Bug#1023609: marked as done (smbclient does not work with kerberos ccache of KEYRING: type)

[Debian Bug Tracking System]

Your message dated Sat, 08 Jul 2023 18:32:47 +0000
with message-id <e1qicjf-006ook...@fasolo.debian.org>
and subject line Bug#1023609: fixed in samba 2:4.17.9+dfsg-0+deb12u1
has caused the Debian Bug report #1023609,
regarding smbclient does not work with kerberos ccache of KEYRING: type
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1023609: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1023609
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

--- Begin Message ---

Package: smbclient
Version: 2:4.16.6+dfsg-5~bpo11+1
Severity: normal

  Hi,

  I'm trying to use smbclient with kerberos login, for example to
get the list of shares with somthing like:

smbclient -N --use-kerberos=required -gL samba-server.example.org

If using the FILE: ccache, it works.
If using a KEYRING: ccache, it does not work.

And the --use-krb5-ccache option does not seems to be taken into account

$ export KRB5CCNAME=FILE:/tmp/ccache_file
$ rm $KRB5CCNAME 
rm: cannot remove 'FILE:/tmp/ccache_file': No such file or directory
$ kinit
Password for XXX@XXX:
$ smbclient -N --use-kerberos=required --use-krb5-ccache=FILE:/tmp/ccache_file 
-gL samba-server.example.org
[... list of shares ...]
$ smbclient -N --use-kerberos=required -gL samba-server.example.org
[... list of shares ...]
$ smbclient -N --use-kerberos=required --use-krb5-ccache=FILE:/non-existant -gL 
samba-server.example.org
[... list of shares ...] <- probably a fail-back to KRB5CCNAME
$ export KRB5CCNAME=FILE:/non-existant
$ smbclient -N --use-kerberos=required -gL samba-server.example.org
gensec_spnego_client_negTokenInit_step: Could not find a suitable mechtype in 
NEG_TOKEN_INIT
session setup failed: NT_STATUS_INVALID_PARAMETER
$ smbclient -N --use-kerberos=required --use-krb5-ccache=FILE:/tmp/ccache_file 
-gL samba-server.example.org
gensec_spnego_client_negTokenInit_step: Could not find a suitable mechtype in 
NEG_TOKEN_INIT
session setup failed: NT_STATUS_INVALID_PARAMETER
$ smbclient -N --use-kerberos=required --use-krb5-ccache=/tmp/ccache_file -gL 
samba-server.example.org
gensec_spnego_client_negTokenInit_step: Could not find a suitable mechtype in 
NEG_TOKEN_INIT
session setup failed: NT_STATUS_INVALID_PARAMETER
$ export KRB5CCNAME=KEYRING:persistent:`id -u`:krb_ccache
$ kinit
Password for XXX@XXX:
$ smbclient -N --use-kerberos=required -gL samba-server.example.org
gensec_spnego_client_negTokenInit_step: Could not find a suitable mechtype in 
NEG_TOKEN_INIT
session setup failed: NT_STATUS_INVALID_PARAMETER
$ smbclient -N --use-kerberos=required --use-krb5-ccache=$KRB5CCNAME -gL 
samba-server.example.org
gensec_spnego_client_negTokenInit_step: Could not find a suitable mechtype in 
NEG_TOKEN_INIT
session setup failed: NT_STATUS_INVALID_PARAMETER


klist and other kerberos-enabled tools (such as ssh) work correctly
when KRB5CCNAME is set to FILE:... but also to KEYRING:...

So, from my experiments, it seems:
- the --use-krb5-ccache is never used (at least when KRB5CCNAME is set)
  [it was not the goal of this bug report, but I see it when trying my commands]
- smbclient does not handle ccache using the kernel keyring
  Perhaps this is due to samba using heimdal kerberos implementation?

  Regards,
    Vincent


-- System Information:
Debian Release: 11.5
  APT prefers stable-security
  APT policy: (990, 'stable-security'), (990, 'stable'), (500, 
'stable-updates'), (500, 'oldstable-updates'), (500, 'oldstable')
Architecture: amd64 (x86_64)

Kernel: Linux 5.15.0-0.bpo.3-amd64 (SMP w/6 CPU threads)
Locale: LANG=C.UTF-8, LC_CTYPE=C.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages smbclient depends on:
ii  libarchive13  3.4.3-2+deb11u1
ii  libbsd0       0.11.3-1
ii  libc6         2.31-13+deb11u4
ii  libgnutls30   3.7.1-5+deb11u2
ii  libpopt0      1.18-2
ii  libreadline8  8.1-1
ii  libsmbclient  2:4.16.6+dfsg-5~bpo11+1
ii  libtalloc2    2.3.3-4~bpo11+1
ii  libtevent0    0.11.0-1~bpo11+1
ii  samba-common  2:4.16.6+dfsg-5~bpo11+1
ii  samba-libs    2:4.16.6+dfsg-5~bpo11+1

smbclient recommends no packages.

