Bug 565446 - mount.cifs sec=krb5i doesn't work with samba-client 3.4.5-0.47.fc11
Summary: mount.cifs sec=krb5i doesn't work with samba-client 3.4.5-0.47.fc11
Keywords:
Status: CLOSED WONTFIX
Alias: None
Product: Fedora
Classification: Fedora
Component: samba
Version: 11
Hardware: i586
OS: Linux
low
medium
Target Milestone: ---
Assignee: Guenther Deschner
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2010-02-15 11:13 UTC by Ludek Finstrle
Modified: 2010-06-28 15:40 UTC (History)
4 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2010-06-28 15:40:24 UTC


Attachments (Terms of Use)
patch to this bug with change TALLOC_FREE to SAFE_FREE (1.39 KB, patch)
2010-02-16 13:30 UTC, Ludek Finstrle
no flags Details | Diff
patch to this bug with change smb_krb5_unparse_name first arg from NULL to talloc_tos() (876 bytes, patch)
2010-02-16 13:34 UTC, Ludek Finstrle
no flags Details | Diff
patch -- allocate temporary talloc context to use in smb_krb5_unparse_name (1.75 KB, patch)
2010-02-16 14:17 UTC, Jeff Layton
no flags Details | Diff


Links
System ID Priority Status Summary Last Updated
Samba Project 6868 None None None Never

Description Ludek Finstrle 2010-02-15 11:13:30 UTC
Description of problem:
I have configured samba mount using sec=krb5i since samba-client 3.3.2.
It stopped working after upgrading to 3.4.5-0.47.fc11. I'm not sure if it works with 3.4.5-0.46.fc11 but definetely it worked with samba-client-3.4.2-0.42.fc11.i586

The error message is:
# mount.cifs //proliant10.office.hci/home /mnt -o username=finstrle,domain=OFFICE.HCI,uid=500,file_mode=0777,iocharset=utf8,nosuid,nodev,sec=krb5i
mount error(126): Required key not available
Refer to the mount.cifs(8) manual page (e.g. man mount.cifs)

it work ok without configuration change when I downgrade back to the 3.3.2 (yum disablerepo=updates). So I think there is no mistake in configuration.
/etc/request-key.conf:
create cifs.spnego      *       *               /usr/sbin/cifs.upcall %k %d
create dns_resolver     *       *               /usr/sbin/cifs.upcall %k %d

Version-Release number of selected component (if applicable):
Broken krb5i: 3.4.5-0.47.fc11
Last (sure) ok: 3.4.2-0.42.fc11.i586

How reproducible:
Try to use krb5i to mount cifs share againist AD (I think we have win 2003R2 server). My linux box isn't part of domain.

Steps to Reproduce:
1.install samba packages
2.configure /etc/krb5.conf
3.add these lines to /etc/request-key.conf:
create cifs.spnego      *       *               /usr/sbin/cifs.upcall %k %d
create dns_resolver     *       *               /usr/sbin/cifs.upcall %k %d
4.as root: kinit <login@REALM>
5.as root: mount.cifs //<server>/<share> /mnt -o username=<username>,domain=<domain realm>,iocharset=utf8,nosuid,nodev,sec=krb5i
  
Actual results:
mount error(126): Required key not available
Refer to the mount.cifs(8) manual page (e.g. man mount.cifs)


Expected results:
mount the share to the /mnt

Additional info:

Comment 1 Ludek Finstrle 2010-02-15 12:00:45 UTC
I found that last working (even test version) is 3.4.3-0.44.fc11.

I also get better trace using:
echo 3 > /proc/fs/cifs/cifsFYI
and then dmesg.

