Kerberos and Samba client tools

[Uri Simchoni]

On 5/26/19 9:26 PM, Andreas Schneider via samba-technical wrote:
> On Friday, 24 May 2019 19:30:33 CEST Steve French wrote:
>> A related question (to your "--user-kerberos=yes" (or auto) is "which
>> ticket will it use" and "can you get a ticket on the fly by specifying
>> this with userid and password" and can you override which users ticket
>> will be used in SMB3 session setup?
> 
> --use-kerberos=auto
> 
>   Check for a credential cache and try to authenticate. If it fails ask for a
>   password for the user who executed the client tool.
> 
>   -U check for a ticket of that user, if not available ask for a password
> 
> --use-kerberos=yes
> 
>   Use the credential cache
> 
>   -U use the credential cache and check for a ticket for that user
> 
> --use-kerberos=no
> 
>   ask for a password for the user who executed the client tool
> 
>   -U ask for a password for the given user or use the one supplied on the
>      commandline
> 
> 
> Makes sense?
> 
> Comments welcome.
> 
> 
> 	Andreas
> 
> 
> 

I like the idea that it's clear how tickets are being searched and that
there are options that cause the search not to be "everywhere".

How does that interact with -k switch?

Specifically, when we ask for a password, what do we do with it? Do we
only use NTLMSSP (as --use-kerberos=no implies)?

If the --use-kerberos param mainly decides how Kerberos finds its
tickets, then perhaps it's a misnomer (--use-krb-ccache ?). If OTOH
--use-kerberos=no really means "do not use Kerberos", then we seem to
lose the ability to use Kerberos to obtain credentials into a memory
ccache, based on the username and password, and authenticate with those
credentials.

Thanks,
Uri.