Versions of packages smbclient suggests:
ii  cifs-utils       2:7.0-2~bpo11+1
pn  heimdal-clients  <none>

-- no debconf information

--- End Message ---

--- Begin Message ---

Source: samba
Source-Version: 2:4.17.9+dfsg-0+deb12u1
Done: Michael Tokarev <m...@tls.msk.ru>

We believe that the bug you reported is fixed in the latest version of
samba, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1023...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Michael Tokarev <m...@tls.msk.ru> (supplier of updated samba package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Fri, 07 Jul 2023 11:40:17 +0300
Source: samba
Architecture: source
Version: 2:4.17.9+dfsg-0+deb12u1
Distribution: bookworm-proposed-updates
Urgency: medium
Maintainer: Debian Samba Maintainers <pkg-samba-ma...@lists.alioth.debian.org>
Changed-By: Michael Tokarev <m...@tls.msk.ru>
Closes: 1023609
Changes:
 samba (2:4.17.9+dfsg-0+deb12u1) bookworm-proposed-updates; urgency=medium
 .
   * d/copyright: filter out autogenerated manpages from the upstream source
     when dfsg-repacking.  The manpages are generated during build if not up
     to date, and changes significantly in every upstream release since the
     version number and the release date are included in every manpage.
   * new upstream stable/bugfix release, with the following fixes:
    * https://bugzilla.samba.org/show_bug.cgi?id=14030
      named crashes on DLZ zone update
      (this was in debian in previous upload)
    * https://bugzilla.samba.org/show_bug.cgi?id=15275
      smbd_scavenger crashes when service smbd is stopped
    * https://bugzilla.samba.org/show_bug.cgi?id=15361
      winbind recurses into itself via rpcd_lsad
    * https://bugzilla.samba.org/show_bug.cgi?id=15374
      aes256 smb3 encryption algorithms are not allowed in smb3_sid_parse()
    * https://bugzilla.samba.org/show_bug.cgi?id=15378
      vfs_fruit might cause a failing open for delete
    * https://bugzilla.samba.org/show_bug.cgi?id=15382
      cli_list loops 100% CPU against pre-lanman2 servers
    * https://bugzilla.samba.org/show_bug.cgi?id=15391
      smbclient leaks fds with showacls
    * https://bugzilla.samba.org/show_bug.cgi?id=15403
      smbget memory leak if failed to download files recursively
    * https://bugzilla.samba.org/show_bug.cgi?id=15404
      Backport --pidl-developer fixes
    * https://bugzilla.samba.org/show_bug.cgi?id=15413
      winbindd gets stuck on NT_STATUS_RPC_SEC_PKG_ERROR
   * remove dnsserver-rename-dns_name_equal.patch
     (included upstream)
   * heimdal-to-support-KEYRING-ccache.patch: enable KEYRING in heimdal
     (ability to store kerberos tickets in kernel keyring) (Closes: #1023609)
   * d/control: build-depend on libkeyutils-dev
     (it is pulled by some other dep, but better to be safe)
Checksums-Sha1:
 a34fc61b96591a528c2918efafa4a8c065cd4201 4447 samba_4.17.9+dfsg-0+deb12u1.dsc
 539fd9df4670fe8830eb750bfcdbef38f8a3a4ad 18207296 samba_4.17.9+dfsg.orig.tar.xz
 5dbfa9b9df9a0ed5cbb16f7c5f582b05cecbc01f 270924 
samba_4.17.9+dfsg-0+deb12u1.debian.tar.xz
 e687134b7c9a0a704c2e84a066b8e7a7f58330c1 6380 
samba_4.17.9+dfsg-0+deb12u1_source.buildinfo
Checksums-Sha256:
 e922195d0be561349688ed99f366f16ba5153445d4f34ed69a7c62aca5e05b4d 4447 
samba_4.17.9+dfsg-0+deb12u1.dsc
 56fb922ed85dc75d47e15558c298f66a931475f1b9b816285335ecf6de0afded 18207296 
samba_4.17.9+dfsg.orig.tar.xz
 fc25d541ab02f653566d3805829382c42929c52265b3423daf34d5fb444de13f 270924 
samba_4.17.9+dfsg-0+deb12u1.debian.tar.xz
 e9203e8e44c3f880e964969481079117c825319561766b5dd78945711b72b6f0 6380 
samba_4.17.9+dfsg-0+deb12u1_source.buildinfo
Files:
 8f578674b3c92ee54a906c96492ec01b 4447 net optional 
samba_4.17.9+dfsg-0+deb12u1.dsc
 e8186fd82d38152af8f79cdbe6eb9cd1 18207296 net optional 
samba_4.17.9+dfsg.orig.tar.xz
 aa071c3fd1dc95984ecbf90f152da4a9 270924 net optional 
samba_4.17.9+dfsg-0+deb12u1.debian.tar.xz
 067567505bf5dcd950862d448132e5da 6380 net optional 
samba_4.17.9+dfsg-0+deb12u1_source.buildinfo

-----BEGIN PGP SIGNATURE-----

iQFDBAEBCgAtFiEEe3O61ovnosKJMUsicBtPaxppPlkFAmSoB4IPHG1qdEB0bHMu
bXNrLnJ1AAoJEHAbT2saaT5ZbuwH/3HQZqK796S9rt5FQhmEFgKUo9EDMbtRFlGx
00JWS/vZvhYRs/xX/bSzVd2gDRD3ICznefG/vAv7S7/r7az8OpMrSmOwhINZPAAc
N2VACvra8QIHGhnrR48awniWtRv/923NP77galH7HaQHdL+RmUROEcNRSLRQcPQ6
GEe96UQmpIb+G1RCGi7/y688Vc6E+ZEkd2wHN6eXYtohpq0qhtN5EW1Lk1i+y8vq
UcaIcen8uIyIwofT668OHuMn90HvVqKPTbXYv+vz2pxZ8bQHN7w8eLNGJwwWMD9V
L+/Z5dZebc9xpjeQ2d+EnzX+RYG7W+pmSzpZRPJuGj9qFFbx4ig=
=0E2T
-----END PGP SIGNATURE-----

--- End Message ---