Package: cifs-utils Severity: normal Hello,
I am unable to setup the appropriate environment to confirm that this bug can be reproduced on Debian. I strongly believe it can, and that someone familiar with the cifs.upcall code (or familiar with setting up SMB or Active Directory file shares) should be easily able to verify the problem. I have reproduced the bug on Ubuntu 18 and 20. Given that the Debian and Ubuntu devs work together and based on my limited attempts to compare the Debian and Ubuntu code I hope this bug report will be useful to both distros. (And hold out vague hope that the bug will be fixed for Bullseye.) The problem is that the default Kerberos credential cache is in a file with a name that looks like: /tmp/krb5cc_10011_r0AC1F But cifs.upcall looks for credentials in a file with a name that looks like: /tmp/krb5cc_10011 This creates problems with sec=krb5* cifs mounts, breaking the "multiuser" option. I see no options to adjust the credential cache file name used by cifs.upcall. However, a work-around is to put: [libdefaults] default_ccache_name = FILE:/tmp/krb5cc_%{euid} into /etc/krb5.conf. I cannot speak to what effect the above work-around has on security. As near as I can tell the Kerberos docs at MIT say that the default credential cache name is "krb5cc_%{euid}", and have not determined where, or why, the change was made. Setting "log level = 3" in /etc/samba/smb.conf ([global]) is helpful when debugging this. I found more detail in the journalctl logs than in the syslogs, although I configured for syslogging. FYI. The Ubuntu tests I ran were against an Microsoft Windows Active Directory share. After spending some time attempting to reproduce this on Debian and failing to setup a SAMBA test environment, and failing to spend enough time with the code to come up with a patch, and not having the resources to reproduce the Ubuntu environments in a lab, I cannot presently continue. It seems better to send in a partial bug report than leave the problem outstanding. This may be related to Debian bug #968943. It is almost surely related to Ubuntu bug number # 1900856: https://bugs.launchpad.net/ubuntu/+source/cifs-utils/+bug/1900856 -- System Information: Debian Release: 10.9 APT prefers stable APT policy: (500, 'stable') Architecture: amd64 (x86_64) Kernel: Linux 4.19.0-16-amd64 (SMP w/4 CPU cores) Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash Init: systemd (via /run/systemd/system) LSM: AppArmor: enabled Versions of packages cifs-utils depends on: ii libc6 2.28-10 ii libcap-ng0 0.7.9-2 ii libkeyutils1 1.6-6 ii libkrb5-3 1.17-3+deb10u1 ii libpam0g 1.3.1-5 ii libtalloc2 2.1.14-2 ii libwbclient0 2:4.9.5+dfsg-5+deb10u1 cifs-utils recommends no packages. Versions of packages cifs-utils suggests: ii keyutils 1.6-6 ii smbclient 2:4.9.5+dfsg-5+deb10u1 pn winbind <none>