Forcing Kerberos in client tools works inconsistently

Steve French smfrench at
Thu Oct 11 02:27:33 UTC 2018

Noticed that I can do "smbclient -k //server/share -U username" to a
server which only supports Kerberos and I see in the wireshark trace,
as expected, the client negotiating spnego properly - but other tools
such as smbacls e.g. "smbacls -k //server/share "" -U username" ignore
the "-k" and wireshark shows that they are still doing NTLMv2/NTLMSSP

As an experiment I tried setting "ntlm auth = disabled" in smb.conf
(it didn't change anything).


Presumably just a bug in smbcacls, but wasn't obvious when I looked.

I thought it was in common code ... so seemed weird to me:

source3/lib/popt_common.c:      { "kerberos", 'k', POPT_ARG_NONE, NULL, 'k',



More information about the samba-technical mailing list