Performing verification for oracular: We are going to perform a series of mounts and check if they work with a patched vs unpatched kernel, and make sure all mounts work.
We will start with an unpatched kernel: $ uname -rv 6.11.0-26-generic #26-Ubuntu SMP PREEMPT_DYNAMIC Sat Apr 12 11:25:41 UTC 2025 I installed cifs-utils 2:7.0-2.1ubuntu0.1 from -updates. Let's try and standard uid 1000 user: ubuntu@oracular-dc:~$ kinit [email protected] Password for [email protected]: Warning: Your password will expire in 38 days on Fri Jul 25 01:30:38 2025 ubuntu@oracular-dc:~$ klist Ticket cache: FILE:/tmp/krb5cc_1000 Default principal: [email protected] Valid starting Expires Service principal 06/16/25 04:01:56 06/16/25 14:01:56 krbtgt/[email protected] renew until 06/17/25 04:01:53 ubuntu@oracular-dc:~$ sudo mount -t cifs -o cruid=ubuntu,user=ubuntu,sec=krb5i,uid=1000,gid=1000,cred=/tmp/krb5cc_1000 //samba-dc.example.com/demo /mnt/testshare1 ubuntu@oracular-dc:~$ mount -l | grep cifs //samba-dc.example.com/demo on /mnt/testshare1 type cifs (rw,relatime,vers=3.1.1,sec=krb5i,cruid=1000,cache=strict,username=ubuntu,uid=1000,forceuid,gid=1000,forcegid,addr=192.168.122.229,file_mode=0755,dir_mode=0755,soft,nounix,serverino,mapposix,reparse=nfs,rsize=4194304,wsize=4194304,bsize=1048576,retrans=1,echo_interval=60,actimeo=1,closetimeo=1) $ journalctl -b0 kernel: CIFS: enabling forceuid mount option implicitly because uid= option is specified kernel: CIFS: enabling forcegid mount option implicitly because gid= option is specified kernel: CIFS: Attempting to mount //samba-dc.example.com/demo cifs.upcall[1702]: key description: cifs.spnego;0;0;39010000;ver=0x2;host=samba-dc.example.com;ip4=192.168.122.229;sec=krb5;uid=0x3e8;creduid=0x3e8;user=ubuntu;pid=0x688 cifs.upcall[1703]: ver=2 cifs.upcall[1703]: host=samba-dc.example.com cifs.upcall[1703]: ip=192.168.122.229 cifs.upcall[1703]: sec=1 cifs.upcall[1703]: uid=1000 cifs.upcall[1703]: creduid=1000 cifs.upcall[1703]: user=ubuntu cifs.upcall[1703]: pid=1672 cifs.upcall[1702]: upcall_target=app, switching namespaces to application thread cifs.upcall[1702]: get_cachename_from_process_env: pid == 0 cifs.upcall[1702]: get_existing_cc: default ccache is FILE:/tmp/krb5cc_1000 cifs.upcall[1702]: handle_krb5_mech: getting service ticket for samba-dc.example.com cifs.upcall[1702]: handle_krb5_mech: using native krb5 cifs.upcall[1702]: handle_krb5_mech: obtained service ticket cifs.upcall[1702]: Exit status 0 ubuntu@oracular-dc:~$ sudo umount /mnt/testshare1 Let's try as a different uid user, e.g. like AD user: ubuntu@oracular-dc:~$ mv /tmp/krb5cc_1000 /tmp/krb5cc_11200 ubuntu@oracular-dc:~$ export KRB5CCNAME=/tmp/krb5cc_11200 ubuntu@oracular-dc:~$ klist /tmp/krb5cc_11200 Ticket cache: FILE:/tmp/krb5cc_11200 Default principal: [email protected] Valid starting Expires Service principal 06/16/25 04:01:56 06/16/25 14:01:56 krbtgt/[email protected] renew until 06/17/25 04:01:53 06/16/25 04:02:05 06/16/25 14:01:56 cifs/samba-dc.example.com@ renew until 06/17/25 04:01:53 Ticket server: cifs/[email