Deprecate net -k?

Isaac Boukris iboukris at
Tue Jul 7 10:47:30 UTC 2020


I think it has been discussed, but I just want to share some tests I
did in the context of MR 1402 work.

The man page of the net command says:
Try to authenticate with kerberos. Only useful in an Active Directory

In practice it means that some net-ads commands use ntlm by default,
e.g. net-ads-join forces the use of ntlm for the CIFS connection if -k
is not specified, even though it uses krb5 for the LDAP connection.

Fails due to the CIFS failure:
net ads join -UAdministrator@ACME.COM%pwd --option=gensec:ntlmssp=no
Succeeds both krb5:
net ads join -k -UAdministrator@ACME.COM%pwd --option=gensec:ntlmssp=no

Succeeds both NTLM (although AS-REQs are still being performed):
net ads join -UAdministrator@ACME.COM%pwd --option=gensec:gse_krb5=no
net ads join -k -UAdministrator@ACME.COM%pwd --option=gensec:gse_krb5=no

Other commands such as net-ads-search on the other hand don't seem to
care about the -k flag and only use krb5 (thus fail with

I think perhaps we can deprecate the -k option and just do it by default.
