debcrafters-packages team mailing list archive

[Bug 2112614] Re: Regression: After CVE-2025-2312 cifs.upcall can't find credential caches from user env

 

Performing verification for focal:

We are going to perform a series of mounts and check if they work with a 
patched vs unpatched kernel, and make sure all mounts work.

We will start with an unpatched kernel:

ubuntu@focal-dc:~$ uname -rv
5.4.0-216-generic #236-Ubuntu SMP Fri Apr 11 19:53:21 UTC 2025

I installed cifs-utils 2:6.9-1ubuntu0.3 from -updates.

Let's try a standard uid 1000 user:

ubuntu@focal-dc:~$ kinit Administrator@xxxxxxxxxxxxxxxxxxxx
Password for Administrator@xxxxxxxxxxxxxxxxxxxx: 
Warning: Your password will expire in 41 days on Mon Jul 28 02:14:31 2025
ubuntu@focal-dc:~$ klist
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: Administrator@xxxxxxxxxxxxxxxxxxxx

Valid starting     Expires            Service principal
06/16/25 05:04:07  06/16/25 15:04:07  krbtgt/SAMBA-DC.EXAMPLE.COM@xxxxxxxxxxxxxxxxxxxx
	renew until 06/17/25 05:04:04
ubuntu@focal-dc:~$ sudo mount -t cifs -o cruid=ubuntu,user=ubuntu,sec=krb5i,uid=1000,gid=1000,cred=/tmp/krb5cc_1000 //samba-dc.example.com/demo /mnt/testshare1
ubuntu@focal-dc:~$ mount -l | grep cifs
//samba-dc.example.com/demo on /mnt/testshare1 type cifs (rw,relatime,vers=3.1.1,sec=krb5i,cruid=1000,cache=strict,username=ubuntu,uid=1000,forceuid,gid=1000,forcegid,addr=192.168.122.230,file_mode=0755,dir_mode=0755,soft,nounix,serverino,mapposix,rsize=4194304,wsize=4194304,bsize=1048576,echo_interval=60,actimeo=1,user=ubuntu)
$ journalctl -b0
kernel: CIFS: Attempting to mount //samba-dc.example.com/demo
kernel: No dialect specified on mount. Default has changed to a more secure dialect, SMB2.1 or later (e.g. SMB3), from CIFS (SMB1). To use the less secure SMB1 dialect to access old servers which do not support SMB3 (or SMB2.1) specify vers=1.0 on mount.
cifs.upcall[1990]: key description: cifs.spnego;0;0;39010000;ver=0x2;host=samba-dc.example.com;ip4=192.168.122.230;sec=krb5;uid=0x3e8;creduid=0x3e8;user=ubuntu;pid=0x7c0
cifs.upcall[1991]: ver=2
cifs.upcall[1991]: host=samba-dc.example.com
cifs.upcall[1991]: ip=192.168.122.230
cifs.upcall[1991]: sec=1
cifs.upcall[1991]: uid=1000
cifs.upcall[1991]: creduid=1000
cifs.upcall[1991]: user=ubuntu
cifs.upcall[1991]: pid=1984
cifs.upcall[1990]: upcall_target=app, switching namespaces to application thread
cifs.upcall[1990]: get_cachename_from_process_env: pid == 0
cifs.upcall[1990]: get_existing_cc: default ccache is FILE:/tmp/krb5cc_1000
cifs.upcall[1990]: main: valid service ticket exists in credential cache
cifs.upcall[1990]: handle_krb5_mech: getting service ticket for samba-dc.example.com
cifs.upcall[1990]: handle_krb5_mech: obtained service ticket
cifs.upcall[1990]: Exit status 0

I will defer the other UID user for the end.

Let's try as root user:

ubuntu@focal-dc:~$ kdestroy
ubuntu@focal-dc:~$ unset KRB5CCNAME 
ubuntu@focal-dc:~$ sudo -s
root@focal-dc:/home/ubuntu# kinit Administrator@xxxxxxxxxxxxxxxxxxxx
Password for Administrator@xxxxxxxxxxxxxxxxxxxx: 
Warning: Your password will expire in 41 days on Mon Jul 28 02:14:31 2025
root@focal-dc:/home/ubuntu# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: Administrator@xxxxxxxxxxxxxxxxxxxx

Valid starting     Expires            Service principal
06/16/25 05:06:51  06/16/25 15:06:51  krbtgt/SAMBA-DC.EXAMPLE.COM@xxxxxxxxxxxxxxxxxxxx
	renew until 06/17/25 05:06:48
root@focal-dc:/home/ubuntu# mount -t cifs -o cruid=root,user=root,sec=krb5i,uid=0,gid=0,cred=/tmp/krb5cc_0 //samba-dc.example.com/demo /mnt/testshare1
root@focal-dc:/home/ubuntu# mount -l | grep cifs
//samba-dc.example.com/demo on /mnt/testshare1 type cifs (rw,relatime,vers=3.1.1,sec=krb5i,cruid=0,cache=strict,username=root,uid=0,forceuid,gid=0,forcegid,addr=192.168.122.230,file_mode=0755,dir_mode=0755,soft,nounix,serverino,mapposix,rsize=4194304,wsize=4194304,bsize=1048576,echo_interval=60,actimeo=1,user=root)
$ journalctl -b0
kernel: CIFS: Attempting to mount //samba-dc.example.com/demo
kernel: No dialect specified on mount. Default has changed to a more secure dialect, SMB2.1 or later (e.g. SMB3), from CIFS (SMB1). To use the less secure SMB1 dialect to access old servers which do not support SMB3 (or SMB2.1) specify vers=1.0 on mount.
cifs.upcall[2065]: key description: cifs.spnego;0;0;39010000;ver=0x2;host=samba-dc.example.com;ip4=192.168.122.230;sec=krb5;uid=0x0;creduid=0x0;user=root;pid=0x80b
cifs.upcall[2066]: ver=2
cifs.upcall[2066]: host=samba-dc.example.com
cifs.upcall[2066]: ip=192.168.122.230
cifs.upcall[2066]: sec=1
cifs.upcall[2066]: uid=0
cifs.upcall[2066]: creduid=0
cifs.upcall[2066]: user=root
cifs.upcall[2066]: pid=2059
cifs.upcall[2065]: upcall_target=app, switching namespaces to application thread
cifs.upcall[2065]: get_cachename_from_process_env: pid == 0
cifs.upcall[2065]: get_existing_cc: default ccache is FILE:/tmp/krb5cc_0
cifs.upcall[2065]: handle_krb5_mech: getting service ticket for samba-dc.example.com
cifs.upcall[2065]: handle_krb5_mech: obtained service ticket
cifs.upcall[2065]: Exit status 0

I then enabled -security-proposed from the following ppa:

https://launchpad.net/~ubuntu-security-proposed/+archive/ubuntu/ppa/+packages?field.name_filter=cifs-utils&field.status_filter=published&field.series_filter=

I then installed cifs-utils 2:6.9-1ubuntu0.4

Let's try a standard uid 1000 user:

ubuntu@focal-dc:~$ kinit Administrator@xxxxxxxxxxxxxxxxxxxx
Password for Administrator@xxxxxxxxxxxxxxxxxxxx: 
Warning: Your password will expire in 41 days on Mon Jul 28 02:14:31 2025
ubuntu@focal-dc:~$ klist
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: Administrator@xxxxxxxxxxxxxxxxxxxx

Valid starting     Expires            Service principal
06/16/25 05:08:28  06/16/25 15:08:28  krbtgt/SAMBA-DC.EXAMPLE.COM@xxxxxxxxxxxxxxxxxxxx
	renew until 06/17/25 05:08:25
ubuntu@focal-dc:~$ sudo mount -t cifs -o cruid=ubuntu,user=ubuntu,sec=krb5i,uid=1000,gid=1000,cred=/tmp/krb5cc_1000 //samba-dc.example.com/demo /mnt/testshare1
ubuntu@focal-dc:~$ mount -l | grep cifs
//samba-dc.example.com/demo on /mnt/testshare1 type cifs (rw,relatime,vers=3.1.1,sec=krb5i,cruid=1000,cache=strict,username=ubuntu,uid=1000,forceuid,gid=1000,forcegid,addr=192.168.122.230,file_mode=0755,dir_mode=0755,soft,nounix,serverino,mapposix,rsize=4194304,wsize=4194304,bsize=1048576,echo_interval=60,actimeo=1,user=ubuntu)
$ journalctl -b0
focal-dc kernel: CIFS: Attempting to mount //samba-dc.example.com/demo
focal-dc kernel: No dialect specified on mount. Default has changed to a more secure dialect, SMB2.1 or later (e.g. SMB3), from CIFS (SMB1). To use the less secure SMB1 dialect to access old servers which do not support SMB3 (or SMB2.1) specify vers=1.0 on mount.
focal-dc cifs.upcall[2874]: key description: cifs.spnego;0;0;39010000;ver=0x2;host=samba-dc.example.com;ip4=192.168.122.230;sec=krb5;uid=0x3e8;creduid=0x3e8;user=ubuntu;pid=0xb34
focal-dc cifs.upcall[2875]: ver=2
focal-dc cifs.upcall[2875]: host=samba-dc.example.com
focal-dc cifs.upcall[2875]: ip=192.168.122.230
focal-dc cifs.upcall[2875]: sec=1
focal-dc cifs.upcall[2875]: uid=1000
focal-dc cifs.upcall[2875]: creduid=1000
focal-dc cifs.upcall[2875]: user=ubuntu
focal-dc cifs.upcall[2875]: pid=2868
focal-dc cifs.upcall[2874]: upcall_target=app, switching namespaces to application thread
focal-dc cifs.upcall[2874]: get_cachename_from_process_env: pathname=/proc/2868/environ
focal-dc cifs.upcall[2874]: get_existing_cc: default ccache is FILE:/tmp/krb5cc_1000
focal-dc cifs.upcall[2874]: main: valid service ticket exists in credential cache
focal-dc cifs.upcall[2874]: handle_krb5_mech: getting service ticket for samba-dc.example.com
focal-dc cifs.upcall[2874]: handle_krb5_mech: obtained service ticket
focal-dc cifs.upcall[2874]: Exit status 0
ubuntu@focal-dc:~$ sudo umount /mnt/testshare1 

Let's try as root user:

ubuntu@focal-dc:~$ sudo umount /mnt/testshare1 
ubuntu@focal-dc:~$ kdestroy
ubuntu@focal-dc:~$ unset KRB5CCNAME 
ubuntu@focal-dc:~$ sudo -s
root@focal-dc:/home/ubuntu# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: Administrator@xxxxxxxxxxxxxxxxxxxx

Valid starting     Expires            Service principal
06/16/25 05:06:51  06/16/25 15:06:51  krbtgt/SAMBA-DC.EXAMPLE.COM@xxxxxxxxxxxxxxxxxxxx
	renew until 06/17/25 05:06:48
06/16/25 05:07:00  06/16/25 15:06:51  cifs/samba-dc.example.com@
	renew until 06/17/25 05:06:48
06/16/25 05:07:00  06/16/25 15:06:51  cifs/samba-dc.example.com@xxxxxxxxxxxxxxxxxxxx
	renew until 06/17/25 05:06:48
root@focal-dc:/home/ubuntu# mount -t cifs -o cruid=root,user=root,sec=krb5i,uid=0,gid=0,cred=/tmp/krb5cc_0 //samba-dc.example.com/demo /mnt/testshare1
root@focal-dc:/home/ubuntu# mount -l | grep cifs
//samba-dc.example.com/demo on /mnt/testshare1 type cifs (rw,relatime,vers=3.1.1,sec=krb5i,cruid=0,cache=strict,username=root,uid=0,forceuid,gid=0,forcegid,addr=192.16
$ journalctl -b0
kernel: CIFS: Attempting to mount //samba-dc.example.com/demo
kernel: No dialect specified on mount. Default has changed to a more secure dialect, SMB2.1 or later (e.g. SMB3), from CIFS (SMB1). To use the less secure SMB1 dialect to access old servers which do not support SMB3 (or SMB2.1) specify vers=1.0 on mount.
cifs.upcall[2962]: key description: cifs.spnego;0;0;39010000;ver=0x2;host=samba-dc.example.com;ip4=192.168.122.230;sec=krb5;uid=0x0;creduid=0x0;user=root;pid=0xb8c
cifs.upcall[2963]: ver=2
cifs.upcall[2963]: host=samba-dc.example.com
cifs.upcall[2963]: ip=192.168.122.230
cifs.upcall[2963]: sec=1
cifs.upcall[2963]: uid=0
cifs.upcall[2963]: creduid=0
cifs.upcall[2963]: user=root
cifs.upcall[2963]: pid=2956
cifs.upcall[2962]: upcall_target=app, switching namespaces to application thread
cifs.upcall[2962]: get_cachename_from_process_env: pid == 0
cifs.upcall[2962]: get_existing_cc: default ccache is FILE:/tmp/krb5cc_0
cifs.upcall[2962]: main: valid service ticket exists in credential cache
cifs.upcall[2962]: handle_krb5_mech: getting service ticket for samba-dc.example.com
cifs.upcall[2962]: handle_krb5_mech: obtained service ticket
cifs.upcall[2962]: Exit status 0

Next, we will just do a run with a patched kernel. I enabled -proposed and
installed:

ubuntu@focal-dc:~$ uname -rv
5.4.0-218-generic #238-Ubuntu SMP Mon May 19 10:42:47 UTC 2025

We will keep cifs-utils from -security-proposed installed.

Let's try a standard uid 1000 user:

ubuntu@focal-dc:~$ kinit Administrator@xxxxxxxxxxxxxxxxxxxx
Password for Administrator@xxxxxxxxxxxxxxxxxxxx: 
Warning: Your password will expire in 41 days on Mon Jul 28 02:14:31 2025
ubuntu@focal-dc:~$ klist
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: Administrator@xxxxxxxxxxxxxxxxxxxx

Valid starting     Expires            Service principal
06/16/25 05:14:43  06/16/25 15:14:43  krbtgt/SAMBA-DC.EXAMPLE.COM@xxxxxxxxxxxxxxxxxxxx
	renew until 06/17/25 05:14:41
ubuntu@focal-dc:~$ sudo mount -t cifs -o cruid=ubuntu,user=ubuntu,sec=krb5i,uid=1000,gid=1000,cred=/tmp/krb5cc_1000 //samba-dc.example.com/demo /mnt/testshare1
ubuntu@focal-dc:~$ mount -l | grep cifs
//samba-dc.example.com/demo on /mnt/testshare1 type cifs (rw,relatime,vers=3.1.1,sec=krb5i,cruid=1000,cache=strict,upcall_target=app,username=ubuntu,uid=1000,forceuid,gid=1000,forcegid,addr=192.168.122.230,file_mode=0755,dir_mode=0755,soft,nounix,serverino,mapposix,rsize=4194304,wsize=4194304,bsize=1048576,echo_interval=60,actimeo=1,user=ubuntu)
$ journalctl -b0
kernel: CIFS: Attempting to mount //samba-dc.example.com/demo
kernel: No dialect specified on mount. Default has changed to a more secure dialect, SMB2.1 or later (e.g. SMB3), from CIFS (SMB1). To use the less secure SMB1 dialect to access old servers which do not support SMB3 (or SMB2.1) specify vers=1.0 on mount.
cifs.upcall[1553]: key description: cifs.spnego;0;0;39010000;ver=0x2;host=samba-dc.example.com;ip4=192.168.122.230;sec=krb5;uid=0x3e8;creduid=0x3e8;user=ubuntu;pid=0x5ff;upcall_target=app
cifs.upcall[1554]: ver=2
cifs.upcall[1554]: host=samba-dc.example.com
cifs.upcall[1554]: ip=192.168.122.230
cifs.upcall[1554]: sec=1
cifs.upcall[1554]: uid=1000
cifs.upcall[1554]: creduid=1000
cifs.upcall[1554]: user=ubuntu
cifs.upcall[1554]: pid=1535
cifs.upcall[1554]: upcall_target=app
cifs.upcall[1553]: upcall_target=app, switching namespaces to application thread
cifs.upcall[1553]: get_cachename_from_process_env: pathname=/proc/1535/environ
cifs.upcall[1553]: get_existing_cc: default ccache is FILE:/tmp/krb5cc_1000
cifs.upcall[1553]: handle_krb5_mech: getting service ticket for samba-dc.example.com
cifs.upcall[1553]: handle_krb5_mech: obtained service ticket
cifs.upcall[1553]: Exit status 0

Let's try as root user:

ubuntu@focal-dc:~$ kdestroy
ubuntu@focal-dc:~$ unset KRB5CCNAME 
ubuntu@focal-dc:~$ sudo -s
root@focal-dc:/home/ubuntu# kinit Administrator@xxxxxxxxxxxxxxxxxxxx
Password for Administrator@xxxxxxxxxxxxxxxxxxxx: 
Warning: Your password will expire in 41 days on Mon Jul 28 02:14:31 2025
root@focal-dc:/home/ubuntu# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: Administrator@xxxxxxxxxxxxxxxxxxxx

Valid starting     Expires            Service principal
06/16/25 07:26:38  06/16/25 17:26:38  krbtgt/SAMBA-DC.EXAMPLE.COM@xxxxxxxxxxxxxxxxxxxx
	renew until 06/17/25 07:26:35
root@focal-dc:/home/ubuntu# mount -t cifs -o cruid=root,user=root,sec=krb5i,uid=0,gid=0,cred=/tmp/krb5cc_0 //samba-dc.example.com/demo /mnt/testshare1
root@focal-dc:/home/ubuntu# mount -l | grep cifs
//samba-dc.example.com/demo on /mnt/testshare1 type cifs (rw,relatime,vers=3.1.1,sec=krb5i,cruid=0,cache=strict,upcall_target=app,username=root,uid=0,forceuid,gid=0,forcegid,addr=192.168.122.230,file_mode=0755,dir_mode=0755,soft,nounix,serverino,mapposix,rsize=4194304,wsize=4194304,bsize=1048576,echo_interval=60,actimeo=1,user=root)
$ journalctl -b0
kernel: CIFS: Attempting to mount //samba-dc.example.com/demo
kernel: No dialect specified on mount. Default has changed to a more secure dialect, SMB2.1 or later (e.g. SMB3), from CIFS (SMB1). To use the less secure SMB1 dialect to access old servers which do not support SMB3 (or SMB2.1) specify vers=1.0 on mount.
cifs.upcall[1592]: key description: cifs.spnego;0;0;39010000;ver=0x2;host=samba-dc.example.com;ip4=192.168.122.230;sec=krb5;uid=0x0;creduid=0x0;user=root;pid=0x625;upcall_target=app
cifs.upcall[1593]: ver=2
cifs.upcall[1593]: host=samba-dc.example.com
cifs.upcall[1593]: ip=192.168.122.230
cifs.upcall[1593]: sec=1
cifs.upcall[1593]: uid=0
cifs.upcall[1593]: creduid=0
cifs.upcall[1593]: user=root
cifs.upcall[1593]: pid=1573
cifs.upcall[1593]: upcall_target=app
cifs.upcall[1592]: upcall_target=app, switching namespaces to application thread
cifs.upcall[1592]: get_cachename_from_process_env: pid == 0
cifs.upcall[1592]: get_existing_cc: default ccache is FILE:/tmp/krb5cc_0
cifs.upcall[1592]: handle_krb5_mech: getting service ticket for samba-dc.example.com
cifs.upcall[1592]: handle_krb5_mech: obtained service ticket
cifs.upcall[1592]: Exit status 0

We are just going to focus on a different uid user, e.g. an AD user, as
something different is happening on focal than on any other release.

Let's start with:

unpatched kernel / -release cifs-utils
kernel: 5.4.0-216-generic
cifs-utils: 2:6.9-1

ubuntu@focal-dc:~$ mv /tmp/krb5cc_1000 /tmp/krb5cc_11200
ubuntu@focal-dc:~$ export KRB5CCNAME=/tmp/krb5cc_11200
ubuntu@focal-dc:~$ klist /tmp/krb5cc_11200
Ticket cache: FILE:/tmp/krb5cc_11200
Default principal: Administrator@xxxxxxxxxxxxxxxxxxxx

Valid starting     Expires            Service principal
06/16/25 06:51:11  06/16/25 16:51:11  krbtgt/SAMBA-DC.EXAMPLE.COM@xxxxxxxxxxxxxxxxxxxx
	renew until 06/17/25 06:51:08
ubuntu@focal-dc:~$ sudo mount -t cifs -o sec=krb5i //samba-dc.example.com/demo /mnt/testshare1
mount error(2): No such file or directory
Refer to the mount.cifs(8) manual page (e.g. man mount.cifs) and kernel log messages (dmesg)
$ journalctl -b0
kernel: CIFS: Attempting to mount //samba-dc.example.com/demo
kernel: No dialect specified on mount. Default has changed to a more secure dialect, SMB2.1 or later (e.g. SMB3), from CIFS (SMB1). To use the less secure SMB1 dialect to access old servers which do not support SMB3 (or SMB2.1) specify vers=1.0 on mount.
cifs.upcall[2023]: key description: cifs.spnego;0;0;39010000;ver=0x2;host=samba-dc.example.com;ip4=192.168.122.230;sec=krb5;uid=0x0;creduid=0x0;user=root;pid=0x7e1
cifs.upcall[2023]: ver=2
cifs.upcall[2023]: host=samba-dc.example.com
cifs.upcall[2023]: ip=192.168.122.230
cifs.upcall[2023]: sec=1
cifs.upcall[2023]: uid=0
cifs.upcall[2023]: creduid=0
cifs.upcall[2023]: user=root
cifs.upcall[2023]: pid=2017
cifs.upcall[2023]: get_cachename_from_process_env: pid == 0
cifs.upcall[2023]: get_existing_cc: default ccache is FILE:/tmp/krb5cc_0
cifs.upcall[2023]: get_tgt_time: unable to get principal
cifs.upcall[2023]: krb5_get_init_creds_keytab: -1765328378
cifs.upcall[2023]: Exit status 1
kernel: CIFS VFS: Verify user has a krb5 ticket and keyutils is installed
kernel: CIFS VFS: \\samba-dc.example.com Send error in SessSetup = -126
kernel: CIFS VFS: cifs_mount failed w/return code = -2

It fails. It seems cifs-utils on focal only checks root's env regardless of what
you try.

If we upgrade to 2:6.9-1ubuntu0.3 from -updates:

ubuntu@focal-dc:~$ klist
Ticket cache: FILE:/tmp/krb5cc_11200
Default principal: Administrator@xxxxxxxxxxxxxxxxxxxx

Valid starting     Expires            Service principal
06/16/25 06:51:11  06/16/25 16:51:11  krbtgt/SAMBA-DC.EXAMPLE.COM@xxxxxxxxxxxxxxxxxxxx
	renew until 06/17/25 06:51:08
ubuntu@focal-dc:~$ sudo mount -t cifs -o sec=krb5i //samba-dc.example.com/demo /mnt/testshare1
mount error(2): No such file or directory
Refer to the mount.cifs(8) manual page (e.g. man mount.cifs) and kernel log messages (dmesg)
$ journalctl -b0
kernel: CIFS: Attempting to mount //samba-dc.example.com/demo
kernel: No dialect specified on mount. Default has changed to a more secure dialect, SMB2.1 or later (e.g. SMB3), from CIFS (SMB1). To use the less secure SMB1 dialect to access old servers which do not support SMB3 (or SMB2.1) specify vers=1.0 on mount.
cifs.upcall[2225]: key description: cifs.spnego;0;0;39010000;ver=0x2;host=samba-dc.example.com;ip4=192.168.122.230;sec=krb5;uid=0x0;creduid=0x0;user=root;pid=0x8ab
cifs.upcall[2226]: ver=2
cifs.upcall[2226]: host=samba-dc.example.com
cifs.upcall[2226]: ip=192.168.122.230
cifs.upcall[2226]: sec=1
cifs.upcall[2226]: uid=0
cifs.upcall[2226]: creduid=0
cifs.upcall[2226]: user=root
cifs.upcall[2226]: pid=2219
cifs.upcall[2225]: upcall_target=app, switching namespaces to application thread
cifs.upcall[2225]: get_cachename_from_process_env: pid == 0
cifs.upcall[2225]: get_existing_cc: default ccache is FILE:/tmp/krb5cc_0
cifs.upcall[2225]: check_service_ticket_exists: unable to get client principal from cache: No credentials cache found (filename: /tmp/krb5cc_0)
cifs.upcall[2225]: get_tgt_time: unable to get principal
cifs.upcall[2225]: main: valid TGT is not present in credential cache
cifs.upcall[2225]: krb5_get_init_creds_keytab: -1765328378
cifs.upcall[2225]: Exit status 1
kernel: CIFS VFS: Verify user has a krb5 ticket and keyutils is installed
kernel: CIFS VFS: \\samba-dc.example.com Send error in SessSetup = -126
kernel: CIFS VFS: cifs_mount failed w/return code = -2

Still broken. Seems focal never had a regression because it never worked in the
first place.

If we move to 2:6.9-1ubuntu0.4 in -security-proposed:

ubuntu@focal-dc:~$ klist
Ticket cache: FILE:/tmp/krb5cc_11200
Default principal: Administrator@xxxxxxxxxxxxxxxxxxxx

Valid starting     Expires            Service principal
06/16/25 06:51:11  06/16/25 16:51:11  krbtgt/SAMBA-DC.EXAMPLE.COM@xxxxxxxxxxxxxxxxxxxx
	renew until 06/17/25 06:51:08
ubuntu@focal-dc:~$ sudo mount -t cifs -o sec=krb5i //samba-dc.example.com/demo /mnt/testshare1
mount error(2): No such file or directory
Refer to the mount.cifs(8) manual page (e.g. man mount.cifs) and kernel log messages (dmesg)
$ journalctl -b0
kernel: CIFS: Attempting to mount //samba-dc.example.com/demo
kernel: No dialect specified on mount. Default has changed to a more secure dialect, SMB2.1 or later (e.g. SMB3), from CIFS (SMB1). To use the less secure SMB1 dialect to access old servers which do not support SMB3 (or SMB2.1) specify vers=1.0 on mount.
cifs.upcall[3008]: key description: cifs.spnego;0;0;39010000;ver=0x2;host=samba-dc.example.com;ip4=192.168.122.230;sec=krb5;uid=0x0;creduid=0x0;user=root;pid=0xbba
cifs.upcall[3009]: ver=2
cifs.upcall[3009]: host=samba-dc.example.com
cifs.upcall[3009]: ip=192.168.122.230
cifs.upcall[3009]: sec=1
cifs.upcall[3009]: uid=0
cifs.upcall[3009]: creduid=0
cifs.upcall[3009]: user=root
cifs.upcall[3009]: pid=3002
cifs.upcall[3008]: upcall_target=app, switching namespaces to application thread
cifs.upcall[3008]: get_cachename_from_process_env: pid == 0
cifs.upcall[3008]: get_existing_cc: default ccache is FILE:/tmp/krb5cc_0
cifs.upcall[3008]: check_service_ticket_exists: unable to get client principal from cache: No credentials cache found (filename: /tmp/krb5cc_0)
cifs.upcall[3008]: get_tgt_time: unable to get principal
cifs.upcall[3008]: main: valid TGT is not present in credential cache
cifs.upcall[3008]: krb5_get_init_creds_keytab: -1765328378
cifs.upcall[3008]: Exit status 1
sudo[3000]: pam_unix(sudo:session): session closed for user root
kernel: CIFS VFS: Verify user has a krb5 ticket and keyutils is installed
kernel: CIFS VFS: \\samba-dc.example.com Send error in SessSetup = -126
kernel: CIFS VFS: cifs_mount failed w/return code = -2

It still doesn't make things any better, but they are no worse than what is
currently in -updates.

If we enable -proposed and install a patched kernel:

ubuntu@focal-dc:~$ uname -rv
5.4.0-218-generic #238-Ubuntu SMP Mon May 19 10:42:47 UTC 2025

ubuntu@focal-dc:~$ kinit Administrator@xxxxxxxxxxxxxxxxxxxx
Password for Administrator@xxxxxxxxxxxxxxxxxxxx: 
Warning: Your password will expire in 41 days on Mon Jul 28 02:14:31 2025
ubuntu@focal-dc:~$ mv /tmp/krb5cc_1000 /tmp/krb5cc_11200
ubuntu@focal-dc:~$ export KRB5CCNAME=/tmp/krb5cc_11200
ubuntu@focal-dc:~$ klist /tmp/krb5cc_11200
Ticket cache: FILE:/tmp/krb5cc_11200
Default principal: Administrator@xxxxxxxxxxxxxxxxxxxx

Valid starting     Expires            Service principal
06/16/25 07:00:38  06/16/25 17:00:38  krbtgt/SAMBA-DC.EXAMPLE.COM@xxxxxxxxxxxxxxxxxxxx
	renew until 06/17/25 07:00:35
ubuntu@focal-dc:~$ sudo mount -t cifs -o sec=krb5i //samba-dc.example.com/demo /mnt/testshare1
mount error(2): No such file or directory
Refer to the mount.cifs(8) manual page (e.g. man mount.cifs) and kernel log messages (dmesg)
$ journalctl -b0
kernel: CIFS: Attempting to mount //samba-dc.example.com/demo
kernel: No dialect specified on mount. Default has changed to a more secure dialect, SMB2.1 or later (e.g. SMB3), from CIFS (SMB1). To use the less secure SMB1 dialect to access old servers which do not support SMB3 (or SMB2.1) specify vers=1.0 on mount.
cifs.upcall[1577]: key description: cifs.spnego;0;0;39010000;ver=0x2;host=samba-dc.example.com;ip4=192.168.122.230;sec=krb5;uid=0x0;creduid=0x0;user=root;pid=0x625;upcall_target=app
cifs.upcall[1578]: ver=2
cifs.upcall[1578]: host=samba-dc.example.com
cifs.upcall[1578]: ip=192.168.122.230
cifs.upcall[1578]: sec=1
cifs.upcall[1578]: uid=0
cifs.upcall[1578]: creduid=0
cifs.upcall[1578]: user=root
cifs.upcall[1578]: pid=1573
cifs.upcall[1578]: upcall_target=app
cifs.upcall[1577]: upcall_target=app, switching namespaces to application thread
cifs.upcall[1577]: get_cachename_from_process_env: pid == 0
cifs.upcall[1577]: get_existing_cc: default ccache is FILE:/tmp/krb5cc_0
cifs.upcall[1577]: check_service_ticket_exists: unable to get client principal from cache: No credentials cache found (filename: /tmp/krb5cc_0)
cifs.upcall[1577]: get_tgt_time: unable to get principal
cifs.upcall[1577]: main: valid TGT is not present in credential cache
cifs.upcall[1577]: krb5_get_init_creds_keytab: -1765328378
cifs.upcall[1577]: Exit status 1
sudo[1571]: pam_unix(sudo:session): session closed for user root
kernel: CIFS VFS: Verify user has a krb5 ticket and keyutils is installed
kernel: CIFS VFS: \\samba-dc.example.com Send error in SessSetup = -126
kernel: CIFS VFS: cifs_mount failed w/return code = -2

Patched kernel doesn't change the behaviour.

If we try a HWE kernel:

ubuntu@focal-dc:~$ uname -rv
5.15.0-140-generic #150~20.04.1-Ubuntu SMP Fri Apr 25 10:28:04 UTC 2025

ubuntu@focal-dc:~$ kinit Administrator@xxxxxxxxxxxxxxxxxxxx
Password for Administrator@xxxxxxxxxxxxxxxxxxxx: 
Warning: Your password will expire in 41 days on Mon Jul 28 02:14:31 2025
ubuntu@focal-dc:~$ mv /tmp/krb5cc_1000 /tmp/krb5cc_11200
ubuntu@focal-dc:~$ export KRB5CCNAME=/tmp/krb5cc_11200
ubuntu@focal-dc:~$ klist /tmp/krb5cc_11200
Ticket cache: FILE:/tmp/krb5cc_11200
Default principal: Administrator@xxxxxxxxxxxxxxxxxxxx

Valid starting     Expires            Service principal
06/16/25 07:04:26  06/16/25 17:04:26  krbtgt/SAMBA-DC.EXAMPLE.COM@xxxxxxxxxxxxxxxxxxxx
	renew until 06/17/25 07:04:23
ubuntu@focal-dc:~$ sudo mount -t cifs -o sec=krb5i //samba-dc.example.com/demo /mnt/testshare1
mount error(126): Required key not available
Refer to the mount.cifs(8) manual page (e.g. man mount.cifs) and kernel log messages (dmesg)
kernel: CIFS: Attempting to mount \\samba-dc.example.com\demo
cifs.upcall[1688]: key description: cifs.spnego;0;0;39010000;ver=0x2;host=samba-dc.example.com;ip4=192.168.122.230;sec=krb5;uid=0x0;creduid=0x0;user=root;pid=0x694
cifs.upcall[1689]: ver=2
cifs.upcall[1689]: host=samba-dc.example.com
cifs.upcall[1689]: ip=192.168.122.230
cifs.upcall[1689]: sec=1
cifs.upcall[1689]: uid=0
cifs.upcall[1689]: creduid=0
cifs.upcall[1689]: user=root
cifs.upcall[1689]: pid=1684
cifs.upcall[1688]: upcall_target=app, switching namespaces to application thread
cifs.upcall[1688]: get_cachename_from_process_env: pid == 0
cifs.upcall[1688]: get_existing_cc: default ccache is FILE:/tmp/krb5cc_0
cifs.upcall[1688]: check_service_ticket_exists: unable to get client principal from cache: No credentials cache found (filename: /tmp/krb5cc_0)
cifs.upcall[1688]: get_tgt_time: unable to get principal
cifs.upcall[1688]: main: valid TGT is not present in credential cache
cifs.upcall[1688]: krb5_get_init_creds_keytab: -1765328378
cifs.upcall[1688]: Exit status 1
sudo[1682]: pam_unix(sudo:session): session closed for user root
kernel: CIFS: VFS: Verify user has a krb5 ticket and keyutils is installed
kernel: CIFS: VFS: \\samba-dc.example.com Send error in SessSetup = -126
kernel: CIFS: VFS: cifs_mount failed w/return code = -126

The HWE kernel doesn't improve things either; it's cifs-utils itself.

I think what's going on here is that on jammy and onward, cifs-utils will
try both root, and the user uid / env in two separate calls.

This is from jammy:
kernel: CIFS: Attempting to mount \\samba-dc.example.com\demo
cifs.upcall[1495]: key description: cifs.spnego;0;0;39010000;ver=0x2;host=samba-dc.example.com;ip4=192.168.122.79;sec=krb5;uid=0x0;creduid=0x0;user=root;pid=0x5c1;upcall_target=app
cifs.upcall[1496]: ver=2
cifs.upcall[1496]: host=samba-dc.example.com
cifs.upcall[1496]: ip=192.168.122.79
cifs.upcall[1496]: sec=1
cifs.upcall[1496]: uid=0
cifs.upcall[1496]: creduid=0
cifs.upcall[1496]: user=root
cifs.upcall[1496]: pid=1473
cifs.upcall[1496]: upcall_target=app
cifs.upcall[1495]: upcall_target=app, switching namespaces to application thread
cifs.upcall[1495]: get_cachename_from_process_env: pid == 0
cifs.upcall[1495]: get_existing_cc: default ccache is FILE:/tmp/krb5cc_0
cifs.upcall[1495]: check_service_ticket_exists: unable to get client principal from cache: No credentials cache found (filename: /tmp/krb5cc_0)
cifs.upcall[1495]: get_tgt_time: unable to get principal
cifs.upcall[1495]: main: valid TGT is not present in credential cache
cifs.upcall[1495]: krb5_get_init_creds_keytab: -1765328378
cifs.upcall[1495]: Exit status 1
kernel: CIFS: VFS: Verify user has a krb5 ticket and keyutils is installed
kernel: CIFS: VFS: \\samba-dc.example.com Send error in SessSetup = -126
kernel: CIFS: VFS: cifs_mount failed w/return code = -126
kernel: CIFS: Attempting to mount \\samba-dc.example.com\demo
cifs.upcall[1500]: key description: cifs.spnego;0;0;39010000;ver=0x2;host=samba-dc.example.com;ip4=192.168.122.79;sec=krb5;uid=0x0;creduid=0x3e8;user=root;pid=0x5c1;upcall_target=app
cifs.upcall[1501]: ver=2
cifs.upcall[1501]: host=samba-dc.example.com
cifs.upcall[1501]: ip=192.168.122.79
cifs.upcall[1501]: sec=1
cifs.upcall[1501]: uid=0
cifs.upcall[1501]: creduid=1000
cifs.upcall[1501]: user=root
cifs.upcall[1501]: pid=1473
cifs.upcall[1501]: upcall_target=app
cifs.upcall[1500]: upcall_target=app, switching namespaces to application thread
cifs.upcall[1500]: get_cachename_from_process_env: pathname=/proc/1473/environ
cifs.upcall[1500]: get_cachename_from_process_env: cachename = /tmp/krb5cc_11200
cifs.upcall[1500]: get_existing_cc: default ccache is FILE:/tmp/krb5cc_11200
cifs.upcall[1500]: handle_krb5_mech: getting service ticket for samba-dc.example.com
cifs.upcall[1500]: handle_krb5_mech: obtained service ticket
cifs.upcall[1500]: Exit status 0

You see, focal only makes the very first call.

Regardless, the new cifs-utils package in -security-proposed does not make things
better or worse than they currently are.

I think it's best to still go with release. We keep the code changes in sync with
jammy onward, fix a known memory leak, and keep the code correct for unpatched
kernels.

I will mark verified for focal.

** Tags added: verification-done-focal

** Tags removed: regression-update

-- 
You received this bug notification because you are a member of
Debcrafters packages, which is subscribed to cifs-utils in Ubuntu.
https://bugs.launchpad.net/bugs/2112614

Title:
  Regression: After CVE-2025-2312 cifs.upcall can't find credential
  caches from user env

Status in cifs-utils package in Ubuntu:
  Fix Released
Status in cifs-utils source package in Focal:
  Fix Committed
Status in cifs-utils source package in Jammy:
  Fix Committed
Status in cifs-utils source package in Noble:
  Fix Committed
Status in cifs-utils source package in Oracular:
  Fix Committed
Status in cifs-utils source package in Plucky:
  Fix Committed
Status in cifs-utils source package in Questing:
  Fix Released

Bug description:
  [Impact]

  Unfortunately, the release of CVE-2025-2312 caused a minor regression for some
  users of cifs-utils, particularly those with AD users mounting shares from
  non-standard UID numbers that aren't the default 0 or 1000.

  Trying to mount a share with credentials in environment variables like
  $KRB5CCNAME gets messages like:

  $ echo $KRB5CCNAME
  /tmp/krb5cc_11200
  $ sudo mount -t cifs -o sec=krb5i //samba-dc.example.com/demo /mnt/testshare1
  mount error(126): Required key not available
  Refer to the mount.cifs(8) manual page (e.g. man mount.cifs) and kernel log messages (dmesg)

  Affected packages:

  questing: 2:7.3-1
  plucky: 2:7.2-2
  oracular: 2:7.0-2.1ubuntu0.1
  noble: 2:7.0-2ubuntu0.1
  jammy: 2:6.14-1ubuntu0.2
  focal: 2:6.9-1ubuntu0.3

  We changed debian/patches/CVE-2025-2312-1.patch:
  @@ -1384,7 +1423,7 @@
           * look at the environ file.
           */
          env_cachename =
  - get_cachename_from_process_env(env_probe ? arg->pid : 0);
  + get_cachename_from_process_env((env_probe && (arg->upcall_target == UPTARGET_APP)) ? arg->pid : 0);

          rc = setuid(uid);
          if (rc == -1) {
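
Review bot: the new condition on the `+` line passes `arg->pid` only when `arg->upcall_target == UPTARGET_APP`, so every other value of `upcall_target`, including one that was never set, falls through to `0` and the environ lookup named in the comment above is skipped. Consider normalising an unspecified target to `UPTARGET_APP` before this call, or testing for it here, and extend the comment to say which targets are allowed to probe the process environment. The ternary is also long enough that a named local for the condition would read better.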

  Unfortunately, we missed the UPTARGET_UNSPECIFIED option.

  The fix from Henrique Carvalho simply sets upcall_target to be UPTARGET_APP
  if UPTARGET_UNSPECIFIED is the current option.

  This affects users who use the non-patched kernels.

  I'm broken, please get me a fix / Workarounds:
  1) You can install the test packages in the [Testcase] section.
  or
  2) You can enable -proposed and install any of the 5.4.0-218-generic, 5.15.0-142-generic, 6.8.0-62-generic or 6.11.0-28-generic kernels.
  or
  3) You can edit the following files:
  /etc/krb5.conf - Add this to [libdefaults]:
      default_ccache_name = /tmp/krb5cc_%{uid}
  /etc/sssd/sssd.conf - Add this to [domain]:
      krb5_ccachedir = /tmp
      krb5_ccname_template = FILE:%d/krb5cc_%{uid}
  Ideally, restart sssd so sssd-pam can find the Kerberos credential cache again.
      sudo systemctl restart sssd
  or
  4) You can simply downgrade the package to what is in the release pocket.

  [Testcase]

  Follow the entire testcase of https://bugs.launchpad.net/ubuntu/+source/linux/+bug/2099914
  first.

  $ kinit administrator
  Password for administrator@xxxxxxxxxxxxxxxxxxxx:
  Warning: Your password will expire in 36 days on Sat Jul 12 01:54:39 2025
  $ klist
  Ticket cache: FILE:/tmp/krb5cc_1000
  Default principal: administrator@xxxxxxxxxxxxxxxxxxxx

  Valid starting     Expires            Service principal
  06/05/25 21:44:07  06/06/25 07:44:07  krbtgt/SAMBA-DC.EXAMPLE.COM@xxxxxxxxxxxxxxxxxxxx
   renew until 06/06/25 21:44:04

  $ mv /tmp/krb5cc_1000 /tmp/krb5cc_11200
  $ klist /tmp/krb5cc_11200
  Ticket cache: FILE:/tmp/krb5cc_11200
  Default principal: administrator@xxxxxxxxxxxxxxxxxxxx

  Valid starting     Expires            Service principal
  06/05/25 21:44:07  06/06/25 07:44:07  krbtgt/SAMBA-DC.EXAMPLE.COM@xxxxxxxxxxxxxxxxxxxx
   renew until 06/06/25 21:44:04

  $ export KRB5CCNAME=/tmp/krb5cc_11200
  $ sudo mount -t cifs -o sec=krb5i //samba-dc.example.com/demo /mnt/testshare1
  mount error(126): Required key not available
  Refer to the mount.cifs(8) manual page (e.g. man mount.cifs) and kernel log messages (dmesg)

  $ journalctl -b0
  kernel: CIFS: Attempting to mount //samba-dc.example.com/demo
  cifs.upcall[5177]: key description: cifs.spnego;0;0;39010000;ver=0x2;host=samba-dc.example.com;ip4=192.168.122.248;sec=krb5;uid=0x0;creduid=0x3e8;user=root;pid=0x142c
  cifs.upcall[5178]: ver=2
  cifs.upcall[5178]: host=samba-dc.example.com
  cifs.upcall[5178]: ip=192.168.122.248
  cifs.upcall[5178]: sec=1
  cifs.upcall[5178]: uid=0
  cifs.upcall[5178]: creduid=1000
  cifs.upcall[5178]: user=root
  cifs.upcall[5178]: pid=5164
  cifs.upcall[5177]: upcall_target=app, switching namespaces to application thread
  cifs.upcall[5177]: get_cachename_from_process_env: pid == 0
  cifs.upcall[5177]: get_existing_cc: default ccache is FILE:/tmp/krb5cc_1000
  cifs.upcall[5177]: check_service_ticket_exists: unable to get client principal from cache: No credentials cache found (filename: /tmp/krb5cc_1000)
  cifs.upcall[5177]: get_tgt_time: unable to get principal
  cifs.upcall[5177]: main: valid TGT is not present in credential cache
  cifs.upcall[5177]: krb5_get_init_creds_keytab: -1765328378
  cifs.upcall[5177]: handle_krb5_mech: getting service ticket for samba-dc.example.com
  cifs.upcall[5177]: handle_krb5_mech: using GSS-API
  cifs.upcall[5177]: GSS-API error init_sec_context: No credentials were supplied, or the credentials were unavailable or inaccessible
  cifs.upcall[5177]: GSS-API error init_sec_context: No Kerberos credentials available (default cache: FILE:/tmp/krb5cc_1000)
  cifs.upcall[5177]: handle_krb5_mech: failed to obtain service ticket via GSS (458752)
  cifs.upcall[5177]: Unable to obtain service ticket
  cifs.upcall[5177]: Exit status 458752
  kernel: CIFS: VFS: Verify user has a krb5 ticket and keyutils is installed
  kernel: CIFS: VFS: \\samba-dc.example.com Send error in SessSetup = -126
  kernel: CIFS: VFS: cifs_mount failed w/return code = -126

  If you install the test packages in the following ppa:

  https://launchpad.net/~mruffell/+archive/ubuntu/sf407276-regression-test

  Please note this package is NOT SUPPORTED by Canonical, and is for TESTING
  PURPOSES ONLY. ONLY Install in a dedicated test environment.

  Instructions to Install (On a focal, jammy, noble, oracular, plucky system):
  1) sudo add-apt-repository ppa:mruffell/sf407276-regression-test
  2) sudo apt update
  3) sudo apt install cifs-utils
  4) sudo apt-cache policy cifs-utils | grep Installed
  Check for +sf407276v20250531b1

  The share mounts normally as expected.

  [Where problems can occur]

  This is a part of the fix of CVE-2025-2312, and we need to make sure that we
  again test the following scenarios:

  * patched kernel, patched cifs-utils
  * patched kernel, existing cifs-utils
  * existing kernel, patched cifs-utils

  This time, we really need to spend a bit more time on the unpatched kernel
  scenario, because clearly I wasn't thorough enough.

  If a regression were to occur, it could affect mounting of cifs / smb shares and
  users would not be able to access their data.

  Due to the nature of this bug, there is no secret leakage from
  CVE-2025-2312.

  [Other info]

  This regression was caused in:
  https://bugs.launchpad.net/ubuntu/+source/linux/+bug/2099914

  This has been fixed upstream in cifs-utils 7.4 by:

  commit f4fd27cf60d6431d83ea18b4962aef845f9312bd
  Author: Henrique Carvalho <henrique.carvalho@xxxxxxxx>
  Date: Fri May 30 12:28:14 2025 -0300
  Subject: cifs.upcall: correctly treat UPTARGET_UNSPECIFIED as UPTARGET_APP
  Link: https://git.samba.org/?p=cifs-utils.git;a=commit;h=f4fd27cf60d6431d83ea18b4962aef845f9312bd

  Mailing list link:
  https://lore.kernel.org/linux-cifs/20250530152814.1592508-1-henrique.carvalho@xxxxxxxx/T/

  Note, there is an additional regression caused by:
  https://bugs.launchpad.net/ubuntu/+source/cifs-utils/+bug/2099917
  that is getting fixed in:
  https://bugs.launchpad.net/ubuntu/+source/cifs-utils/+bug/2113906

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/cifs-utils/+bug/2112614/+subscriptions
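
A triage check for the failure signature in the journal output of the [Testcase] section, as an added example that is not part of the bug report or of cifs-utils. The function names and the comparison against the caller's `$KRB5CCNAME` are assumptions of this example; the sample lines are a subset of the log quoted in the report.

```python
import re

# Sample input: a subset of the cifs.upcall journal lines quoted in the report.
SAMPLE_JOURNAL = """\
cifs.upcall[5177]: key description: cifs.spnego;0;0;39010000;ver=0x2;host=samba-dc.example.com;ip4=192.168.122.248;sec=krb5;uid=0x0;creduid=0x3e8;user=root;pid=0x142c
cifs.upcall[5177]: upcall_target=app, switching namespaces to application thread
cifs.upcall[5177]: get_cachename_from_process_env: pid == 0
cifs.upcall[5177]: get_existing_cc: default ccache is FILE:/tmp/krb5cc_1000
cifs.upcall[5177]: check_service_ticket_exists: unable to get client principal from cache: No credentials cache found (filename: /tmp/krb5cc_1000)
cifs.upcall[5177]: Exit status 458752
"""

def parse_key_description(line):
    """Return the key=value fields of a cifs.spnego key description, hex decoded."""
    fields = {}
    for item in line.split("key description:", 1)[1].strip().split(";"):
        if "=" in item:
            name, value = item.split("=", 1)
            fields[name] = int(value, 16) if value.startswith("0x") else value
    return fields

def strip_type(ccname):
    """Drop a leading FILE: so FILE:/tmp/x and /tmp/x compare equal."""
    return ccname[5:] if ccname.startswith("FILE:") else ccname

def triage(journal, krb5ccname):
    """Check journal text for the failure signature shown in the report."""
    key, default_cc, probe_skipped, cache_missing = {}, None, False, False
    for line in journal.splitlines():
        if "key description:" in line:
            key = parse_key_description(line)
        elif "get_cachename_from_process_env: pid == 0" in line:
            probe_skipped = True
        elif (m := re.search(r"get_existing_cc: default ccache is (\S+)", line)):
            default_cc = m.group(1)
        elif "No credentials cache found" in line:
            cache_missing = True
    # The key description carried a real pid, yet the environ probe ran with pid 0.
    probe_skipped = probe_skipped and key.get("pid", 0) != 0
    fell_back = default_cc is not None and strip_type(default_cc) != strip_type(krb5ccname)
    return {
        "creduid": key.get("creduid"),
        "requesting_pid": key.get("pid"),
        "default_ccache": default_cc,
        "env_probe_skipped": probe_skipped,
        "matches_regression": probe_skipped and fell_back and cache_missing,
    }
```

Feed it the `cifs.upcall` lines from `journalctl -b0` together with the value of `$KRB5CCNAME` from the shell that ran `mount`.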