protected] ubuntu@oracular-dc:~$ sudo mount -t cifs -o sec=krb5i //samba-dc.example.com/demo /mnt/testshare1 mount error(126): Required key not available Refer to the mount.cifs(8) manual page (e.g. man mount.cifs) and kernel log messages (dmesg) ubuntu@oracular-dc:~$ mount -l | grep cifs $ journalctl -b0 kernel: CIFS: Attempting to mount //samba-dc.example.com/demo cifs.upcall[1739]: key description: cifs.spnego;0;0;39010000;ver=0x2;host=samba-dc.example.com;ip4=192.168.122.229;sec=krb5;uid=0x0;creduid=0x3e8;user=root;pid=0x6be cifs.upcall[1740]: ver=2 cifs.upcall[1740]: host=samba-dc.example.com cifs.upcall[1740]: ip=192.168.122.229 cifs.upcall[1740]: sec=1 cifs.upcall[1740]: uid=0 cifs.upcall[1740]: creduid=1000 cifs.upcall[1740]: user=root cifs.upcall[1740]: pid=1726 cifs.upcall[1739]: upcall_target=app, switching namespaces to application thread cifs.upcall[1739]: get_cachename_from_process_env: pid == 0 cifs.upcall[1739]: get_existing_cc: default ccache is FILE:/tmp/krb5cc_1000 cifs.upcall[1739]: check_service_ticket_exists: unable to get client principal from cache: No credentials cache found (filename: /tmp/krb5cc_1000) cifs.upcall[1739]: get_tgt_time: unable to get principal cifs.upcall[1739]: main: valid TGT is not present in credential cache cifs.upcall[1739]: krb5_get_init_creds_keytab: -1765328378 cifs.upcall[1739]: handle_krb5_mech: getting service ticket for samba-dc.example.com cifs.upcall[1739]: handle_krb5_mech: using GSS-API cifs.upcall[1739]: GSS-API error init_sec_context: No credentials were supplied, or the credentials were unavailable or inaccessible cifs.upcall[1739]: GSS-API error init_sec_context: No Kerberos credentials available (default cache: FILE:/tmp/krb5cc_1000) cifs.upcall[1739]: handle_krb5_mech: failed to obtain service ticket via GSS (458752) cifs.upcall[1739]: Unable to obtain service ticket cifs.upcall[1739]: Exit status 458752 kernel: CIFS: VFS: Verify user has a krb5 ticket and keyutils is installed kernel: CIFS: VFS: \\samba-dc.example.com Send error in SessSetup = -126 kernel: CIFS: VFS: cifs_mount failed w/return code = -126 We fail, due to only searching root's env, reproducing the issue. Let's try as root user: ubuntu@oracular-dc:~$ kdestroy ubuntu@oracular-dc:~$ unset KRB5CCNAME ubuntu@oracular-dc:~$ sudo -s root@oracular-dc:/home/ubuntu# kinit [email protected] Password for [email protected]: Warning: Your password will expire in 38 days on Fri Jul 25 01:30:38 2025 root@oracular-dc:/home/ubuntu# klist Ticket cache: FILE:/tmp/krb5cc_0 Default principal: [email protected] Valid starting Expires Service principal 06/16/25 04:06:23 06/16/25 14:06:23 krbtgt/[email protected] renew until 06/17/25 04:06:21 root@oracular-dc:/home/ubuntu# mount -t cifs -o cruid=root,user=root,sec=krb5i,uid=0,gid=0,cred=/tmp/krb5cc_0 //samba-dc.example.com/demo /mnt/testshare1 root@oracular-dc:/home/ubuntu# mount -l | grep cifs //samba-dc.example.com/demo on /mnt/testshare1 type cifs (rw,relatime,vers=3.1.1,sec=krb5i,cruid=0,cache=strict,username=root,uid=0,forceuid,gid=0,forcegid,addr=192.168.122.229,file_mode=0755,dir_mode=0755,soft,nounix,serverino,mapposix,reparse=nfs,rsize=4194304,wsize=4194304,bsize=1048576,retrans=1,echo_interval=60,actimeo=1,closetimeo=1) $ journalctl -b0 kernel: CIFS: enabling forceuid mount option implicitly because uid= option is specified kernel: CIFS: enabling forcegid mount option implicitly because gid= option is specified kernel: CIFS: Attempting to mount //samba-dc.example.com/demo cifs.upcall[1767]: key description: cifs.spnego;0;0;39010000;ver=0x2;host=samba-dc.example.com;ip4=192.168.122.229;sec=krb5;uid=0x0;creduid=0x0;user=root;pid=0x6e1 cifs.upcall[1768]: ver=2 cifs.upcall[1768]: host=samba-dc.example.com cifs.upcall[1768]: ip=192.168.122.229 cifs.upcall[1768]: sec=1 cifs.upcall[1768]: uid=0 cifs.upcall[1768]: creduid=0 cifs.upcall[1768]: user=root cifs.upcall[1768]: pid=1761 cifs.upcall[1767]: upcall_target=app, switching namespaces to application thread cifs.upcall[1767]: get_cachename_from_process_env: pid == 0 cifs.upcall[1767]: get_existing_cc: default ccache is FILE:/tmp/krb5cc_0 cifs.upcall[1767]: handle_krb5_mech: getting service ticket for samba-dc.example.com cifs.upcall[1767]: handle_krb5_mech: using native krb5 cifs.upcall[1767]: handle_krb5_mech: obtained service ticket cifs.upcall[1767]: Exit status 0 I then enabled -security-proposed from the following ppa: https://launchpad.net/~ubuntu-security- proposed/+archive/ubuntu/ppa/+packages?field.name_filter=cifs- utils&field.status_filter=published&field.series_filter= I then installed cifs-utils 2:7.0-2.1ubuntu0.2 Let's try and standard uid 1000 user: ubuntu@oracular-dc:~$ kinit [email protected] Password for [email protected]: Warning: Your password will expire in 38 days on Fri Jul 25 01:30:38 2025 ubuntu@oracular-dc:~$ klist Ticket cache: FILE:/tmp/krb5cc_1000 Default principal: [email protected] Valid starting Expires Service principal 06/16/25 04:09:12 06/16/25 14:09:12 krbtgt/[email protected] renew until 06/17/25 04:09:10 ubuntu@oracular-dc:~$ sudo mount -t cifs -o cruid=ubuntu,user=ubuntu,sec=krb5i,uid=1000,gid=1000,cred=/tmp/krb5cc_1000 //samba-dc.example.com/demo /mnt/testshare1 ubuntu@oracular-dc:~$ mount -l | grep cifs //samba-dc.example.com/demo on /mnt/testshare1 type cifs (rw,relatime,vers=3.1.1,sec=krb5i,cruid=1000,cache=strict,username=ubuntu,uid=1000,forceuid,gid=1000,forcegid,addr=192.168.122.229,file_mode=0755,dir_mode=0755,soft,nounix,serverino,mapposix,reparse=nfs,rsize=4194304,wsize=4194304,bsize=1048576,retrans=1,echo_interval=60,actimeo=1,closetimeo=1) $ journalctl -b0 kernel: CIFS: enabling forceuid mount option implicitly because uid= option is specified kernel: CIFS: enabling forcegid mount option implicitly because gid= option is specified kernel: CIFS: Attempting to mount //samba-dc.example.com/demo cifs.upcall[1939]: key description: cifs.spnego;0;0;39010000;ver=0x2;host=samba-dc.example.com;ip4=192.168.122.229;sec=krb5;uid=0x3e8;creduid=0x3e8;user=ubuntu;pid=0x78d cifs.upcall[1940]: ver=2 cifs.upcall[1940]: host=samba-dc.example.com cifs.upcall[1940]: ip=192.168.122.229 