[Bug 539791] Re: mount.cifs cannot mount a DFS share when using Kerberos authentication
** Package changed: samba (Ubuntu) => cifs-utils (Ubuntu) -- You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to samba in ubuntu. https://bugs.launchpad.net/bugs/539791 Title: mount.cifs cannot mount a DFS share when using Kerberos authentication -- Ubuntu-server-bugs mailing list Ubuntu-server-bugs@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
[Bug 539791] Re: mount.cifs cannot mount a DFS share when using Kerberos authentication
>From https://bugzilla.samba.org/show_bug.cgi?id=7257#c12 : Ok, I think I see what's happening. The server in this case is sending a principal name back to the client in the Negotiate Protocol response. smbclient is using that to get a ticket name. Note that this is really bad behavior by both the server and client. The client, in particular since you're essentially trusting the server to tell you what service principal to use. This allows an attacker to potentially spoof DNS and redirect the connection to a server that he/she controls. Not trusting that info was a conscious decision. You can read the thread from a couple of years ago here: http://lists.samba.org/archive/linux-cifs-client/2008-August/003348.html The correct solution is to fix it so that your KDC holds service principals for all possible hostnames. ...now, that said, I'm not 100% opposed to patches that turn on this behavior as an option. I'm not interested in doing that work, but if you or someone else wants to take it on, I'd be willing to help review them. ** Changed in: samba (Ubuntu) Importance: Medium => Low ** Changed in: samba (Ubuntu) Status: Confirmed => Triaged -- mount.cifs cannot mount a DFS share when using Kerberos authentication https://bugs.launchpad.net/bugs/539791 You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to samba in ubuntu. -- Ubuntu-server-bugs mailing list Ubuntu-server-bugs@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
[Bug 539791] Re: mount.cifs cannot mount a DFS share when using Kerberos authentication
** Changed in: samba Status: Confirmed => In Progress -- mount.cifs cannot mount a DFS share when using Kerberos authentication https://bugs.launchpad.net/bugs/539791 You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to samba in ubuntu. -- Ubuntu-server-bugs mailing list Ubuntu-server-bugs@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
[Bug 539791] Re: mount.cifs cannot mount a DFS share when using Kerberos authentication
** Changed in: samba (Ubuntu) Importance: Undecided => Medium ** Changed in: samba (Ubuntu) Status: New => Confirmed -- mount.cifs cannot mount a DFS share when using Kerberos authentication https://bugs.launchpad.net/bugs/539791 You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to samba in ubuntu. -- Ubuntu-server-bugs mailing list Ubuntu-server-bugs@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
[Bug 539791] Re: mount.cifs cannot mount a DFS share when using Kerberos authentication
** Changed in: samba Status: Unknown => Confirmed -- mount.cifs cannot mount a DFS share when using Kerberos authentication https://bugs.launchpad.net/bugs/539791 You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to samba in ubuntu. -- Ubuntu-server-bugs mailing list Ubuntu-server-bugs@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
[Bug 539791] Re: mount.cifs cannot mount a DFS share when using Kerberos authentication
Investigating the problem further, I thought the problem might have been that resolving the DFS referral returned a NetBIOS machine name, not a FQDN, for the server hosting the service (ie, WARTHOGS-ADC instead of warthogs-adc.warthogs.biz). After looking around, I followed the advice in Microsoft KB #244380 to make it so that Windows would return FQDN when resolving DFS referral, but it still would not work. Discussing the problem further with colleagues, it seems like cifs.upcall does do any DFS referral resolution, hence why mount.cifs fails to mount a DFS referral *just* when using Kerberos for authentication. I was pointed at the following linux-cifs-client mailing list thread explaining the situation: http://old.nabble.com/Handling-Kerberos-principals-that-don%27t- match-hostnames-td27055470.html In lucid, I tried adding -t to the cifs.spnego entry in /etc/request-key.conf, and it work indeed! \o/ Unfortunately, this option to cifs.upcall is not available in the version we ship in karmic, so this is a lucid-only workaround. However, i understand this is just working around the problem, which is that cifs.upcall do not support resolving DFS referral. Is this correct, or am I wrong somewhere? -- mount.cifs cannot mount a DFS share when using Kerberos authentication https://bugs.launchpad.net/bugs/539791 You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to samba in ubuntu. -- Ubuntu-server-bugs mailing list Ubuntu-server-bugs@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
