Performing verification for noble. I set up a fresh noble VM with the same reproducer as documented in https://bugs.launchpad.net/ubuntu/+source/linux/+bug/2099914
The kernel is the latest 6.8.0-60-generic from -updates.

$ uname -rv
6.8.0-60-generic #63-Ubuntu SMP PREEMPT_DYNAMIC Tue Apr 15 19:04:15 UTC 2025

cifs-utils is 2:7.0-2build1 from -release.

$ apt-cache policy cifs-utils | grep Installed
cifs-utils:
  Installed: 2:7.0-2build1

We kinit and get a tgt:

root@samba-dc:/home/ubuntu# kinit [email protected]
Password for [email protected]:
Warning: Your password will expire in 41 days on Fri Jul 4 02:00:18 2025
root@samba-dc:/home/ubuntu# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: [email protected]

Valid starting     Expires            Service principal
05/23/25 03:58:13  05/23/25 13:58:13  krbtgt/[email protected]
        renew until 05/24/25 03:58:10

Mount the cifs share:

root@samba-dc:/home/ubuntu# mount -t cifs -o cruid=root,user=root,sec=krb5i,uid=0,gid=0,cred=/tmp/krb5cc_0 //samba-dc.example.com/demo /mnt/testshare1

We now have a service ticket:

root@samba-dc:/home/ubuntu# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: [email protected]

Valid starting     Expires            Service principal
05/23/25 03:58:13  05/23/25 13:58:13  krbtgt/[email protected]
        renew until 05/24/25 03:58:10
05/23/25 03:59:05  05/23/25 13:58:13  cifs/samba-dc.example.com@
        renew until 05/24/25 03:58:10
        Ticket server: cifs/[email protected]

Unmount the share:

root@samba-dc:/home/ubuntu# umount /mnt/testshare1

Perform some kerberos credential cache surgery to remove the TGT:

root@samba-dc:/home/ubuntu# cd python-krb5ccparse/
root@samba-dc:/home/ubuntu/python-krb5ccparse# ./kremovetkt -c /tmp/krb5cc_0 -o /tmp/removed -p krbtgt/[email protected]
Keeping ticket for krb5_ccache_conf_data/fast_avail/krbtgt/[email protected]@X-CACHECONF:
Keeping ticket for krb5_ccache_conf_data/pa_type/krbtgt/[email protected]@X-CACHECONF:
Skipping ticket for krbtgt/[email protected]
Keeping ticket for cifs/samba-dc.example.com@

Let's see if it is successful:

root@samba-dc:/home/ubuntu/python-krb5ccparse# kdestroy
root@samba-dc:/home/ubuntu/python-krb5ccparse# mv /tmp/removed /tmp/krb5cc_0
root@samba-dc:/home/ubuntu/python-krb5ccparse# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: [email protected]

Valid starting     Expires            Service principal
05/23/25 03:59:05  05/23/25 13:58:13  cifs/samba-dc.example.com@
        renew until 05/24/25 03:58:10
        Ticket server: cifs/[email protected]

We only have a service ticket now, so try to mount the share:

root@samba-dc:/home/ubuntu/python-krb5ccparse# mount -t cifs -o cruid=root,user=root,sec=krb5i,uid=0,gid=0,cred=/tmp/krb5cc_0 //samba-dc.example.com/demo /mnt/testshare1
mount error(126): Required key not available
Refer to the mount.cifs(8) manual page (e.g. man mount.cifs) and kernel log messages (dmesg)

# journalctl -b0
May 23 04:00:49 samba-dc kernel: CIFS: enabling forceuid mount option implicitly because uid= option is specified
May 23 04:00:49 samba-dc kernel: CIFS: enabling forcegid mount option implicitly because gid= option is specified
May 23 04:00:49 samba-dc kernel: CIFS: Attempting to mount //samba-dc.example.com/demo
May 23 04:00:49 samba-dc cifs.upcall[2192]: key description: cifs.spnego;0;0;39010000;ver=0x2;host=samba-dc.example.com;ip4=192.168.122.124;sec=krb5;uid=0x0;creduid=0x0>
May 23 04:00:49 samba-dc cifs.upcall[2193]: ver=2
May 23 04:00:49 samba-dc cifs.upcall[2193]: host=samba-dc.example.com
May 23 04:00:49 samba-dc cifs.upcall[2193]: ip=192.168.122.124
May 23 04:00:49 samba-dc cifs.upcall[2193]: sec=1
May 23 04:00:49 samba-dc cifs.upcall[2193]: uid=0
May 23 04:00:49 samba-dc cifs.upcall[2193]: creduid=0
May 23 04:00:49 samba-dc cifs.upcall[2193]: user=root
May 23 04:00:49 samba-dc cifs.upcall[2193]: pid=2186
May 23 04:00:49 samba-dc cifs.upcall[2192]: get_cachename_from_process_env: pid == 0
May 23 04:00:49 samba-dc cifs.upcall[2192]: get_existing_cc: default ccache is FILE:/tmp/krb5cc_0
May 23 04:00:49 samba-dc cifs.upcall[2192]: krb5_get_init_creds_keytab: -1765328378
May 23 04:00:49 samba-dc cifs.upcall[2192]: handle_krb5_mech: getting service ticket for samba-dc.example.com
May 23 04:00:49 samba-dc cifs.upcall[2192]: handle_krb5_mech: using GSS-API
May 23 04:00:49 samba-dc cifs.upcall[2192]: GSS-API error init_sec_context: Unspecified GSS failure. Minor code may provide more information
May 23 04:00:49 samba-dc cifs.upcall[2192]: GSS-API error init_sec_context: Matching credential not found (filename: /tmp/krb5cc_0)
May 23 04:00:49 samba-dc cifs.upcall[2192]: handle_krb5_mech: failed to obtain service ticket via GSS (851968)
May 23 04:00:49 samba-dc cifs.upcall[2192]: Unable to obtain service ticket
May 23 04:00:49 samba-dc cifs.upcall[2192]: Exit status 851968
May 23 04:00:49 samba-dc kernel: CIFS: VFS: Verify user has a krb5 ticket and keyutils is installed
May 23 04:00:49 samba-dc kernel: CIFS: VFS: \\samba-dc.example.com Send error in SessSetup = -126
May 23 04:00:49 samba-dc kernel: CIFS: VFS: cifs_mount failed w/return code = -126

We fail, due to cifs-utils in -release not seeing a TGT, and backing out, even though we have a valid cifs service ticket.

I then enabled -security-proposed:

sudo add-apt-repository ppa:ubuntu-security-proposed/ppa

and installed cifs-utils 2:7.0-2ubuntu0.1

I then attempted the mount:

root@samba-dc:/home/ubuntu/python-krb5ccparse# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: [email protected]

Valid starting     Expires            Service principal
05/23/25 03:59:05  05/23/25 13:58:13  cifs/samba-dc.example.com@
        renew until 05/24/25 03:58:10
        Ticket server: cifs/[email protected]
root@samba-dc:/home/ubuntu/python-krb5ccparse# mount -t cifs -o cruid=root,user=root,sec=krb5i,uid=0,gid=0,cred=/tmp/krb5cc_0 //samba-dc.example.com/demo /mnt/testshare1
root@samba-dc:/home/ubuntu/python-krb5ccparse# mount -l
...
//samba-dc.example.com/demo on /mnt/testshare1 type cifs (rw,relatime,vers=3.1.1,sec=krb5i,cruid=0,cache=strict,username=root,uid=0,forceuid,gid=0,forcegid,addr=192.168.122.124,file_mode=0755,dir_mode=0755,soft,nounix,serverino,mapposix,rsize=4194304,wsize=4194304,bsize=1048576,retrans=1,echo_interval=60,actimeo=1,closetimeo=1)

# stat /mnt/testshare1/
  File: /mnt/testshare1/
  Size: 0          Blocks: 0          IO Block: 1048576 directory
Device: 0,38    Inode: 297860      Links: 2
Access: (0755/drwxr-xr-x)  Uid: (    0/    root)   Gid: (    0/    root)
Access: 2025-04-09 04:29:15.755959600 +0000
Modify: 2025-04-09 02:54:45.264000000 +0000
Change: 2025-04-09 02:54:45.264000000 +0000
 Birth: 2025-04-09 02:54:45.264000000 +0000

# journalctl -b0
May 23 04:02:32 samba-dc kernel: CIFS: enabling forceuid mount option implicitly because uid= option is specified
May 23 04:02:32 samba-dc kernel: CIFS: enabling forcegid mount option implicitly because gid= option is specified
May 23 04:02:32 samba-dc kernel: CIFS: Attempting to mount //samba-dc.example.com/demo
May 23 04:02:32 samba-dc cifs.upcall[2718]: key description: cifs.spnego;0;0;39010000;ver=0x2;host=samba-dc.example.com;ip4=192.168.122.124;sec=krb5;uid=0x0;creduid=0x0>
May 23 04:02:32 samba-dc cifs.upcall[2719]: ver=2
May 23 04:02:32 samba-dc cifs.upcall[2719]: host=samba-dc.example.com
May 23 04:02:32 samba-dc cifs.upcall[2719]: ip=192.168.122.124
May 23 04:02:32 samba-dc cifs.upcall[2719]: sec=1
May 23 04:02:32 samba-dc cifs.upcall[2719]: uid=0
May 23 04:02:32 samba-dc cifs.upcall[2719]: creduid=0
May 23 04:02:32 samba-dc cifs.upcall[2719]: user=root
May 23 04:02:32 samba-dc cifs.upcall[2719]: pid=2712
May 23 04:02:32 samba-dc cifs.upcall[2718]: upcall_target=app, switching namespaces to application thread
May 23 04:02:32 samba-dc cifs.upcall[2718]: get_cachename_from_process_env: pid == 0
May 23 04:02:32 samba-dc cifs.upcall[2718]: get_existing_cc: default ccache is FILE:/tmp/krb5cc_0
May 23 04:02:32 samba-dc cifs.upcall[2718]: main: valid service ticket exists in credential cache
May 23 04:02:32 samba-dc cifs.upcall[2718]: handle_krb5_mech: getting service ticket for samba-dc.example.com
May 23 04:02:32 samba-dc cifs.upcall[2718]: handle_krb5_mech: using native krb5
May 23 04:02:32 samba-dc cifs.upcall[2718]: handle_krb5_mech: obtained service ticket
May 23 04:02:32 samba-dc cifs.upcall[2718]: Exit status 0

The filesystem is mounted correctly.

I also did a mount with both TGT and service ticket:

root@samba-dc:/home/ubuntu/python-krb5ccparse# umount /mnt/testshare1
root@samba-dc:/home/ubuntu/python-krb5ccparse# kdestroy
root@samba-dc:/home/ubuntu/python-krb5ccparse# kinit [email protected]
Password for [email protected]:
Warning: Your password will expire in 41 days on Fri Jul 4 02:00:18 2025
root@samba-dc:/home/ubuntu/python-krb5ccparse# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: [email protected]

Valid starting     Expires            Service principal
05/23/25 04:04:03  05/23/25 14:04:03  krbtgt/[email protected]
        renew until 05/24/25 04:03:59
root@samba-dc:/home/ubuntu/python-krb5ccparse# mount -t cifs -o cruid=root,user=root,sec=krb5i,uid=0,gid=0,cred=/tmp/krb5cc_0 //samba-dc.example.com/demo /mnt/testshare1
root@samba-dc:/home/ubuntu/python-krb5ccparse# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: [email protected]

Valid starting     Expires            Service principal
05/23/25 04:04:03  05/23/25 14:04:03  krbtgt/[email protected]
        renew until 05/24/25 04:03:59
05/23/25 04:04:22  05/23/25 14:04:03  cifs/samba-dc.example.com@
        renew until 05/24/25 04:03:59
        Ticket server: cifs/[email protected]

The filesystem is again mounted correctly, so no regressions with both TGT and service ticket either.

The package in -proposed fixes the issue. Happy to mark noble as verified.

** Tags added: verification-done-noble

-- 
You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2099917

Title:
  cifs.upcall: If kerberos credential cache already contains a valid service ticket, use that even if TGT is expired
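
Added example, not part of the original message and not cifs-utils code: a small triage script that groups cifs.upcall journal lines by PID and labels each upcall, so the failing and passing runs logged above can be told apart across many hosts. The sample lines are copied from the two journalctl excerpts in this message; the verdict labels are names chosen for this example, and it assumes other cifs-utils builds log the same message strings.

```python
import re
from collections import defaultdict

# Journal lines taken from the two mount attempts logged in this message.
SAMPLE = """\
May 23 04:00:49 samba-dc cifs.upcall[2192]: get_existing_cc: default ccache is FILE:/tmp/krb5cc_0
May 23 04:00:49 samba-dc cifs.upcall[2192]: krb5_get_init_creds_keytab: -1765328378
May 23 04:00:49 samba-dc cifs.upcall[2192]: GSS-API error init_sec_context: Matching credential not found (filename: /tmp/krb5cc_0)
May 23 04:00:49 samba-dc cifs.upcall[2192]: Unable to obtain service ticket
May 23 04:00:49 samba-dc cifs.upcall[2192]: Exit status 851968
May 23 04:02:32 samba-dc cifs.upcall[2719]: user=root
May 23 04:02:32 samba-dc cifs.upcall[2718]: get_existing_cc: default ccache is FILE:/tmp/krb5cc_0
May 23 04:02:32 samba-dc cifs.upcall[2718]: main: valid service ticket exists in credential cache
May 23 04:02:32 samba-dc cifs.upcall[2718]: handle_krb5_mech: obtained service ticket
May 23 04:02:32 samba-dc cifs.upcall[2718]: Exit status 0
"""

LINE = re.compile(r"^\w{3}\s+\d+ [\d:]+ \S+ cifs\.upcall\[(?P<pid>\d+)\]: (?P<msg>.*)$")

def classify(journal_text):
    """Group cifs.upcall messages by PID and label each upcall's outcome."""
    runs = defaultdict(list)
    for line in journal_text.splitlines():
        m = LINE.match(line)
        if m:
            runs[int(m["pid"])].append(m["msg"])
    results = {}
    for pid, msgs in runs.items():
        status = next((int(s.split()[-1]) for s in msgs if s.startswith("Exit status")), None)
        if status is None:
            continue  # helper child (ver=, host=, ...) or a truncated run
        cached = any("valid service ticket exists in credential cache" in s for s in msgs)
        no_cred = any("Matching credential not found" in s for s in msgs)
        ccache = next((s.rsplit(" ", 1)[-1] for s in msgs if "default ccache is" in s), None)
        if status == 0:
            verdict = "ok-cached-service-ticket" if cached else "ok"
        elif no_cred:
            verdict = "failed-no-matching-credential"
        else:
            verdict = "failed-other"
        results[pid] = {"exit": status, "ccache": ccache, "verdict": verdict}
    return results

if __name__ == "__main__":
    for pid, info in classify(SAMPLE).items():
        print(pid, info)
```

To run it against a live host, pass it the text of `journalctl -b0` instead of SAMPLE.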
