from:"Bharath SM"

[Bug 2099914] [NEW] cifs.upcall program in cifs-utils package incorrectly makes an upcall to different namespace in case of container environments

2025-02-24 Thread Bharath SM

Public bug reported:

In some cases, the cifs.upcall program from the cifs-utils package makes
an upcall to the wrong namespace in containerized environments.

Consider the following scenario:

A CIFS/SMB file share is mounted on a host node using Kerberos
authentication.

During the session setup phase, the Linux kernel's cifs.ko module makes
an upcall to user space to retrieve the Kerberos service ticket from the
credential cache.

In typical (non-container) environments, this process works correctly,
but in containerized environments, the upcall may be directed to a
different namespace than intended, leading to issues. For example:

a) The file share is mounted on the host node at /mnt/testshare1, meaning the 
Kerberos credential cache is stored in the host's namespace. 
b) A Docker container is created, and the file share path /mnt/testshare1 is 
exported to the container at /sharedpath. 
c) When the service ticket expires and the SMB connection is lost, before the 
ticket is refreshed in the credential cache, an application inside the 
container performs a file operation. This triggers the kernel to attempt a 
session reconnect.
d) During the session setup, a Kerberos ticket is needed, so the kernel invokes 
the cifs.upcall binary using the request_key function. However, cifs.upcall 
switches to the namespace of the caller (i.e., the container), causing it to 
attempt to read the credential cache from the container's namespace. But since 
the original mount happened in the host namespace, the credential cache is 
located on the host, not in the container. This results in the upcall failing 
to access the correct credential cache or accessinng credential cache which 
doesn't belong to correct user.


It fixed here:
https://git.samba.org/?p=cifs-utils.git;a=commit;h=89b679228cc1be9739d54203d28289b03352c174

Documentation: https://git.samba.org/?p=cifs-
utils.git;a=commit;h=cf63240489431e98033e599a7c9437b59494a2e4

** Affects: cifs-utils (Ubuntu)
 Importance: Undecided
 Status: New

** Attachment added: "Repro or simulation steps"
   
https://bugs.launchpad.net/bugs/2099914/+attachment/5860177/+files/simulate_bug.txt

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2099914

Title:
  cifs.upcall program in cifs-utils package incorrectly makes an upcall
  to different namespace in case of container environments

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/cifs-utils/+bug/2099914/+subscriptions


-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 2099917] [NEW] cifs.upcall program in the cifs-utils package fails to use a valid service ticket from the credential cache if the TGT is expired or not exist

2025-02-24 Thread Bharath SM

Public bug reported:

cifs.upcall program in the cifs-utils package fails to use a valid
service ticket from the credential cache if the TGT is expired or not
exist


When mounting an SMB file share on Linux using the kernel client with Kerberos 
authentication, the Linux kernel's cifs.ko module makes an upcall to user space 
during the session setup phase to retrieve the Kerberos service ticket from the 
credential cache. However, the current cifs.upcall fails to retrieve the 
service ticket even if it is valid, but instead it makes check to TGT to see if 
its valid and then retrieve the service ticket, but if we already have valid 
service ticket we shouldn't need to check for TGT.

i.e in cases where the kernel handles upcalls for SMB session setup
requests with Kerberos authentication, if the credential cache already
contains a valid service ticket, it should be used directly without
needing to check the TGT again.


Fixed commit: 
https://git.samba.org/?p=cifs-utils.git;a=commit;h=af76bf2a11a060afdfd97104617a701d19d5890d

** Affects: cifs-utils (Ubuntu)
 Importance: Undecided
 Status: New

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2099917

Title:
  cifs.upcall program in the cifs-utils package fails to use a valid
  service ticket from the credential cache if the TGT is expired or not
  exist

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/cifs-utils/+bug/2099917/+subscriptions


-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 2099914] [NEW] cifs.upcall program in cifs-utils package incorrectly makes an upcall to different namespace in case of container environments

[Bug 2099917] [NEW] cifs.upcall program in the cifs-utils package fails to use a valid service ticket from the credential cache if the TGT is expired or not exist

2 matches

Site Navigation

Mail list logo

Footer information