[Kernel-packages] [Bug 1862858] [NEW] CIFS acesses DFS referral with wrong Kerberos ticket

steveb Tue, 11 Feb 2020 15:51:27 -0800

Public bug reported:

kubuntu 19.10 with kernel 5.3.0-29-generic and64.


This looks like a regression in the kernel CIFS module after the 4.15 & 5.0 
kernels.
These earlier kernels follow the DFS referrals without error.

The problem:
- Use mount.cifs with kerberos authentication to mount a samba server hosting a 
DFS root.
  You will get a KRB ticket for the "dfs_root" machine.
- Attempt to access a host a host via a DFS referral (call this "target_host")
- Access will fail with "Permission Denied".
- Use Wireshark to monitor CIFS and KRB traffic.
- The kernel attempts to authenticate to "target_host" using the KRB ticket for 
"dfs_root".
Note:
 - A DFS target running Win2008R2 will reply with 
STATUS_MORE_PROCESSING_REQUIRED, then the
   kernel will get a KRB ticket for "target_host" and use it.
   The connection is then successful.
 - A DFS target running Samba 4.7.6 will reply with STATUS_LOGON_FAILURE.
   The connection fails.

Expected Result:
- Successful connection.
- The kernel should get a KRB ticket for "target_host" and use it.
  (This is what kernels 4.15 and 5.0 do [and a Windows client])

** Affects: linux (Ubuntu)
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1862858

Title:
  CIFS acesses DFS referral with wrong Kerberos ticket

Status in linux package in Ubuntu:
  New

Bug description:
  kubuntu 19.10 with kernel 5.3.0-29-generic and64.

  This looks like a regression in the kernel CIFS module after the 4.15 & 5.0 
kernels.
  These earlier kernels follow the DFS referrals without error.

  The problem:
  - Use mount.cifs with kerberos authentication to mount a samba server hosting 
a DFS root.
    You will get a KRB ticket for the "dfs_root" machine.
  - Attempt to access a host a host via a DFS referral (call this "target_host")
  - Access will fail with "Permission Denied".
  - Use Wireshark to monitor CIFS and KRB traffic.
  - The kernel attempts to authenticate to "target_host" using the KRB ticket 
for "dfs_root".
  Note:
   - A DFS target running Win2008R2 will reply with 
STATUS_MORE_PROCESSING_REQUIRED, then the
     kernel will get a KRB ticket for "target_host" and use it.
     The connection is then successful.
   - A DFS target running Samba 4.7.6 will reply with STATUS_LOGON_FAILURE.
     The connection fails.

  Expected Result:
  - Successful connection.
  - The kernel should get a KRB ticket for "target_host" and use it.
    (This is what kernels 4.15 and 5.0 do [and a Windows client])

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1862858/+subscriptions

-- 
Mailing list: https://launchpad.net/~kernel-packages
Post to     : [email protected]
Unsubscribe : https://launchpad.net/~kernel-packages
More help   : https://help.launchpad.net/ListHelp

[Kernel-packages] [Bug 1862858] [NEW] CIFS acesses DFS referral with wrong Kerberos ticket

Reply via email to