The working verison 3.4.3-0.44.fc11 dmesg:

 fs/cifs/cifsfs.c: Devname: //proliant10.office.hci/home flags: 64
 fs/cifs/connect.c: CIFS VFS: in cifs_mount as Xid: 235 with uid: 0
 fs/cifs/connect.c: Domain name set
 fs/cifs/connect.c: iocharset set to utf8
 fs/cifs/connect.c: Username: finstrle
 fs/cifs/connect.c: UNC: \\proliant10.office.hci\home ip: 192.168.33.2
 fs/cifs/connect.c: Socket created
 fs/cifs/connect.c: sndbuf 16384 rcvbuf 87380 rcvtimeo 0x1b58
 fs/cifs/connect.c: Existing smb sess not found
 fs/cifs/cifssmb.c: secFlags 0x1009
 fs/cifs/cifssmb.c: Kerberos only mechanism, enable extended security
 fs/cifs/transport.c: For smb_command 114
 fs/cifs/connect.c: Demultiplex PID: 6669
 fs/cifs/transport.c: Sending smb:  total_len 82
 fs/cifs/connect.c: rfc1002 length 0xb7
 fs/cifs/cifssmb.c: Dialect: 2
 fs/cifs/asn1.c: OID len = 7 oid = 0x1 0x2 0x348 0xbb92
 fs/cifs/asn1.c: OID len = 7 oid = 0x1 0x2 0x348 0x1bb92
 fs/cifs/asn1.c: OID len = 8 oid = 0x1 0x2 0x348 0x1bb92
 fs/cifs/asn1.c: OID len = 10 oid = 0x1 0x3 0x6 0x1
 fs/cifs/asn1.c: Need to call asn1_octets_decode() function for proliant10$@OFFICE.HCI
 fs/cifs/cifssmb.c: Must sign - secFlags 0x1009
 fs/cifs/cifssmb.c: negprot rc 0
 fs/cifs/connect.c: Security Mode: 0xf Capabilities: 0x8001f3fd TimeAdjust: -3600
 fs/cifs/sess.c: sess setup type 7
 fs/cifs/cifs_spnego.c: key description = ver=0x2;host=proliant10.office.hci;ip4=192.168.33.2;sec=mskrb5;uid=0x1f4;user=finstrle
 fs/cifs/transport.c: For smb_command 115
 fs/cifs/transport.c: Sending smb:  total_len 4018
 fs/cifs/connect.c: rfc1002 length 0xd5
 fs/cifs/misc.c: Null buffer passed to cifs_small_buf_release
 fs/cifs/sess.c: ssetup rc from sendrecv2 is 0
 fs/cifs/sess.c: UID = 4098
 fs/cifs/sess.c: bleft 139
 fs/cifs/sess.c: serverOS=Windows Server 2003 R2 3790 Service Pack 2
 fs/cifs/sess.c: serverNOS=Windows Server 2003 R2 5.2
 fs/cifs/sess.c: ssetup freeing small buf f66d6e00
 fs/cifs/connect.c: CIFS Session Established successfully
 fs/cifs/connect.c: file mode: 0x1ff  dir mode: 0x1ff
 fs/cifs/transport.c: For smb_command 117
 fs/cifs/transport.c: Sending smb:  total_len 112
 fs/cifs/connect.c: rfc1002 length 0x42
 fs/cifs/connect.c: disk share connection
 fs/cifs/connect.c: nativeFileSystem=NTFS
 fs/cifs/connect.c: Tcon flags: 0x1
 fs/cifs/connect.c: CIFS Tcon rc = 0
 fs/cifs/cifssmb.c: In QFSDeviceInfo
 fs/cifs/transport.c: For smb_command 50
 fs/cifs/transport.c: Sending smb:  total_len 72
 fs/cifs/connect.c: rfc1002 length 0x44
 fs/cifs/cifssmb.c: In QFSAttributeInfo
 fs/cifs/transport.c: For smb_command 50
 fs/cifs/transport.c: Sending smb:  total_len 72
 fs/cifs/connect.c: rfc1002 length 0x50
 fs/cifs/connect.c: CIFS VFS: leaving cifs_mount (xid = 235) rc = 0
 fs/cifs/inode.c: CIFS VFS: in cifs_iget as Xid: 236 with uid: 0
 fs/cifs/inode.c: Getting info on
 fs/cifs/transport.c: For smb_command 50
 fs/cifs/transport.c: Sending smb:  total_len 78
 fs/cifs/connect.c: rfc1002 length 0x92
 fs/cifs/inode.c: Old time 0
 fs/cifs/inode.c: New time 6536948

