Deprecate net -k?
metze at samba.org
Tue Jul 7 11:08:26 UTC 2020
> I think it has been discussed, but I just want to share some tests I
> did in the context of MR 1402 work.
I also hit this in my preparations for S4U2Self (I'll post more about
> The man page of the net command says:
> Try to authenticate with kerberos. Only useful in an Active Directory
> In practice it means that some net-ads commands use ntlm by default,
> e.g. net-ads-join force the use of ntlm for the CIFS connection if -k
> is not specified, even though it uses krb5 for the LDAP connection.
> Fails due to the CIFS failure:
> net ads join -UAdministrator@ACME.COM%pwd --option=gensec:ntlmssp=no
> Succeeds both krb5:
> net ads join -k -UAdministrator@ACME.COM%pwd --option=gensec:ntlmssp=no
> Succeeds both NTLM (although AS-REQs are still being performed):
> net ads join -UAdministrator@ACME.COM%pwd --option=gensec:gse_krb5=no
> net ads join -k -UAdministrator@ACME.COM%pwd --option=gensec:gse_krb5=no
> Other commands such as net-ads-search on the other hand don't seem to
> care about the -k flag and only use krb5 (thus fail with
> I think perhaps we can deprecate the -k option and just do it by default.
The bad thing is that -k is implemented differently than in smbclient.
The key part is the behavior without -U.
smbclient only uses the user's global ccache if -k is given,
but (at least some) net commands ignore -k completely.
Andreas and I were working on a plan to unify the cmdline arguments
for client authentication across all our commands (including python
scripts). We should always get a cli_credentials structure out of
the cmdline parsing and base all other code just on that.
Andreas, can you post our current plan?
I guess the only thing is to try to break as little as possible,
but at some point just make sure we have a sane behavior for the
future and announce that in WHATSNEW.