[Bug 676525] Re: mount.cifs cannot mount with kerberos
DG Turner
676525 at bugs.launchpad.net
Fri Jul 11 14:24:52 UTC 2014
Kerberos' purpose is authentication. More verbosely, using kerberos as
the primary authentication method should ensure that the presented
credentials do in fact belong to the user presenting them (whether that
is a real user or a service is irrelevant).
To force the impersonation of credentials to perform a mount of a
Windows share within the user's home directory is a subversion of the
kerberos mechanism, and potentially allows a breach to propagate.
The concerns raised by this behaviour may raise fewer alarm bells for
those more accustomed to a *nix environment. When the environment is
Windows/Active Directory based, the aforementioned concerns become much
more disconcerting. The potential damage caused by the impersonation of
a user by root could be catastrophic if the right user were
impersonated, which is why several of my systems are configured to send
an alert when a chown of any ticket is attempted.
To make matters more interesting (at least for me), the cruid option
still fails for me when attempting a mount using kerberos credentials.
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to cifs-utils in Ubuntu.
https://bugs.launchpad.net/bugs/676525
Title:
mount.cifs cannot mount with kerberos
Status in “cifs-utils” package in Ubuntu:
Confirmed
Bug description:
Binary package hint: cifs-utils
Please tell me if this is the wrong channel. I have put this in the
ubuntu forum with no reply here:
http://ubuntuforums.org/showthread.php?t=1623107
From the thread:
mount.cifs used to be able to work with kerberos tickets so long as I
changed the binary to suid root. I understand why this may have fallen
out of favour but since Meerkat, I am unable to get mount.cifs to
mount using kerberos and sudo.
# Non sudo mount.cifs with/without suid root
$ mount.cifs //server/share/directory ~/central -o sec=krb5
mount.cifs: permission denied: no match for /home/CauserC/central found in /etc/fstab
# Sudo mount.cifs with/without suid root
$ sudo mount.cifs //server/share/directory ~/central -o sec=krb5
mount error(126): Required key not available
I do definitely have a kerberos ticket, and both klist and "sudo
klist" show it to me.
Now, it does work if I do a "sudo kinit $USERNAME." Then a sudo
mount.cifs mounts the share no problem. This is obviously less than
ideal because it involves typing in a password again, and subsequent
non sudo klists result in:
$ klist
klist: Credentials cache permissions incorrect while setting cache flags (ticket cache FILE:/tmp/krb5cc_10009_8ZePnt)
I'm tempted to file this as a bug report but wanted to check in here
first to make sure that I'm not doing anything stupid. As I say, I
never tried this in Lucid as suid root worked fine.
Any help appreciated
Chris
ProblemType: Bug
DistroRelease: Ubuntu 10.10
Package: smbfs 2:4.5-2
ProcVersionSignature: Ubuntu 2.6.35-22.35-generic-pae 2.6.35.4
Uname: Linux 2.6.35-22-generic-pae i686
NonfreeKernelModules: nvidia
Architecture: i386
Date: Wed Nov 17 15:20:14 2010
InstallationMedia: Ubuntu 10.04 LTS "Lucid Lynx" - Release i386 (20100429)
ProcEnviron:
PATH=(custom, user)
LANG=en_GB.UTF-8
SHELL=/bin/bash
SourcePackage: cifs-utils
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/cifs-utils/+bug/676525/+subscriptions
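The thread mentions both alerting on ownership changes to ticket caches and a klist "Credentials cache permissions incorrect" error on /tmp/krb5cc_10009_8ZePnt. The following is an added example, not part of the original messages or of cifs-utils: a small audit that flags FILE credential caches whose owner or mode looks wrong. It assumes the default /tmp/krb5cc_<uid>[_suffix] naming; the function names and sample files are hypothetical and constructed for the demonstration.

```python
import os
import re
import stat
import tempfile

# Assumed naming: krb5cc_<uid>, optionally followed by _<random suffix>.
CCACHE_RE = re.compile(r"^krb5cc_(\d+)(?:_.+)?$")

def audit_ccaches(directory="/tmp"):
    """Return (path, problem) pairs for ticket caches that look wrong."""
    findings = []
    for name in sorted(os.listdir(directory)):
        m = CCACHE_RE.match(name)
        if not m:
            continue
        path = os.path.join(directory, name)
        st = os.lstat(path)  # lstat: do not follow a symlink using this name
        if not stat.S_ISREG(st.st_mode):
            findings.append((path, "not a regular file"))
            continue
        expected_uid = int(m.group(1))
        if st.st_uid != expected_uid:
            findings.append((path, f"owner uid {st.st_uid} != uid {expected_uid} in name"))
        mode = stat.S_IMODE(st.st_mode)
        if mode & 0o077:
            findings.append((path, f"mode {mode:04o} exposes cache to group/other"))
    return findings

def demo():
    """Create constructed sample caches in a temp dir and audit them."""
    me = os.getuid()
    with tempfile.TemporaryDirectory() as d:
        samples = {
            f"krb5cc_{me}_8ZePnt": 0o600,      # healthy: our uid, private mode
            f"krb5cc_{me + 1}_AbCdEf": 0o600,  # name claims a different uid
            f"krb5cc_{me}_loose": 0o644,       # readable by group and other
            "unrelated.tmp": 0o644,            # ignored: not a cache name
        }
        for name, mode in samples.items():
            p = os.path.join(d, name)
            with open(p, "wb") as f:
                f.write(b"constructed placeholder, not a real ccache")
            os.chmod(p, mode)
        return [(os.path.basename(p), msg) for p, msg in audit_ccaches(d)]

if __name__ == "__main__":
    for name, msg in demo():
        print(name, "-", msg)
```

Run periodically against /tmp, a non-empty result is a signal worth alerting on, since a cache owned by a uid other than the one in its name indicates it was created or re-owned by another account.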