Deprecate net -k?
Isaac Boukris
iboukris at gmail.com
Tue Jul 7 10:47:30 UTC 2020
Hi,
I think it has been discussed, but I just want to share some tests I
did in the context of MR 1402 work.
The man page of the net command says:
-k|--kerberos
Try to authenticate with kerberos. Only useful in an Active Directory
environment.
In practice it means that some net-ads commands use ntlm by default,
e.g. net-ads-join forces the use of ntlm for the CIFS connection if -k
is not specified, even though it uses krb5 for the LDAP connection.
Fails due to the CIFS failure:
net ads join -UAdministrator@ACME.COM%pwd --option=gensec:ntlmssp=no
Succeeds both krb5:
net ads join -k -UAdministrator@ACME.COM%pwd --option=gensec:ntlmssp=no
Succeeds both NTLM (although AS-REQs are still being performed):
net ads join -UAdministrator@ACME.COM%pwd --option=gensec:gse_krb5=no
net ads join -k -UAdministrator@ACME.COM%pwd --option=gensec:gse_krb5=no
Other commands such as net-ads-search on the other hand don't seem to
care about the -k flag and only use krb5 (thus fail with
gensec:gse_krb5=no).
I think perhaps we can deprecate the -k option and just do it by default.