Forcing Kerberos in client tools works inconsistently

Jeremy Allison jra at samba.org
Thu Oct 11 23:44:32 UTC 2018


On Fri, Oct 12, 2018 at 09:45:53AM +1300, Andrew Bartlett wrote:
> On Thu, 2018-10-11 at 10:26 -0700, Jeremy Allison via samba-technical
> wrote:
> > On Wed, Oct 10, 2018 at 09:27:33PM -0500, Steve French via samba-technical wrote:
> > > Noticed that I can do "smbclient -k //server/share -U username" to a
> > > server which only supports Kerberos and I see in the wireshark trace,
> > > as expected, the client negotiating spnego properly - but other tools
> > > such as smbcacls e.g. "smbcacls -k //server/share "" -U username" ignore
> > > the "-k" and wireshark shows that they are still doing NTLMv2/NTLMSSP
> > > 
> > > As an experiment I tried setting "ntlm auth = disabled" in smb.conf
> > > (it didn't change anything).
> > > 
> > > Ideas?
> > > 
> > > Presumably just a bug in smbcacls, but wasn't obvious when I looked.
> > > 
> > > I thought it was in common code ... so seemed weird to me:
> > > 
> > > source3/lib/popt_common.c:      { "kerberos", 'k', POPT_ARG_NONE, NULL, 'k',
> > 
> > That's strange. Can you log a bug with an easy reproducer ?
> 
> It needs to be reworked like smbclient was to use
> cli_full_credentials_creds() not cli_full_credentials().

That doesn't look quite right. s3 smbclient uses:

cli_cm_open() -> cli_cm_connect() -> do_connect() ->

which then goes into the stack of requests:

cli_connect_nb()
smbXcli_negprot()
get_cmdline_auth_info_creds()
cli_session_setup_creds()
smbXcli_conn_dfs_supported()
cli_tree_connect_creds()

which comes out with an SMB1/2/3 tcon connection
to use.

smbcacls uses:

get_cmdline_auth_info_use_kerberos()
cli_full_connection()
	cli_session_creds_init()
	cli_full_connection_creds()

which uses a slightly different stack.

cli_full_connection_creds() ->
	cli_connect_nb_send/recv() ->
		smbXcli_negprot_send()/recv ->
			etc..

It'd still be worth having a bug report
so we can track down the differences here.

Jeremy.
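
A check for the symptom discussed in this thread (a tool sending NTLMSSP where Kerberos was requested), as an added example that is not part of the original message or of Samba's code: it takes the security blob from a client's first SMB Session Setup request, as copied out of a capture, and reports which mechanism the client lists first in its SPNEGO negTokenInit. The function names and the sample-offer builder are constructed for illustration; the first listed mechanism is the client's preference, not proof of what the server finally accepted.

```python
# Added example (not Samba code): classify the first mechanism in an SPNEGO offer.
SPNEGO_OID = bytes.fromhex("2b0601050502")            # 1.3.6.1.5.5.2
KRB5 = bytes.fromhex("2a864886f712010202")            # 1.2.840.113554.1.2.2
MS_KRB5 = bytes.fromhex("2a864882f712010202")         # 1.2.840.48018.1.2.2
NTLMSSP_OID = bytes.fromhex("2b06010401823702020a")   # 1.3.6.1.4.1.311.2.2.10
MECHS = {KRB5: "kerberos", MS_KRB5: "kerberos", NTLMSSP_OID: "ntlmssp"}

def tlv(buf, pos=0):
    """Read one DER TLV at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                     # long form: low 7 bits count length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated TLV")
    return tag, buf[pos:pos + length], pos + length

def preferred_mech(blob):
    """Return 'kerberos', 'ntlmssp' or 'unknown' for a client security blob."""
    if blob.startswith(b"NTLMSSP\x00"):   # raw NTLMSSP without an SPNEGO wrapper
        return "ntlmssp"
    try:
        tag, gss, _ = tlv(blob)           # 0x60: GSS-API InitialContextToken
        oid_tag, oid, pos = tlv(gss)
        if tag != 0x60 or oid_tag != 0x06 or oid != SPNEGO_OID:
            return "unknown"
        value = gss[pos:]
        # [0] negTokenInit, SEQUENCE, [0] mechTypes, SEQUENCE OF, first OID
        for want in (0xA0, 0x30, 0xA0, 0x30, 0x06):
            tag, value, _ = tlv(value)
            if tag != want:
                return "unknown"
    except (IndexError, ValueError):      # truncated or malformed blob
        return "unknown"
    return MECHS.get(value, "unknown")    # first OID is the preferred mechanism

def der(tag, value):
    """Encode one DER TLV; used only to build the constructed samples."""
    n = len(value)
    head = bytes([n]) if n < 0x80 else bytes([0x81, n])
    return bytes([tag]) + head + value

def sample_offer(mech_oids):
    """Build a constructed negTokenInit that offers mech_oids in order."""
    mech_list = der(0x30, b"".join(der(0x06, o) for o in mech_oids))
    init = der(0xA0, der(0x30, der(0xA0, mech_list)))
    return der(0x60, der(0x06, SPNEGO_OID) + init)
```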


