Kerberos and Samba client tools
Andreas Schneider
asn at samba.org
Thu May 23 05:42:57 UTC 2019
On Wednesday, 22 May 2019 16:52:16 CEST Steve French via samba-technical
wrote:
> I was noticing that the username and/or password seems to be ignored
> in different (and possibly confusing to users) ways on various client
> tools (smbcacls and smbclient for example) when you specify -k (for
> Kerberos authentication).
Hi Steve!
> We probably need to figure out what behavior is expected - probably that
> either 1) warn if you specify -U and -k together (since smbcacls ignores it
> apparently) or
> 2) actually use the -U when -k is specified to look for that specific
> user in the kerberos credential cache, and if not found to prompt the
> user for the kerberos password so we can authenticate (kinit or
> equivalent) to Active Directory
this is a known issue and is also an issue with FIPS support I'm working on. I
will rewrite the code to offer a new option.
--use-kerberos=auto|yes|no
Auto will be the default which means we try kerberos by default and fallback
to NTLM. YES means there will be no fallback and no means use NTLM.
-k will mostly be working as before to not break any scripts.
So I have a lot of work ahead and hope that makes sense.
Best regards,
Andreas
More information about the samba-technical
mailing list