Bug 667382 - cifs.upcall does not accept the '-l' command line option
Summary: cifs.upcall does not accept the '-l' command line option
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: cifs-utils
Version: 6.0
Hardware: Unspecified
OS: Unspecified
low
medium
Target Milestone: rc
: ---
Assignee: Jeff Layton
QA Contact: yanfu,wang
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2011-01-05 13:56 UTC by Stefan Walter
Modified: 2014-06-18 07:40 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2011-05-19 13:07:01 UTC
Target Upstream Version:
Embargoed:


Links
System | ID | Private | Priority | Status | Summary | Last Updated
Red Hat Product Errata | RHBA-2011:0569 | 0 | normal | SHIPPED_LIVE | cifs-utils bug fix update | 2011-05-18 17:57:06 UTC

Description Stefan Walter 2011-01-05 13:56:00 UTC
Description of problem:

When mounting a share as root with kerberos, cifs.upcall will always use
the ticket of root (/tmp/krb5cc_0) instead of the one of the user specified
with 'uid=' or 'user=':

I do:

# mount.cifs -o user=walteste,uid=walteste,sec=krb5 '//nas-nethz-users.d.ethz.ch/share-w-$' /mnt

In the logs I see this:

Jan  5 14:26:57 osaka cifs.upcall: find_krb5_cc: considering /tmp/krb5cc_0
Jan  5 14:26:57 osaka cifs.upcall: find_krb5_cc: FILE:/tmp/krb5cc_0 is valid ccache
Jan  5 14:26:57 osaka cifs.upcall: find_krb5_cc: considering /tmp/krb5cc_50515_glVIiD
Jan  5 14:26:57 osaka cifs.upcall: find_krb5_cc: /tmp/krb5cc_50515_glVIiD is owned by 50515, not 0
Jan  5 14:26:57 osaka cifs.upcall: find_krb5_cc: considering /tmp/krb5cc_42474_6j8kJD
Jan  5 14:26:57 osaka cifs.upcall: find_krb5_cc: /tmp/krb5cc_42474_6j8kJD is owned by 42474, not 0
Jan  5 14:26:57 osaka cifs.upcall: find_krb5_cc: considering /tmp/krb5cc_50515_aZvk46
Jan  5 14:26:57 osaka cifs.upcall: find_krb5_cc: /tmp/krb5cc_50515_aZvk46 is owned by 50515, not 0
Jan  5 14:26:57 osaka cifs.upcall: find_krb5_cc: considering /tmp/krb5cc_50515_B96At9
Jan  5 14:26:57 osaka cifs.upcall: find_krb5_cc: /tmp/krb5cc_50515_B96At9 is owned by 50515, not 0

The '-l' option of cifs.upcall seems to be intended to address this but it
is not implemented:

# cifs.upcall -l
cifs.upcall: invalid option -- 'l'

Version-Release number of selected component (if applicable):

cifs-utils-4.4-5

Steps to Reproduce:

1. Log in as the user who owns the share and do a 'kinit' to get a ticket
2. As root get a ticket for some other user, e.g., via keytab
3. As root mount the share with sec=krb5 and user/uid options specified
  
Actual results:

Share is mounted but the user has no access.

Expected results:

Share is mounted and user can access files.
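
One way to spot this situation from cifs.upcall log lines in the format quoted in the description above (an added example, not part of the original report and not cifs-utils code): it parses the find_krb5_cc messages and reports which credential cache was accepted and which were passed over for belonging to another uid. The sample log is constructed, and the function and field names are this example's own.

```python
import re
from collections import namedtuple

# Constructed sample in the syslog format shown in the report (not real log data).
SAMPLE_LOG = """\
Jan  5 14:26:57 host1 cifs.upcall: find_krb5_cc: considering /tmp/krb5cc_0
Jan  5 14:26:57 host1 cifs.upcall: find_krb5_cc: FILE:/tmp/krb5cc_0 is valid ccache
Jan  5 14:26:57 host1 cifs.upcall: find_krb5_cc: considering /tmp/krb5cc_1001_AAAAAA
Jan  5 14:26:57 host1 cifs.upcall: find_krb5_cc: /tmp/krb5cc_1001_AAAAAA is owned by 1001, not 0
Jan  5 14:26:57 host1 cifs.upcall: find_krb5_cc: considering /tmp/krb5cc_1002_BBBBBB
Jan  5 14:26:57 host1 cifs.upcall: find_krb5_cc: /tmp/krb5cc_1002_BBBBBB is owned by 1002, not 0
"""

# "FILE:<path> is valid ccache" marks a cache the upcall accepted.
VALID = re.compile(r"find_krb5_cc: (?:FILE:)?(\S+) is valid ccache")
# "<path> is owned by <owner>, not <wanted>" marks a cache rejected on ownership.
SKIPPED = re.compile(r"find_krb5_cc: (\S+) is owned by (\d+), not (\d+)")

Summary = namedtuple("Summary", "wanted_uid accepted skipped")


def summarize(log_text):
    """Summarize one credential-cache scan: uid searched for, caches accepted,
    and caches skipped (path -> owner uid). Treats the input as a single scan."""
    accepted, skipped, wanted = [], {}, None
    for line in log_text.splitlines():
        if "cifs.upcall" not in line:
            continue
        m = SKIPPED.search(line)
        if m:
            skipped[m.group(1)] = int(m.group(2))
            wanted = int(m.group(3))  # the uid the upcall was looking for
            continue
        m = VALID.search(line)
        if m:
            accepted.append(m.group(1))
    return Summary(wanted, accepted, skipped)


def root_cache_used(summary):
    """True when the scan looked for uid 0, accepted a cache, and skipped
    caches owned by other users: the pattern described in this report."""
    return (summary.wanted_uid == 0 and bool(summary.accepted)
            and any(owner != 0 for owner in summary.skipped.values()))


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    print(s, "root cache used:", root_cache_used(s))
```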

Comment 1 Jeff Layton 2011-01-05 14:02:49 UTC
This is correct behavior. If you require the legacy behavior from cifs.upcall, then please specify the --legacy-uid flag in request-key.conf. See the cifs.upcall manpage for more info.

Comment 2 Jeff Layton 2011-01-05 14:48:41 UTC
Ahh sorry, just noticed the latter part about -l not working. Will have a look...

Comment 4 Jeff Layton 2011-01-05 15:39:28 UTC
Ok, I've just sent a couple of patches to the list and to you that should fix this bug (and another, related bug that causes a segfault). Are you able to test these and let me know if they fix the problem?

Comment 6 Jeff Layton 2011-01-05 17:38:46 UTC
I have some candidate packages here:

    http://people.redhat.com/jlayton/rhel6/cifs-utils/

Could you test them and let me know if they fix the problem for you?

Comment 7 Stefan Walter 2011-01-06 10:49:18 UTC
I installed cifs-utils-4.7-4.el6 on my test systems and that accepts the '-l'
option just fine and the mount works. Thanks a lot.

When will this patch make it to the regular RHEL6 updates? Will it help if
I also open a case at access.redhat.com?

Comment 8 Jeff Layton 2011-01-06 12:57:16 UTC
Great, thanks for testing it. It should make 6.1. Opening a case at access.redhat.com would be ideal. When you do so, be sure to reference this BZ so that they know that it's a known bug with a pending fix.

Comment 10 yanfu,wang 2011-03-18 08:24:09 UTC
reproduced on RHEL6.0:
[root@hp-p6100z-02 ~]# rpm -qa|grep cifs-utils
cifs-utils-4.4-5.el6.x86_64
[root@hp-p6100z-02 ~]# cifs.upcall -l
cifs.upcall: invalid option -- 'l'

verified on RHEL6.1 on i386 and x86_64:
[root@sun-x8450-01 ~]# rpm -qa|grep cifs-utils
cifs-utils-4.8.1-1.el6.x86_64
[root@hp-p6100z-02 ~]# cifs.upcall -l
Usage: cifs.upcall [-t] [-v] [-l] key_serial

Comment 11 errata-xmlrpc 2011-05-19 13:07:01 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2011-0569.html

