Forcing Kerberos in client tools works inconsistently
Andrew Bartlett
abartlet at samba.org
Thu Oct 11 20:45:53 UTC 2018
On Thu, 2018-10-11 at 10:26 -0700, Jeremy Allison via samba-technical
wrote:
> On Wed, Oct 10, 2018 at 09:27:33PM -0500, Steve French via samba-technical wrote:
> > Noticed that I can do "smbclient -k //server/share -U username" to a
> > server which only supports Kerberos and I see in the wireshark trace,
> > as expected, the client negotiating spnego properly - but other tools
> > such as smbcacls e.g. "smbcacls -k //server/share "" -U username" ignore
> > the "-k" and wireshark shows that they are still doing NTLMv2/NTLMSSP.
> >
> > As an experiment I tried setting "ntlm auth = disabled" in smb.conf
> > (it didn't change anything).
> >
> > Ideas?
> >
> > Presumably just a bug in smbcacls, but wasn't obvious when I looked.
> >
> > I thought it was in common code ... so seemed weird to me:
> >
> > source3/lib/popt_common.c: { "kerberos", 'k', POPT_ARG_NONE, NULL, 'k',
>
> That's strange. Can you log a bug with an easy reproducer?

It needs to be reworked like smbclient was to use
cli_full_credentials_creds() not cli_full_credentials().

Andrew Bartlett
--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba
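
Added example, not part of the original thread and not Samba code: a check for what the Wireshark trace in the report shows, listing the mechanisms a client offers in the SPNEGO security blob of its Session Setup request. The function names are hypothetical, the two sample blobs are constructed, and it assumes a client that honours "-k" offers only Kerberos mechanisms.

```python
# Added example (hypothetical helper names); SAMPLE_* blobs are constructed, not captured.
SPNEGO = bytes.fromhex("2b0601050502")                  # 1.3.6.1.5.5.2
NAMES = {
    bytes.fromhex("2a864886f712010202"): "kerberos",    # 1.2.840.113554.1.2.2
    bytes.fromhex("2a864882f712010202"): "kerberos",    # 1.2.840.48018.1.2.2 (MS)
    bytes.fromhex("2b06010401823702020a"): "ntlmssp",   # 1.3.6.1.4.1.311.2.2.10
}
SAMPLE_KRB = bytes.fromhex("602606062b0601050502a01c301aa018301606092a864882f71201020206092a864886f712010202")
SAMPLE_NTLM = bytes.fromhex("601c06062b0601050502a0123010a00e300c060a2b06010401823702020a")

def read_tlv(buf, pos):  # -> (tag, value, next_pos) of the DER element at pos
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: low bits count the length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def expect(buf, pos, want_tag):
    tag, value, nxt = read_tlv(buf, pos)
    if tag != want_tag:
        raise ValueError(f"expected tag {want_tag:#x}, got {tag:#x}")
    return value, nxt

def offered_mechs(blob):  # mechanism names in client preference order
    if blob.startswith(b"NTLMSSP\x00"):
        return ["ntlmssp"]                 # raw NTLMSSP, no SPNEGO wrapper
    token, _ = expect(blob, 0, 0x60)       # GSS-API InitialContextToken
    oid, pos = expect(token, 0, 0x06)
    if oid != SPNEGO:
        raise ValueError("not a SPNEGO token")
    init, _ = expect(token, pos, 0xA0)     # [0] NegTokenInit
    seq, _ = expect(init, 0, 0x30)
    mech_types, _ = expect(seq, 0, 0xA0)   # [0] mechTypes
    mech_list, _ = expect(mech_types, 0, 0x30)
    mechs, pos = [], 0
    while pos < len(mech_list):
        oid, pos = expect(mech_list, pos, 0x06)
        mechs.append(NAMES.get(oid, oid.hex()))   # unknown OIDs are reported as hex
    return mechs

def kerberos_only(blob):
    return set(offered_mechs(blob)) == {"kerberos"}
```

Run against the security blob exported from a capture, `kerberos_only()` returning False for a tool invoked with "-k" is the symptom described in the report.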