The broken version 3.4.4-0.45.fc11 dmesg:
 fs/cifs/cifsfs.c: Devname: //proliant10.office.hci/home flags: 64
 fs/cifs/connect.c: CIFS VFS: in cifs_mount as Xid: 234 with uid: 0
 fs/cifs/connect.c: Domain name set
 fs/cifs/connect.c: iocharset set to utf8
 fs/cifs/connect.c: Username: finstrle
 fs/cifs/connect.c: UNC: \\proliant10.office.hci\home ip: 192.168.33.2
 fs/cifs/connect.c: Socket created
 fs/cifs/connect.c: sndbuf 16384 rcvbuf 87380 rcvtimeo 0x1b58
 fs/cifs/connect.c: Existing smb sess not found
 fs/cifs/connect.c: Demultiplex PID: 6623
 fs/cifs/cifssmb.c: secFlags 0x1009
 fs/cifs/cifssmb.c: Kerberos only mechanism, enable extended security
 fs/cifs/transport.c: For smb_command 114
 fs/cifs/transport.c: Sending smb:  total_len 82
 fs/cifs/connect.c: rfc1002 length 0xb7
 fs/cifs/cifssmb.c: Dialect: 2
 fs/cifs/asn1.c: OID len = 7 oid = 0x1 0x2 0x348 0xbb92
 fs/cifs/asn1.c: OID len = 7 oid = 0x1 0x2 0x348 0x1bb92
 fs/cifs/asn1.c: OID len = 8 oid = 0x1 0x2 0x348 0x1bb92
 fs/cifs/asn1.c: OID len = 10 oid = 0x1 0x3 0x6 0x1
 fs/cifs/asn1.c: Need to call asn1_octets_decode() function for proliant10$@OFFICE.HCI
 fs/cifs/cifssmb.c: Must sign - secFlags 0x1009
 fs/cifs/cifssmb.c: negprot rc 0
 fs/cifs/connect.c: Security Mode: 0xf Capabilities: 0x8001f3fd TimeAdjust: -3600
 fs/cifs/sess.c: sess setup type 7
 fs/cifs/cifs_spnego.c: key description = ver=0x2;host=proliant10.office.hci;ip4=192.168.33.2;sec=mskrb5;uid=0x1f4;user=finstrle
 fs/cifs/sess.c: ssetup freeing small buf f4972540
 CIFS VFS: Send error in SessSetup = -126
 fs/cifs/connect.c: CIFS VFS: leaving cifs_mount (xid = 234) rc = -126
 CIFS VFS: cifs_mount failed w/return code = -126

Comment 2 Jeff Layton 2010-02-15 12:03:59 UTC
After you run the kinit above, can you run 'klist' and paste the output into this bug?

Comment 3 Jeff Layton 2010-02-15 12:08:38 UTC
Actually, even better would be a kinit after a mount attempt.

Comment 4 Jeff Layton 2010-02-15 12:09:02 UTC
...I mean a klist after a mount attempt, not a kinit...

Comment 5 Ludek Finstrle 2010-02-15 12:23:38 UTC
klist before and after the mount command is the same (with broken version):

# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: finstrle@OFFICE.HCI

Valid starting     Expires            Service principal
02/15/10 13:17:42  02/15/10 23:17:47  krbtgt/OFFICE.HCI@OFFICE.HCI
	renew until 02/16/10 13:17:42


Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached

How can I trace which host/xxx it tries?

