Bug 11996 - Kerberos share remains available in smbclient after ticket is destroyed
Summary: Kerberos share remains available in smbclient after ticket is destroyed
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: libsmbclient (show other bugs)
Version: 4.4.4
Hardware: All All
: P5 normal (vote)
Target Milestone: ---
Assignee: Samba QA Contact
QA Contact: Samba QA Contact
Depends on:
Reported: 2016-06-25 21:58 UTC by Paul Smedley
Modified: 2016-06-25 22:47 UTC (History)
0 users

See Also:


Note You need to log in before you can comment on or make changes to this bug.
Description Paul Smedley 2016-06-25 21:58:46 UTC
Accessing a kerberos enabled share remains possible for the current session, even after kdestroy is run to destroy the kerberos ticket.

Is this the intended behaviour or a possible security issue?

To reproduce:
kinit username
smbclient //KERBEROS/Shared

Access the share, browse, etc

In another command session, run kdestroy -A to destroy all kerberos tickets

smbclient will still be connected, and can browser directory listings, retrieve files, etc

I would have thought there should be some periodic check that the ticket still exists and is valid?
Comment 1 Jeremy Allison 2016-06-25 22:09:59 UTC
That's a server policy, not a client one. The 'periodic check' you're looking for is the ticket lifetime, which is a policy set on the kdc. I'll check in the code what happens server-side once the ticket has timed out, but this isn't a Samba code bug.
Comment 2 Stefan Metzmacher 2016-06-25 22:47:03 UTC
(In reply to Jeremy Allison from comment #1)

It should result in a NT_STATUS_NETWORK_SESSION_EXPIRED (for SMB1 only if the clients supports reauthentication and set CAP_DYNAMIC_REAUTH).