Created attachment 18537 [details] A patch to fix this issue Regression in libsmbclient 4.21.* - "use-kerberos=desired" broken IMPACT: I believe there is a regression in libsmbclient 4.21.* that affects several clients: * smbclient --use-kerberos=desired * samba-4.21.../examples/libsmbclient/testbrowse.c * KDE dolphin/kioclient/kio-extras/kio_smb * pysmbc PROBLEM: When using the default options for Kerberos with NTLM fallback in libsmbclient, Kerberos is never even tried, effectively forcing NTLM. This may trigger a visible request for user credentials in Samba clients, even though klist shows a valid TGT or even a ticket for the target server. REPRODUCTION: Samba's smbclient behavior can be determined by a command line switch: # FAILS: smbclient -d10 --use-kerberos=desired -c 'dir' //SERVER/SHARE # WORKS: smbclient -d10 --use-kerberos=required -c 'dir' //SERVER/SHARE In Samba's 'testbrowse.c' [0], there is a combination of two options that affect authentication behavior: // FAILS: (like use-kerberos=desired, original) smbc_setOptionUseKerberos(context, 1); smbc_setOptionFallbackAfterKerberos(context, 1); // WORKS: (like use-kerberos=required, modified) smbc_setOptionUseKerberos(context, 1); smbc_setOptionFallbackAfterKerberos(context, 0); KIO [1] always fails, because there is no way to change the default settings: kwriteconfig6 --file kioslaverc --group SMB --key DebugLevel 10 # QT_FORCE_STDERR_LOGGING=1 # only to see QT side of things # QT_LOGGING_RULES="kf.kio.workers.smb=true;log_kio_smb=true" kioclient ls smb://USER%40REALM@SERVER/SHARE kwriteconfig6 --file kioslaverc --group SMB --key DebugLevel 0 ... which look like this [3]: smbc_setOptionUseKerberos(m_context.get(), 1) smbc_setOptionFallbackAfterKerberos(m_context.get(), 1) Python, with pysmbc [4]: // FAILS: import smbc ctx = smbc.Context(debug=10, use_kerberos=1) // defaults to these: // ctx.optionUseKerberos = True // ctx.optionFallbackAfterKerberos = True ctx.opendir("smb://USER%40REALM@SERVER/SHARE").getdents() // WORKS: import smbc ctx = smbc.Context(debug=10) ctx.optionUseKerberos = True ctx.optionFallbackAfterKerberos = False ctx.opendir("smb://USER%40REALM@SERVER/SHARE").getdents() FAILURE LOG: The log (from above) contains: "gensec_gse_client_start: Not using kerberos to cifs/SERVER as USER@REALM: NT_STATUS_INVALID_PARAMETER" ... and there are a lot of references to NTLMSSP SUCCESS LOG: The log (from above) contains: "gensec_gse_client_prepare_ccache: No kinit required for USER@REALM to access cifs/SERVER" NOTE: The Kerberos user prefix 'USER%40REALM@' isn't really necessary, because Samba is quite good at guessing those, but it clears up some confusion in the logs. WORKAROUND: Downgrade to libsmbclient 4.20.* and its dependencies. ANALYSIS: The following line in source3/libsmb/cliconnect.c [5] prevents the use of Kerberos (with fallback active): } else if (use_kerberos && !fallback_after_kerberos) { ... explicitly! The following line in auth/credentials/credentials.c [6] prevents the use of Kerberos (with fallback active): if (cli_credentials_get_kerberos_state(cred) == CRED_USE_KERBEROS_REQUIRED) { ... by omitting the case CRED_USE_KERBEROS_DESIRED. FIX: The attached patch fixes the issue for Samba 4.21.3 and all of the above use cases. ROOM FOR IMPROVEMENT: IMHO, ideally, users of libsmbclient shouldn't have to set any authentication-related options at all - apart from a callback function for password input. Instead "client use kerberos = required/desired/off" should be propagated from "smb.conf" to all users of libsmbclient by default. That does not seem to be possible currently. Or is it necessary to trigger processing of "smb.conf" in libsmbclient by calling some function first? Some guidance would be appreciated here. Maybe Samba's libsmbclient example (see above) could be amended to demonstrate proper usage. BUILD ENVIRONMENT: See [2], and [1] for a different environment. TEST ENVIRONMENT: Some linux client with $KRB5CCNAME pointing to a Kerberos ticket cache with at least a valid TGT in it. DISCLAIMER: This is my first deep dive into Samba and my first post to BSO, so please bear with me. REFERENCES: [0] https://git.samba.org/?p=samba.git;a=blob;f=examples/libsmbclient/testbrowse.c#l105 [1] https://bugs.kde.org/show_bug.cgi?id=494981 : "Kerberos auth doesn't work since libsmbclient 4.21" [2] https://build.opensuse.org/package/show/openSUSE%3AFactory/samba [3] https://lxr.kde.org/source/network/kio-extras/smb/smbcontext.cpp#0038 [4] https://pypi.org/project/pysmbc/ [5] https://git.samba.org/?p=samba.git;a=blob;f=source3/libsmb/cliconnect.c#l218 [6] https://git.samba.org/?p=samba.git;a=blob;f=auth/credentials/credentials.c#l493 THANK YOU for reading this far and considering this issue!