# kvno host/proliant10.office.hci@OFFICE.HCI
host/proliant10.office.hci@OFFICE.HCI: kvno = 25

This kvno command add also (klist)
02/15/10 13:20:41  02/15/10 23:17:47  host/proliant10.office.hci@OFFICE.HCI
	renew until 02/16/10 13:17:42

But the mount command still failed.

Comment 6 Jeff Layton 2010-02-15 12:53:10 UTC
Hmmm...looks like that should be working.

cifs.upcall will log at the daemon.debug level. What might be good is to configure syslog to log that to a separate file. Something like this in syslog.conf:

    daemon.debug	/var/log/daemon.debug

...reload syslog and reattempt the mount and then check and see if there's anything interesting in that file.

Comment 7 Ludek Finstrle 2010-02-16 08:26:57 UTC
Nothing interesting:
Feb 16 09:23:44 finstrle cifs.upcall: key description: cifs.spnego;0;0;3f000000;ver=0x2;host=proliant10.office.hci;ip4=192.168.33.2;sec=mskrb5;uid=0x1f4;user=finstrle
Feb 16 09:23:44 finstrle cifs.upcall: find_krb5_cc: considering /tmp/<file>

Any idea what's wrong? Can I get more detailed debug info?

Comment 8 Ludek Finstrle 2010-02-16 08:44:56 UTC
For complete information. The change to get it working/not working is only this:

# here I have non function version of samba: libsmbclient, samba-common, samba-client, samba-winbind
$ rpm -Uvh ~luf/Download/samba/*.rpm
$ mount.cifs //proliant10.office.hci/home /mnt -o username=finstrle,domain=OFFICE,uid=500,file_mode=0777,iocharset=utf8,nosuid,nodev,sec=krb5i
mount error(126): Required key not available
Refer to the mount.cifs(8) manual page (e.g. man mount.cifs)

# here I have older version of samba packages
rpm -Uvh ~luf/Download/samba.working-latest/* --force
mount.cifs //proliant10.office.hci/home /mnt -o username=finstrle,domain=OFFICE,uid=500,file_mode=0777,iocharset=utf8,nosuid,nodev,sec=krb5i
# this worked ...

Comment 9 Ludek Finstrle 2010-02-16 09:29:08 UTC
I tried the debug with working version of samba and I see that the debug continues with:

Feb 16 10:06:27 finstrle cifs.upcall: find_krb5_cc: FILE:/tmp/<file> is valid ccache
Feb 16 10:06:27 finstrle cifs.upcall: handle_krb5_mech: getting service ticket for cifs/proliant10.office.hci
Feb 16 10:06:27 finstrle cifs.upcall: handle_krb5_mech: obtained service ticket

Hmmm, why newer samba doesn't recognize the kerberos ccache as valid?

Comment 10 Ludek Finstrle 2010-02-16 10:18:32 UTC
I take a look into source code and there is code change in cifs.upcall.
It seems that cifs.upcall fails somewhere becouse there have to be some log entry after considering (it isn't so it has to fail the process). I'm looking deeper.

Comment 11 Ludek Finstrle 2010-02-16 12:19:31 UTC
I think I find the bug. I have to verify it and then I'll upload the patch.

Comment 12 Ludek Finstrle 2010-02-16 12:31:47 UTC
The basic problem is in source3/client/cifs.upcall.c (function get_tgt_time). It fails on TALLOC_FREE(name);
When I remove the line it works ok.
I tried switch lines from:

krb5_free_cred_contents(context, &creds);
TALLOC_FREE(name);

to

TALLOC_FREE(name);
krb5_free_cred_contents(context, &creds);

with no success.

Comment 13 Jeff Layton 2010-02-16 12:43:49 UTC
Thanks for tracking it down that far. I'm not sure why that would fall down...

Gunther, any ideas?

Comment 14 Jeff Layton 2010-02-16 12:45:48 UTC
Also, Ludek...what version of libtalloc do you have installed?

