Bug 667382

Summary: cifs.upcall does not accept the '-l' command line option
Product: Red Hat Enterprise Linux 6
Component: cifs-utils
Version: 6.0
Status: CLOSED ERRATA
Severity: medium
Priority: low
Reporter: Stefan Walter <walteste>
Assignee: Jeff Layton <jlayton>
QA Contact: yanfu,wang <yanwang>
CC: metze, steved, yanwang
Target Milestone: rc
Keywords: Reopened
Hardware: Unspecified
OS: Unspecified
Doc Type: Bug Fix
Last Closed: 2011-05-19 13:07:01 UTC

Description Stefan Walter 2011-01-05 13:56:00 UTC
Description of problem:

When mounting a share as root with kerberos, cifs.upcall will always use
the ticket of root (/tmp/krb5cc_0) instead of the one of the user specified
with 'uid=' or 'user=':

I do:

# mount.cifs -o user=walteste,uid=walteste,sec=krb5 '//nas-nethz-users.d.ethz.ch/share-w-$' /mnt

In the logs I see this:

Jan  5 14:26:57 osaka cifs.upcall: find_krb5_cc: considering /tmp/krb5cc_0
Jan  5 14:26:57 osaka cifs.upcall: find_krb5_cc: FILE:/tmp/krb5cc_0 is valid ccache
Jan  5 14:26:57 osaka cifs.upcall: find_krb5_cc: considering /tmp/krb5cc_50515_glVIiD
Jan  5 14:26:57 osaka cifs.upcall: find_krb5_cc: /tmp/krb5cc_50515_glVIiD is owned by 50515, not 0
Jan  5 14:26:57 osaka cifs.upcall: find_krb5_cc: considering /tmp/krb5cc_42474_6j8kJD
Jan  5 14:26:57 osaka cifs.upcall: find_krb5_cc: /tmp/krb5cc_42474_6j8kJD is owned by 42474, not 0
Jan  5 14:26:57 osaka cifs.upcall: find_krb5_cc: considering /tmp/krb5cc_50515_aZvk46
Jan  5 14:26:57 osaka cifs.upcall: find_krb5_cc: /tmp/krb5cc_50515_aZvk46 is owned by 50515, not 0
Jan  5 14:26:57 osaka cifs.upcall: find_krb5_cc: considering /tmp/krb5cc_50515_B96At9
Jan  5 14:26:57 osaka cifs.upcall: find_krb5_cc: /tmp/krb5cc_50515_B96At9 is owned by 50515, not 0

The '-l' option of cifs.upcall seems to be intended to address this but it
is not implemented:

# cifs.upcall -l
cifs.upcall: invalid option -- 'l'

Version-Release number of selected component (if applicable):

cifs-utils-4.4-5

Steps to Reproduce:

1. Log in as the user who owns the share and do a 'kinit' to get a ticket
2. As root get a ticket for some other user, e.g., via keytab
3. As root mount the share with sec=krb5 and user/uid options specified
  
Actual results:

Share is mounted but the user has no access.

Expected results:

Share is mounted and user can access files.
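
The find_krb5_cc log lines in the description show the upcall accepting only credential caches owned by the uid it is searching for. As an added example (not part of the original report and not cifs-utils code), this Python script summarizes such lines and flags when caches belonging to the expected mount user were skipped; the function names and the expected uid of 50515 are assumptions for illustration.

```python
import re

# Sample input: a subset of the syslog lines quoted in the report above.
SAMPLE_LOG = """\
Jan  5 14:26:57 osaka cifs.upcall: find_krb5_cc: considering /tmp/krb5cc_0
Jan  5 14:26:57 osaka cifs.upcall: find_krb5_cc: FILE:/tmp/krb5cc_0 is valid ccache
Jan  5 14:26:57 osaka cifs.upcall: find_krb5_cc: considering /tmp/krb5cc_50515_glVIiD
Jan  5 14:26:57 osaka cifs.upcall: find_krb5_cc: /tmp/krb5cc_50515_glVIiD is owned by 50515, not 0
Jan  5 14:26:57 osaka cifs.upcall: find_krb5_cc: considering /tmp/krb5cc_42474_6j8kJD
Jan  5 14:26:57 osaka cifs.upcall: find_krb5_cc: /tmp/krb5cc_42474_6j8kJD is owned by 42474, not 0
"""

MSG = re.compile(r"cifs\.upcall: find_krb5_cc: (?P<msg>.*)$")
VALID = re.compile(r"^(?:FILE:)?(?P<path>\S+) is valid ccache$")
OWNED = re.compile(r"^(?P<path>\S+) is owned by (?P<owner>\d+), not (?P<want>\d+)$")


def summarize(log_text):
    """Return the uid the upcall searched for and the fate of each ccache."""
    result = {"searched_uid": None, "accepted": [], "rejected": {}}
    for line in log_text.splitlines():
        m = MSG.search(line)
        if not m:
            continue
        msg = m.group("msg")
        if (v := VALID.match(msg)):
            result["accepted"].append(v.group("path"))
        elif (o := OWNED.match(msg)):
            result["searched_uid"] = int(o.group("want"))
            result["rejected"].setdefault(int(o.group("owner")), []).append(o.group("path"))
    return result


def check_mount_uid(log_text, expected_uid):
    """Flag the case in this report: caches of expected_uid skipped for another uid."""
    s = summarize(log_text)
    findings = []
    if s["searched_uid"] is not None and s["searched_uid"] != expected_uid:
        findings.append(f"upcall searched ccaches of uid {s['searched_uid']}, not {expected_uid}")
    for path in s["rejected"].get(expected_uid, []):
        findings.append(f"skipped {path} owned by uid {expected_uid}")
    return findings


if __name__ == "__main__":
    # 50515 is an illustrative uid taken from the log; the report does not state the user's uid.
    for finding in check_mount_uid(SAMPLE_LOG, expected_uid=50515):
        print(finding)
```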

Comment 1 Jeff Layton 2011-01-05 14:02:49 UTC
This is correct behavior. If you require the legacy behavior from cifs.upcall, then please specify the --legacy-uid flag in request-key.conf. See the cifs.upcall manpage for more info.

Comment 2 Jeff Layton 2011-01-05 14:48:41 UTC
Ahh sorry, just noticed the latter part about -l not working. Will have a look...

Comment 4 Jeff Layton 2011-01-05 15:39:28 UTC
Ok, I've just sent a couple of patches to the list and to you that should fix this bug (and another, related bug that causes a segfault). Are you able to test these and let me know if they fix the problem?

Comment 6 Jeff Layton 2011-01-05 17:38:46 UTC
I have some candidate packages here:

    http://people.redhat.com/jlayton/rhel6/cifs-utils/

Could you test them and let me know if they fix the problem for you?

Comment 7 Stefan Walter 2011-01-06 10:49:18 UTC
I installed cifs-utils-4.7-4.el6 on my test systems and that accepts the '-l'
option just fine and the mount works. Thanks a lot.

When will this patch make it to the regular RHEL6 updates? Will it help if
I also open a case at access.redhat.com?

Comment 8 Jeff Layton 2011-01-06 12:57:16 UTC
Great, thanks for testing it. It should make 6.1. Opening a case at access.redhat.com would be ideal. When you do so, be sure to reference this BZ so that they know that it's a known bug with a pending fix.

Comment 10 yanfu,wang 2011-03-18 08:24:09 UTC
reproduced on RHEL6.0:
[root@hp-p6100z-02 ~]# rpm -qa|grep cifs-utils
cifs-utils-4.4-5.el6.x86_64
[root@hp-p6100z-02 ~]# cifs.upcall -l
cifs.upcall: invalid option -- 'l'

verified on RHEL6.1 on i386 and x86_64:
[root@sun-x8450-01 ~]# rpm -qa|grep cifs-utils
cifs-utils-4.8.1-1.el6.x86_64
[root@hp-p6100z-02 ~]# cifs.upcall -l
Usage: cifs.upcall [-t] [-v] [-l] key_serial

Comment 11 errata-xmlrpc 2011-05-19 13:07:01 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2011-0569.html