Performing verification for focal: We are going to perform a series of mounts and check if they work with a patched vs unpatched kernel, and make sure all mounts work.
We will start with an unpatched kernel:

ubuntu@focal-dc:~$ uname -rv
5.4.0-216-generic #236-Ubuntu SMP Fri Apr 11 19:53:21 UTC 2025

I installed cifs-utils 2:6.9-1ubuntu0.3 from -updates.

Let's try a standard uid 1000 user:

ubuntu@focal-dc:~$ kinit [email protected]
Password for [email protected]:
Warning: Your password will expire in 41 days on Mon Jul 28 02:14:31 2025
ubuntu@focal-dc:~$ klist
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: [email protected]

Valid starting     Expires            Service principal
06/16/25 05:04:07  06/16/25 15:04:07  krbtgt/[email protected]
        renew until 06/17/25 05:04:04
ubuntu@focal-dc:~$ sudo mount -t cifs -o cruid=ubuntu,user=ubuntu,sec=krb5i,uid=1000,gid=1000,cred=/tmp/krb5cc_1000 //samba-dc.example.com/demo /mnt/testshare1
ubuntu@focal-dc:~$ mount -l | grep cifs
//samba-dc.example.com/demo on /mnt/testshare1 type cifs (rw,relatime,vers=3.1.1,sec=krb5i,cruid=1000,cache=strict,username=ubuntu,uid=1000,forceuid,gid=1000,forcegid,addr=192.168.122.230,file_mode=0755,dir_mode=0755,soft,nounix,serverino,mapposix,rsize=4194304,wsize=4194304,bsize=1048576,echo_interval=60,actimeo=1,user=ubuntu)

$ journalctl -b0
kernel: CIFS: Attempting to mount //samba-dc.example.com/demo
kernel: No dialect specified on mount. Default has changed to a more secure dialect, SMB2.1 or later (e.g. SMB3), from CIFS (SMB1). To use the less secure SMB1 dialect to access old servers which do not support SMB3 (or SMB2.1) specify vers=1.0 on mount.
cifs.upcall[1990]: key description: cifs.spnego;0;0;39010000;ver=0x2;host=samba-dc.example.com;ip4=192.168.122.230;sec=krb5;uid=0x3e8;creduid=0x3e8;user=ubuntu;pid=0x7c0
cifs.upcall[1991]: ver=2
cifs.upcall[1991]: host=samba-dc.example.com
cifs.upcall[1991]: ip=192.168.122.230
cifs.upcall[1991]: sec=1
cifs.upcall[1991]: uid=1000
cifs.upcall[1991]: creduid=1000
cifs.upcall[1991]: user=ubuntu
cifs.upcall[1991]: pid=1984
cifs.upcall[1990]: upcall_target=app, switching namespaces to application thread
cifs.upcall[1990]: get_cachename_from_process_env: pid == 0
cifs.upcall[1990]: get_existing_cc: default ccache is FILE:/tmp/krb5cc_1000
cifs.upcall[1990]: main: valid service ticket exists in credential cache
cifs.upcall[1990]: handle_krb5_mech: getting service ticket for samba-dc.example.com
cifs.upcall[1990]: handle_krb5_mech: obtained service ticket
cifs.upcall[1990]: Exit status 0

I will defer the other UID user for the end.

Let's try as root user:

ubuntu@focal-dc:~$ kdestroy
ubuntu@focal-dc:~$ unset KRB5CCNAME
ubuntu@focal-dc:~$ sudo -s
root@focal-dc:/home/ubuntu# kinit [email protected]
Password for [email protected]:
Warning: Your password will expire in 41 days on Mon Jul 28 02:14:31 2025
root@focal-dc:/home/ubuntu# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: [email protected]

Valid starting     Expires            Service principal
06/16/25 05:06:51  06/16/25 15:06:51  krbtgt/[email protected]
        renew until 06/17/25 05:06:48
root@focal-dc:/home/ubuntu# mount -t cifs -o cruid=root,user=root,sec=krb5i,uid=0,gid=0,cred=/tmp/krb5cc_0 //samba-dc.example.com/demo /mnt/testshare1
root@focal-dc:/home/ubuntu# mount -l | grep cifs
//samba-dc.example.com/demo on /mnt/testshare1 type cifs (rw,relatime,vers=3.1.1,sec=krb5i,cruid=0,cache=strict,username=root,uid=0,forceuid,gid=0,forcegid,addr=192.168.122.230,file_mode=0755,dir_mode=0755,soft,nounix,serverino,mapposix,rsize=4194304,wsize=4194304,bsize=1048576,echo_interval=60,actimeo=1,user=root)

$ journalctl -b0
kernel: CIFS: Attempting to mount //samba-dc.example.com/demo
kernel: No dialect specified on mount. Default has changed to a more secure dialect, SMB2.1 or later (e.g. SMB3), from CIFS (SMB1). To use the less secure SMB1 dialect to access old servers which do not support SMB3 (or SMB2.1) specify vers=1.0 on mount.
cifs.upcall[2065]: key description: cifs.spnego;0;0;39010000;ver=0x2;host=samba-dc.example.com;ip4=192.168.122.230;sec=krb5;uid=0x0;creduid=0x0;user=root;pid=0x80b
cifs.upcall[2066]: ver=2
cifs.upcall[2066]: host=samba-dc.example.com
cifs.upcall[2066]: ip=192.168.122.230
cifs.upcall[2066]: sec=1
cifs.upcall[2066]: uid=0
cifs.upcall[2066]: creduid=0
cifs.upcall[2066]: user=root
cifs.upcall[2066]: pid=2059
cifs.upcall[2065]: upcall_target=app, switching namespaces to application thread
cifs.upcall[2065]: get_cachename_from_process_env: pid == 0
cifs.upcall[2065]: get_existing_cc: default ccache is FILE:/tmp/krb5cc_0
cifs.upcall[2065]: handle_krb5_mech: getting service ticket for samba-dc.example.com
cifs.upcall[2065]: handle_krb5_mech: obtained service ticket
cifs.upcall[2065]: Exit status 0

I then enabled -security-proposed from the following ppa:

https://launchpad.net/~ubuntu-security-proposed/+archive/ubuntu/ppa/+packages?field.name_filter=cifs-utils&field.status_filter=published&field.series_filter=

I then installed cifs-utils 2:6.9-1ubuntu0.4

Let's try a standard uid 1000 user:

ubuntu@focal-dc:~$ kinit [email protected]
Password for [email protected]:
Warning: Your password will expire in 41 days on Mon Jul 28 02:14:31 2025
ubuntu@focal-dc:~$ klist
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: [email protected]

Valid starting     Expires            Service principal
06/16/25 05:08:28  06/16/25 15:08:28  krbtgt/[email protected]
        renew until 06/17/25 05:08:25
ubuntu@focal-dc:~$ sudo mount -t cifs -o cruid=ubuntu,user=ubuntu,sec=krb5i,uid=1000,gid=1000,cred=/tmp/krb5cc_1000 //samba-dc.example.com/demo /mnt/testshare1
ubuntu@focal-dc:~$ mount -l | grep cifs
//samba-dc.example.com/demo on /mnt/testshare1 type cifs (rw,relatime,vers=3.1.1,sec=krb5i,cruid=1000,cache=strict,username=ubuntu,uid=1000,forceuid,gid=1000,forcegid,addr=192.168.122.230,file_mode=0755,dir_mode=0755,soft,nounix,serverino,mapposix,rsize=4194304,wsize=4194304,bsize=1048576,echo_interval=60,actimeo=1,user=ubuntu)

$ journalctl -b0
focal-dc kernel: CIFS: Attempting to mount //samba-dc.example.com/demo
focal-dc kernel: No dialect specified on mount. Default has changed to a more secure dialect, SMB2.1 or later (e.g. SMB3), from CIFS (SMB1). To use the less secure SMB1 dialect to access old servers which do not support SMB3 (or SMB2.1) specify vers=1.0 on mount.
focal-dc cifs.upcall[2874]: key description: cifs.spnego;0;0;39010000;ver=0x2;host=samba-dc.example.com;ip4=192.168.122.230;sec=krb5;uid=0x3e8;creduid=0x3e8;user=ubuntu;pid=0xb34
focal-dc cifs.upcall[2875]: ver=2
focal-dc cifs.upcall[2875]: host=samba-dc.example.com
focal-dc cifs.upcall[2875]: ip=192.168.122.230
focal-dc cifs.upcall[2875]: sec=1
focal-dc cifs.upcall[2875]: uid=1000
focal-dc cifs.upcall[2875]: creduid=1000
focal-dc cifs.upcall[2875]: user=ubuntu
focal-dc cifs.upcall[2875]: pid=2868
focal-dc cifs.upcall[2874]: upcall_target=app, switching namespaces to application thread
focal-dc cifs.upcall[2874]: get_cachename_from_process_env: pathname=/proc/2868/environ
focal-dc cifs.upcall[2874]: get_existing_cc: default ccache is FILE:/tmp/krb5cc_1000
focal-dc cifs.upcall[2874]: main: valid service ticket exists in credential cache
focal-dc cifs.upcall[2874]: handle_krb5_mech: getting service ticket for samba-dc.example.com
focal-dc cifs.upcall[2874]: handle_krb5_mech: obtained service ticket
focal-dc cifs.upcall[2874]: Exit status 0

ubuntu@focal-dc:~$ sudo umount /mnt/testshare1

Let's try as root user:

ubuntu@focal-dc:~$ sudo umount /mnt/testshare1
ubuntu@focal-dc:~$ kdestroy
ubuntu@focal-dc:~$ unset KRB5CCNAME
ubuntu@focal-dc:~$ sudo -s
root@focal-dc:/home/ubuntu# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: [email protected]

Valid starting     Expires            Service principal
06/16/25 05:06:51  06/16/25 15:06:51  krbtgt/[email protected]
        renew until 06/17/25 05:06:48
06/16/25 05:07:00  06/16/25 15:06:51  cifs/samba-dc.example.com@
        renew until 06/17/25 05:06:48
06/16/25 05:07:00  06/16/25 15:06:51  cifs/[email protected]
        renew until 06/17/25 05:06:48
root@focal-dc:/home/ubuntu# mount -t cifs -o cruid=root,user=root,sec=krb5i,uid=0,gid=0,cred=/tmp/krb5cc_0 //samba-dc.example.com/demo /mnt/testshare1
root@focal-dc:/home/ubuntu# mount -l | grep cifs
//samba-dc.example.com/demo on /mnt/testshare1 type cifs (rw,relatime,vers=3.1.1,sec=krb5i,cruid=0,cache=strict,username=root,uid=0,forceuid,gid=0,forcegid,addr=192.16

$ journalctl -b0
kernel: CIFS: Attempting to mount //samba-dc.example.com/demo
kernel: No dialect specified on mount. Default has changed to a more secure dialect, SMB2.1 or later (e.g. SMB3), from CIFS (SMB1). To use the less secure SMB1 dialect to access old servers which do not support SMB3 (or SMB2.1) specify vers=1.0 on mount.
cifs.upcall[2962]: key description: cifs.spnego;0;0;39010000;ver=0x2;host=samba-dc.example.com;ip4=192.168.122.230;sec=krb5;uid=0x0;creduid=0x0;user=root;pid=0xb8c
cifs.upcall[2963]: ver=2
cifs.upcall[2963]: host=samba-dc.example.com
cifs.upcall[2963]: ip=192.168.122.230
cifs.upcall[2963]: sec=1
cifs.upcall[2963]: uid=0
cifs.upcall[2963]: creduid=0
cifs.upcall[2963]: user=root
cifs.upcall[2963]: pid=2956
cifs.upcall[2962]: upcall_target=app, switching namespaces to application thread
cifs.upcall[2962]: get_cachename_from_process_env: pid == 0
cifs.upcall[2962]: get_existing_cc: default ccache is FILE:/tmp/krb5cc_0
cifs.upcall[2962]: main: valid service ticket exists in credential cache
cifs.upcall[2962]: handle_krb5_mech: getting service ticket for samba-dc.example.com
cifs.upcall[2962]: handle_krb5_mech: obtained service ticket
cifs.upcall[2962]: Exit status 0

Next, we will just do a run with a patched kernel.
I enabled -proposed and installed:

ubuntu@focal-dc:~$ uname -rv
5.4.0-218-generic #238-Ubuntu SMP Mon May 19 10:42:47 UTC 2025

We will keep cifs-utils from -security-proposed installed.

Let's try a standard uid 1000 user:

ubuntu@focal-dc:~$ kinit [email protected]
Password for [email protected]:
Warning: Your password will expire in 41 days on Mon Jul 28 02:14:31 2025
ubuntu@focal-dc:~$ klist
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: [email protected]

Valid starting     Expires            Service principal
06/16/25 05:14:43  06/16/25 15:14:43  krbtgt/[email protected]
        renew until 06/17/25 05:14:41
ubuntu@focal-dc:~$ sudo mount -t cifs -o cruid=ubuntu,user=ubuntu,sec=krb5i,uid=1000,gid=1000,cred=/tmp/krb5cc_1000 //samba-dc.example.com/demo /mnt/testshare1
ubuntu@focal-dc:~$ mount -l | grep cifs
//samba-dc.example.com/demo on /mnt/testshare1 type cifs (rw,relatime,vers=3.1.1,sec=krb5i,cruid=1000,cache=strict,upcall_target=app,username=ubuntu,uid=1000,forceuid,gid=1000,forcegid,addr=192.168.122.230,file_mode=0755,dir_mode=0755,soft,nounix,serverino,mapposix,rsize=4194304,wsize=4194304,bsize=1048576,echo_interval=60,actimeo=1,user=ubuntu)

$ journalctl -b0
kernel: CIFS: Attempting to mount //samba-dc.example.com/demo
kernel: No dialect specified on mount. Default has changed to a more secure dialect, SMB2.1 or later (e.g. SMB3), from CIFS (SMB1). To use the less secure SMB1 dialect to access old servers which do not support SMB3 (or SMB2.1) specify vers=1.0 on mount.
cifs.upcall[1553]: key description: cifs.spnego;0;0;39010000;ver=0x2;host=samba-dc.example.com;ip4=192.168.122.230;sec=krb5;uid=0x3e8;creduid=0x3e8;user=ubuntu;pid=0x5ff;upcall_target=app
cifs.upcall[1554]: ver=2
cifs.upcall[1554]: host=samba-dc.example.com
cifs.upcall[1554]: ip=192.168.122.230
cifs.upcall[1554]: sec=1
cifs.upcall[1554]: uid=1000
cifs.upcall[1554]: creduid=1000
cifs.upcall[1554]: user=ubuntu
cifs.upcall[1554]: pid=1535
cifs.upcall[1554]: upcall_target=app
cifs.upcall[1553]: upcall_target=app, switching namespaces to application thread
cifs.upcall[1553]: get_cachename_from_process_env: pathname=/proc/1535/environ
cifs.upcall[1553]: get_existing_cc: default ccache is FILE:/tmp/krb5cc_1000
cifs.upcall[1553]: handle_krb5_mech: getting service ticket for samba-dc.example.com
cifs.upcall[1553]: handle_krb5_mech: obtained service ticket
cifs.upcall[1553]: Exit status 0

Let's try as root user:

ubuntu@focal-dc:~$ kdestroy
ubuntu@focal-dc:~$ unset KRB5CCNAME
ubuntu@focal-dc:~$ sudo -s
root@focal-dc:/home/ubuntu# kinit [email protected]
Password for [email protected]:
Warning: Your password will expire in 41 days on Mon Jul 28 02:14:31 2025
root@focal-dc:/home/ubuntu# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: [email protected]

Valid starting     Expires            Service principal
06/16/25 07:26:38  06/16/25 17:26:38  krbtgt/[email protected]
        renew until 06/17/25 07:26:35
root@focal-dc:/home/ubuntu# mount -t cifs -o cruid=root,user=root,sec=krb5i,uid=0,gid=0,cred=/tmp/krb5cc_0 //samba-dc.example.com/demo /mnt/testshare1
root@focal-dc:/home/ubuntu# mount -l | grep cifs
//samba-dc.example.com/demo on /mnt/testshare1 type cifs (rw,relatime,vers=3.1.1,sec=krb5i,cruid=0,cache=strict,upcall_target=app,username=root,uid=0,forceuid,gid=0,forcegid,addr=192.168.122.230,file_mode=0755,dir_mode=0755,soft,nounix,serverino,mapposix,rsize=4194304,wsize=4194304,bsize=1048576,echo_interval=60,actimeo=1,user=root)

$ journalctl -b0
kernel: CIFS: Attempting to mount //samba-dc.example.com/demo
kernel: No dialect specified on mount. Default has changed to a more secure dialect, SMB2.1 or later (e.g. SMB3), from CIFS (SMB1). To use the less secure SMB1 dialect to access old servers which do not support SMB3 (or SMB2.1) specify vers=1.0 on mount.
cifs.upcall[1592]: key description: cifs.spnego;0;0;39010000;ver=0x2;host=samba-dc.example.com;ip4=192.168.122.230;sec=krb5;uid=0x0;creduid=0x0;user=root;pid=0x625;upcall_target=app
cifs.upcall[1593]: ver=2
cifs.upcall[1593]: host=samba-dc.example.com
cifs.upcall[1593]: ip=192.168.122.230
cifs.upcall[1593]: sec=1
cifs.upcall[1593]: uid=0
cifs.upcall[1593]: creduid=0
cifs.upcall[1593]: user=root
cifs.upcall[1593]: pid=1573
cifs.upcall[1593]: upcall_target=app
cifs.upcall[1592]: upcall_target=app, switching namespaces to application thread
cifs.upcall[1592]: get_cachename_from_process_env: pid == 0
cifs.upcall[1592]: get_existing_cc: default ccache is FILE:/tmp/krb5cc_0
cifs.upcall[1592]: handle_krb5_mech: getting service ticket for samba-dc.example.com
cifs.upcall[1592]: handle_krb5_mech: obtained service ticket
cifs.upcall[1592]: Exit status 0

We are just going to focus on different uid user, e.g. like AD user, as something different is happening on focal than any other release.

Let's start with: unpatched kernel / -release cifs-utils

kernel: 5.4.0-216-generic
cifs-utils: 2:6.9-1

ubuntu@focal-dc:~$ mv /tmp/krb5cc_1000 /tmp/krb5cc_11200
ubuntu@focal-dc:~$ export KRB5CCNAME=/tmp/krb5cc_11200
ubuntu@focal-dc:~$ klist /tmp/krb5cc_11200
Ticket cache: FILE:/tmp/krb5cc_11200
Default principal: [email protected]

Valid starting     Expires            Service principal
06/16/25 06:51:11  06/16/25 16:51:11  krbtgt/[email protected]
        renew until 06/17/25 06:51:08
ubuntu@focal-dc:~$ sudo mount -t cifs -o sec=krb5i //samba-dc.example.com/demo /mnt/testshare1
mount error(2): No such file or directory
Refer to the mount.cifs(8) manual page (e.g. man mount.cifs) and kernel log messages (dmesg)

$ journalctl -b0
kernel: CIFS: Attempting to mount //samba-dc.example.com/demo
kernel: No dialect specified on mount. Default has changed to a more secure dialect, SMB2.1 or later (e.g. SMB3), from CIFS (SMB1). To use the less secure SMB1 dialect to access old servers which do not support SMB3 (or SMB2.1) specify vers=1.0 on mount.
cifs.upcall[2023]: key description: cifs.spnego;0;0;39010000;ver=0x2;host=samba-dc.example.com;ip4=192.168.122.230;sec=krb5;uid=0x0;creduid=0x0;user=root;pid=0x7e1
cifs.upcall[2023]: ver=2
cifs.upcall[2023]: host=samba-dc.example.com
cifs.upcall[2023]: ip=192.168.122.230
cifs.upcall[2023]: sec=1
cifs.upcall[2023]: uid=0
cifs.upcall[2023]: creduid=0
cifs.upcall[2023]: user=root
cifs.upcall[2023]: pid=2017
cifs.upcall[2023]: get_cachename_from_process_env: pid == 0
cifs.upcall[2023]: get_existing_cc: default ccache is FILE:/tmp/krb5cc_0
cifs.upcall[2023]: get_tgt_time: unable to get principal
cifs.upcall[2023]: krb5_get_init_creds_keytab: -1765328378
cifs.upcall[2023]: Exit status 1
kernel: CIFS VFS: Verify user has a krb5 ticket and keyutils is installed
kernel: CIFS VFS: \\samba-dc.example.com Send error in SessSetup = -126
kernel: CIFS VFS: cifs_mount failed w/return code = -2

It fails. It seems cifs-utils on focal only checks root's env regardless of what you try.

If we upgrade to 2:6.9-1ubuntu0.3 from -updates:

ubuntu@focal-dc:~$ klist
Ticket cache: FILE:/tmp/krb5cc_11200
Default principal: [email protected]

Valid starting     Expires            Service principal
06/16/25 06:51:11  06/16/25 16:51:11  krbtgt/[email protected]
        renew until 06/17/25 06:51:08
ubuntu@focal-dc:~$ sudo mount -t cifs -o sec=krb5i //samba-dc.example.com/demo /mnt/testshare1
mount error(2): No such file or directory
Refer to the mount.cifs(8) manual page (e.g. man mount.cifs) and kernel log messages (dmesg)

$ journalctl -b0
kernel: CIFS: Attempting to mount //samba-dc.example.com/demo
kernel: No dialect specified on mount. Default has changed to a more secure dialect, SMB2.1 or later (e.g. SMB3), from CIFS (SMB1). To use the less secure SMB1 dialect to access old servers which do not support SMB3 (or SMB2.1) specify vers=1.0 on mount.
cifs.upcall[2225]: key description: cifs.spnego;0;0;39010000;ver=0x2;host=samba-dc.example.com;ip4=192.168.122.230;sec=krb5;uid=0x0;creduid=0x0;user=root;pid=0x8ab
cifs.upcall[2226]: ver=2
cifs.upcall[2226]: host=samba-dc.example.com
cifs.upcall[2226]: ip=192.168.122.230
cifs.upcall[2226]: sec=1
cifs.upcall[2226]: uid=0
cifs.upcall[2226]: creduid=0
cifs.upcall[2226]: user=root
cifs.upcall[2226]: pid=2219
cifs.upcall[2225]: upcall_target=app, switching namespaces to application thread
cifs.upcall[2225]: get_cachename_from_process_env: pid == 0
cifs.upcall[2225]: get_existing_cc: default ccache is FILE:/tmp/krb5cc_0
cifs.upcall[2225]: check_service_ticket_exists: unable to get client principal from cache: No credentials cache found (filename: /tmp/krb5cc_0)
cifs.upcall[2225]: get_tgt_time: unable to get principal
cifs.upcall[2225]: main: valid TGT is not present in credential cache
cifs.upcall[2225]: krb5_get_init_creds_keytab: -1765328378
cifs.upcall[2225]: Exit status 1
kernel: CIFS VFS: Verify user has a krb5 ticket and keyutils is installed
kernel: CIFS VFS: \\samba-dc.example.com Send error in SessSetup = -126
kernel: CIFS VFS: cifs_mount failed w/return code = -2

Still broken. Seems focal never had a regression because it never worked in the first place.

If we move to 2:6.9-1ubuntu0.4 in -security-proposed:

ubuntu@focal-dc:~$ klist
Ticket cache: FILE:/tmp/krb5cc_11200
Default principal: [email protected]

Valid starting     Expires            Service principal
06/16/25 06:51:11  06/16/25 16:51:11  krbtgt/[email protected]
        renew until 06/17/25 06:51:08
ubuntu@focal-dc:~$ sudo mount -t cifs -o sec=krb5i //samba-dc.example.com/demo /mnt/testshare1
mount error(2): No such file or directory
Refer to the mount.cifs(8) manual page (e.g. man mount.cifs) and kernel log messages (dmesg)

$ journalctl -b0
kernel: CIFS: Attempting to mount //samba-dc.example.com/demo
kernel: No dialect specified on mount. Default has changed to a more secure dialect, SMB2.1 or later (e.g. SMB3), from CIFS (SMB1). To use the less secure SMB1 dialect to access old servers which do not support SMB3 (or SMB2.1) specify vers=1.0 on mount.
cifs.upcall[3008]: key description: cifs.spnego;0;0;39010000;ver=0x2;host=samba-dc.example.com;ip4=192.168.122.230;sec=krb5;uid=0x0;creduid=0x0;user=root;pid=0xbba
cifs.upcall[3009]: ver=2
cifs.upcall[3009]: host=samba-dc.example.com
cifs.upcall[3009]: ip=192.168.122.230
cifs.upcall[3009]: sec=1
cifs.upcall[3009]: uid=0
cifs.upcall[3009]: creduid=0
cifs.upcall[3009]: user=root
cifs.upcall[3009]: pid=3002
cifs.upcall[3008]: upcall_target=app, switching namespaces to application thread
cifs.upcall[3008]: get_cachename_from_process_env: pid == 0
cifs.upcall[3008]: get_existing_cc: default ccache is FILE:/tmp/krb5cc_0
cifs.upcall[3008]: check_service_ticket_exists: unable to get client principal from cache: No credentials cache found (filename: /tmp/krb5cc_0)
cifs.upcall[3008]: get_tgt_time: unable to get principal
cifs.upcall[3008]: main: valid TGT is not present in credential cache
cifs.upcall[3008]: krb5_get_init_creds_keytab: -1765328378
cifs.upcall[3008]: Exit status 1
sudo[3000]: pam_unix(sudo:session): session closed for user root
kernel: CIFS VFS: Verify user has a krb5 ticket and keyutils is installed
kernel: CIFS VFS: \\samba-dc.example.com Send error in SessSetup = -126
kernel: CIFS VFS: cifs_mount failed w/return code = -2

It still doesn't make things any better, but they are no worse than what is currently in -updates.
If we enable -proposed and install a patched kernel:

ubuntu@focal-dc:~$ uname -rv
5.4.0-218-generic #238-Ubuntu SMP Mon May 19 10:42:47 UTC 2025
ubuntu@focal-dc:~$ kinit [email protected]
Password for [email protected]:
Warning: Your password will expire in 41 days on Mon Jul 28 02:14:31 2025
ubuntu@focal-dc:~$ mv /tmp/krb5cc_1000 /tmp/krb5cc_11200
ubuntu@focal-dc:~$ export KRB5CCNAME=/tmp/krb5cc_11200
ubuntu@focal-dc:~$ klist /tmp/krb5cc_11200
Ticket cache: FILE:/tmp/krb5cc_11200
Default principal: [email protected]

Valid starting     Expires            Service principal
06/16/25 07:00:38  06/16/25 17:00:38  krbtgt/[email protected]
        renew until 06/17/25 07:00:35
ubuntu@focal-dc:~$ sudo mount -t cifs -o sec=krb5i //samba-dc.example.com/demo /mnt/testshare1
mount error(2): No such file or directory
Refer to the mount.cifs(8) manual page (e.g. man mount.cifs) and kernel log messages (dmesg)

$ journalctl -b0
kernel: CIFS: Attempting to mount //samba-dc.example.com/demo
kernel: No dialect specified on mount. Default has changed to a more secure dialect, SMB2.1 or later (e.g. SMB3), from CIFS (SMB1). To use the less secure SMB1 dialect to access old servers which do not support SMB3 (or SMB2.1) specify vers=1.0 on mount.
cifs.upcall[1577]: key description: cifs.spnego;0;0;39010000;ver=0x2;host=samba-dc.example.com;ip4=192.168.122.230;sec=krb5;uid=0x0;creduid=0x0;user=root;pid=0x625;upcall_target=app
cifs.upcall[1578]: ver=2
cifs.upcall[1578]: host=samba-dc.example.com
cifs.upcall[1578]: ip=192.168.122.230
cifs.upcall[1578]: sec=1
cifs.upcall[1578]: uid=0
cifs.upcall[1578]: creduid=0
cifs.upcall[1578]: user=root
cifs.upcall[1578]: pid=1573
cifs.upcall[1578]: upcall_target=app
cifs.upcall[1577]: upcall_target=app, switching namespaces to application thread
cifs.upcall[1577]: get_cachename_from_process_env: pid == 0
cifs.upcall[1577]: get_existing_cc: default ccache is FILE:/tmp/krb5cc_0
cifs.upcall[1577]: check_service_ticket_exists: unable to get client principal from cache: No credentials cache found (filename: /tmp/krb5cc_0)
cifs.upcall[1577]: get_tgt_time: unable to get principal
cifs.upcall[1577]: main: valid TGT is not present in credential cache
cifs.upcall[1577]: krb5_get_init_creds_keytab: -1765328378
cifs.upcall[1577]: Exit status 1
sudo[1571]: pam_unix(sudo:session): session closed for user root
kernel: CIFS VFS: Verify user has a krb5 ticket and keyutils is installed
kernel: CIFS VFS: \\samba-dc.example.com Send error in SessSetup = -126
kernel: CIFS VFS: cifs_mount failed w/return code = -2

Patched kernel doesn't change the behaviour.
If we try a HWE kernel:

ubuntu@focal-dc:~$ uname -rv
5.15.0-140-generic #150~20.04.1-Ubuntu SMP Fri Apr 25 10:28:04 UTC 2025
ubuntu@focal-dc:~$ kinit [email protected]
Password for [email protected]:
Warning: Your password will expire in 41 days on Mon Jul 28 02:14:31 2025
ubuntu@focal-dc:~$ mv /tmp/krb5cc_1000 /tmp/krb5cc_11200
ubuntu@focal-dc:~$ export KRB5CCNAME=/tmp/krb5cc_11200
ubuntu@focal-dc:~$ klist /tmp/krb5cc_11200
Ticket cache: FILE:/tmp/krb5cc_11200
Default principal: [email protected]

Valid starting     Expires            Service principal
06/16/25 07:04:26  06/16/25 17:04:26  krbtgt/[email protected]
        renew until 06/17/25 07:04:23
ubuntu@focal-dc:~$ sudo mount -t cifs -o sec=krb5i //samba-dc.example.com/demo /mnt/testshare1
mount error(126): Required key not available
Refer to the mount.cifs(8) manual page (e.g. man mount.cifs) and kernel log messages (dmesg)

kernel: CIFS: Attempting to mount \\samba-dc.example.com\demo
cifs.upcall[1688]: key description: cifs.spnego;0;0;39010000;ver=0x2;host=samba-dc.example.com;ip4=192.168.122.230;sec=krb5;uid=0x0;creduid=0x0;user=root;pid=0x694
cifs.upcall[1689]: ver=2
cifs.upcall[1689]: host=samba-dc.example.com
cifs.upcall[1689]: ip=192.168.122.230
cifs.upcall[1689]: sec=1
cifs.upcall[1689]: uid=0
cifs.upcall[1689]: creduid=0
cifs.upcall[1689]: user=root
cifs.upcall[1689]: pid=1684
cifs.upcall[1688]: upcall_target=app, switching namespaces to application thread
cifs.upcall[1688]: get_cachename_from_process_env: pid == 0
cifs.upcall[1688]: get_existing_cc: default ccache is FILE:/tmp/krb5cc_0
cifs.upcall[1688]: check_service_ticket_exists: unable to get client principal from cache: No credentials cache found (filename: /tmp/krb5cc_0)
cifs.upcall[1688]: get_tgt_time: unable to get principal
cifs.upcall[1688]: main: valid TGT is not present in credential cache
cifs.upcall[1688]: krb5_get_init_creds_keytab: -1765328378
cifs.upcall[1688]: Exit status 1
sudo[1682]: pam_unix(sudo:session): session closed for user root
kernel: CIFS: VFS: Verify user has a krb5 ticket and keyutils is installed
kernel: CIFS: VFS: \\samba-dc.example.com Send error in SessSetup = -126
kernel: CIFS: VFS: cifs_mount failed w/return code = -126

The HWE kernel doesn't improve things either, it's cifs-utils itself.

I think what's going on here is that on jammy and onward, cifs-utils will try both root, and the user uid / env in two separate calls.

This is from jammy:

kernel: CIFS: Attempting to mount \\samba-dc.example.com\demo
cifs.upcall[1495]: key description: cifs.spnego;0;0;39010000;ver=0x2;host=samba-dc.example.com;ip4=192.168.122.79;sec=krb5;uid=0x0;creduid=0x0;user=root;pid=0x5c1;upcall_target=app
cifs.upcall[1496]: ver=2
cifs.upcall[1496]: host=samba-dc.example.com
cifs.upcall[1496]: ip=192.168.122.79
cifs.upcall[1496]: sec=1
cifs.upcall[1496]: uid=0
cifs.upcall[1496]: creduid=0
cifs.upcall[1496]: user=root
cifs.upcall[1496]: pid=1473
cifs.upcall[1496]: upcall_target=app
cifs.upcall[1495]: upcall_target=app, switching namespaces to application thread
cifs.upcall[1495]: get_cachename_from_process_env: pid == 0
cifs.upcall[1495]: get_existing_cc: default ccache is FILE:/tmp/krb5cc_0
cifs.upcall[1495]: check_service_ticket_exists: unable to get client principal from cache: No credentials cache found (filename: /tmp/krb5cc_0)
cifs.upcall[1495]: get_tgt_time: unable to get principal
cifs.upcall[1495]: main: valid TGT is not present in credential cache
cifs.upcall[1495]: krb5_get_init_creds_keytab: -1765328378
cifs.upcall[1495]: Exit status 1
kernel: CIFS: VFS: Verify user has a krb5 ticket and keyutils is installed
kernel: CIFS: VFS: \\samba-dc.example.com Send error in SessSetup = -126
kernel: CIFS: VFS: cifs_mount failed w/return code = -126
kernel: CIFS: Attempting to mount \\samba-dc.example.com\demo
cifs.upcall[1500]: key description: cifs.spnego;0;0;39010000;ver=0x2;host=samba-dc.example.com;ip4=192.168.122.79;sec=krb5;uid=0x0;creduid=0x3e8;user=root;pid=0x5c1;upcall_target=app
cifs.upcall[1501]: ver=2
cifs.upcall[1501]: host=samba-dc.example.com
cifs.upcall[1501]: ip=192.168.122.79
cifs.upcall[1501]: sec=1
cifs.upcall[1501]: uid=0
cifs.upcall[1501]: creduid=1000
cifs.upcall[1501]: user=root
cifs.upcall[1501]: pid=1473
cifs.upcall[1501]: upcall_target=app
cifs.upcall[1500]: upcall_target=app, switching namespaces to application thread
cifs.upcall[1500]: get_cachename_from_process_env: pathname=/proc/1473/environ
cifs.upcall[1500]: get_cachename_from_process_env: cachename = /tmp/krb5cc_11200
cifs.upcall[1500]: get_existing_cc: default ccache is FILE:/tmp/krb5cc_11200
cifs.upcall[1500]: handle_krb5_mech: getting service ticket for samba-dc.example.com
cifs.upcall[1500]: handle_krb5_mech: obtained service ticket
cifs.upcall[1500]: Exit status 0

You see, focal only makes the very first call.

Regardless, the new cifs-utils package in -security-proposed does not make things better or worse than they currently are.

I think it's best to still go with release. We keep the code changes in sync with jammy onward, fix a known memory leak, and keep the code correct for unpatched kernels.

I will mark verified for focal.

** Tags added: verification-done-focal
** Tags removed: regression-update

--
You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2112614

Title:
  Regression: After CVE-2025-2312 cifs.upcall can't find credential caches from user env

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/cifs-utils/+bug/2112614/+subscriptions

--
ubuntu-bugs mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
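
The focal and jammy traces in the message above can be compared mechanically. The following Python script is an added example, not part of the original bug comment or of cifs-utils: it parses cifs.upcall journal lines and reports, per upcall, the creduid tried, whether the process environment was consulted, the credential cache chosen and the exit status. The function names are hypothetical, and the sample input is abridged from the traces quoted above.

```python
import re

# Message part of a journal line; any timestamp or host prefix is ignored.
UPCALL_RE = re.compile(r"cifs\.upcall\[\d+\]: (.*)$")

# Sample input, abridged from the jammy trace in the message above.
JAMMY_LOG = """
cifs.upcall[1495]: key description: cifs.spnego;0;0;39010000;ver=0x2;host=samba-dc.example.com;ip4=192.168.122.79;sec=krb5;uid=0x0;creduid=0x0;user=root;pid=0x5c1;upcall_target=app
cifs.upcall[1495]: get_cachename_from_process_env: pid == 0
cifs.upcall[1495]: get_existing_cc: default ccache is FILE:/tmp/krb5cc_0
cifs.upcall[1495]: main: valid TGT is not present in credential cache
cifs.upcall[1495]: Exit status 1
kernel: CIFS: VFS: cifs_mount failed w/return code = -126
cifs.upcall[1500]: key description: cifs.spnego;0;0;39010000;ver=0x2;host=samba-dc.example.com;ip4=192.168.122.79;sec=krb5;uid=0x0;creduid=0x3e8;user=root;pid=0x5c1;upcall_target=app
cifs.upcall[1500]: get_cachename_from_process_env: pathname=/proc/1473/environ
cifs.upcall[1500]: get_cachename_from_process_env: cachename = /tmp/krb5cc_11200
cifs.upcall[1500]: get_existing_cc: default ccache is FILE:/tmp/krb5cc_11200
cifs.upcall[1500]: handle_krb5_mech: obtained service ticket
cifs.upcall[1500]: Exit status 0
"""

# Sample input, abridged from the focal (patched kernel) trace in the message above.
FOCAL_LOG = """
cifs.upcall[1577]: key description: cifs.spnego;0;0;39010000;ver=0x2;host=samba-dc.example.com;ip4=192.168.122.230;sec=krb5;uid=0x0;creduid=0x0;user=root;pid=0x625;upcall_target=app
cifs.upcall[1577]: get_cachename_from_process_env: pid == 0
cifs.upcall[1577]: get_existing_cc: default ccache is FILE:/tmp/krb5cc_0
cifs.upcall[1577]: main: valid TGT is not present in credential cache
cifs.upcall[1577]: Exit status 1
kernel: CIFS VFS: cifs_mount failed w/return code = -2
"""


def parse_key_description(desc):
    """Split 'cifs.spnego;0;0;...;uid=0x3e8;creduid=0x3e8;...' into a dict."""
    fields = dict(p.split("=", 1) for p in desc.split(";") if "=" in p)
    for key in ("uid", "creduid", "pid"):  # logged in hex in the key description
        if key in fields:
            fields[key] = int(fields[key], 16)
    return fields


def parse_upcalls(lines):
    """Group lines into one record per upcall ('key description' .. 'Exit status')."""
    upcalls, cur = [], None
    for line in lines:
        m = UPCALL_RE.search(line)
        if not m:
            continue  # kernel, sudo and other non-upcall lines
        msg = m.group(1).strip()
        if msg.startswith("key description:"):
            cur = parse_key_description(msg.split(":", 1)[1].strip())
            cur.update(env_lookup="not logged", env_ccache=None,
                       ccache=None, exit_status=None)
            upcalls.append(cur)
        elif cur is None:
            continue  # upcall line seen before any key description
        elif msg.startswith("get_cachename_from_process_env:"):
            detail = msg.split(":", 1)[1].strip()
            if detail == "pid == 0":
                cur["env_lookup"] = "skipped"
            elif detail.startswith("pathname="):
                cur["env_lookup"] = "read"
            elif detail.startswith("cachename ="):
                cur["env_ccache"] = detail.split("=", 1)[1].strip()
        elif "default ccache is " in msg:
            cur["ccache"] = msg.split("default ccache is ", 1)[1]
        elif msg.startswith("Exit status"):
            cur["exit_status"] = int(msg.split()[-1])
            cur = None  # record complete
    return upcalls


def creduids_tried(upcalls):
    """The creduid of each upcall, in the order the kernel issued them."""
    return [u.get("creduid") for u in upcalls]


def summarize(upcalls):
    """One line per upcall, for side-by-side comparison between releases."""
    return [f"creduid={u.get('creduid')} env={u['env_lookup']} "
            f"env_ccache={u['env_ccache'] or 'none from env'} "
            f"ccache={u['ccache']} exit={u['exit_status']}" for u in upcalls]


if __name__ == "__main__":
    for name, log in (("focal", FOCAL_LOG), ("jammy", JAMMY_LOG)):
        print(name)
        for row in summarize(parse_upcalls(log.splitlines())):
            print("  " + row)
```

On a live system the same functions can be fed the lines of `journalctl -b0` output instead of the embedded samples.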