Comment 15 Ludek Finstrle 2010-02-16 13:05:03 UTC
I try put TALLOC_FREE(name); right below the if with smb_krb5_unparse_name and it failed again. So now I'm trying this change:
if (smb_krb5_unparse_name(NULL, context, creds.server, &name)) {

to

if (smb_krb5_unparse_name(talloc_tos(), context, creds.server, &name)) {

I do it becouse I see no other smb_krb5_unparse_name with NULL. Maybe use SAFE_FREE (when first arg is NULL) instead of TALLOC_FREE?

Comment 16 Ludek Finstrle 2010-02-16 13:05:41 UTC
libtalloc 1.3.1-0.fc11

Comment 17 Ludek Finstrle 2010-02-16 13:11:10 UTC
That's it!
There is problem in NULL in smb_krb5_unparse_name.

There is two ways:
1) use talloc_tos() instead of NULL
2) use SAFE_FREE(name) instead of TALLOC_FREE(name)

Comment 18 Ludek Finstrle 2010-02-16 13:12:50 UTC
That's it - I mean I tried 1) use talloc_tos() instead of NULL (rebuild the samba-client RPM from src.rpm) and now it works ok.

Do you need something else from me?

Comment 19 Jeff Layton 2010-02-16 13:20:08 UTC
Interesting -- thanks for tracking it down. At this point I think we have it covered. I *thought* it was ok to do a talloc allocation with a null context, but maybe that's not the case with older talloc versions.

At this point, I'll wait for GD to chime in since he's worked with talloc more than I have...

Comment 20 Ludek Finstrle 2010-02-16 13:27:34 UTC
There is no problem in allocation at all but it's not (talloc?) in deeper function (convert_string_allocate) is:

        if (ctx) {
                ob = (char *)TALLOC_REALLOC(ctx, ob, destlen + 2);
        } else {
                ob = (char *)SMB_REALLOC(ob, destlen + 2);
        }

Also in error handling in this function is:

                if (ctx) {
                        TALLOC_FREE(ob);
                } else {
                        SAFE_FREE(ob);
                }

So this is the root of problem.

Comment 21 Ludek Finstrle 2010-02-16 13:30:56 UTC
Created attachment 394540 [details]
patch to this bug with change TALLOC_FREE to SAFE_FREE

Comment 22 Ludek Finstrle 2010-02-16 13:34:26 UTC
Created attachment 394541 [details]
patch to this bug with change smb_krb5_unparse_name first arg from NULL to talloc_tos()

Comment 23 Ludek Finstrle 2010-02-16 13:36:54 UTC
Both patches also contains char *name = NULL;

If you'll need more info please contact me directly by e-mail. I don't know why I don't receive e-mail notifications for comments.

Comment 24 Jeff Layton 2010-02-16 13:43:09 UTC
Actually Simo piped in that he knows what the problem is:

08:38 < simo> jlayton, if you pass NULL down many calls into the conversion we do SMB_STRDUP() instead of talloc_strdup()
08:39 <@jlayton> ahh
08:39 < simo> jlayton, the fix is to either make sure we use SDAFE_FREE() or always pass a real context
08:39 < simo> I would say it is safer to passa real context here

...I'll spin up a patch to do that. I think that just means doing a talloc_init early in that function.

Comment 25 Jeff Layton 2010-02-16 13:43:57 UTC
talloc_tos() is probably incorrect there too -- as gd points out:

08:29 <@gd> it would leak, as there is no talloc_stackframe around

Comment 26 Jeff Layton 2010-02-16 14:17:48 UTC
Created attachment 394553 [details]
patch -- allocate temporary talloc context to use in smb_krb5_unparse_name

I think this patch does the right thing here. Ludek, would you be able to test it and let me know if it fixes the problem?

Comment 27 Ludek Finstrle 2010-02-16 14:29:10 UTC
I'll test it tomorrow as I have to leave computer today.

Comment 28 Jeff Layton 2010-02-16 15:37:44 UTC
Reassigning to GD to handle while I'm traveling...

Comment 29 Ludek Finstrle 2010-02-17 09:11:10 UTC
I confirm Jeff's patch fix this problem. It works ok.

