[Bug 2012143] The source of the extra randomness in the krb5 credential cache name, explained
Karl O. Pinc
2012143 at bugs.launchpad.net
Mon Mar 20 19:27:38 UTC 2023
Hi,

FYI. Looks like the "extra stuff" added to the credential
cache name comes from sssd, via pam_sss, or perhaps pam_sss_gss.
Further information here:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1033164

Supposedly, $KRB5CCNAME is set. So the problem seems to be
that cifs.upcall is not looking at this value. Perhaps this
is because systemd.automount is doing things as root?

In any case, cifs.upcall is not getting the information it needs
to work properly. If the cause is that the automounting is
happening as root, I don't see that there's a mechanism in place
whereby it could. At least not by adding fstab entries. Perhaps
there's some systemd-fu that would make it work.

Regards,

Karl <kop at karlpinc.com>
Free Software: "You don't pay back, you pay forward."
-- Robert A. Heinlein
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to cifs-utils in Ubuntu.
https://bugs.launchpad.net/bugs/2012143
Title:
cifs.upcall does not use the kerberos default credential cache file,
so many features fail
Status in cifs-utils package in Ubuntu:
New
Bug description:
cifs.upcall does not use the default kerberos credential cache file
name. Attempting to make smb3 mounts in /etc/fstab with
username=...,cruid=...,domain=...,sec=krb5,multiuser,_netdev,x-systemd.automount
fails, with messages in the journalctl logs like:

    ...krb5_child[4725]: No credentials cache found (filename:
    /tmp/krb5cc_127408622_wH2NwY

This can be worked around by adding:

    [libdefaults]
    # Use the same cache path as cifs.upcall
    # Supposedly the value we set is the default, but there seems to be
    # an additional underscore and then a 4 character hash unless
    # this is set. The result, unless we set this param, is that
    # cifs.upcall cannot get the kerberos ticket-granting-ticket.
    # This is only visible in the journalctl logs.
    default_ccache_name = FILE:/tmp/krb5cc_%{euid}

to /etc/krb5.conf. I believe a reboot is required.
This is with user accounts authenticated against MS Active Directory. (Which
uses kerberos).
Without the workaround the user accounts do not authenticate, so per-
user mounts are not possible.
See also Ubuntu bug #2012140
https://bugs.launchpad.net/ubuntu/+source/krb5/+bug/2012140
ProblemType: Bug
DistroRelease: Ubuntu 22.04
Package: cifs-utils 2:6.14-1ubuntu0.1
ProcVersionSignature: Ubuntu 5.15.0-67.74-generic 5.15.85
Uname: Linux 5.15.0-67-generic x86_64
ApportVersion: 2.20.11-0ubuntu82.3
Architecture: amd64
CasperMD5CheckResult: pass
Date: Sat Mar 18 17:43:19 2023
InstallationDate: Installed on 2023-03-09 (9 days ago)
InstallationMedia: Ubuntu-Server 22.04.2 LTS "Jammy Jellyfish" - Release amd64 (20230217.1)
ProcEnviron:
SHELL=/bin/bash
LANG=en_US.UTF-8
TERM=xterm-256color
PATH=(custom, no user)
SourcePackage: cifs-utils
UpgradeStatus: No upgrade log present (probably fresh install)
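
An added diagnostic sketch, not part of the bug report and not cifs-utils or sssd code: it expands the workaround's default_ccache_name for a uid and reports whether a directory listing holds that exact cache file or only suffixed variants like the one in the log line above. It assumes only the %{uid} and %{euid} tokens are used; the function names and the sample listing are constructed for illustration.

```python
import re

# Constructed sample listing of /tmp; the first name is the one from the log line.
SAMPLE_LISTING = [
    "/tmp/krb5cc_127408622_wH2NwY",
    "/tmp/krb5cc_0",
    "/tmp/systemd-private-example",
]


def expand_ccache_name(template, uid):
    """Expand %{uid}/%{euid} in a default_ccache_name value.

    Returns (cache_type, residual). A bare path with no TYPE: prefix is
    treated as a FILE cache.
    """
    expanded = re.sub(r"%\{e?uid\}", str(uid), template)
    cc_type, sep, residual = expanded.partition(":")
    if not sep or cc_type.startswith("/"):
        return "FILE", expanded
    return cc_type.upper(), residual


def diagnose(template, uid, present):
    """Compare the expected cache path for uid with the paths in `present`."""
    cc_type, expected = expand_ccache_name(template, uid)
    if cc_type != "FILE":
        # KEYRING:, DIR:, KCM: caches are not single files under /tmp.
        return {"expected": f"{cc_type}:{expected}",
                "status": "not-file-cache", "suffixed": []}
    # Variants such as krb5cc_<uid>_wH2NwY: expected name, underscore, suffix.
    variant = re.compile(re.escape(expected) + r"_[A-Za-z0-9]+")
    suffixed = sorted(p for p in present if variant.fullmatch(p))
    if expected in present:
        status = "ok"
    elif suffixed:
        status = "suffixed-only"   # a cache exists, but not under the expected name
    else:
        status = "missing"
    return {"expected": expected, "status": status, "suffixed": suffixed}


if __name__ == "__main__":
    print(diagnose("FILE:/tmp/krb5cc_%{euid}", 127408622, SAMPLE_LISTING))
```

On a live host, pass the real contents of /tmp (for example from os.listdir) in place of the constructed listing.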