Public bug reported:
kubuntu 19.10 with kernel 5.3.0-29-generic and64.
This looks like a regression in the kernel CIFS module after the 4.15 & 5.0
kernels.
These earlier kernels follow the DFS referrals without error.
The problem:
- Use mount.cifs with kerberos authentication to mount a samba server hosting a
DFS root.
You will get a KRB ticket for the "dfs_root" machine.
- Attempt to access a host a host via a DFS referral (call this "target_host")
- Access will fail with "Permission Denied".
- Use Wireshark to monitor CIFS and KRB traffic.
- The kernel attempts to authenticate to "target_host" using the KRB ticket for
"dfs_root".
Note:
- A DFS target running Win2008R2 will reply with
STATUS_MORE_PROCESSING_REQUIRED, then the
kernel will get a KRB ticket for "target_host" and use it.
The connection is then successful.
- A DFS target running Samba 4.7.6 will reply with STATUS_LOGON_FAILURE.
The connection fails.
Expected Result:
- Successful connection.
- The kernel should get a KRB ticket for "target_host" and use it.
(This is what kernels 4.15 and 5.0 do [and a Windows client])
** Affects: linux (Ubuntu)
Importance: Undecided
Status: New
--
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1862858
Title:
CIFS acesses DFS referral with wrong Kerberos ticket
Status in linux package in Ubuntu:
New
Bug description:
kubuntu 19.10 with kernel 5.3.0-29-generic and64.
This looks like a regression in the kernel CIFS module after the 4.15 & 5.0
kernels.
These earlier kernels follow the DFS referrals without error.
The problem:
- Use mount.cifs with kerberos authentication to mount a samba server hosting
a DFS root.
You will get a KRB ticket for the "dfs_root" machine.
- Attempt to access a host a host via a DFS referral (call this "target_host")
- Access will fail with "Permission Denied".
- Use Wireshark to monitor CIFS and KRB traffic.
- The kernel attempts to authenticate to "target_host" using the KRB ticket
for "dfs_root".
Note:
- A DFS target running Win2008R2 will reply with
STATUS_MORE_PROCESSING_REQUIRED, then the
kernel will get a KRB ticket for "target_host" and use it.
The connection is then successful.
- A DFS target running Samba 4.7.6 will reply with STATUS_LOGON_FAILURE.
The connection fails.
Expected Result:
- Successful connection.
- The kernel should get a KRB ticket for "target_host" and use it.
(This is what kernels 4.15 and 5.0 do [and a Windows client])
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1862858/+subscriptions
--
Mailing list: https://launchpad.net/~kernel-packages
Post to : kernel-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~kernel-packages
More help : https://help.launchpad.net/ListHelp
