Performing verification for plucky: We are going to perform a series of mounts and check if they work with a patched vs unpatched kernel, and make sure all mounts work.
For plucky, all kernels are patched, so we are just going to check cifs-utils with 6.14.0-15-generic. I installed cifs-utils 2:7.2-2 from -release. Let's try and standard uid 1000 user: ubuntu@plucky-dc:~$ kinit [email protected] Password for [email protected]: Warning: Your password will expire in 38 days on Fri Jul 25 00:23:17 2025 ubuntu@plucky-dc:~$ klist Ticket cache: FILE:/tmp/krb5cc_1000 Default principal: [email protected] Valid starting Expires Service principal 06/16/25 03:43:53 06/16/25 13:43:53 krbtgt/[email protected] renew until 06/17/25 03:43:51 ubuntu@plucky-dc:~$ sudo mount -t cifs -o cruid=ubuntu,user=ubuntu,sec=krb5i,uid=1000,gid=1000,cred=/tmp/krb5cc_1000 //samba-dc.example.com/demo /mnt/testshare1 ubuntu@plucky-dc:~$ mount -l //samba-dc.example.com/demo on /mnt/testshare1 type cifs (rw,relatime,vers=3.1.1,sec=krb5i,cruid=1000,cache=strict,upcall_target=app,username=ubuntu,uid=1000,forceuid,gid=1000,forcegid,addr=192.168.122.106,file_mode=0755,dir_mode=0755,soft,nounix,serverino,mapposix,reparse=nfs,nativesocket,symlink=native,rsize=4194304,wsize=4194304,bsize=1048576,retrans=1,echo_interval=60,actimeo=1,closetimeo=1) $ journalctl -b0 kernel: CIFS: enabling forceuid mount option implicitly because uid= option is specified kernel: CIFS: enabling forcegid mount option implicitly because gid= option is specified kernel: CIFS: Attempting to mount //samba-dc.example.com/demo cifs.upcall[2109]: key description: cifs.spnego;0;0;39010000;ver=0x2;host=samba-dc.example.com;ip4=192.168.122.106;sec=krb5;uid=0x3e8;creduid=0x3e8;user=ubuntu;pid=0x837;upcall_target=app cifs.upcall[2110]: ver=2 cifs.upcall[2110]: host=samba-dc.example.com cifs.upcall[2110]: ip=192.168.122.106 cifs.upcall[2110]: sec=1 cifs.upcall[2110]: uid=1000 cifs.upcall[2110]: creduid=1000 cifs.upcall[2110]: user=ubuntu cifs.upcall[2110]: pid=2103 cifs.upcall[2110]: upcall_target=app cifs.upcall[2109]: upcall_target=app, switching namespaces to application thread cifs.upcall[2109]: get_cachename_from_process_env: pathname=/proc/2103/environ cifs.upcall[2109]: get_existing_cc: default ccache is FILE:/tmp/krb5cc_1000 cifs.upcall[2109]: handle_krb5_mech: getting service ticket for samba-dc.example.com cifs.upcall[2109]: handle_krb5_mech: using native krb5 cifs.upcall[2109]: handle_krb5_mech: obtained service ticket cifs.upcall[2109]: Exit status 0 ubuntu@plucky-dc:~$ sudo umount /mnt/testshare1 Let's try as a different uid user, e.g. like AD user: ubuntu@plucky-dc:~$ kinit [email protected] Password for [email protected]: Warning: Your password will expire in 38 days on Fri Jul 25 00:23:17 2025 ubuntu@plucky-dc:~$ klist Ticket cache: FILE:/tmp/krb5cc_1000 Default principal: [email protected] Valid starting Expires Service principal 06/16/25 03:36:35 06/16/25 13:36:35 krbtgt/[email protected] renew until 06/17/25 03:36:33 ubuntu@plucky-dc:~$ mv /tmp/krb5cc_1000 /tmp/krb5cc_11200 ubuntu@plucky-dc:~$ export KRB5CCNAME=/tmp/krb5cc_11200 ubuntu@plucky-dc:~$ klist /tmp/krb5cc_11200 Ticket cache: FILE:/tmp/krb5cc_11200 Default principal: [email protected] Valid starting Expires Service principal 06/16/25 03:36:35 06/16/25 13:36:35 krbtgt/[email protected] renew until 06/17/25 03:36:33 ubuntu@plucky-dc:~$ sudo mount -t cifs -o sec=krb5i //samba-dc.example.com/demo /mnt/testshare1 ubuntu@plucky-dc:~$ mount -l ... //samba-dc.example.com/demo on /mnt/testshare1 type cifs (rw,relatime,vers=3.1.1,sec=krb5i,cruid=1000,cache=strict,upcall_target=app,username=root,uid=0,noforceuid,gid=0,noforcegid,addr=192.168.122.106,file_mode=0755,dir_mode=0755,soft,nounix,serverino,mapposix,reparse=nfs,nativesocket,symlink=native,rsize=4194304,wsize=4194304,bsize=1048576,retrans=1,echo_interval=60,actimeo=1,closetimeo=1) $ journalctl -b0 kernel: CIFS: Attempting to mount //samba-dc.example.com/demo cifs.upcall[2019]: key description: cifs.spnego;0;0;39010000;ver=0x2;host=samba-dc.example.com;ip4=192.168.122.106;sec=krb5;uid=0x0;creduid=0x3e8;user=root;pid=0x7bd;upcall_target=app cifs.upcall[2020]: ver=2 cifs.upcall[2020]: host=samba-dc.example.com cifs.upcall[2020]: ip=192.168.122.106 cifs.upcall[2020]: sec=1 cifs.upcall[2020]: uid=0 cifs.upcall[2020]: creduid=1000 cifs.upcall[2020]: user=root cifs.upcall[2020]: pid=1981 cifs.upcall[2020]: upcall_target=app cifs.upcall[2019]: upcall_target=app, switching namespaces to application thread cifs.upcall[2019]: get_cachename_from_process_env: pathname=/proc/1981/environ cifs.upcall[2019]: get_cachename_from_process_env: cachename = /tmp/krb5cc_11200 cifs.upcall[2019]: get_existing_cc: default ccache is FILE:/tmp/krb5cc_11200 cifs.upcall[2019]: handle_krb5_mech: getting service ticket for samba-dc.example.com cifs.upcall[2019]: handle_krb5_mech: using native krb5 cifs.upcall[2019]: handle_krb5_mech: obtained service ticket cifs.upcall[2019]: Exit status 0 Let's try as root user: root@plucky-dc:/home/ubuntu# kinit [email protected] Password for [email protected]: Warning: Your password will expire in 38 days on Fri Jul 25 00:23:17 2025 root@plucky-dc:/home/ubuntu# klist Ticket cache: FILE:/tmp/krb5cc_0 Default principal: [email protected] Valid starting Expires Service principal 06/16/25 03:41:48 06/16/25 13:41:48 krbtgt/[email protected] renew until 06/17/25 03:41:45 root@plucky-dc:/home/ubuntu# mount -t cifs -o cruid=root,user=root,sec=krb5i,uid=0,gid=0,cred=/tmp/krb5cc_0 //samba-dc.example.com/demo /mnt/testshare1 root@plucky-dc:/home/ubuntu# mount -l ... //samba-dc.example.com/demo on /mnt/testshare1 type cifs (rw,relatime,vers=3.1.1,sec=krb5i,cruid=0,cache=strict,upcall_target=app,username=root,uid=0,forceuid,gid=0,forcegid,addr=192.168.122.106,file_mode=0755,dir_mode=0755,soft,nounix,serverino,mapposix,reparse=nfs,nativesocket,symlink=native,rsize=4194304,wsize=4194304,bsize=1048576,retrans=1,echo_interval=60,actimeo=1,closetimeo=1) $ journalctl -b0 kernel: CIFS: enabling forceuid mount option implicitly because uid= option is specified kernel: CIFS: enabling forcegid mount option implicitly because gid= option is specified kernel: CIFS: Attempting to mount //samba-dc.example.com/demo cifs.upcall[2087]: key description: cifs.spnego;0;0;39010000;ver=0x2;host=samba-dc.example.com;ip4=192.168.122.106;sec=krb5;uid=0x0;creduid=0x0;user=root;pid=0x821;upcall_target=app cifs.upcall[2088]: ver=2 cifs.upcall[2088]: host=samba-dc.example.com cifs.upcall[2088]: ip=192.168.122.106 cifs.upcall[2088]: sec=1 cifs.upcall[2088]: uid=0 cifs.upcall[2088]: creduid=0 cifs.upcall[2088]: user=root cifs.upcall[2088]: pid=2081 cifs.upcall[2088]: upcall_target=app cifs.upcall[2087]: upcall_target=app, switching namespaces to application thread cifs.upcall[2087]: get_cachename_from_process_env: pid == 0 cifs.upcall[2087]: get_existing_cc: default ccache is FILE:/tmp/krb5cc_0 cifs.upcall[2087]: handle_krb5_mech: getting service ticket for samba-dc.example.com cifs.upcall[2087]: handle_krb5_mech: using native krb5 cifs.upcall[2087]: handle_krb5_mech: obtained service ticket cifs.upcall[2087]: Exit status 0 root@plucky-dc:/home/ubuntu# umount /mnt/testshare1 Since plucky's kernel always sets UPTARGET_APP, it always works. I then enabled -security-proposed from the following ppa: https://launchpad.net/~ubuntu-security- proposed/+archive/ubuntu/ppa/+packages?field.name_filter=cifs- utils&field.status_filter=published&field.series_filter= I then installed cifs-utils 2:7.2-2ubuntu0.1 Let's try and standard uid 1000 user: ubuntu@plucky-dc:~$ klist Ticket cache: FILE:/tmp/krb5cc_1000 Default principal: [email protected] Valid starting Expires Service principal 06/16/25 03:43:53 06/16/25 13:43:53 krbtgt/[email protected] renew until 06/17/25 03:43:51 06/16/25 03:44:36 06/16/25 13:43:53 cifs/samba-dc.example.com@ renew until 06/17/25 03:43:51 Ticket server: cifs/[email protected] ubuntu@plucky-dc:~$ sudo mount -t cifs -o cruid=ubuntu,user=ubuntu,sec=krb5i,uid=1000,gid=1000,cred=/tmp/krb5cc_1000 //samba-dc.example.com/demo /mnt/testshare1 ubuntu@plucky-dc:~$ mount -l //samba-dc.example.com/demo on /mnt/testshare1 type cifs (rw,relatime,vers=3.1.1,sec=krb5i,cruid=1000,cache=strict,upcall_target=app,username=ubuntu,uid=1000,forceuid,gid=1000,forcegid,addr=192.168.122.106,file_mode=0755,dir_mode=0755,soft,nounix,serverino,mapposix,reparse=nfs,nativesocket,symlink=native,rsize=4194304,wsize=4194304,bsize=1048576,retrans=1,echo_interval=60,actimeo=1,closetimeo=1) $ journalctl -b0 kernel: CIFS: enabling forceuid mount option implicitly because uid= option is specified kernel: CIFS: enabling forcegid mount option implicitly because gid= option is specified kernel: CIFS: Attempting to mount //samba-dc.example.com/demo cifs.upcall[2284]: key description: cifs.spnego;0;0;39010000;ver=0x2;host=samba-dc.example.com;ip4=192.168.122.106;sec=krb5;uid=0x3e8;creduid=0x3e8;user=ubuntu;pid=0x8e6;upcall_target=app cifs.upcall[2285]: ver=2 cifs.upcall[2285]: host=samba-dc.example.com cifs.upcall[2285]: ip=192.168.122.106 cifs.upcall[2285]: sec=1 cifs.upcall[2285]: uid=1000 cifs.upcall[2285]: creduid=1000 cifs.upcall[2285]: user=ubuntu cifs.upcall[2285]: pid=2278 cifs.upcall[2285]: upcall_target=app cifs.upcall[2284]: upcall_target=app, switching namespaces to application thread cifs.upcall[2284]: get_cachename_from_process_env: pathname=/proc/2278/environ cifs.upcall[2284]: get_existing_cc: default ccache is FILE:/tmp/krb5cc_1000 cifs.upcall[2284]: main: valid service ticket exists in credential cache cifs.upcall[2284]: handle_krb5_mech: getting service ticket for samba-dc.example.com cifs.upcall[2284]: handle_krb5_mech: using native krb5 cifs.upcall[2284]: handle_krb5_mech: obtained service ticket cifs.upcall[2284]: Exit status 0 ubuntu@plucky-dc:~$ sudo umount /mnt/testshare1 Let's try as a different uid user, e.g. like AD user: ubuntu@plucky-dc:~$ export KRB5CCNAME=/tmp/krb5cc_11200 ubuntu@plucky-dc:~$ mv /tmp/krb5cc_1000 /tmp/krb5cc_11200 ubuntu@plucky-dc:~$ klist /tmp/krb5cc_11200 Ticket cache: FILE:/tmp/krb5cc_11200 Default principal: [email protected] Valid starting Expires Service principal 06/16/25 03:43:53 06/16/25 13:43:53 krbtgt/[email protected] renew until 06/17/25 03:43:51 06/16/25 03:44:36 06/16/25 13:43:53 cifs/samba-dc.example.com@ renew until 06/17/25 03:43:51 Ticket server: cifs/[email protected] ubuntu@plucky-dc:~$ sudo mount -t cifs -o sec=krb5i //samba-dc.example.com/demo /mnt/testshare1 ubuntu@plucky-dc:~$ mount -l ... //samba-dc.example.com/demo on /mnt/testshare1 type cifs (rw,relatime,vers=3.1.1,sec=krb5i,cruid=0,cache=strict,upcall_target=app,username=root,uid=0,noforceuid,gid=0,noforcegid,addr=192.168.122.106,file_mode=0755,dir_mode=0755,soft,nounix,serverino,mapposix,reparse=nfs,nativesocket,symlink=native,rsize=4194304,wsize=4194304,bsize=1048576,retrans=1,echo_interval=60,actimeo=1,closetimeo=1) $ journalctl -b0 kernel: CIFS: Attempting to mount //samba-dc.example.com/demo cifs.upcall[2312]: key description: cifs.spnego;0;0;39010000;ver=0x2;host=samba-dc.example.com;ip4=192.168.122.106;sec=krb5;uid=0x0;creduid=0x0;user=root;pid=0x902;upcall_target=app cifs.upcall[2313]: ver=2 cifs.upcall[2313]: host=samba-dc.example.com cifs.upcall[2313]: ip=192.168.122.106 cifs.upcall[2313]: sec=1 cifs.upcall[2313]: uid=0 cifs.upcall[2313]: creduid=0 cifs.upcall[2313]: user=root cifs.upcall[2313]: pid=2306 cifs.upcall[2313]: upcall_target=app cifs.upcall[2312]: upcall_target=app, switching namespaces to application thread cifs.upcall[2312]: get_cachename_from_process_env: pid == 0 cifs.upcall[2312]: get_existing_cc: default ccache is FILE:/tmp/krb5cc_0 cifs.upcall[2312]: main: valid service ticket exists in credential cache cifs.upcall[2312]: handle_krb5_mech: getting service ticket for samba-dc.example.com cifs.upcall[2312]: handle_krb5_mech: using native krb5 cifs.upcall[2312]: handle_krb5_mech: obtained service ticket cifs.upcall[2312]: Exit status 0 Let's try as root user: root@plucky-dc:/home/ubuntu# klist Ticket cache: FILE:/tmp/krb5cc_0 Default principal: [email protected] Valid starting Expires Service principal 06/16/25 03:41:48 06/16/25 13:41:48 krbtgt/[email protected] renew until 06/17/25 03:41:45 06/16/25 03:41:58 06/16/25 13:41:48 cifs/samba-dc.example.com@ renew until 06/17/25 03:41:45 Ticket server: cifs/[email protected] root@plucky-dc:/home/ubuntu# mount -t cifs -o cruid=root,user=root,sec=krb5i,uid=0,gid=0,cred=/tmp/krb5cc_0 //samba-dc.example.com/demo /mnt/testshare1 root@plucky-dc:/home/ubuntu# mount -l ... //samba-dc.example.com/demo on /mnt/testshare1 type cifs (rw,relatime,vers=3.1.1,sec=krb5i,cruid=0,cache=strict,upcall_target=app,username=root,uid=0,forceuid,gid=0,forcegid,addr=192.168.122.106,file_mode=0755,dir_mode=0755,soft,nounix,serverino,mapposix,reparse=nfs,nativesocket,symlink=native,rsize=4194304,wsize=4194304,bsize=1048576,retrans=1,echo_interval=60,actimeo=1,closetimeo=1) $ journalctl -b0 kernel: CIFS: enabling forceuid mount option implicitly because uid= option is specified kernel: CIFS: enabling forcegid mount option implicitly because gid= option is specified kernel: CIFS: Attempting to mount //samba-dc.example.com/demo cifs.upcall[2345]: key description: cifs.spnego;0;0;39010000;ver=0x2;host=samba-dc.example.com;ip4=192.168.122.106;sec=krb5;uid=0x0;creduid=0x0;user=root;pid=0x923;upcall_target=app cifs.upcall[2346]: ver=2 cifs.upcall[2346]: host=samba-dc.example.com cifs.upcall[2346]: ip=192.168.122.106 cifs.upcall[2346]: sec=1 cifs.upcall[2346]: uid=0 cifs.upcall[2346]: creduid=0 cifs.upcall[2346]: user=root cifs.upcall[2346]: pid=2339 cifs.upcall[2346]: upcall_target=app cifs.upcall[2345]: upcall_target=app, switching namespaces to application thread cifs.upcall[2345]: get_cachename_from_process_env: pid == 0 cifs.upcall[2345]: get_existing_cc: default ccache is FILE:/tmp/krb5cc_0 cifs.upcall[2345]: main: valid service ticket exists in credential cache cifs.upcall[2345]: handle_krb5_mech: getting service ticket for samba-dc.example.com cifs.upcall[2345]: handle_krb5_mech: using native krb5 cifs.upcall[2345]: handle_krb5_mech: obtained service ticket cifs.upcall[2345]: Exit status 0 Everything still mounts okay with the cifs-utils package in -security- proposed. Happy to mark verified for plucky. ** Tags added: verification-done-plucky -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/2112614 Title: Regression: After CVE-2025-2312 cifs.upcall can't find credential caches from user env To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/cifs-utils/+bug/2112614/+subscriptions -- ubuntu-bugs mailing list [email protected] https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
