Re: get_existing_cc returns the wrong krb-cache under ubuntu 20.04

Hi Marco,

I don't think that the env variable set by you is able to reach the
cifs.upcall code, purely based on the way the upcall gets triggered.
The request-key calls cifs.upcall as UID 0 and then changes to the
appropriate uid. And the env variable is read before switching to the
user (maybe a fix is needed here?).

You could try setting the default_ccache_name parameter in krb5.conf
to /tmp/krb5cc_%{uid}_abcdef
https://web.mit.edu/kerberos/krb5-1.12/doc/admin/conf_files/krb5_conf.html#libdefaults

Regards,
Shyam


On Sat, Jun 13, 2020 at 8:54 PM Marco Pantel <marco@xxxxxxxxx> wrote:
>
> Hello!
>
> I try to automount a cifs folder on an ubuntu 20.04 client from my nas (QNAP running Samba 4.7.12) using the respective user's kerberos ticket. I hunted the problem down to the method "get_existing_cc" in cifs.upcall which returns the path "/tmp/krb5cc_{uid}" although that file is named "/tmp/krb5cc_{uid}_abcdef". Env variables $KRB5CCNAME and /proc/{pid}/environ hold that latter name, by the way, so I don't know why "get_existing_cc" comes up with the wrong cache filename.
>
> > Jun 13 17:04:11 desktop-linux kernel: CIFS: Attempting to mount //nas/homes/DOMAIN=HOME/Administrator
> > Jun 13 17:04:11 desktop-linux cifs.upcall[5845]: key description: cifs.spnego;0;0;39010000;ver=0x2;host=nas;ip4=172.16.20.20;sec=krb5;uid=0x2715;creduid=0x2715;user=administrator;pid=0x16ce
> > Jun 13 17:04:11 desktop-linux cifs.upcall[5845]: ver=2
> > Jun 13 17:04:11 desktop-linux cifs.upcall[5845]: host=nas
> > Jun 13 17:04:11 desktop-linux cifs.upcall[5845]: ip=172.16.20.20
> > Jun 13 17:04:11 desktop-linux cifs.upcall[5845]: sec=1
> > Jun 13 17:04:11 desktop-linux cifs.upcall[5845]: uid=10005
> > Jun 13 17:04:11 desktop-linux cifs.upcall[5845]: creduid=10005
> > Jun 13 17:04:11 desktop-linux cifs.upcall[5845]: user=administrator
> > Jun 13 17:04:11 desktop-linux cifs.upcall[5845]: pid=5838
> > Jun 13 17:04:11 desktop-linux cifs.upcall[5845]: get_cachename_from_process_env: pathname=/proc/5838/environ
> > Jun 13 17:04:11 desktop-linux cifs.upcall[5845]: get_existing_cc: default ccache is FILE:/tmp/krb5cc_10005
> > Jun 13 17:04:11 desktop-linux cifs.upcall[5845]: get_tgt_time: unable to get principal
> > Jun 13 17:04:11 desktop-linux cifs.upcall[5845]: krb5_get_init_creds_keytab: -1765328174
> > Jun 13 17:04:11 desktop-linux cifs.upcall[5845]: Exit status 1
> > Jun 13 17:04:11 desktop-linux mount[5838]: mount error(2): No such file or directory
> > Jun 13 17:04:11 desktop-linux mount[5838]: Refer to the mount.cifs(8) manual page (e.g. man mount.cifs) and kernel log messages (dmesg)
> > Jun 13 17:04:11 desktop-linux kernel: CIFS VFS: \\nas Send error in SessSetup = -126
> > Jun 13 17:04:11 desktop-linux kernel: CIFS VFS: cifs_mount failed w/return code = -2
> > Jun 13 17:04:11 desktop-linux systemd[1]: home-administrator-Ablage.mount: Mount process exited, code=exited, status=32/n/a
>
> With a symlink named "/tmp/krb5cc_{uid}" to the correct cache file the automount works flawlessly, but those extra six characters being a security feature (from what I read about it), I would not necessarily want to work around it.
> Besides that, I have seen the method returning the correct name during some of my tests, but I'm not able to reconstruct the fstab entry that I used. But every time I put the "noauto" in /etc/fstab, it only returns the shortened cache file name, which of course does not exist.
>
> Is there any advice on how I can fix this problem or is this a bug in cifs.upcall?
>
>
> Best regards
> Marco



-- 
-Shyam
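
Added example, not part of the original messages and not cifs.upcall's own code: a small diagnostic that decodes the key description from the log above, pulls KRB5CCNAME out of a NUL-separated /proc/<pid>/environ buffer, and flags when it differs from the default cache name. The sample inputs are constructed from the values quoted in this thread, and the default template FILE:/tmp/krb5cc_{uid} is an assumption taken from the logged "default ccache" line.

```python
import re

# Constructed sample inputs modelled on the log lines quoted in this thread.
SAMPLE_KEY_DESC = ("cifs.spnego;0;0;39010000;ver=0x2;host=nas;ip4=172.16.20.20;"
                   "sec=krb5;uid=0x2715;creduid=0x2715;user=administrator;pid=0x16ce")
SAMPLE_ENVIRON = (b"HOME=/home/administrator\0"
                  b"KRB5CCNAME=FILE:/tmp/krb5cc_10005_abcdef\0LANG=C\0")

def parse_key_description(desc):
    """Split the key description into a dict; hex fields become ints."""
    fields = {}
    for item in desc.split(";"):
        name, sep, value = item.partition("=")
        if not sep:
            continue  # leading positional fields carry no '='
        is_hex = re.fullmatch(r"0x[0-9a-fA-F]+", value)
        fields[name] = int(value, 16) if is_hex else value
    return fields

def ccname_from_environ(blob):
    """Return KRB5CCNAME from a NUL-separated environ buffer, or None."""
    for entry in blob.split(b"\0"):
        if entry.startswith(b"KRB5CCNAME="):
            return entry[len(b"KRB5CCNAME="):].decode("utf-8", "replace")
    return None

def read_environ(pid):
    """Read the live environment of a process (needs root or same uid)."""
    with open(f"/proc/{pid}/environ", "rb") as fh:
        return fh.read()

def diagnose(desc, environ_blob, default_template="FILE:/tmp/krb5cc_{uid}"):
    """Compare the cache named in the mounting process's environment
    with the default name (template is an assumption, see lead-in)."""
    fields = parse_key_description(desc)
    default = default_template.format(uid=fields["creduid"])
    env_cc = ccname_from_environ(environ_blob)
    return {"pid": fields["pid"], "creduid": fields["creduid"],
            "env_ccache": env_cc, "default_ccache": default,
            "mismatch": env_cc is not None and env_cc != default}

if __name__ == "__main__":
    print(diagnose(SAMPLE_KEY_DESC, SAMPLE_ENVIRON))
```

On a live system, pass `read_environ(pid)` with the pid from the key description instead of the constructed buffer.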



