"auto" for Kerberos, a history (was: Re: WIP: Samba's client command line UI)

Andrew Bartlett abartlet at samba.org
Wed Aug 19 22:10:52 UTC 2020


On Wed, 2020-08-19 at 22:13 +0100, Rowland penny via samba-technical
wrote:
>      -k KERBEROS, --kerberos=KERBEROS
>                          Use Kerberos
> 
> If you check the code, 'KERBEROS' is actually 'yes', 'auto' or 'no'
> 
> What is 'auto' in this context? Surely using Kerberos is binary, you
> either want to use it, or you don't, 'yes' or 'no', so what does 'auto'
> actually mean and do?
> 
> Do we really need 'auto'? Can we not decide what the parameter defaults
> (for instance) should be and remove 'auto'?

In this context, the current code behaviour is to try and obtain a
Kerberos ticket, but to fall back to NTLM as 'good enough protection'
if this fails, for example if no KDC can be reached, or this is an IP
address, or if the server does not offer Kerberos as an authentication
type.

The idea (when this was written) was to at least try Kerberos, rather
than continuing to default to NTLM only.  (And on the flip side, to
continue to work in the many - at the time - networks where AD was
functioning only with NTLM).

Andrew Bartlett

-- 
Andrew Bartlett                       https://samba.org/~abartlet/
Authentication Developer, Samba Team  https://samba.org
Samba Developer, Catalyst IT          https://catalyst.net.nz/services/samba
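
The 'auto' fallback described in the message above, modelled as an added example (not Samba's code and not part of the original post), so that the connections which would quietly end up on NTLM can be listed. The function names, parameters and sample targets are hypothetical, and the handling of 'yes' (fail rather than fall back) and 'no' (NTLM only) is an assumption; only the 'auto' behaviour comes from the message.

```python
import ipaddress

MODES = ("yes", "auto", "no")

def is_ip_literal(host):
    """True when the target is an IP address rather than a hostname."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def select_mechanism(mode, host, kdc_reachable, server_offers_kerberos):
    """Return (mechanism, reason); mechanism is None when the attempt fails."""
    if mode not in MODES:
        raise ValueError("mode must be one of %r" % (MODES,))
    if mode == "no":                      # assumption: NTLM only
        return ("NTLM", "Kerberos disabled")
    # The three failure causes named in the message.
    if is_ip_literal(host):
        blocker = "target is an IP address"
    elif not kdc_reachable:
        blocker = "no KDC can be reached"
    elif not server_offers_kerberos:
        blocker = "server does not offer Kerberos"
    else:
        return ("Kerberos", "ticket obtained")
    if mode == "auto":                    # behaviour described in the message
        return ("NTLM", "fallback: " + blocker)
    return (None, "refused: " + blocker)  # assumption: 'yes' never downgrades

def ntlm_fallbacks(mode, targets):
    """Targets that end up on NTLM although Kerberos was attempted."""
    hits = []
    for host, kdc_ok, offers_krb in targets:
        mech, reason = select_mechanism(mode, host, kdc_ok, offers_krb)
        if mech == "NTLM" and reason.startswith("fallback"):
            hits.append((host, reason))
    return hits

# Constructed sample targets: (host, kdc_reachable, server_offers_kerberos)
SAMPLE = [
    ("fs1.example.test", True, True),
    ("192.0.2.10", True, True),
    ("fs2.example.test", False, True),
    ("legacy.example.test", True, False),
]

if __name__ == "__main__":
    for host, reason in ntlm_fallbacks("auto", SAMPLE):
        print(host, "->", reason)
```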