Kerberos and Samba client tools

Stefan Metzmacher metze at samba.org
Mon May 27 06:35:20 UTC 2019


On 26.05.19 at 20:26, Andreas Schneider via samba-technical wrote:
> On Friday, 24 May 2019 19:30:33 CEST Steve French wrote:
>> A related question (to your "--user-kerberos=yes" (or auto)) is "which
>> ticket will it use" and "can you get a ticket on the fly by specifying
>> this with userid and password" and can you override which user's ticket
>> will be used in SMB3 session setup?
> 
> --use-kerberos=auto
> 
>   Check for a credential cache and try to authenticate. If it fails ask for a
>   password for the user who executed the client tool.
> 
>   -U check for a ticket of that user, if not available ask for a password
> 
> --use-kerberos=yes
> 
>   Use the credential cache
> 
>   -U use the credential cache and check for a ticket for that user

We also need to ask for a password here too if there's no ticket.

> --use-kerberos=no
> 
>   ask for a password for the user who executed the client tool
> 
>   -U ask for a password for the given user or use the one supplied on the
>      commandline
> 
> 
> Makes sense?

We also need the --krb5-ccache option, which should allow "none" (as
default), which means we should use just a memory ccache instead of a
ccache in the system. And "system" which will select the default ccache
from the system.

If we use a system krb5 ccache we should only use kerberos
and adjust the username, principal, ... from that ccache.

I think we should also be able to use the winbindd ccache (currently
only used for ntlmssp) for kerberos.

The key thing is that we don't silently use something unexpected.

metze
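
The --use-kerberos and -U semantics discussed in this message, modelled as an added example (not Samba code and not written by anyone in the thread). The function, field and value names are hypothetical; `ccache_user` stands for the owner of whatever ticket the selected credential cache holds, cache selection via --krb5-ccache is not modelled, and principals are compared as plain strings.

```python
from typing import NamedTuple, Optional

class Plan(NamedTuple):
    user: str        # identity offered in SMB session setup
    credential: str  # "ticket", "prompt" or "cmdline-password"
    kerberos: str    # "required" (yes), "tried" (auto) or "off" (no)

def resolve(use_kerberos: str, invoking_user: str, *,
            user: Optional[str] = None,         # value of -U, if given
            password: Optional[str] = None,     # password given on the command line
            ccache_user: Optional[str] = None,  # ticket owner in the cache, None = no ticket
            ) -> Plan:
    modes = {"yes": "required", "auto": "tried", "no": "off"}
    if use_kerberos not in modes:
        raise ValueError(f"--use-kerberos={use_kerberos!r} is not auto, yes or no")
    mode = modes[use_kerberos]
    target = user or invoking_user

    if use_kerberos == "no":
        # The cache is never consulted; only -U may bring a command-line password.
        if user is not None and password is not None:
            return Plan(target, "cmdline-password", mode)
        return Plan(target, "prompt", mode)

    if user is None:
        # No -U: the identity is taken from the ticket if there is one.
        if ccache_user is not None:
            return Plan(ccache_user, "ticket", mode)
        return Plan(invoking_user, "prompt", mode)

    # -U given: a ticket counts only if it belongs to that user. A ticket for
    # someone else is never used silently; the tool asks for a password, which
    # for "yes" is the amendment made in this message.
    if ccache_user == user:
        return Plan(user, "ticket", mode)
    return Plan(user, "prompt", mode)

if __name__ == "__main__":
    # Constructed cases: alice runs the tool and the cache holds alice's ticket.
    for opt, u in (("auto", None), ("yes", "bob"), ("no", "bob")):
        print(opt, u, resolve(opt, "alice", user=u, ccache_user="alice"))
```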
