Kerberos and Samba client tools

Uri Simchoni uri at
Fri May 24 18:41:29 UTC 2019

On 5/24/19 8:30 PM, Steve French via samba-technical wrote:
> A related question (to your "--user-kerberos=yes" (or auto) is "which
> ticket will it use" and "can you get a ticket on the fly by specifying
> this with userid and password" and can you override which users ticket
> will be used in SMB3 session setup?

I know we can have (on smbclient and on "net ads join" at least) a
combination of -k and -U which means "do a kinit, store the TGT in a
memory credentials cache and use that to obtain a service ticket". I'm
also familiar with -P which takes the "user" and password from the
machine account secrets store.

I have less experience with the other modes (using "my" credentials, or
some user's credentials, from a system-provided credentials cache,
there's also the option of winbindd-cached credentials), and how the
various command-line parameters decide which method to use. Presumably
-k alone takes "my" credentials, but does -kU allow searching for a TGT
for <user> in "my" the system-provided credentials cache?


More information about the samba-technical mailing list