Kerberos and Samba client tools
Stefan Metzmacher
metze at samba.org
Mon May 27 06:35:20 UTC 2019
Am 26.05.19 um 20:26 schrieb Andreas Schneider via samba-technical:
> On Friday, 24 May 2019 19:30:33 CEST Steve French wrote:
>> A related question (to your "--user-kerberos=yes" (or auto) is "which
>> ticket will it use" and "can you get a ticket on the fly by specifying
>> this with userid and password" and can you override which users ticket
>> will be used in SMB3 session setup?
>
> --use-kerberos=auto
>
> Check for a credential cache and try to authenticate. If it fails ask for a
> password for the user who executed the client tool.
>
> -U check for a ticket of that user, if not available ask for a password
>
> --use-kerberos=yes
>
> Use the credential cache
>
> -U use the credential cache and check for a ticket for that user
We also need to ask for password here too if there's not ticket.
> --use-kerberos=no
>
> ask for a password for the user who executed the client tool
>
> -U ask for a password for the given user or use the one supplied on the
> commandline
>
>
> Makes sense?
We also need the --krb5-ccache option, which should allow "none" (as
default), which means we should use just a memory ccache instead of a
ccache in the system. And "system" which will select the default ccache
from the system.
If we use a system krb5 ccache we should only use kerberos
and adjust the username, principal, ... from that ccache.
I think we should also be able to use the winbindd ccache (currently
only used for ntlmssp) for kerberos.
The key thing is that we don't silently use something unexpected.
metze
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: OpenPGP digital signature
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20190527/26aacea9/signature.sig>
More information about the samba-technical
mailing list