cifs.upcall[1940]: sec=1 cifs.upcall[1940]: uid=1000 cifs.upcall[1940]: creduid=1000 cifs.upcall[1940]: user=ubuntu cifs.upcall[1940]: pid=1933 cifs.upcall[1939]: upcall_target=app, switching namespaces to application thread cifs.upcall[1939]: get_cachename_from_process_env: pathname=/proc/1933/environ cifs.upcall[1939]: get_existing_cc: default ccache is FILE:/tmp/krb5cc_1000 cifs.upcall[1939]: handle_krb5_mech: getting service ticket for samba-dc.example.com cifs.upcall[1939]: handle_krb5_mech: using native krb5 cifs.upcall[1939]: handle_krb5_mech: obtained service ticket cifs.upcall[1939]: Exit status 0 ubuntu@oracular-dc:~$ sudo umount /mnt/testshare1 Let's try as a different uid user, e.g. like AD user: ubuntu@oracular-dc:~$ export KRB5CCNAME=/tmp/krb5cc_11200 ubuntu@oracular-dc:~$ mv /tmp/krb5cc_1000 /tmp/krb5cc_11200 ubuntu@oracular-dc:~$ klist /tmp/krb5cc_11200 Ticket cache: FILE:/tmp/krb5cc_11200 Default principal: [email protected] Valid starting Expires Service principal 06/16/25 04:09:12 06/16/25 14:09:12 krbtgt/[email protected] renew until 06/17/25 04:09:10 06/16/25 04:09:19 06/16/25 14:09:12 cifs/samba-dc.example.com@ renew until 06/17/25 04:09:10 Ticket server: cifs/[email protected] ubuntu@oracular-dc:~$ sudo mount -t cifs -o sec=krb5i //samba-dc.example.com/demo /mnt/testshare1 ubuntu@oracular-dc:~$ mount -l | grep cifs //samba-dc.example.com/demo on /mnt/testshare1 type cifs (rw,relatime,vers=3.1.1,sec=krb5i,cruid=0,cache=strict,username=root,uid=0,noforceuid,gid=0,noforcegid,addr=192.168.122.229,file_mode=0755,dir_mode=0755,soft,nounix,serverino,mapposix,reparse=nfs,rsize=4194304,wsize=4194304,bsize=1048576,retrans=1,echo_interval=60,actimeo=1,closetimeo=1) $ journalctl -b0 kernel: CIFS: Attempting to mount //samba-dc.example.com/demo cifs.upcall[1969]: key description: cifs.spnego;0;0;39010000;ver=0x2;host=samba-dc.example.com;ip4=192.168.122.229;sec=krb5;uid=0x0;creduid=0x0;user=root;pid=0x7ab cifs.upcall[1970]: ver=2 cifs.upcall[1970]: host=samba-dc.example.com cifs.upcall[1970]: ip=192.168.122.229 cifs.upcall[1970]: sec=1 cifs.upcall[1970]: uid=0 cifs.upcall[1970]: creduid=0 cifs.upcall[1970]: user=root cifs.upcall[1970]: pid=1963 cifs.upcall[1969]: upcall_target=app, switching namespaces to application thread cifs.upcall[1969]: get_cachename_from_process_env: pid == 0 cifs.upcall[1969]: get_existing_cc: default ccache is FILE:/tmp/krb5cc_0 cifs.upcall[1969]: main: valid service ticket exists in credential cache cifs.upcall[1969]: handle_krb5_mech: getting service ticket for samba-dc.example.com cifs.upcall[1969]: handle_krb5_mech: using native krb5 cifs.upcall[1969]: handle_krb5_mech: obtained service ticket cifs.upcall[1969]: Exit status 0 The mount now works correctly, and the regression is fixed. Let's try as root user: ubuntu@oracular-dc:~$ unset KRB5CCNAME ubuntu@oracular-dc:~$ kdestroy kdestroy: No credentials cache found while destroying cache ubuntu@oracular-dc:~$ sudo -s root@oracular-dc:/home/ubuntu# klist Ticket cache: FILE:/tmp/krb5cc_0 Default principal: [email protected] Valid