* [pve-devel] [PATCH pve-storage v2] cifs: use smbclient --use-kerberos for sec=krb5
@ 2025-12-18 9:32 Hannes Laimer
From: Hannes Laimer @ 2025-12-18 9:32 UTC (permalink / raw)
To: pve-devel
With smbclient 4.22 (shipped with Debian trixie) `-U Guest -N` does
not fall back to `no username` anymore, so our connection check can
fail for Kerberos-authenticated shares. smbclient 4.17 (shipped with
Debian bookworm) did fall back to an anonymous session, which then
succeeded when Kerberos was used.
Passing `-U` is never correct for Kerberos. Detect Kerberos via
`sec=krb5...` in the CIFS options and, in that case, avoid adding
guest/username/domain mount options and run:
smbclient --use-kerberos=required
instead of `-U Guest -N`.
The most recent smbclient changes to the fallback-to-no-user behavior
I could find are from 2016. The handling of `-U` also does not appear
to have changed between these versions, and a default SMB protocol
version change does not seem to be involved either (last one I could
find was from 2019). I did not find a conclusive answer for why this
stopped working, but since we should not use `-U Guest` with Kerberos
at all, this change makes sense regardless.
https://gitlab.com/samba-team/samba/-/commit/35051a860c75bc119e0ac7755bd69a9ea06695a1
https://gitlab.com/samba-team/samba/-/commit/3264b1f317d6c603cc72eb2a150fe244c47aa3ac
Signed-off-by: Hannes Laimer <h.laimer@proxmox.com>
---
v2:
- fix bug in v1: `-o` was added before checking if krb, and since when
krb we didn't add any option, this led to an invalid mount command
- improve commit message
src/PVE/Storage/CIFSPlugin.pm | 26 +++++++++++++++++++++-----
1 file changed, 21 insertions(+), 5 deletions(-)
diff --git a/src/PVE/Storage/CIFSPlugin.pm b/src/PVE/Storage/CIFSPlugin.pm
index 5b35daf..54f0f4e 100644
--- a/src/PVE/Storage/CIFSPlugin.pm
+++ b/src/PVE/Storage/CIFSPlugin.pm
@@ -66,6 +66,17 @@ sub get_cred_file {
return undef;
}
+sub cifs_uses_kerberos : prototype($) {
+ my ($scfg) = @_;
+
+ my $options = $scfg->{options};
+ return 0 if !defined($options) || $options eq '';
+
+ $options =~ s/\s+//g;
+
+ return $options =~ m/(?:^|,)sec=krb5(?:i|p)?(?:,|$)/i;
+}
+
sub cifs_mount : prototype($$$$$) {
my ($scfg, $storeid, $smbver, $user, $domain) = @_;
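Review bot: the `/i` flag on the `sec=krb5` match in `cifs_uses_kerberos` accepts `SEC=KRB5` as well, while the kernel's cifs option parser matches `sec=` values case-sensitively as far as I know, so an upper-case spelling would be routed to the Kerberos branch yet still fail at mount time. Matching case-sensitively keeps the detection in step with what mount.cifs will accept; if the `/i` is deliberate, a comment above the regex should say why. A one-line comment stating that the pattern covers `krb5`, `krb5i` and `krb5p` as whole options (after the whitespace strip) would also save the next reader from decoding `(?:^|,)sec=krb5(?:i|p)?(?:,|$)`.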
@@ -75,13 +86,16 @@ sub cifs_mount : prototype($$$$$) {
$server = "[$server]" if Net::IP::ip_is_ipv6($server);
my $source = "//${server}/$share$subdir";
- my $cmd = ['/bin/mount', '-t', 'cifs', $source, $mountpoint, '-o', 'soft', '-o'];
+ my $cmd = ['/bin/mount', '-t', 'cifs', $source, $mountpoint, '-o', 'soft'];
- if (my $cred_file = get_cred_file($storeid)) {
- push @$cmd, "username=$user", '-o', "credentials=$cred_file";
+ if (cifs_uses_kerberos($scfg)) {
+ # no options needed for kerberos, adding username= or domain= would only be informal
+ # adding the if-branch here to have it explicit, and not just by not adding guest
+ } elsif (my $cred_file = get_cred_file($storeid)) {
+ push @$cmd, '-o', "username=$user", '-o', "credentials=$cred_file";
push @$cmd, '-o', "domain=$domain" if defined($domain);
} else {
- push @$cmd, 'guest,username=guest';
+ push @$cmd, '-o', 'guest,username=guest';
}
push @$cmd, '-o', defined($smbver) ? "vers=$smbver" : "vers=default";
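Review bot: the empty Kerberos branch in `cifs_mount` carries its meaning only in the comment, and "would only be informal" reads like a typo for "informational"; reword the two comment lines into one unambiguous statement, e.g. `# Kerberos: authentication is selected by sec=krb5 in the options; no guest/username/domain option is added`, and drop the second line, since the `if`/`elsif`/`else` structure already makes the branch explicit. Moving the `-o` from the initial command array into each branch (`'-o', "username=$user"` and `'-o', 'guest,username=guest'`) is the right fix for the dangling `-o` from v1; it would be worth stating in the commit message that `$user` and `$domain` are intentionally unused on the Kerberos path.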
@@ -280,7 +294,9 @@ sub check_connection {
push @$cmd, '-m', "smb" . int($scfg->{smbversion});
}
- if (my $cred_file = get_cred_file($storeid)) {
+ if (cifs_uses_kerberos($scfg)) {
+ push @$cmd, '--use-kerberos=required';
+ } elsif (my $cred_file = get_cred_file($storeid)) {
push @$cmd, '-U', $scfg->{username}, '-A', $cred_file;
push @$cmd, '-W', $scfg->{domain} if $scfg->{domain};
} else {
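Review bot: `--use-kerberos=required` makes the connection check hard-fail whenever smbclient finds no usable Kerberos credential cache, whereas the mount path in the previous hunk adds nothing and leaves authentication to the kernel; the commit message should say which credential cache the check is expected to use so that a failing check is diagnosable. Also worth a line that `--use-kerberos` replaced the older `-k` switch in Samba 4.15, so both the bookworm (4.17) and trixie (4.22) builds named in the commit message accept it.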
--
2.47.3
_______________________________________________
pve-devel mailing list
pve-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
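The branching the patch introduces, and the v1 ordering bug its changelog describes, can be checked without a CIFS server. The following is an added Python model written for this page, not the project's Perl code: it reimplements the `sec=krb5` detection with the same pattern, builds the mount and smbclient argument lists for the Kerberos, credential-file and guest cases, and verifies the invariants the commit message asks for (no `-U` with Kerberos, no guest/username/domain mount option, and every `-o` paired with a value). The `v1=True` switch reproduces the dangling `-o` from v1. The smbclient `else` branch is not in the diff; it is modelled after the commit message's `-U Guest -N`, and all paths, share names and config values are constructed.

```python
import re

# Constructed model (not the project's Perl) of the branching in the v2 patch.
# Same pattern as the patch's cifs_uses_kerberos(): sec=krb5, krb5i or krb5p must be
# a whole comma-separated option; whitespace is stripped first, match is case-insensitive.
_KRB5_OPT = re.compile(r'(?:^|,)sec=krb5[ip]?(?:,|$)', re.IGNORECASE)


def cifs_uses_kerberos(scfg):
    """True when the storage's CIFS option string selects Kerberos authentication."""
    options = scfg.get('options')
    if not options:
        return False
    return _KRB5_OPT.search(re.sub(r'\s+', '', options)) is not None


def mount_cmd(scfg, source, mountpoint, cred_file=None, smbver=None,
              user=None, domain=None, v1=False):
    """Build the mount argv as cifs_mount does after the patch.

    v1=True reproduces the ordering bug the v2 changelog describes: a lone '-o'
    was pushed before the branch decided whether any option value would follow.
    """
    cmd = ['/bin/mount', '-t', 'cifs', source, mountpoint, '-o', 'soft']
    if v1:
        cmd.append('-o')
    lead = [] if v1 else ['-o']  # v2 pairs every option value with its own '-o'
    if cifs_uses_kerberos(scfg):
        pass  # Kerberos: no guest/username/domain option is added
    elif cred_file:
        cmd += lead + [f'username={user}', '-o', f'credentials={cred_file}']
        if domain is not None:
            cmd += ['-o', f'domain={domain}']
    else:
        cmd += lead + ['guest,username=guest']
    cmd += ['-o', f'vers={smbver}' if smbver else 'vers=default']
    return cmd


def mount_options(cmd):
    """Collect the -o option values; return None if any '-o' has no value (invalid argv)."""
    opts, i = [], 0
    while i < len(cmd):
        if cmd[i] == '-o':
            if i + 1 >= len(cmd) or cmd[i + 1].startswith('-'):
                return None
            opts.extend(cmd[i + 1].split(','))
            i += 2
        else:
            i += 1
    return opts


def check_connection_cmd(scfg, service, cred_file=None):
    """smbclient argv as check_connection builds it after the patch.

    The final else branch is not visible in the diff; the commit message says it
    used '-U Guest -N', so that is what is modelled here (assumption).
    """
    cmd = ['smbclient', service]
    if scfg.get('smbversion'):
        cmd += ['-m', 'smb%d' % int(float(scfg['smbversion']))]
    if cifs_uses_kerberos(scfg):
        cmd.append('--use-kerberos=required')
    elif cred_file:
        cmd += ['-U', scfg['username'], '-A', cred_file]
        if scfg.get('domain'):
            cmd += ['-W', scfg['domain']]
    else:
        cmd += ['-U', 'Guest', '-N']
    return cmd


def kerberos_safe(scfg, mount_argv, smb_argv):
    """Property the commit message asks for: a well-formed '-o' pairing always, and with
    Kerberos neither a '-U' for smbclient nor a guest/username=/domain= mount option."""
    opts = mount_options(mount_argv)
    if opts is None:
        return False
    if not cifs_uses_kerberos(scfg):
        return True
    bad_opt = any(o == 'guest' or o.startswith(('username=', 'domain=')) for o in opts)
    return not bad_opt and '-U' not in smb_argv


if __name__ == '__main__':
    krb = {'options': 'sec=krb5p, cache=loose', 'smbversion': '3.0'}  # constructed config
    print(mount_cmd(krb, '//fileserver.example/share', '/mnt/pve/krb'))
    print(mount_cmd(krb, '//fileserver.example/share', '/mnt/pve/krb', v1=True))
    print(check_connection_cmd(krb, '//fileserver.example/share'))
```

Running the block prints the v2 and v1 mount command lines side by side; in the v1 output the `-o` after `soft` is immediately followed by another `-o`, which is the invalid command the changelog refers to.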
* Re: [pve-devel] [PATCH pve-storage v2] cifs: use smbclient --use-kerberos for sec=krb5
@ 2026-01-12 10:38 ` Hannes Laimer
From: Hannes Laimer @ 2026-01-12 10:38 UTC (permalink / raw)
To: pve-devel
Ping, this was also tested by the user who reported the problem in
support, and it did fix the problem.

Other than this, there is no workaround for the problem with Kerberos-authenticated
SMB shares (downgrading to the SMB version shipped with Debian bookworm aside,
because that's both a PITA and I could not get that to work properly either).
On 12/18/25 10:33, Hannes Laimer wrote:
> With smbclient 4.22 (shipped with Debian trixie) `-U Guest -N` does
> not fall back to `no username` anymore, so our connection check can
> fail for Kerberos-authenticated shares. smbclient 4.17 (shipped with
> Debian bookworm) did fall back to an anonymous session, which then
> succeeded when Kerberos was used.
>
> Passing `-U` is never correct for Kerberos. Detect Kerberos via
> `sec=krb5...` in the CIFS options and, in that case, avoid adding
> guest/username/domain mount options and run:
>
> smbclient --use-kerberos=required
>
> instead of `-U Guest -N`.
>
> The most recent smbclient changes to the fallback-to-no-user behavior
> I could find are from 2016. The handling of `-U` also does not appear
> to have changed between these versions, and a default SMB protocol
> version change does not seem to be involved either (last one I could
> find was from 2019). I did not find a conclusive answer for why this
> stopped working, but since we should not use `-U Guest` with Kerberos
> at all, this change makes sense regardless.
>
> https://gitlab.com/samba-team/samba/-/commit/35051a860c75bc119e0ac7755bd69a9ea06695a1
> https://gitlab.com/samba-team/samba/-/commit/3264b1f317d6c603cc72eb2a150fe244c47aa3ac
>
> Signed-off-by: Hannes Laimer <h.laimer@proxmox.com>
> ---
> v2:
> - fix bug in v1: `-o` was added before checking if krb, and since when
> krb we didn't add any option, this led to an invalid mount command
> - improve commit message
>
> src/PVE/Storage/CIFSPlugin.pm | 26 +++++++++++++++++++++-----
> 1 file changed, 21 insertions(+), 5 deletions(-)
>
> diff --git a/src/PVE/Storage/CIFSPlugin.pm b/src/PVE/Storage/CIFSPlugin.pm
> index 5b35daf..54f0f4e 100644
> --- a/src/PVE/Storage/CIFSPlugin.pm
> +++ b/src/PVE/Storage/CIFSPlugin.pm
> @@ -66,6 +66,17 @@ sub get_cred_file {
> return undef;
> }
>
> +sub cifs_uses_kerberos : prototype($) {
> + my ($scfg) = @_;
> +
> + my $options = $scfg->{options};
> + return 0 if !defined($options) || $options eq '';
> +
> + $options =~ s/\s+//g;
> +
> + return $options =~ m/(?:^|,)sec=krb5(?:i|p)?(?:,|$)/i;
> +}
> +
> sub cifs_mount : prototype($$$$$) {
> my ($scfg, $storeid, $smbver, $user, $domain) = @_;
>
> @@ -75,13 +86,16 @@ sub cifs_mount : prototype($$$$$) {
> $server = "[$server]" if Net::IP::ip_is_ipv6($server);
> my $source = "//${server}/$share$subdir";
>
> - my $cmd = ['/bin/mount', '-t', 'cifs', $source, $mountpoint, '-o', 'soft', '-o'];
> + my $cmd = ['/bin/mount', '-t', 'cifs', $source, $mountpoint, '-o', 'soft'];
>
> - if (my $cred_file = get_cred_file($storeid)) {
> - push @$cmd, "username=$user", '-o', "credentials=$cred_file";
> + if (cifs_uses_kerberos($scfg)) {
> + # no options needed for kerberos, adding username= or domain= would only be informal
> + # adding the if-branch here to have it explicit, and not just by not adding guest
> + } elsif (my $cred_file = get_cred_file($storeid)) {
> + push @$cmd, '-o', "username=$user", '-o', "credentials=$cred_file";
> push @$cmd, '-o', "domain=$domain" if defined($domain);
> } else {
> - push @$cmd, 'guest,username=guest';
> + push @$cmd, '-o', 'guest,username=guest';
> }
>
> push @$cmd, '-o', defined($smbver) ? "vers=$smbver" : "vers=default";
> @@ -280,7 +294,9 @@ sub check_connection {
> push @$cmd, '-m', "smb" . int($scfg->{smbversion});
> }
>
> - if (my $cred_file = get_cred_file($storeid)) {
> + if (cifs_uses_kerberos($scfg)) {
> + push @$cmd, '--use-kerberos=required';
> + } elsif (my $cred_file = get_cred_file($storeid)) {
> push @$cmd, '-U', $scfg->{username}, '-A', $cred_file;
> push @$cmd, '-W', $scfg->{domain} if $scfg->{domain};
> } else {