Bug 15789 - "use-kerberos=desired" broken
Status: NEW
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: libsmbclient
Version: 4.21.3
Hardware: All All
Importance: P5 regression
Target Milestone: ---
Assignee: Samba QA Contact
QA Contact: Samba QA Contact
Reported: 2025-01-23 18:10 UTC by will69
Modified: 2025-01-23 23:14 UTC

Attachments
A patch to fix this issue (745 bytes, patch)
2025-01-23 18:10 UTC, will69

Description will69 2025-01-23 18:10:30 UTC
Created attachment 18537
A patch to fix this issue

Regression in libsmbclient 4.21.* - "use-kerberos=desired" broken

IMPACT:

I believe there is a regression in libsmbclient 4.21.* that affects several clients:

* smbclient --use-kerberos=desired
* samba-4.21.../examples/libsmbclient/testbrowse.c
* KDE dolphin/kioclient/kio-extras/kio_smb
* pysmbc

PROBLEM:

When using the default options for Kerberos with NTLM fallback in libsmbclient, Kerberos is never even tried, effectively forcing NTLM. This may trigger a visible request for user credentials in Samba clients, even though klist shows a valid TGT or even a ticket for the target server.

REPRODUCTION:

Samba's smbclient behavior can be determined by a command line switch:

    # FAILS:
    smbclient -d10 --use-kerberos=desired -c 'dir' //SERVER/SHARE

    # WORKS:
    smbclient -d10 --use-kerberos=required -c 'dir' //SERVER/SHARE

In Samba's 'testbrowse.c' [0], there is a combination of two options that affect authentication behavior:

    // FAILS: (like use-kerberos=desired, original)
    smbc_setOptionUseKerberos(context, 1);
    smbc_setOptionFallbackAfterKerberos(context, 1);

    // WORKS: (like use-kerberos=required, modified)
    smbc_setOptionUseKerberos(context, 1);
    smbc_setOptionFallbackAfterKerberos(context, 0);

KIO [1] always fails, because there is no way to change the default settings:

    kwriteconfig6 --file kioslaverc --group SMB --key DebugLevel 10
    # QT_FORCE_STDERR_LOGGING=1   # only to see QT side of things
    # QT_LOGGING_RULES="kf.kio.workers.smb=true;log_kio_smb=true"
    kioclient ls smb://USER%40REALM@SERVER/SHARE
    kwriteconfig6 --file kioslaverc --group SMB --key DebugLevel 0

... which look like this [3]:

    smbc_setOptionUseKerberos(m_context.get(), 1);
    smbc_setOptionFallbackAfterKerberos(m_context.get(), 1);

Python, with pysmbc [4]:

    # FAILS:
    import smbc
    ctx = smbc.Context(debug=10, use_kerberos=1)
    # defaults to these:
    # ctx.optionUseKerberos = True
    # ctx.optionFallbackAfterKerberos = True
    ctx.opendir("smb://USER%40REALM@SERVER/SHARE").getdents()

    # WORKS:
    import smbc
    ctx = smbc.Context(debug=10)
    ctx.optionUseKerberos = True
    ctx.optionFallbackAfterKerberos = False
    ctx.opendir("smb://USER%40REALM@SERVER/SHARE").getdents()

FAILURE LOG:

The log (from above) contains:
"gensec_gse_client_start: Not using kerberos to cifs/SERVER as USER@REALM: NT_STATUS_INVALID_PARAMETER"

... and there are a lot of references to NTLMSSP

SUCCESS LOG:

The log (from above) contains:
"gensec_gse_client_prepare_ccache: No kinit required for USER@REALM to access cifs/SERVER"

NOTE:

The Kerberos user prefix 'USER%40REALM@' isn't really necessary, because Samba is quite good at guessing those, but it clears up some confusion in the logs.

WORKAROUND:

Downgrade to libsmbclient 4.20.* and its dependencies.

ANALYSIS:

The following line in source3/libsmb/cliconnect.c [5] prevents the use of Kerberos (with fallback active):

    } else if (use_kerberos && !fallback_after_kerberos) {

... explicitly!

The following line in auth/credentials/credentials.c [6] prevents the use of Kerberos (with fallback active):

    if (cli_credentials_get_kerberos_state(cred) == CRED_USE_KERBEROS_REQUIRED) {

... by omitting the case CRED_USE_KERBEROS_DESIRED.

FIX:

The attached patch fixes the issue for Samba 4.21.3 and all of the above use cases.

ROOM FOR IMPROVEMENT:

IMHO, ideally, users of libsmbclient shouldn't have to set any authentication-related options at all - apart from a callback function for password input. Instead "client use kerberos = required/desired/off" should be propagated from "smb.conf" to all users of libsmbclient by default. That does not seem to be possible currently. Or is it necessary to trigger processing of "smb.conf" in libsmbclient by calling some function first? Some guidance would be appreciated here. Maybe Samba's libsmbclient example (see above) could be amended to demonstrate proper usage.

BUILD ENVIRONMENT:

See [2], and [1] for a different environment.

TEST ENVIRONMENT:

Some Linux client with $KRB5CCNAME pointing to a Kerberos ticket cache with at least a valid TGT in it.

DISCLAIMER:

This is my first deep dive into Samba and my first post to BSO, so please bear with me.

REFERENCES:

[0] https://git.samba.org/?p=samba.git;a=blob;f=examples/libsmbclient/testbrowse.c#l105
[1] https://bugs.kde.org/show_bug.cgi?id=494981 : "Kerberos auth doesn't work since libsmbclient 4.21"
[2] https://build.opensuse.org/package/show/openSUSE%3AFactory/samba
[3] https://lxr.kde.org/source/network/kio-extras/smb/smbcontext.cpp#0038
[4] https://pypi.org/project/pysmbc/
[5] https://git.samba.org/?p=samba.git;a=blob;f=source3/libsmb/cliconnect.c#l218
[6] https://git.samba.org/?p=samba.git;a=blob;f=auth/credentials/credentials.c#l493

THANK YOU for reading this far and considering this issue!
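
A log check for the silent Kerberos-to-NTLM fallback described in this report, added here as an example (not the reporter's or the Samba project's code): it classifies debug-level client output using the two messages quoted under FAILURE LOG and SUCCESS LOG. The names `classify` and `AuthVerdict` and the sample log lines are constructed for illustration.

```python
import re
from dataclasses import dataclass, field

# The two messages quoted in the report's FAILURE LOG and SUCCESS LOG sections.
KRB_SKIPPED = re.compile(
    r"gensec_gse_client_start: Not using kerberos to (?P<spn>\S+) "
    r"as (?P<user>\S+): (?P<status>NT_STATUS_\w+)")
KRB_USED = re.compile(
    r"gensec_gse_client_prepare_ccache: No kinit required for "
    r'(?P<user>\S+) to access (?P<spn>[^\s"]+)')
NTLMSSP = re.compile(r"ntlmssp", re.IGNORECASE)


@dataclass
class AuthVerdict:
    verdict: str = "unknown"  # kerberos | ntlm-fallback | kerberos-skipped
    skipped: list = field(default_factory=list)  # (spn, user, status)
    used: list = field(default_factory=list)     # (spn, user)
    ntlmssp_lines: int = 0


def classify(log_text: str) -> AuthVerdict:
    """Decide from a debug log whether Kerberos was used or bypassed."""
    v = AuthVerdict()
    for line in log_text.splitlines():
        if m := KRB_SKIPPED.search(line):
            v.skipped.append((m["spn"], m["user"], m["status"]))
        elif m := KRB_USED.search(line):
            v.used.append((m["spn"], m["user"]))
        if NTLMSSP.search(line):
            v.ntlmssp_lines += 1
    if v.skipped:
        # Kerberos was refused; NTLMSSP lines confirm the fallback happened.
        v.verdict = "ntlm-fallback" if v.ntlmssp_lines else "kerberos-skipped"
    elif v.used:
        v.verdict = "kerberos"
    return v


# Constructed samples: the gensec_gse_* lines are the messages quoted in the
# report; the NTLMSSP lines are stand-ins for "a lot of references to NTLMSSP".
FAIL_LOG = """\
gensec_gse_client_start: Not using kerberos to cifs/SERVER as USER@REALM: NT_STATUS_INVALID_PARAMETER
(constructed) negotiating NTLMSSP
(constructed) NTLMSSP challenge received
"""
OK_LOG = """\
gensec_gse_client_prepare_ccache: No kinit required for USER@REALM to access cifs/SERVER
"""
```

Running `classify` over the captured stderr of a client at debug level 10 flags hosts where a valid ticket cache exists but authentication still went out over NTLM.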