View Issue Details

IDProjectCategoryView StatusLast Update
0007188Kali Linux[All Projects] Kali Package Bugpublic2021-05-26 23:59
Reporterbugreporter4us Assigned To 
PriorityhighSeveritymajorReproducibilityalways
Status newResolutionopen 
Product Version 
Target VersionFixed in Version 
Summary0007188: cifs-utils version 2:6.11-3 breaks krb5 mounts
DescriptionThis morning after updating against the kali.download mirror, cifs-utils was upgraded from 2:6.11-1 to 2:6.11-3. Following this upgrade, my mount for a SMB3 share using krb5i authentication failed. This was reproduced by one other person after updating.

I enabled debuging in my krb5 conf and these are the following results:
```
key description: cifs.spnego;0;0;39010000;ver=0x2;host=REDACTED;ip4=REDACTED;sec=krb5;uid=0x3e8;creduid=0x0;user=REDACTED;pid=0x2778
May 12 09:23:47 [HOSTNAME] cifs.upcall: ver=2
May 12 09:23:47 [HOSTNAME] cifs.upcall: host=REDACTED
May 12 09:23:47 [HOSTNAME] cifs.upcall: ip=REDACTED
May 12 09:23:47 [HOSTNAME] cifs.upcall: sec=1
May 12 09:23:47 [HOSTNAME] cifs.upcall: uid=1000
May 12 09:23:47 [HOSTNAME] cifs.upcall: creduid=0
May 12 09:23:47 [HOSTNAME] cifs.upcall: user=REDACTED
May 12 09:23:47 [HOSTNAME] cifs.upcall: pid=10104
May 12 09:23:47 [HOSTNAME] cifs.upcall: get_cachename_from_process_env: pid == 0
May 12 09:23:47 [HOSTNAME] cifs.upcall: switch_to_process_ns: setns() failed for cgroup
May 12 09:23:47 [HOSTNAME] cifs.upcall: Exit status 1
```

This is verified as a problem with cifs-utils vs krb5 by a successful service ticket request using kvno. The mount just does not work.
Steps To ReproduceRequest a TGT against a KDC
`kinit USER@SOMEREALM.COM`
Attempt to mount a CIFS share referencing that TGT with krb5i authentication
`mount --verbose -t smb3 //FILESHARE/Folder /mnt/fileshare -o user='USER',sec=krb5i,uid=1000,gid=1000`
Observe failure.
To localize the fault, attempt to request a service ticket directly with krb5 and observe the success.
`kvno cifs/FILESHARE@SOMEREALM.COM`
Additional InformationIt appears that this package has not yet hit the berkeley repo. I updated from kali.download.

Activities

bugreporter4us

2021-05-12 17:26

reporter   ~0014545

I was wrong about the berkeley repo. Package appears everywhere.

bugreporter4us

2021-05-14 23:50

reporter   ~0014548

I think likely this is the same issue reported on a newer version on Arch. I imagine the same patch was applied to mitigate CVE 2021-20208
See here for details: https://bugs.archlinux.org/task/70521

rhertzog

2021-05-17 16:27

administrator   ~0014561

This should really be reported to Debian since we are integrating the package straight from Debian. I don't see any report yet in https://bugs.debian.org/cgi-bin/pkgreport.cgi?archive=0;dist=unstable;ordering=normal;repeatmerged=0;src=cifs-utils so the report would certainly help. In particular since you pinpointed the regression to a security update.

bugreporter4us

2021-05-26 23:59

reporter   ~0014590

The relevant Debian bug report is:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=989080

Issue History

Date Modified Username Field Change
2021-05-12 16:34 bugreporter4us New Issue
2021-05-12 17:26 bugreporter4us Note Added: 0014545
2021-05-14 23:50 bugreporter4us Note Added: 0014548
2021-05-17 16:27 rhertzog Note Added: 0014561
2021-05-26 23:59 bugreporter4us Note Added: 0014590