Kerberos and Samba client tools
Uri Simchoni
uri at samba.org
Mon May 27 06:58:39 UTC 2019
On 5/26/19 9:26 PM, Andreas Schneider via samba-technical wrote:
> On Friday, 24 May 2019 19:30:33 CEST Steve French wrote:
>> A related question (to your "--user-kerberos=yes" (or auto) is "which
>> ticket will it use" and "can you get a ticket on the fly by specifying
>> this with userid and password" and can you override which users ticket
>> will be used in SMB3 session setup?
>
> --use-kerberos=auto
>
> Check for a credential cache and try to authenticate. If it fails ask for a
> password for the user who executed the client tool.
>
> -U check for a ticket of that user, if not available ask for a password
>
> --use-kerberos=yes
>
> Use the credential cache
>
> -U use the credential cache and check for a ticket for that user
>
> --use-kerberos=no
>
> ask for a password for the user who executed the client tool
>
> -U ask for a password for the given user or use the one supplied on the
> commandline
>
>
> Makes sense?
>
> Comments welcome.
>
>
> Andreas
>
>
>
I like the idea that it's clear how tickets are being searched and that
there are options that cause the search not to be "everywhere".
How does that interact with -k switch?
Specifically, when we ask for a password, what do we do with it? Do we
only use NTLMSSP (as --use-kerberos=no implies)?
If the --use-kerberos param mainly decides how Kerberos finds its
tickets, then perhaps it's a misnomer (--use-krb-ccache ?). If OTOH
--use-kerberos=no really means "do not use Kerberos", then we seem to
lose the ability to use Kerberos to obtain credentials into a memory
ccache, based on the username and password, and authenticate with those
credentials.
Thanks,
Uri.
More information about the samba-technical
mailing list