This looks like a regression introduced by fb7e19826afab4fce33769eb7aef16a1c650b23a 's3:libsmb: explicitly use the default krb5 ccache in cli_session_creds_init() without a password' Metze, looks like the change above does not take --use-kerberos=desired into account, only --use-kerberos=required.
Hi. I wonder what's the plan here? Is the fix attached in this bug correct, if so do we expect it go to the three anytime soon?
This regression is causing a major headache to every desktop Linux user who needs to access SMB shares in an AD DS environment. It's not exactly a niche case.
Hi there... Samba 4.20 has just been marked as Discontinued (End of Life) so there won't be any other versions of this release series. This means that distros that still have not done this, are now forced to upgrade to a never version 4.21 (or beyond) to continue receiving security fixes from the upstream. Unfortunately, all of them are impacted by this bug. I wonder what is needed to address the issue. Is the fix [1] provided by will69@ several months ago correct? If so, would it be possible to apply it? https://bugzilla.samba.org/attachment.cgi?id=18537
This bug was referenced in samba master: 88f42eb222f299189d5f5f8204ae353e63a50970 1c48599105736499d18aa1f647bce9e1f8dbdcca bc868800276fe09cbcb206ebe4cb4da32af7599f
Created attachment 18852 [details] patch for 4-22-test through to v4-24-test backport of fix from versions 4-22 => 4.24 patch applies to v4-22-test => v4-24-test (not sure if v4-22 is still in support)
https://wiki.samba.org/index.php/Samba_Release_Planning suggests 4.22 is still "maintenance mode" [1] and https://wiki.samba.org/index.php/Release_Planning_for_Samba_4.22 states there is a release planned for today. https://wiki.samba.org/index.php/Samba_Release_Planning#Maintenance_Mode Maintenance mode means that there are regular bug fix releases to address major issues and security issues. Less patches are backported to this branch than to the current release series. Jule, could we please include the fix for this bug?
Comment on attachment 18852 [details] patch for 4-22-test through to v4-24-test lgtm
This bug was referenced in samba v4-24-test: b81c865e0bb0b2f72bbd27ed130816442c030b81 bbc1d2a3d6d21753a3c58acb0b676c75cffa3cb7 005b8a1ff05e535faf82b3cbc20f0f99458e3a65
This bug was referenced in samba v4-24-stable (Release samba-4.24.0rc3): b81c865e0bb0b2f72bbd27ed130816442c030b81 bbc1d2a3d6d21753a3c58acb0b676c75cffa3cb7 005b8a1ff05e535faf82b3cbc20f0f99458e3a65
This bug was referenced in samba v4-23-test: 0b82fdedd07d0bc0ea48a3bfb34c250faa4b6321 ad5edb8d0e94afaae0b3cd0c79eed58af1eb3c2e 98ba05559b25be0e0a6e15838a489a7fb0b34813
This bug was referenced in samba v4-23-stable (Release samba-4.23.6): 0b82fdedd07d0bc0ea48a3bfb34c250faa4b6321 ad5edb8d0e94afaae0b3cd0c79eed58af1eb3c2e 98ba05559b25be0e0a6e15838a489a7fb0b34813
This bug was referenced in samba v4-22-test: b6d084e8e1e884ac339fb59665a551faef85365d 2358c39db5b54883aa9d291338552bde3b3ea512 3d467f5b859ae676909ac3f193ad9131c8c6e5b3
This bug was referenced in samba v4-22-stable (Release samba-4.22.9): b6d084e8e1e884ac339fb59665a551faef85365d 2358c39db5b54883aa9d291338552bde3b3ea512 3d467f5b859ae676909ac3f193ad9131c8c6e5b3