Forcing Kerberos in client tools works inconsistently
Jeremy Allison
jra at samba.org
Thu Oct 11 23:44:32 UTC 2018
On Fri, Oct 12, 2018 at 09:45:53AM +1300, Andrew Bartlett wrote:
> On Thu, 2018-10-11 at 10:26 -0700, Jeremy Allison via samba-technical
> wrote:
> > On Wed, Oct 10, 2018 at 09:27:33PM -0500, Steve French via samba-technical wrote:
> > > Noticed that I can do "smbclient -k //server/share -U username" to a
> > > server which only supports Kerberos and I see in the wireshark trace,
> > > as expected, the client negotiating spnego properly - but other tools
> > > such as smbcacls e.g. "smbcacls -k //server/share "" -U username" ignore
> > > the "-k" and wireshark shows that they are still doing NTLMv2/NTLMSSP
> > >
> > > As an experiment I tried setting "ntlm auth = disabled" in smb.conf
> > > (it didn't change anything).
> > >
> > > Ideas?
> > >
> > > Presumably just a bug in smbcacls, but wasn't obvious when I looked.
> > >
> > > I thought it was in common code ... so seemed weird to me:
> > >
> > > source3/lib/popt_common.c: { "kerberos", 'k', POPT_ARG_NONE, NULL, 'k',
> >
> > That's strange. Can you log a bug with an easy reproducer?
>
> It needs to be reworked like smbclient was to use
> cli_full_credentials_creds() not cli_full_credentials().

That doesn't look quite right. s3 smbclient uses:

cli_cm_open() -> cli_cm_connect() -> do_connect() ->

which then goes into the stack of requests:

    cli_connect_nb()
    smbXcli_negprot()
    get_cmdline_auth_info_creds()
    cli_session_setup_creds()
    smbXcli_conn_dfs_supported()
    cli_tree_connect_creds()

which comes out with an SMB1/2/3 tcon connection
to use.

smbcacls uses:

    get_cmdline_auth_info_use_kerberos()
    cli_full_connection()
    cli_session_creds_init()
    cli_full_connection_creds()

which uses a slightly different stack.

    cli_full_connection_creds() ->
    cli_connect_nb_send/recv() ->
    smbXcli_negprot_send()/recv ->
    etc..

It'd still be worth having a bug report
so we can track down the differences here.

Jeremy.