[Bug 539791] Re: mount.cifs cannot mount a DFS share when using Kerberos authentication
In lucid, there was the following in /var/log/debug that seems to relate to the problem at hand. ** Attachment added: "debug.txt" http://launchpadlibrarian.net/41057441/debug.txt -- mount.cifs cannot mount a DFS share when using Kerberos authentication https://bugs.launchpad.net/bugs/539791 You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to samba in ubuntu. -- Ubuntu-server-bugs mailing list Ubuntu-server-bugs@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
[Bug 539791] Re: mount.cifs cannot mount a DFS share when using Kerberos authentication
** Bug watch added: Samba Bugzilla #7257 https://bugzilla.samba.org/show_bug.cgi?id=7257 ** Also affects: samba via https://bugzilla.samba.org/show_bug.cgi?id=7257 Importance: Unknown Status: Unknown -- mount.cifs cannot mount a DFS share when using Kerberos authentication https://bugs.launchpad.net/bugs/539791 You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to samba in ubuntu. -- Ubuntu-server-bugs mailing list Ubuntu-server-bugs@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
[Bug 539791] Re: mount.cifs cannot mount a DFS share when using Kerberos authentication
We still have the same problem in lucid, using kernel 2.6.32-16-generic. Attached the relevant dmesg snippet. keyutils is 1.2-12, and likewise- open is 5.4.0.39949-3. ** Attachment added: "dmesg-lucid.txt" http://launchpadlibrarian.net/41056228/dmesg-lucid.txt -- mount.cifs cannot mount a DFS share when using Kerberos authentication https://bugs.launchpad.net/bugs/539791 You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to samba in ubuntu. -- Ubuntu-server-bugs mailing list Ubuntu-server-bugs@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
[Bug 539791] Re: mount.cifs cannot mount a DFS share when using Kerberos authentication
The output of klist after running the mount.cifs command. ** Attachment added: "klist.txt" http://launchpadlibrarian.net/41051333/klist.txt -- mount.cifs cannot mount a DFS share when using Kerberos authentication https://bugs.launchpad.net/bugs/539791 You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to samba in ubuntu. -- Ubuntu-server-bugs mailing list Ubuntu-server-bugs@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
[Bug 539791] Re: mount.cifs cannot mount a DFS share when using Kerberos authentication
For comparison purpose, here is the output of "smbclient -d3 -k -c showconnect //warthogs.biz/namespace1/firstshare". We can see that it work as expected. ** Attachment added: "smbclient.txt" http://launchpadlibrarian.net/41051221/smbclient.txt -- mount.cifs cannot mount a DFS share when using Kerberos authentication https://bugs.launchpad.net/bugs/539791 You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to samba in ubuntu. -- Ubuntu-server-bugs mailing list Ubuntu-server-bugs@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
[Bug 539791] Re: mount.cifs cannot mount a DFS share when using Kerberos authentication
For comparison purpose, here is the output of "smbclient -d3 -k -c showconnect //warthogs.biz/namespace1/firstshare". We can see that it work as expected. -- mount.cifs cannot mount a DFS share when using Kerberos authentication https://bugs.launchpad.net/bugs/539791 You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to samba in ubuntu. -- Ubuntu-server-bugs mailing list Ubuntu-server-bugs@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
[Bug 539791] Re: mount.cifs cannot mount a DFS share when using Kerberos authentication
** Attachment added: "dmesg.txt" http://launchpadlibrarian.net/41050898/dmesg.txt -- mount.cifs cannot mount a DFS share when using Kerberos authentication https://bugs.launchpad.net/bugs/539791 You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to samba in ubuntu. -- Ubuntu-server-bugs mailing list Ubuntu-server-bugs@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs