Kerberos and Samba client tools

Steve French smfrench at gmail.com
Fri May 24 17:30:33 UTC 2019


A related question (to your "--user-kerberos=yes" (or auto)) is "which
ticket will it use" and "can you get a ticket on the fly by specifying
this with userid and password" and can you override which user's ticket
will be used in SMB3 session setup?

On Thu, May 23, 2019 at 12:42 AM Andreas Schneider <asn at samba.org> wrote:
>
> On Wednesday, 22 May 2019 16:52:16 CEST Steve French via samba-technical
> wrote:
> > I was noticing that the username and/or password seems to be ignored
> > in different (and possibly confusing to users) ways on various client
> > tools (smbcacls and smbclient for example) when you specify -k (for
> > Kerberos authentication).
>
> Hi Steve!
>
> > We probably need to figure out what behavior is expected - probably that
> > either 1) warn if you specify -U and -k together (since smbcacls ignores it
> > apparently) or
> > 2) actually use the -U when -k is specified to look for that specific
> > user in the kerberos credential cache, and if not found to prompt the
> > user for the kerberos password so we can authenticate (kinit or
> > equivalent) to Active Directory
>
> This is a known issue and is also an issue with FIPS support I'm working on. I
> will rewrite the code to offer a new option.
>
>         --use-kerberos=auto|yes|no
>
> Auto will be the default which means we try kerberos by default and fall back
> to NTLM. YES means there will be no fallback and no means use NTLM.
>
> -k will mostly be working as before to not break any scripts.
>
> So I have a lot of work ahead and hope that makes sense.
>
>
> Best regards,
>
>
>    Andreas
>
>


-- 
Thanks,

Steve


