Comment 16 for bug 1611816

Andreas Hasenack (ahasenack) wrote :

Verification for yakkety amd64:

package from proposed:
  Version table:
 *** 2:6.5-2ubuntu2 500
        500 http://br.archive.ubuntu.com/ubuntu yakkety-proposed/main amd64 Packages

PAM module is installed:
root@15-89:~# ll /lib/x86_64-linux-gnu/security/pam_cifscreds.so
-rw-r--r-- 1 root root 14176 Feb 28 21:58 /lib/x86_64-linux-gnu/security/pam_cifscreds.so

/etc/pam.d/login file modified to include pam_keyinit and pam_cifscreds: http://pastebin.ubuntu.com/24455401/

Mounted a samba share as root and connecting user "andreas" with the multiuser option:
root@15-89:~# mount -t cifs //ds216.lowtech/downloads /downloads -o username=andreas,multiuser
Password for andreas@//ds216.lowtech/downloads: ************************
root@15-89:~# ll /downloads/
total 414032
drwxrwxrwx 1 root root 0 Apr 20 20:23 ./
drwxr-xr-x 25 root root 4096 Apr 25 17:33 ../
drwxr-xr-x 1 1026 users 0 Aug 14 2016 humblebundle/
drwxr-xr-x 1 1026 users 0 Aug 18 2016 isos/
-rw-r--r-- 1 1026 users 265777840 Sep 9 2014 KSP_demo_linux.zip
(...)

Verified user ubuntu cannot see that:
root@15-89:~# sudo -u ubuntu -H ls -l /downloads/
ls: cannot access '/downloads/': Permission denied

Switch to a terminal and login as ubuntu, using the same password that the ubuntu user has on the samba share:

15-89 login: ubuntu
Password:
Last login: Tue Apr 25 17:34:30 UTC 2017 from 10.0.5.1 on pts/1
Welcome to Ubuntu 16.10 (GNU/Linux 4.8.0-49-generic x86_64)
(...)

Verify we have a cifs logon key in the kernel keyring:
ubuntu@15-89:~$ keyctl show
Session Keyring
 595619243 --alswrv 1000 1000 keyring: _ses
 525246747 --alswrv 1000 65534 \_ keyring: _uid.1000
 470618469 ----sw-v 0 0 \_ logon: cifs:a:10.10.222.255

And we can see the /downloads share now:
ubuntu@15-89:~$ ls -lah /downloads/
total 405M
dr-xr-xr-x 1 root root 0 Apr 20 20:23 .
drwxr-xr-x 25 root root 4.0K Apr 25 17:33 ..
drwxr-xr-x 1 1026 users 0 Aug 14 2016 humblebundle
drwxr-xr-x 1 1026 users 0 Aug 18 2016 isos
-rw-r--r-- 1 1026 users 254M Sep 9 2014 KSP_demo_linux.zip
(...)

Meanwhile, /var/log/syslog has this to say:
Apr 25 17:34:46 15-89 login[1237]: pam_cifscreds(login:auth): password stored
Apr 25 17:34:46 15-89 login[1237]: pam_keyinit(login:session): OPEN 1
Apr 25 17:34:46 15-89 login[1237]: pam_keyinit(login:session): UID:1000 [0] GID:1000 [0]
Apr 25 17:34:46 15-89 login[1237]: pam_keyinit(login:session): GET SESSION = 993549428
Apr 25 17:34:46 15-89 login[1237]: pam_keyinit(login:session): GET SESSION = 993549428
Apr 25 17:34:46 15-89 login[1237]: pam_keyinit(login:session): JOIN = 595619243

And /var/log/auth.log:
Apr 25 17:34:46 15-89 login[1237]: pam_cifscreds(login:session): credential key for \\10.10.222.255\ubuntu added
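
The `keyctl show` step above can be automated when repeating this verification. The following is an added example, not part of the original comment: it parses `keyctl show` output for cifs logon keys, assuming the `cifs:a:<address>` / `cifs:d:<domain>` key description format used by cifs-utils. The function names are illustrative, and the embedded sample is the keyring listing shown above.

```shell
#!/bin/sh
# Added example (not from the original comment): confirm that pam_cifscreds
# left a CIFS credential key in the session keyring after login.

# Sample input: the `keyctl show` listing from the verification above.
sample_keyctl_output() {
    cat <<'EOF'
Session Keyring
 595619243 --alswrv 1000 1000 keyring: _ses
 525246747 --alswrv 1000 65534 \_ keyring: _uid.1000
 470618469 ----sw-v 0 0 \_ logon: cifs:a:10.10.222.255
EOF
}

# Read `keyctl show` output on stdin and print one line per CIFS key:
#   <serial> <address|domain> <target>
# Only keys of type "logon" are considered; a "user" key with a cifs:
# description is not what pam_cifscreds/cifscreds creates and is skipped.
list_cifs_keys() {
    awk '
    {
        # Tree markers such as "\_" shift the columns, so search for the
        # type field instead of relying on a fixed position.
        for (i = 1; i < NF; i++) {
            if ($i == "logon:" && $(i + 1) ~ /^cifs:[ad]:./) {
                kind = (substr($(i + 1), 6, 1) == "a") ? "address" : "domain"
                # Everything after "cifs:X:" is the target (keeps IPv6 intact).
                print $1, kind, substr($(i + 1), 8)
            }
        }
    }'
}

# Exit 0 if stdin (keyctl show output) holds a CIFS key for target $1.
has_cifs_key_for() {
    list_cifs_keys | awk -v want="$1" '$3 == want { found = 1 } END { exit !found }'
}

# Demo on the sample; on a real system use: keyctl show | list_cifs_keys
sample_keyctl_output | list_cifs_keys
if sample_keyctl_output | has_cifs_key_for 10.10.222.255; then
    echo "cifs logon key present for 10.10.222.255"
fi
```
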