Kerberos and Samba client tools

Steve French smfrench at gmail.com
Wed May 22 14:52:16 UTC 2019


I was noticing that the username and/or password seems to be ignored
in different (and possibly confusing to users) ways on various client
tools (smbcacls and smbclient for example) when you specify -k (for
Kerberos authentication).

For example if you do:

kinit gooduser
then
a) smbclient //server/share -k      (works)
b) smbclient //server/share -k -U gooduser (works)
c) smbclient //server/share -k -U gooduser%password (fails with
"Preauthentication failed", ignores the -k for Kerberos presumably and
tries to authenticate)
d) smbclient //server/share -k -U baduser (surprisingly works - probably bug)
e) smbclient //server/share -k -U baduser%password (fails with "client
not found in Kerberos database" - this is probably confusing given
that the example without the password worked)

And to make it more confusing smbcacls behavior is different:
a) smbcacls //server/share file -k
b) smbcacls //server/share file -k -U baduser
c) smbcacls //server/share file -k -U baduser%password

All work (unlike the equivalent cases in smbclient)

We probably need to figure out what behavior is expected - probably that either
1) warn if you specify -U and -k together (since smbcacls ignores it apparently)
or
2) actually use the -U when -k is specified to look for that specific
user in the Kerberos credential cache, and if not found to prompt the
user for the Kerberos password so we can authenticate (kinit or
equivalent) to Active Directory

-- 
Thanks,

Steve
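
Added example (not part of the original message and not Samba code): a shell pre-flight check in the spirit of option 1 above, comparing the -U user with the principal in the credential cache before a tool is run with -k. The function names, the EXAMPLE.COM realm and the sample klist output are constructed for illustration.

```shell
#!/bin/sh
# Hypothetical helpers, not part of Samba.

# Print the ccache principal from `klist` output on stdin.
# Handles the MIT ("Default principal:") and Heimdal ("Principal:") headers.
ccache_principal() {
    sed -n -e 's/^[[:space:]]*Default principal:[[:space:]]*//p' \
           -e 's/^[[:space:]]*Principal:[[:space:]]*//p' | head -n 1
}

# Reduce a -U argument (user, user%password, DOMAIN\user, user@REALM)
# to the bare user name.
bare_user() {
    u=${1%%"%"*}     # drop %password
    u=${u##*\\}      # drop DOMAIN\ prefix
    u=${u%%@*}       # drop @REALM
    printf '%s\n' "$u"
}

# Reads `klist` output on stdin; $1 is the value that would be passed to -U.
# Returns 0 on match, 1 on mismatch, 2 if no principal was found (no ticket).
# Assumption: user names are compared exactly (case-sensitive).
check_user_vs_ccache() {
    requested=$(bare_user "$1")
    principal=$(ccache_principal)
    if [ -z "$principal" ]; then
        echo "no Kerberos ticket found; run kinit first" >&2
        return 2
    fi
    if [ "$requested" = "${principal%%@*}" ]; then
        return 0
    fi
    echo "warning: -U $requested given, but -k will use the ticket of $principal" >&2
    return 1
}

# Constructed sample of MIT klist output (not captured from a real system).
SAMPLE_KLIST='Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: gooduser@EXAMPLE.COM

Valid starting       Expires              Service principal
05/22/2019 14:00:00  05/23/2019 00:00:00  krbtgt/EXAMPLE.COM@EXAMPLE.COM'

# Demo on the sample: case (d) above, -U baduser with gooduser's ticket.
printf '%s\n' "$SAMPLE_KLIST" | check_user_vs_ccache baduser || true
```

On a real system the input would come from klist itself, for example: klist | check_user_vs_ccache baduser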


