Fixing "-k" in S4 smbtorture.

Andrew Bartlett abartlet at samba.org
Thu May 20 16:37:38 MDT 2010


On Thu, 2010-05-20 at 10:59 -0700, Jeremy Allison wrote:
> I just had to spend 10 minutes with a Microsoft
> engineer tracking down why the smbtorture command line
> options :
> 
> smbtorture -k ncacn_ip_tcp:<name>[options] RPC-NETLOGON
> 
> just said :
> 
> Error parsing "-k ncacn_ip_tcp:<name>[options]".
> 
> Of course, it needed :
> 
> smbtorture -k yes ncacn_ip_tcp:<name>[options] RPC-NETLOGON
> 
> instead :-(. I had to look in the source code for this
> to find out what "Error parsing XXX" meant for the -k
> option. Why does the -k option need to be followed
> by a bool ? Is there any case where someone would
> use "-k no" ?

Yes - in a case where you could use Kerberos against that host, but
wanted to force an NTLM login. 

> Given that, I'd like to push the following patch.

Please don't for now. 

> Comments ?

The change from Samba3 historical behaviour was quite deliberate,
because the internal use of Kerberos in Samba4 is quite different from
that which I helped develop in Samba3.

The difference is that Samba4 will use Kerberos by default - if no -k is
specified, and it is practical to use Kerberos to the target host, then
a kinit is done internally. 

When I first worked on Kerberos in Samba3, Kerberos was something to be
feared - a solution that would only sometimes work, to be hidden behind
options to ensure it wasn't let out on the unsuspecting user.  In Samba4
I took the approach that it was a vast improvement to network security
and something to be embraced if at all possible. 

That is why there is the tri-state - to allow the expression that I
must, or must not use Kerberos, or that I allow the system to try and
fall back.  

Now I realise there is a challenge as we try to harmonise command line
behaviours, but please realise this isn't some overlooked bug, but a
quite deliberate choice.  I suspect we will need to change to long
options, with -k an alias for --must-use-kerberos, '-k no' being
replaced by --dont-use-kerberos and '-k yes' being replaced by
--must-use-kerberos.

Regarding the default, I strongly desire this to remain to try Kerberos
where possible. 

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Cisco Inc.
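
Added example, not part of the original message and not code from the Samba tree: a small C sketch of the tri-state described above (must, must not, or try Kerberos and fall back), including the parse failure when the binding string is consumed as the value of -k. All identifiers (krb_policy, policy_from_argv, select_mech) are hypothetical, only the "yes" and "no" values shown in the thread are accepted, and treating "must" as fail-closed is this example's reading of the message.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical names for illustration; not Samba's own identifiers. */
enum krb_policy { KRB_AUTO, KRB_MUST, KRB_MUST_NOT };
enum auth_mech  { AUTH_KERBEROS, AUTH_NTLM, AUTH_FAIL };

/* Scan argv for -k and its value. Returns 0 on success, -1 on a parse
 * error. With no -k the policy stays KRB_AUTO (try Kerberos, fall back). */
int policy_from_argv(int argc, const char **argv, enum krb_policy *out)
{
    *out = KRB_AUTO;
    for (int i = 1; i < argc; i++) {
        if (strcmp(argv[i], "-k") != 0)
            continue;
        const char *val = (i + 1 < argc) ? argv[i + 1] : "";
        if (strcmp(val, "yes") == 0) {
            *out = KRB_MUST;
        } else if (strcmp(val, "no") == 0) {
            *out = KRB_MUST_NOT;
        } else {
            /* Name the expected values, unlike the bare "Error parsing". */
            fprintf(stderr, "-k expects 'yes' or 'no', got \"%s\"\n", val);
            return -1;
        }
        i++; /* skip the consumed value */
    }
    return 0;
}

/* krb_practical: nonzero if Kerberos to the target host is usable.
 * KRB_MUST fails closed: it never downgrades silently to NTLM. */
enum auth_mech select_mech(enum krb_policy p, int krb_practical)
{
    if (p == KRB_MUST_NOT)
        return AUTH_NTLM;
    if (krb_practical)
        return AUTH_KERBEROS;
    return (p == KRB_MUST) ? AUTH_FAIL : AUTH_NTLM;
}

int main(void)
{
    /* Constructed command line reproducing the failing invocation. */
    const char *bad[] = { "smbtorture", "-k", "ncacn_ip_tcp:<name>[options]", "RPC-NETLOGON" };
    enum krb_policy p;
    int rc = policy_from_argv(4, bad, &p);
    printf("rc=%d\n", rc);
    return 0;
}
```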
