Forcing Kerberos in client tools works inconsistently

Jeremy Allison jra at
Thu Oct 11 17:26:32 UTC 2018

On Wed, Oct 10, 2018 at 09:27:33PM -0500, Steve French via samba-technical wrote:
> Noticed that I can do "smbclient -k //server/share -U username" to a
> server which only supports Kerberos and I see in the wireshark trace,
> as expected, the client negotiating spnego properly - but other tools
> such as smbacls e.g. "smbacls -k //server/share "" -U username" ignore
> the "-k" and wireshark shows that they are still doing NTLMv2/NTLMSSP
> As an experiment I tried setting "ntlm auth = disabled" in smb.conf
> (it didn't change anything).
> Ideas?
> Presumably just a bug in smbcacls, but wasn't obvious when I looked.
> I thought it was in common code ... so seemed weird to me:
> source3/lib/popt_common.c:      { "kerberos", 'k', POPT_ARG_NONE, NULL, 'k',

That's strange. Can you log a bug with an easy reproducer ?

More information about the samba-technical mailing list