starting Expires Service principal 06/16/25 04:06:23 06/16/25 14:06:23 krbtgt/[email protected] renew until 06/17/25 04:06:21 06/16/25 04:06:31 06/16/25 14:06:23 cifs/samba-dc.example.com@ renew until 06/17/25 04:06:21 Ticket server: cifs/[email protected] root@oracular-dc:/home/ubuntu# mount -t cifs -o cruid=root,user=root,sec=krb5i,uid=0,gid=0,cred=/tmp/krb5cc_0 //samba-dc.example.com/demo /mnt/testshare1 root@oracular-dc:/home/ubuntu# mount -l | grep cifs //samba-dc.example.com/demo on /mnt $ journalctl -b0 kernel: CIFS: enabling forceuid mount option implicitly because uid= option is specified kernel: CIFS: enabling forcegid mount option implicitly because gid= option is specified kernel: CIFS: Attempting to mount //samba-dc.example.com/demo cifs.upcall[1998]: key description: cifs.spnego;0;0;39010000;ver=0x2;host=samba-dc.example.com;ip4=192.168.122.229;sec=krb5;uid=0x0;creduid=0x0;user=root;pid=0x7c8 cifs.upcall[1999]: ver=2 cifs.upcall[1999]: host=samba-dc.example.com cifs.upcall[1999]: ip=192.168.122.229 cifs.upcall[1999]: sec=1 cifs.upcall[1999]: uid=0 cifs.upcall[1999]: creduid=0 cifs.upcall[1999]: user=root cifs.upcall[1999]: pid=1992 cifs.upcall[1998]: upcall_target=app, switching namespaces to application thread cifs.upcall[1998]: get_cachename_from_process_env: pid == 0 cifs.upcall[1998]: get_existing_cc: default ccache is FILE:/tmp/krb5cc_0 cifs.upcall[1998]: main: valid service ticket exists in credential cache cifs.upcall[1998]: handle_krb5_mech: getting service ticket for samba-dc.example.com cifs.upcall[1998]: handle_krb5_mech: using native krb5 cifs.upcall[1998]: handle_krb5_mech: obtained service ticket cifs.upcall[1998]: Exit status 0 Next, we will just do a run with a patched kernel. I enabled -proposed and installed: ubuntu@oracular-dc:~$ uname -rv 6.11.0-28-generic #28-Ubuntu SMP PREEMPT_DYNAMIC Mon May 19 14:45:34 UTC 2025 We will keep cifs-utils from -security-proposed installed. Let's try and standard uid 1000 user: ubuntu@oracular-dc:~$ kinit [email protected] Password for [email protected]: Warning: Your password will expire in 38 days on Fri Jul 25 01:30:38 2025 ubuntu@oracular-dc:~$ klist Ticket cache: FILE:/tmp/krb5cc_1000 Default principal: [email protected] Valid starting Expires Service principal 06/16/25 04:16:05 06/16/25 14:16:05 krbtgt/[email protected] renew until 06/17/25 04:16:02 ubuntu@oracular-dc:~$ sudo mount -t cifs -o cruid=ubuntu,user=ubuntu,sec=krb5i,uid=1000,gid=1000,cred=/tmp/krb5cc_1000 //samba-dc.example.com/demo /mnt/testshare1 ubuntu@oracular-dc:~$ mount -l | grep cifs //samba-dc.example.com/demo on /mnt/testshare1 type cifs (rw,relatime,vers=3.1.1,sec=krb5i,cruid=1000,cache=strict,upcall_target=app,username=ubuntu,uid=1000,forceuid,gid=1000,forcegid,addr=192.168.122.229,file_mode=0755,dir_mode=0755,soft,nounix,serverino,mapposix,reparse=nfs,rsize=4194304,wsize=4194304,bsize=1048576,retrans=1,echo_interval=60,actimeo=1,closetimeo=1) $ journalctl -b0 kernel: CIFS: enabling forceuid mount option implicitly because uid= option is specified kernel: CIFS: enabling forcegid mount option implicitly because gid= option is specified kernel: CIFS: Attempting to mount //samba-dc.example.com/demo cifs.upcall[1555]: key description: cifs.spnego;0;0;39010000;ver=0x2;host=samba-dc.example.com;ip4=192.168.122.229;sec=krb5;uid=0x3e8;creduid=0x3e8;user=ubuntu;pid=0x5f8;upcall_target=app cifs.upcall[1556]: ver=2 cifs.upcall[1556]: host=samba-dc.example.com cifs.upcall[1556]: ip=192.168.122.229 cifs.upcall[1556]: sec=1 cifs.upcall[1556]: uid=1000 cifs.upcall[1556]: creduid=1000 cifs.upcall[1556]: user=ubuntu cifs.upcall[1556]: pid=1528 cifs.upcall[1556]: upcall_target=app cifs.upcall[1555]: upcall_target=app, switching namespaces to application thread cifs.upcall[1555]: get_cachename_from_process_env: pathname=/proc/1528/environ cifs.upcall[1555]: get_existing_cc: default ccache is FILE:/tmp/krb5cc_1000 cifs.upcall[1555]: handle_krb5_mech: getting service ticket for samba-dc.example.com cifs.upcall[1555]: handle_krb5_mech: using native krb5 cifs.upcall[1555]: handle_krb5_mech: obtained service ticket cifs.upcall[1555]: Exit status 0 Let's try as a different uid user, e.g. like AD user: ubuntu@oracular-dc:~$ export KRB5CCNAME=/tmp/krb5cc_11200 ubuntu@oracular-dc:~$ mv /tmp/krb5cc_1000 /tmp/krb5cc_11200 ubuntu@oracular-dc:~$ klist Ticket cache: FILE:/tmp/krb5cc_11200 Default principal: [email protected] Valid starting Expires Service principal 06/16/25 04:16:05 06/16/25 14:16:05 krbtgt/[email protected] renew until 06/17/25 04:16:02 06/16/25 04:16:16 06/16/25 14:16:05 cifs/samba-dc.example.com@ renew until 06/17/25 04:16:02 Ticket server: cifs/[email protected] (reverse-i-search)`mount -t ': sudo ^Cunt -t cifs -o cruid=ubuntu,user=ubuntu,sec=krb5i,uid=1000,gid=1000,cred=/tmp/krb5cc_1000 //samba-dc.example.com/demo /mnt/testshare1 ubuntu@oracular-dc:~$ sudo mount -t cifs -o sec=krb5i //samba-dc.example.com/demo /mnt/testshare1 ubuntu@oracular-dc:~$ mount -l | grep cifs //samba-dc.example.com/demo on /mnt/testshare1 type cifs (rw,relatime,vers=3.1.1,sec=krb5i,cruid=1000,cache=strict,upcall_target=app,username=root,uid=0,noforceuid,gid=0,noforcegid,addr=192.168.122.229,file_mode=0755,dir_mode=0755,soft,nounix,serverino,mapposix,reparse=nfs,rsize=4194304,wsize=4194304,bsize=1048576,retrans=1,echo_interval=60,actimeo=1,closetimeo=1) $ journalctl -b0 kernel: CIFS: Attempting to mount //samba-dc.example.com/demo cifs.upcall[1583]: key description: cifs.spnego;0;0;39010000;ver=0x2;host=samba-dc.example.com;ip4=192.168.122.229;sec=krb5;uid=0x0;creduid=0x3e8;user=root;pid=0x626;upcall_target=app cifs.upcall[1584]: ver=2 cifs.upcall[1584]: host=samba-dc.example.com cifs.upcall[1584]: ip=192.168.122.229 cifs.upcall[1584]: sec=1 cifs.upcall[1584]: uid=0 cifs.upcall[1584]: creduid=1000 cifs.upcall[1584]: user=root cifs.upcall[1584]: pid=1574 cifs.upcall[1584]: upcall_target=app cifs.upcall[1583]: upcall_target=app, switching namespaces to application thread cifs.upcall[1583]: get_cachename_from_process_env: pathname=/proc/1574/environ cifs.upcall[1583]: get_cachename_from_process_env: cachename = /tmp/krb5cc_11200 