"auto" for Kerberos, a history (was: Re: WIP: Samba's client command line UI)

Andrew Bartlett abartlet at samba.org
Wed Aug 19 22:10:52 UTC 2020

On Wed, 2020-08-19 at 22:13 +0100, Rowland penny via samba-technical
>      -k KERBEROS, --kerberos=KERBEROS
>                          Use Kerberos
> If you check the code, 'KERBEROS' is actually 'yes', 'auto' or 'no'
> What is 'auto' in this context ? surely using kerberos is binary,
> you 
> either want to use it, or you don't, 'yes' or 'no', so what does
> 'auto' 
> actually mean and do ?
> Do we really need 'auto', can we not decide what the parameter
> defaults 
> (for instance) should be and remove 'auto' ?

In this context, the current code behaviour is to try and obtain a
kerberos ticket, but to fall back to NTLM as 'good enough protection'
if this fails, for example if no KDC can be reached, or this is an IP
address, or if the server does not offer Kerberos as an authentication

The idea (when this was written) was to at least try Kerberos, rather
than continuing to default to NTLM only.  (And on the flip side, to
continue to work in the many - at the time - networks where AD was
functioning only with NTLM).

Andrew Bartlett

Andrew Bartlett                       https://samba.org/~abartlet/
Authentication Developer, Samba Team  https://samba.org
Samba Developer, Catalyst IT          

More information about the samba-technical mailing list