Comment 30 Fedora Update System 2010-02-17 12:37:30 UTC
samba-3.4.5-56.fc12 has been submitted as an update for Fedora 12.
http://admin.fedoraproject.org/updates/samba-3.4.5-56.fc12

Comment 31 Fedora Update System 2010-02-17 12:38:36 UTC
samba-3.4.5-0.48.fc11 has been submitted as an update for Fedora 11.
http://admin.fedoraproject.org/updates/samba-3.4.5-0.48.fc11

Comment 32 Guenther Deschner 2010-02-17 12:41:52 UTC
Thanks, Ludek, for testing.

I prepared updates for f11/f12, once they are available to you, could you please give karma ?

Comment 33 Ludek Finstrle 2010-02-17 13:18:13 UTC
I downloaded and updated to samba-3.4.5-0.48.fc11 and it works as expected.
Thanks you and Jeff for fast reaction.

Comment 34 Fedora Update System 2010-02-18 22:34:35 UTC
samba-3.4.5-0.48.fc11 has been pushed to the Fedora 11 testing repository.  If problems still persist, please make note of it in this bug report.
 If you want to test the update, you can install it with 
 su -c 'yum --enablerepo=updates-testing update samba'.  You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F11/FEDORA-2010-1364

Comment 35 Fedora Update System 2010-02-18 22:36:04 UTC
samba-3.4.5-56.fc12 has been pushed to the Fedora 12 testing repository.  If problems still persist, please make note of it in this bug report.
 If you want to test the update, you can install it with 
 su -c 'yum --enablerepo=updates-testing update samba'.  You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F12/FEDORA-2010-1653

Comment 36 Fedora Update System 2010-02-25 13:27:49 UTC
samba-3.4.6-0.49.fc11 has been submitted as an update for Fedora 11.
http://admin.fedoraproject.org/updates/samba-3.4.6-0.49.fc11

Comment 37 Fedora Update System 2010-02-26 03:36:25 UTC
samba-3.4.6-0.49.fc11 has been pushed to the Fedora 11 testing repository.  If problems still persist, please make note of it in this bug report.
 If you want to test the update, you can install it with 
 su -c 'yum --enablerepo=updates-testing update samba'.  You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F11/FEDORA-2010-2900

Comment 38 Bug Zapper 2010-04-28 11:51:36 UTC
This message is a reminder that Fedora 11 is nearing its end of life.
Approximately 30 (thirty) days from now Fedora will stop maintaining
and issuing updates for Fedora 11.  It is Fedora's policy to close all
bug reports from releases that are no longer maintained.  At that time
this bug will be closed as WONTFIX if it remains open with a Fedora 
'version' of '11'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version' 
to a later Fedora version prior to Fedora 11's end of life.

Bug Reporter: Thank you for reporting this issue and we are sorry that 
we may not be able to fix it before Fedora 11 is end of life.  If you 
would still like to see this bug fixed and are able to reproduce it 
against a later version of Fedora please change the 'version' of this 
bug to the applicable version.  If you are unable to change the version, 
please add a comment here and someone will do it for you.

Although we aim to fix as many bugs as possible during every release's 
lifetime, sometimes those efforts are overtaken by events.  Often a 
more recent Fedora release includes newer upstream software that fixes 
bugs or makes them obsolete.

The process we are following is described here: 
http://fedoraproject.org/wiki/BugZappers/HouseKeeping

Comment 39 Bug Zapper 2010-06-28 15:40:24 UTC
Fedora 11 changed to end-of-life (EOL) status on 2010-06-25. Fedora 11 is 
no longer maintained, which means that it will not receive any further 
security or bug fix updates. As a result we are closing this bug.

If you can reproduce this bug against a currently maintained version of 
Fedora please feel free to reopen this bug against that version.

Thank you for reporting this bug and we are sorry it could not be fixed.


Note You need to log in before you can comment on or make changes to this bug.