cifs.upcall[1583]: get_existing_cc: default ccache is FILE:/tmp/krb5cc_11200 cifs.upcall[1583]: main: valid service ticket exists in credential cache cifs.upcall[1583]: handle_krb5_mech: getting service ticket for samba-dc.example.com cifs.upcall[1583]: handle_krb5_mech: using native krb5 cifs.upcall[1583]: handle_krb5_mech: obtained service ticket cifs.upcall[1583]: Exit status 0 Let's try as root user: root@oracular-dc:/home/ubuntu# kinit [email protected] Password for [email protected]: Warning: Your password will expire in 38 days on Fri Jul 25 01:30:38 2025 root@oracular-dc:/home/ubuntu# klist Ticket cache: FILE:/tmp/krb5cc_0 Default principal: [email protected] Valid starting Expires Service principal 06/16/25 04:18:38 06/16/25 14:18:38 krbtgt/[email protected] renew until 06/17/25 04:18:36 root@oracular-dc:/home/ubuntu# mount -t cifs -o cruid=root,user=root,sec=krb5i,uid=0,gid=0,cred=/tmp/krb5cc_0 //samba-dc.example.com/demo /mnt/testshare1 root@oracular-dc:/home/ubuntu# mount -l | grep cifs //samba-dc.example.com/demo on /mnt/testshare1 type cifs (rw,relatime,vers=3.1.1,sec=krb5i,cruid=0,cache=strict,upcall_target=app,username=root,uid=0,forceuid,gid=0,forcegid,addr=192.168.122.229,file_mode=0755,dir_mode=0755,soft,nounix,serverino,mapposix,reparse=nfs,rsize=4194304,wsize=4194304,bsize=1048576,retrans=1,echo_interval=60,actimeo=1,closetimeo=1) $ journalctl -b0 kernel: CIFS: enabling forceuid mount option implicitly because uid= option is specified kernel: CIFS: enabling forcegid mount option implicitly because gid= option is specified kernel: CIFS: Attempting to mount //samba-dc.example.com/demo cifs.upcall[1613]: key description: cifs.spnego;0;0;39010000;ver=0x2;host=samba-dc.example.com;ip4=192.168.122.229;sec=krb5;uid=0x0;creduid=0x0;user=root;pid=0x649;upcall_target=app cifs.upcall[1614]: ver=2 cifs.upcall[1614]: host=samba-dc.example.com cifs.upcall[1614]: ip=192.168.122.229 cifs.upcall[1614]: sec=1 cifs.upcall[1614]: uid=0 cifs.upcall[1614]: creduid=0 cifs.upcall[1614]: user=root cifs.upcall[1614]: pid=1609 cifs.upcall[1614]: upcall_target=app cifs.upcall[1613]: upcall_target=app, switching namespaces to application thread cifs.upcall[1613]: get_cachename_from_process_env: pid == 0 cifs.upcall[1613]: get_existing_cc: default ccache is FILE:/tmp/krb5cc_0 cifs.upcall[1613]: handle_krb5_mech: getting service ticket for samba-dc.example.com cifs.upcall[1613]: handle_krb5_mech: using native krb5 cifs.upcall[1613]: handle_krb5_mech: obtained service ticket cifs.upcall[1613]: Exit status 0 Everything still mounts okay with the cifs-utils package in -security- proposed. Happy to mark verified for oracular. ** Tags added: verification-done-oracular -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/2112614 Title: Regression: After CVE-2025-2312 cifs.upcall can't find credential caches from user env To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/cifs-utils/+bug/2112614/+subscriptions -- ubuntu-bugs mailing list [email protected] https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
