%{uid}
  /etc/sssd/sssd.conf - Add this to [domain]
      krb5_ccachedir = /tmp
      krb5_ccname_template = FILE:%d/krb5cc_%{uid}
  Ideally restart sssd so sssd-pam can find the Kerberos credential cache again.
      sudo systemctl restart sssd
  or
  4) you can simply downgrade the package to what is in the release pocket.

  [Testcase]

  Follow the entire testcase of https://bugs.launchpad.net/ubuntu/+source/linux/+bug/2099914
  first.

  $ kinit administrator
  Password for administrator@xxxxxxxxxxxxxxxxxxxx:
  Warning: Your password will expire in 36 days on Sat Jul 12 01:54:39 2025
  $ klist
  Ticket cache: FILE:/tmp/krb5cc_1000
  Default principal: administrator@xxxxxxxxxxxxxxxxxxxx

  Valid starting     Expires            Service principal
  06/05/25 21:44:07  06/06/25 07:44:07  krbtgt/SAMBA-DC.EXAMPLE.COM@xxxxxxxxxxxxxxxxxxxx
   renew until 06/06/25 21:44:04

  $ mv /tmp/krb5cc_1000 /tmp/krb5cc_11200
  $ klist /tmp/krb5cc_11200
  Ticket cache: FILE:/tmp/krb5cc_11200
  Default principal: administrator@xxxxxxxxxxxxxxxxxxxx

  Valid starting     Expires            Service principal
  06/05/25 21:44:07  06/06/25 07:44:07  krbtgt/SAMBA-DC.EXAMPLE.COM@xxxxxxxxxxxxxxxxxxxx
   renew until 06/06/25 21:44:04

  $ export KRB5CCNAME=/tmp/krb5cc_11200
  $ sudo mount -t cifs -o sec=krb5i //samba-dc.example.com/demo /mnt/testshare1
  mount error(126): Required key not available
  Refer to the mount.cifs(8) manual page (e.g. man mount.cifs) and kernel log messages (dmesg)

  $ journalctl -b0
  kernel: CIFS: Attempting to mount //samba-dc.example.com/demo
  cifs.upcall[5177]: key description: cifs.spnego;0;0;39010000;ver=0x2;host=samba-dc.example.com;ip4=192.168.122.248;sec=krb5;uid=0x0;creduid=0x3e8;user=root;pid=0x142c
  cifs.upcall[5178]: ver=2
  cifs.upcall[5178]: host=samba-dc.example.com
  cifs.upcall[5178]: ip=192.168.122.248
  cifs.upcall[5178]: sec=1
  cifs.upcall[5178]: uid=0
  cifs.upcall[5178]: creduid=1000
  cifs.upcall[5178]: user=root
  cifs.upcall[5178]: pid=5164
  cifs.upcall[5177]: upcall_target=app, switching namespaces to application thread
  cifs.upcall[5177]: get_cachename_from_process_env: pid == 0
  cifs.upcall[5177]: get_existing_cc: default ccache is FILE:/tmp/krb5cc_1000
  cifs.upcall[5177]: check_service_ticket_exists: unable to get client principal from cache: No credentials cache found (filename: /tmp/krb5cc_1000)
  cifs.upcall[5177]: get_tgt_time: unable to get principal
  cifs.upcall[5177]: main: valid TGT is not present in credential cache
  cifs.upcall[5177]: krb5_get_init_creds_keytab: -1765328378
  cifs.upcall[5177]: handle_krb5_mech: getting service ticket for samba-dc.example.com
  cifs.upcall[5177]: handle_krb5_mech: using GSS-API
  cifs.upcall[5177]: GSS-API error init_sec_context: No credentials were supplied, or the credentials were unavailable or inaccessible
  cifs.upcall[5177]: GSS-API error init_sec_context: No Kerberos credentials available (default cache: FILE:/tmp/krb5cc_1000)
  cifs.upcall[5177]: handle_krb5_mech: failed to obtain service ticket via GSS (458752)
  cifs.upcall[5177]: Unable to obtain service ticket
  cifs.upcall[5177]: Exit status 458752
  kernel: CIFS: VFS: Verify user has a krb5 ticket and keyutils is installed
  kernel: CIFS: VFS: \\samba-dc.example.com Send error in SessSetup = -126
  kernel: CIFS: VFS: cifs_mount failed w/return code = -126

  If you install the test packages in the following ppa:

  https://launchpad.net/~mruffell/+archive/ubuntu/sf407276-regression-test

  Please note this package is NOT SUPPORTED by Canonical, and is for TESTING
  PURPOSES ONLY. ONLY Install in a dedicated test environment.

  Instructions to Install (On a focal, jammy, noble, oracular, plucky system):
  1) sudo add-apt-repository ppa:mruffell/sf407276-regression-test
  2) sudo apt update
  3) sudo apt install cifs-utils
  4) sudo apt-cache policy cifs-utils | grep Installed
  Check for +sf407276v20250531b1

  The share mounts normally as expected.

  [Where problems can occur]

  This is a part of the fix of CVE-2025-2312, and we need to make sure that we,
  again, test the following scenarios:

  * patched kernel, patched cifs-utils
  * patched kernel, existing cifs-utils
  * existing kernel, patched cifs-utils

  This time, we really need to spend a bit more time on the unpatched kernel
  scenario, because clearly I wasn't thorough enough.

  If a regression were to occur, it could affect mounting of cifs / smb shares and
  users would not be able to access their data.

  Due to the nature of this bug, there is no secret leakage from
  CVE-2025-2312.

  [Other info]

  This regression was caused in:
  https://bugs.launchpad.net/ubuntu/+source/linux/+bug/2099914

  This has been fixed upstream in cifs-utils 7.4 by:

  commit f4fd27cf60d6431d83ea18b4962aef845f9312bd
  Author: Henrique Carvalho <henrique.carvalho@xxxxxxxx>
  Date: Fri May 30 12:28:14 2025 -0300
  Subject: cifs.upcall: correctly treat UPTARGET_UNSPECIFIED as UPTARGET_APP
  Link: https://git.samba.org/?p=cifs-utils.git;a=commit;h=f4fd27cf60d6431d83ea18b4962aef845f9312bd

  Mailing list link:
  https://lore.kernel.org/linux-cifs/20250530152814.1592508-1-henrique.carvalho@xxxxxxxx/T/

  Note, there is an additional regression caused by:
  https://bugs.launchpad.net/ubuntu/+source/cifs-utils/+bug/2099917
  that is getting fixed in:
  https://bugs.launchpad.net/ubuntu/+source/cifs-utils/+bug/2113906

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/cifs-utils/+bug/2112614/+subscriptions
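
Added example (not part of the original report or of cifs-utils): a Python triage script for the cifs.upcall journal lines quoted above, which flags a failed mount where the key description carries no upcall_target field and the process environ was never probed. The sample logs are trimmed from the report, and the function names and verdict labels are this example's own assumptions.

```python
import re

# Constructed samples, trimmed from the journal output quoted in the report.
FAILING = """\
kernel: CIFS: Attempting to mount //samba-dc.example.com/demo
cifs.upcall[1739]: key description: cifs.spnego;0;0;39010000;ver=0x2;host=samba-dc.example.com;ip4=192.168.122.229;sec=krb5;uid=0x0;creduid=0x3e8;user=root;pid=0x6be
cifs.upcall[1739]: get_cachename_from_process_env: pid == 0
cifs.upcall[1739]: get_existing_cc: default ccache is FILE:/tmp/krb5cc_1000
cifs.upcall[1739]: Exit status 458752
kernel: CIFS: VFS: cifs_mount failed w/return code = -126
"""

WORKING = """\
kernel: CIFS: Attempting to mount //samba-dc.example.com/demo
cifs.upcall[1583]: key description: cifs.spnego;0;0;39010000;ver=0x2;host=samba-dc.example.com;ip4=192.168.122.229;sec=krb5;uid=0x0;creduid=0x3e8;user=root;pid=0x626;upcall_target=app
cifs.upcall[1583]: get_cachename_from_process_env: pathname=/proc/1574/environ
cifs.upcall[1583]: get_cachename_from_process_env: cachename = /tmp/krb5cc_11200
cifs.upcall[1583]: get_existing_cc: default ccache is FILE:/tmp/krb5cc_11200
cifs.upcall[1583]: Exit status 0
"""

ATTEMPT = "kernel: CIFS: Attempting to mount"
PATTERNS = {
    "env_path": re.compile(r"get_cachename_from_process_env: pathname=(\S+)"),
    "env_cachename": re.compile(r"get_cachename_from_process_env: cachename = (\S+)"),
    "default_ccache": re.compile(r"get_existing_cc: default ccache is (\S+)"),
    "exit_status": re.compile(r"Exit status (\d+)"),
}


def split_attempts(journal_text):
    """Group journal lines into one list per mount attempt."""
    attempts = []
    for line in journal_text.splitlines():
        if ATTEMPT in line:
            attempts.append([])
        if attempts:  # ignore anything logged before the first attempt
            attempts[-1].append(line.strip())
    return attempts


def parse_key_description(line):
    """Return the key=value fields of a cifs.spnego key description."""
    payload = line.split("key description:", 1)[1].strip()
    fields = dict(f.split("=", 1) for f in payload.split(";") if "=" in f)
    for name in ("uid", "creduid", "pid"):
        if name in fields:
            fields[name] = int(fields[name], 16)  # the kernel logs these in hex
    return fields


def summarize(lines):
    """Collect the facts needed to diagnose one mount attempt."""
    info = {"key": {}, "env_path": None, "env_cachename": None,
            "default_ccache": None, "exit_status": None}
    for line in lines:
        if "key description:" in line:
            info["key"] = parse_key_description(line)
        for name, pattern in PATTERNS.items():
            match = pattern.search(line)
            if match:
                info[name] = match.group(1)
    if info["exit_status"] is not None:
        info["exit_status"] = int(info["exit_status"])
    return info


def classify(info):
    """Heuristic verdict (labels are this example's own, not cifs-utils output)."""
    if info["exit_status"] is None:
        return "incomplete"  # log cut off before cifs.upcall exited
    if info["exit_status"] == 0:
        return "ok"
    # Failure + no upcall_target from the kernel + environ never read:
    # the combination shown in the failing mount of this report.
    if "upcall_target" not in info["key"] and info["env_path"] is None:
        return "environ-not-probed"
    return "failed-other"


if __name__ == "__main__":
    for text in (FAILING, WORKING):
        for attempt in split_attempts(text):
            info = summarize(attempt)
            print(classify(info), info["key"].get("creduid"), info["default_ccache"])
```

Feed it the text of `journalctl -b0` from the affected host; each mount attempt is classified separately.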


