From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from firstgate.proxmox.com (firstgate.proxmox.com [212.224.123.68]) by lore.proxmox.com (Postfix) with ESMTPS id 7EE7A1FF139 for ; Mon, 12 Jan 2026 11:38:14 +0100 (CET) Received: from firstgate.proxmox.com (localhost [127.0.0.1]) by firstgate.proxmox.com (Proxmox) with ESMTP id 5CE121ABEE; Mon, 12 Jan 2026 11:38:14 +0100 (CET) Message-ID: <6d90778f-1f02-4940-a217-260b945ea2d9@proxmox.com> Date: Mon, 12 Jan 2026 11:38:09 +0100 MIME-Version: 1.0 User-Agent: Mozilla Thunderbird To: pve-devel@lists.proxmox.com References: <20251218093243.1267-1-h.laimer@proxmox.com> Content-Language: en-US From: Hannes Laimer In-Reply-To: <20251218093243.1267-1-h.laimer@proxmox.com> X-Bm-Milter-Handled: 55990f41-d878-4baa-be0a-ee34c49e34d2 X-Bm-Transport-Timestamp: 1768214246618 X-SPAM-LEVEL: Spam detection results: 0 AWL 0.056 Adjusted score from AWL reputation of From: address BAYES_00 -1.9 Bayes spam probability is 0 to 1% DMARC_MISSING 0.1 Missing DMARC policy KAM_DMARC_STATUS 0.01 Test Rule for DKIM or SPF Failure with Strict Alignment RCVD_IN_VALIDITY_CERTIFIED_BLOCKED 0.001 ADMINISTRATOR NOTICE: The query to Validity was blocked. See https://knowledge.validity.com/hc/en-us/articles/20961730681243 for more information. RCVD_IN_VALIDITY_RPBL_BLOCKED 0.001 ADMINISTRATOR NOTICE: The query to Validity was blocked. See https://knowledge.validity.com/hc/en-us/articles/20961730681243 for more information. RCVD_IN_VALIDITY_SAFE_BLOCKED 0.001 ADMINISTRATOR NOTICE: The query to Validity was blocked. See https://knowledge.validity.com/hc/en-us/articles/20961730681243 for more information. SPF_HELO_NONE 0.001 SPF: HELO does not publish an SPF Record SPF_PASS -0.001 SPF: sender matches SPF record Subject: Re: [pve-devel] [PATCH pve-storage v2] cifs: use smbclient --use-kerberos for sec=krb5 X-BeenThere: pve-devel@lists.proxmox.com X-Mailman-Version: 2.1.29 Precedence: list List-Id: Proxmox VE development discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Reply-To: Proxmox VE development discussion Content-Transfer-Encoding: 7bit Content-Type: text/plain; charset="us-ascii"; Format="flowed" Errors-To: pve-devel-bounces@lists.proxmox.com Sender: "pve-devel" ping, this was also tested by the user who reported the problem in support and it did fix the problem other than this, there is no workaround for the problem with kerberos authenticated smb shares (downgrading to the smb version shipped with debian bookworm aside, cause that's both a PITA and I could not get that to work properly either) On 12/18/25 10:33, Hannes Laimer wrote: > With smbclient 4.22 (shipped with Debian trixie) `-U Guest -N` does > not fall back to `no username` anymore, so our connection check can > fail for Kerberos-authenticated shares. smbclient 4.17 (shipped with > Debian bookworm) did fall back to an anonymous session, which then > succeeded when Kerberos was used. > > Passing `-U` is never correct for Kerberos. Detect Kerberos via > `sec=krb5...` in the CIFS options and, in that case, avoid adding > guest/username/domain mount options and run: > > smbclient --use-kerberos=required > > instead of `-U Guest -N`. > > The most recent smbclient changes to the fallback-to-no-user behavior > I could find are from 2016. The handling of `-U` also does not appear > to have changed between these versions, and a default SMB protocol > version change does not seem to be involved either (last one I could > find was from 2019). I did not find a conclusive answer for why this > stopped working, but since we should not use `-U Guest` with Kerberos > at all, this change makes sense regardless. > > https://gitlab.com/samba-team/samba/-/commit/35051a860c75bc119e0ac7755bd69a9ea06695a1 > https://gitlab.com/samba-team/samba/-/commit/3264b1f317d6c603cc72eb2a150fe244c47aa3ac > > Signed-off-by: Hannes Laimer > --- > v2: > - fix bug in v1, `-o` was added before checking if kbr, and since when > kbr we didn't add any option this lead to an invalid mount command > - improve commit message > > src/PVE/Storage/CIFSPlugin.pm | 26 +++++++++++++++++++++----- > 1 file changed, 21 insertions(+), 5 deletions(-) > > diff --git a/src/PVE/Storage/CIFSPlugin.pm b/src/PVE/Storage/CIFSPlugin.pm > index 5b35daf..54f0f4e 100644 > --- a/src/PVE/Storage/CIFSPlugin.pm > +++ b/src/PVE/Storage/CIFSPlugin.pm > @@ -66,6 +66,17 @@ sub get_cred_file { > return undef; > } > > +sub cifs_uses_kerberos : prototype($) { > + my ($scfg) = @_; > + > + my $options = $scfg->{options}; > + return 0 if !defined($options) || $options eq ''; > + > + $options =~ s/\s+//g; > + > + return $options =~ m/(?:^|,)sec=krb5(?:i|p)?(?:,|$)/i; > +} > + > sub cifs_mount : prototype($$$$$) { > my ($scfg, $storeid, $smbver, $user, $domain) = @_; > > @@ -75,13 +86,16 @@ sub cifs_mount : prototype($$$$$) { > $server = "[$server]" if Net::IP::ip_is_ipv6($server); > my $source = "//${server}/$share$subdir"; > > - my $cmd = ['/bin/mount', '-t', 'cifs', $source, $mountpoint, '-o', 'soft', '-o']; > + my $cmd = ['/bin/mount', '-t', 'cifs', $source, $mountpoint, '-o', 'soft']; > > - if (my $cred_file = get_cred_file($storeid)) { > - push @$cmd, "username=$user", '-o', "credentials=$cred_file"; > + if (cifs_uses_kerberos($scfg)) { > + # no options needed for kerberos, adding username= or domain= would only be informal > + # adding the if-branch here to have it explicit, and not just by not adding guest > + } elsif (my $cred_file = get_cred_file($storeid)) { > + push @$cmd, '-o', "username=$user", '-o', "credentials=$cred_file"; > push @$cmd, '-o', "domain=$domain" if defined($domain); > } else { > - push @$cmd, 'guest,username=guest'; > + push @$cmd, '-o', 'guest,username=guest'; > } > > push @$cmd, '-o', defined($smbver) ? "vers=$smbver" : "vers=default"; > @@ -280,7 +294,9 @@ sub check_connection { > push @$cmd, '-m', "smb" . int($scfg->{smbversion}); > } > > - if (my $cred_file = get_cred_file($storeid)) { > + if (cifs_uses_kerberos($scfg)) { > + push @$cmd, '--use-kerberos=required'; > + } elsif (my $cred_file = get_cred_file($storeid)) { > push @$cmd, '-U', $scfg->{username}, '-A', $cred_file; > push @$cmd, '-W', $scfg->{domain} if $scfg->{domain}; > } else { _______________________________________________ pve-devel mailing list pve-devel@lists.proxmox.com https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel