11996 – Kerberos share remains available in smbclient after ticket is destroyed

Bug 11996 - Kerberos share remains available in smbclient after ticket is destroyed

Summary: Kerberos share remains available in smbclient after ticket is destroyed

Status:	RESOLVED INVALID

Alias:	None

Product:	Samba 4.1 and newer
Classification:	Unclassified
Component:	libsmbclient (show other bugs)
Version:	4.4.4
Hardware:	All All

Importance:	P5 normal (vote)
Target Milestone:	---
Assignee:	Samba QA Contact
QA Contact:	Samba QA Contact

URL:
Keywords:

Depends on:
Blocks:

Reported:	2016-06-25 21:58 UTC by Paul Smedley
Modified:	2016-06-25 22:47 UTC (History)
CC List:	0 users

See Also:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Paul Smedley 2016-06-25 21:58:46 UTC

Accessing a kerberos enabled share remains possible for the current session, even after kdestroy is run to destroy the kerberos ticket.

Is this the intended behaviour or a possible security issue?

To reproduce:
kinit username
smbclient //KERBEROS/Shared

Access the share, browse, etc

In another command session, run kdestroy -A to destroy all kerberos tickets

smbclient will still be connected, and can browser directory listings, retrieve files, etc

I would have thought there should be some periodic check that the ticket still exists and is valid?

Comment 1 Jeremy Allison 2016-06-25 22:09:59 UTC

That's a server policy, not a client one. The 'periodic check' you're looking for is the ticket lifetime, which is a policy set on the kdc. I'll check in the code what happens server-side once the ticket has timed out, but this isn't a Samba code bug.

Comment 2 Stefan Metzmacher 2016-06-25 22:47:03 UTC

(In reply to Jeremy Allison from comment #1)

It should result in a NT_STATUS_NETWORK_SESSION_EXPIRED (for SMB1 only if the clients supports reauthentication and set CAP_DYNAMIC_REAUTH).