Bug#1023609: smbclient does not work with Kerberos ccache of KEYRING: type

2023-04-03 Thread Łukasz Stelmach
Control: tag -1 patch
Control: forwarded -1 https://gitlab.com/samba-team/samba/-/merge_requests/3021

Hi,

My investigation has revealed that the built-in version of Heimdal is
perfectly(?) capable of supporting KEYRING ccache. However it needs to
be properly configured. The configuration code is there in
autoconf/automake files of Heimdal but is missing from samba wscript*
files.

I am attaching a patch I've made against debian/2%4.17.7+dfsg-1_bpo11+1.
With this patch applied and LD_LIBRARY_PATH set to 

LD_LIBRARY_PATH=${HOME}/src/debian/samba/samba/debian/tmp/usr/lib/x86_64-linux-gnu/samba

smbclient from the original debian package (2:4.17.7+dfsg-1~bpo11+1) is
capable of using KEYRING ccache. The patch applies cleanly to master too
(e437c9288a3c as of now).

-- 
Łukasz Stelmach
Samsung R&D Institute Poland
Samsung Electronics
From d76344ee0cefcf8adb42928537ba031dd585f797 Mon Sep 17 00:00:00 2001
From: Łukasz Stelmach
Date: Mon, 3 Apr 2023 10:07:30 +0200
Subject: [PATCH] Configure builtin heimdal to support KEYRING ccache
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Organization: Samsung R&D Institute Poland

Signed-off-by: Łukasz Stelmach 
---
 third_party/heimdal_build/wscript_build | 8 ++--
 third_party/heimdal_build/wscript_configure | 2 ++
 2 files changed, 8 insertions(+), 2 deletions(-)

diff --git a/third_party/heimdal_build/wscript_build b/third_party/heimdal_build/wscript_build
index 1518afe9ef4..8aea52b55f5 100644
--- a/third_party/heimdal_build/wscript_build
+++ b/third_party/heimdal_build/wscript_build
@@ -710,7 +710,7 @@ if not bld.CONFIG_SET("USING_SYSTEM_KRB5"):
get_port.c init_creds.c init_creds_pw.c
kcm.c keyblock.c keytab.c keytab_any.c
keytab_file.c keytab_memory.c
-   keytab_keyfile.c krbhst.c log.c
+   keytab_keyfile.c krbhst.c krcache.c log.c
mcache.c misc.c mk_error.c mk_priv.c
mk_rep.c mk_req.c mk_req_ext.c
mit_glue.c net_read.c net_write.c n-fold.c padata.c pkinit.c pkinit-ec.c
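Review bot: krcache.c is added to KRB5_SOURCE unconditionally here, while the keyutils link dependency in the next hunk is only added when HAVE_KEYCTL_GET_PERSISTENT is set, so on a build host without keyutils.h this file is still compiled but nothing is linked for it. That is only safe if krcache.c compiles to an empty unit when the keyutils header define is absent (the way Heimdal's own autoconf build, which the cover letter points at, handles it); otherwise append krcache.c to the source list under the same condition as the dependency. Either way, a build in the no-keyutils configuration is worth confirming in the merge request.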
@@ -726,10 +726,14 @@ if not bld.CONFIG_SET("USING_SYSTEM_KRB5"):
mk_cred.c kx509_err.c
k524_err.c krb_err.c k5e1_err.c''')]  + ["../heimdal_build/krb5-glue.c"]
 
+krb5_keyutils_dep = ''
+if bld.CONFIG_SET('HAVE_KEYCTL_GET_PERSISTENT'):
+krb5_keyutils_dep = ' keyutils'
+
 HEIMDAL_LIBRARY('krb5', KRB5_SOURCE,
 version_script='lib/krb5/version-script.map',
 includes='../heimdal/lib/krb5 ../heimdal/lib/asn1 ../heimdal/include',
-deps='roken wind asn1 hx509 HEIMDAL_KX509_ASN1 hcrypto com_err HEIMDAL_CONFIG heimbase execinfo samba_intl HEIMDAL_IPC_CLIENT KRB5_CRYPTO',
+deps='roken wind asn1 hx509 HEIMDAL_KX509_ASN1 hcrypto com_err HEIMDAL_CONFIG heimbase execinfo samba_intl HEIMDAL_IPC_CLIENT KRB5_CRYPTO' + krb5_keyutils_dep,
 cflags=['-DLOCALSTATEDIR="/2"'] + bld.dynconfig_cflags(),
 )
 KRB5_PROTO_SOURCE = KRB5_SOURCE + ['lib/krb5/expand_path.c', 'lib/krb5/plugin.c', 'lib/krb5/context.c', 'lib/krb5/crypto.c']
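Review bot: the link dependency is keyed on HAVE_KEYCTL_GET_PERSISTENT alone, but the configure hunk probes two symbols in libkeyutils, add_key and keyctl_get_persistent. keyctl_get_persistent is the newer of the two (persistent keyrings), so a libkeyutils that exports add_key but not keyctl_get_persistent leaves the keyring sources referencing keyutils symbols with no ' keyutils' in deps. Key this on the library check instead (e.g. `if bld.CONFIG_SET('HAVE_ADD_KEY'):`), or probe and test the same single symbol in both files so the two hunks cannot drift apart.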
diff --git a/third_party/heimdal_build/wscript_configure b/third_party/heimdal_build/wscript_configure
index a97a1b9baa8..36ba02d25ad 100644
--- a/third_party/heimdal_build/wscript_configure
+++ b/third_party/heimdal_build/wscript_configure
@@ -65,6 +65,8 @@ conf.DEFINE('HAVE_KRB5',1)
 conf.CHECK_FUNCS('dirfd', headers='dirent.h')
 conf.CHECK_DECLS('dirfd', reverse=True, headers='dirent.h')
 conf.CHECK_STRUCTURE_MEMBER('DIR', 'dd_fd', define='HAVE_DIR_DD_FD',  headers='dirent.h')
+conf.CHECK_FUNCS_IN('add_key keyctl_get_persistent', 'keyutils', headers='keyutils.h')
+conf.CHECK_SIZEOF('key_serial_t', headers='keyutils.h')
 
 heimdal_no_error_flags = ['-Wno-error=discarded-qualifiers',
   '-Wno-error=cast-qual',
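Review bot: `conf.CHECK_SIZEOF('key_serial_t', headers='keyutils.h')` runs unconditionally, even right after the keyutils function check has failed on a host without the header, so the sizeof probe is attempted against a missing keyutils.h. Guard it on the preceding check's result (e.g. `if conf.CONFIG_SET('HAVE_KEYCTL_GET_PERSISTENT'):`) so the define only ever comes from a real header and the configure log stays clean. A one-line comment saying these two checks enable Heimdal's KEYRING: ccache backend would also help, since nothing in this file names the feature.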
-- 
2.30.2





Bug#1023609: smbclient does not work with kerberos ccache of KEYRING: type

2022-11-10 Thread Michael Tokarev

07.11.2022 18:45, Vincent Danjean wrote:

> Package: smbclient
> Version: 2:4.16.6+dfsg-5~bpo11+1
> Severity: normal
>
>    Hi,
>
>    I'm trying to use smbclient with kerberos login, for example to
> get the list of shares with something like:
>
> smbclient -N --use-kerberos=required -gL samba-server.example.org
>
> If using the FILE: ccache, it works.
> If using a KEYRING: ccache, it does not work.
>
> ...

This is #963899 "Build smbclient against MIT krb5", fwiw.

/mjt



Bug#1023609: [Pkg-samba-maint] Bug#1023609: smbclient does not work with kerberos ccache of KEYRING: type

2022-11-10 Thread Michael Tokarev

08.11.2022 14:19, Vincent Danjean wrote:
[building samba with mit kerberos]

>> Actually, I had a thought like this for quite some time, to try
>> the MIT kerberos samba build.  Myself, I don't know much about the
>> two kerberos implementations and less so about their usage in
>> samba. What I do know is that redhat/fedora uses mit-kerberos builds
>> of samba for quite some time, their build instructions remove the whole
>> third_party/heimdal directory as the very first step to ensure this
>> stuff is never used by samba build.  So it might be interesting to
>> take a look there.
>>
>> For now I have other stuff to do but this is definitely in my todo list.
>>
>> An additional data point: with samba, you have to rely on yourself
>> basically, since for many things, there's no one to assist you.
>
>    Thank you for your feedback. Perhaps, the first thing I will do
> will be to get the fedora smbclient binary (with its libraries)
> just to check that my use case would be successful.
>    In any case, I will report here the progress I do if any.


I just gave it a try, and it went rather smooth actually, - one needs
to add the libkrb5-dev package to build-depends, specify 3 extra
configure options, and adjust file lists for a few packages (exclude
heimdal libs and include a few new files).

But now I've a big question, actually two:

1. how does one set up the samba AD DC --with-experimental-mit-ad-dc,

2. how does one "upgrade" existing samba AD DC controller created with
  samba which was built with the embedded heimdal, to samba built
  --with-experimental-mit-ad-dc ?

I guess this is a question for samba-users@ ?

Thanks,

/mjt



Bug#1023609: [Pkg-samba-maint] Bug#1023609: smbclient does not work with kerberos ccache of KEYRING: type

2022-11-08 Thread Vincent Danjean

On 08/11/2022 at 10:51, Michael Tokarev wrote:

> 07.11.2022 23:54, Vincent Danjean wrote:
> ..
>
>> As I'm only using the client part (the AD is managed by Microsoft
>> products in my case), do you have some advice about how to modify
>> debian/rules,control to (locally) build the samba package with MIT?
>
> Are you really so serious about using the in-kernel ccache?


I did not find another way to make cifs automount with kerberos working.
Using FILE: ccache does not work because credentials are required for
the initial mount (done by autofs), and not only for the later accesses
(that are done in the user context with its kerberos ticket as I'm
using the multiuser,sec=krb5).
  For the initial mount by autofs, I'm using cruid=${UID} to do it
on behalf of the initiating user with its kerberos credentials.
But with FILE: ccache, the exact filename is not known.

  Another workaround would be to have a fixed (by user) FILE:filename
but I did not test if that would work with multiple parallel sessions
of the same user on the same machine (and some long, non-interactive
sessions started with k5start)

  So, for cifs automount, I need
1) that the cifs mount with the cruid=${UID} be able to find the
   kerberos ticket of the user with the ${UID} uid.
   I'm currently using KEYRING: for that
2) that the smbclient be able to list the available shares with
   the credentials of the user with the ${UID} uid
   ("smbclient -gL server")
   => I'm trying to solve that by recompiling smbclient
   with MIT in order to also use the KEYRING: ccache

Changing the AD or the CIFS server (allowing the machine to do the
"smbclient -gL server" without auth or with the host keytab) is not
really an option. The people in charge of the AD won't want to change
such things in the AD for the small group doing HPC on linux in the
big structure using mainly windows (it is already very difficult to
just get some groups we need...)


>> I suppose there will be :
>> - a few build dependencies to change (quickly looking, I see nothing
>>    about heimdal?)
>> - a few configure options to tweak
>>    I should be able to find the options to add such as
>>    --with-system-mitkrb5
>>    (and --with-experimental-mit-ad-dc just to pass the compilation?)
>>    but what should be disabled?
>>    Or which binary packages should I disable/remove ?
>>
>>    I would be very pleased if you can give me a few hints.
>
> I'd have to take a look at this.  So far I've no idea how large
> this project would be and what'll be needed.
>
> Actually, I had a thought like this for quite some time, to try
> the MIT kerberos samba build.  Myself, I don't know much about the
> two kerberos implementations and less so about their usage in
> samba. What I do know is that redhat/fedora uses mit-kerberos builds
> of samba for quite some time, their build instructions remove the whole
> third_party/heimdal directory as the very first step to ensure this
> stuff is never used by samba build.  So it might be interesting to
> take a look there.
>
> For now I have other stuff to do but this is definitely in my todo list.
>
> An additional data point: with samba, you have to rely on yourself
> basically, since for many things, there's no one to assist you.


  Thank you for your feedback. Perhaps, the first thing I will do
will be to get the fedora smbclient binary (with its libraries)
just to check that my use case would be successful.
  In any case, I will report here the progress I do if any.

  Regards,
Vincent



Bug#1023609: [Pkg-samba-maint] Bug#1023609: smbclient does not work with kerberos ccache of KEYRING: type

2022-11-08 Thread Michael Tokarev

07.11.2022 23:54, Vincent Danjean wrote:
..

> As I'm only using the client part (the AD is managed by Microsoft
> products in my case), do you have some advice about how to modify
> debian/rules,control to (locally) build the samba package with MIT?

Are you really so serious about using the in-kernel ccache?

> I suppose there will be :
> - a few build dependencies to change (quickly looking, I see nothing
>    about heimdal?)
> - a few configure options to tweak
>    I should be able to find the options to add such as
>    --with-system-mitkrb5
>    (and --with-experimental-mit-ad-dc just to pass the compilation?)
>    but what should be disabled?
>    Or which binary packages should I disable/remove ?
>
>    I would be very pleased if you can give me a few hints.


I'd have to take a look at this.  So far I've no idea how large
this project would be and what'll be needed.

Actually, I had a thought like this for quite some time, to try
the MIT kerberos samba build.  Myself, I don't know much about the
two kerberos implementations and less so about their usage in
samba. What I do know is that redhat/fedora uses mit-kerberos builds
of samba for quite some time, their build instructions remove the whole
third_party/heimdal directory as the very first step to ensure this
stuff is never used by samba build.  So it might be interesting to
take a look there.

For now I have other stuff to do but this is definitely in my todo list.

An additional data point: with samba, you have to rely on yourself
basically, since for many things, there's no one to assist you.

/mjt



Bug#1023609: smbclient does not work with kerberos ccache of KEYRING: type

2022-11-07 Thread Vincent Danjean

On 07/11/2022 at 18:58, Andrew Bartlett wrote:

> On Mon, 2022-11-07 at 16:45 +0100, Vincent Danjean wrote:
>
>> - smbclient does not handle ccache using the kernel keyring
>>    Perhaps this is due to samba using heimdal kerberos implementation?
>
> That is all this is.  An MIT build would work, but that isn't a supported way
> to build the AD DC at this time.


As I'm only using the client part (the AD is managed by Microsoft
products in my case), do you have some advice about how to modify
debian/rules,control to (locally) build the samba package with MIT?

I suppose there will be :
- a few build dependencies to change (quickly looking, I see nothing
  about heimdal?)
- a few configure options to tweak
  I should be able to find the options to add such as
  --with-system-mitkrb5
  (and --with-experimental-mit-ad-dc just to pass the compilation?)
  but what should be disabled?
  Or which binary packages should I disable/remove ?

  I would be very pleased if you can give me a few hints.

  Regards
Vincent






Bug#1023609: smbclient does not work with kerberos ccache of KEYRING: type

2022-11-07 Thread Andrew Bartlett
On Mon, 2022-11-07 at 16:45 +0100, Vincent Danjean wrote:
> - smbclient does not handle ccache using the kernel keyring
>   Perhaps this is due to samba using heimdal kerberos implementation?

That is all this is.  An MIT build would work, but that isn't a
supported way to build the AD DC at this time.

Andrew Bartlett

-- 
Andrew Bartlett (he/him) https://samba.org/~abartlet/
Samba Team Member (since 2001) https://samba.org
Samba Developer, Catalyst IT https://catalyst.net.nz/services/samba



Bug#1023609: smbclient does not work with kerberos ccache of KEYRING: type

2022-11-07 Thread Vincent Danjean
Package: smbclient
Version: 2:4.16.6+dfsg-5~bpo11+1
Severity: normal

  Hi,

  I'm trying to use smbclient with kerberos login, for example to
get the list of shares with something like:

smbclient -N --use-kerberos=required -gL samba-server.example.org

If using the FILE: ccache, it works.
If using a KEYRING: ccache, it does not work.

And the --use-krb5-ccache option does not seem to be taken into account

$ export KRB5CCNAME=FILE:/tmp/ccache_file
$ rm $KRB5CCNAME
rm: cannot remove 'FILE:/tmp/ccache_file': No such file or directory
$ kinit
Password for XXX@XXX:
$ smbclient -N --use-kerberos=required --use-krb5-ccache=FILE:/tmp/ccache_file -gL samba-server.example.org
[... list of shares ...]
$ smbclient -N --use-kerberos=required -gL samba-server.example.org
[... list of shares ...]
$ smbclient -N --use-kerberos=required --use-krb5-ccache=FILE:/non-existant -gL samba-server.example.org
[... list of shares ...] <- probably a fallback to KRB5CCNAME
$ export KRB5CCNAME=FILE:/non-existant
$ smbclient -N --use-kerberos=required -gL samba-server.example.org
gensec_spnego_client_negTokenInit_step: Could not find a suitable mechtype in NEG_TOKEN_INIT
session setup failed: NT_STATUS_INVALID_PARAMETER
$ smbclient -N --use-kerberos=required --use-krb5-ccache=FILE:/tmp/ccache_file -gL samba-server.example.org
gensec_spnego_client_negTokenInit_step: Could not find a suitable mechtype in NEG_TOKEN_INIT
session setup failed: NT_STATUS_INVALID_PARAMETER
$ smbclient -N --use-kerberos=required --use-krb5-ccache=/tmp/ccache_file -gL samba-server.example.org
gensec_spnego_client_negTokenInit_step: Could not find a suitable mechtype in NEG_TOKEN_INIT
session setup failed: NT_STATUS_INVALID_PARAMETER
$ export KRB5CCNAME=KEYRING:persistent:`id -u`:krb_ccache
$ kinit
Password for XXX@XXX:
$ smbclient -N --use-kerberos=required -gL samba-server.example.org
gensec_spnego_client_negTokenInit_step: Could not find a suitable mechtype in NEG_TOKEN_INIT
session setup failed: NT_STATUS_INVALID_PARAMETER
$ smbclient -N --use-kerberos=required --use-krb5-ccache=$KRB5CCNAME -gL samba-server.example.org
gensec_spnego_client_negTokenInit_step: Could not find a suitable mechtype in NEG_TOKEN_INIT
session setup failed: NT_STATUS_INVALID_PARAMETER


klist and other kerberos-enabled tools (such as ssh) work correctly
when KRB5CCNAME is set to FILE:... but also to KEYRING:...

So, from my experiments, it seems:
- the --use-krb5-ccache is never used (at least when KRB5CCNAME is set)
  [it was not the goal of this bug report, but I see it when trying my commands]
- smbclient does not handle ccache using the kernel keyring
  Perhaps this is due to samba using heimdal kerberos implementation?

  Regards,
Vincent


-- System Information:
Debian Release: 11.5
  APT prefers stable-security
  APT policy: (990, 'stable-security'), (990, 'stable'), (500, 'stable-updates'), (500, 'oldstable-updates'), (500, 'oldstable')
Architecture: amd64 (x86_64)

Kernel: Linux 5.15.0-0.bpo.3-amd64 (SMP w/6 CPU threads)
Locale: LANG=C.UTF-8, LC_CTYPE=C.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages smbclient depends on:
ii  libarchive13  3.4.3-2+deb11u1
ii  libbsd0       0.11.3-1
ii  libc6         2.31-13+deb11u4
ii  libgnutls30   3.7.1-5+deb11u2
ii  libpopt0      1.18-2
ii  libreadline8  8.1-1
ii  libsmbclient  2:4.16.6+dfsg-5~bpo11+1
ii  libtalloc2    2.3.3-4~bpo11+1
ii  libtevent0    0.11.0-1~bpo11+1
ii  samba-common  2:4.16.6+dfsg-5~bpo11+1
ii  samba-libs    2:4.16.6+dfsg-5~bpo11+1

smbclient recommends no packages.

Versions of packages smbclient suggests:
ii  cifs-utils   2:7.0-2~bpo11+1
pn  heimdal-clients  

-- no debconf information
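The ccache names this report and the autofs message earlier in the thread turn on (a bare path or FILE:path versus KEYRING:persistent:<uid>:<name>, and the uid a cifs mount with cruid= looks up credentials for) are small enough to handle in a few shell functions. The block below is an added example, not part of this bug thread, of Samba, or of any Kerberos library; it assumes, as noted in the comments, that a name without a TYPE: prefix means FILE: and that a persistent-keyring residual is laid out as persistent:<uid>:<name>, with other KEYRING scopes carrying no uid. It runs offline; nothing here talks to a KDC or a server.

```sh
#!/bin/sh
# Added example (not from the bug report): classify the KRB5CCNAME values
# used in the thread and check which user a KEYRING:persistent ccache
# belongs to, which is what a cifs mount with cruid=<uid> relies on.
# Assumptions: a name with no "TYPE:" prefix is a FILE: ccache; a
# persistent keyring residual is "persistent:<uid>:<name>".

# ccache_type NAME -> print the ccache type (FILE, KEYRING, DIR, MEMORY, ...)
ccache_type() {
    case "$1" in
        *:*) printf '%s\n' "${1%%:*}" ;;
        *)   printf 'FILE\n' ;;          # bare path: default FILE: type (assumption)
    esac
}

# ccache_residual NAME -> everything after the first colon, or NAME itself
ccache_residual() {
    case "$1" in
        *:*) printf '%s\n' "${1#*:}" ;;
        *)   printf '%s\n' "$1" ;;
    esac
}

# keyring_uid NAME -> the uid encoded in KEYRING:persistent:<uid>:<name>;
# empty for FILE:, for KEYRING:session/user/... scopes, and for any other type
keyring_uid() {
    if [ "$(ccache_type "$1")" != KEYRING ]; then
        printf '\n'
        return 0
    fi
    res=$(ccache_residual "$1")
    case "$res" in
        persistent:*)
            rest=${res#persistent:}
            printf '%s\n' "${rest%%:*}" ;;
        *)
            printf '\n' ;;
    esac
}

# ccache_matches_cruid NAME UID -> 0 when NAME is the persistent keyring ccache
# of UID, i.e. the one a cifs mount with cruid=UID would look in; 1 otherwise
ccache_matches_cruid() {
    uid=$(keyring_uid "$1")
    if [ -n "$uid" ] && [ "$uid" = "$2" ]; then
        return 0
    fi
    return 1
}

# ccache_exists NAME -> 0 if a FILE: ccache is present and non-empty on disk,
# 1 if it is missing, 2 for types this script does not inspect (KEYRING etc.)
ccache_exists() {
    case "$(ccache_type "$1")" in
        FILE) [ -s "$(ccache_residual "$1")" ] ;;
        *)    return 2 ;;
    esac
}

# Usage: classify the names exercised in the report (constructed list; the
# uid 1000 stands in for the `id -u` of the reporter's session)
for name in 'FILE:/tmp/ccache_file' '/tmp/ccache_file' \
            'FILE:/non-existant' 'KEYRING:persistent:1000:krb_ccache'; do
    printf '%-36s type=%-8s uid=%s\n' "$name" \
        "$(ccache_type "$name")" "$(keyring_uid "$name")"
done
```

The two places where the thread's failures show up are visible in the classification: the plain `/tmp/ccache_file` passed to `--use-krb5-ccache` is a FILE: ccache just like the prefixed form, and only the KEYRING:persistent form carries the uid that the autofs `cruid=${UID}` lookup needs, so a FILE: ccache cannot be found by that route no matter what its path is.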