Deprecate net -k?

Stefan Metzmacher metze at
Tue Jul 7 11:08:26 UTC 2020

Hi Issac,

> I think it has been discussed, but I just want to share some tests I
> did in the context of MR 1402 work.

I also hit this in my preparations for S4U2Self (I'll post more about
that later).

> The man page of the net command says:
> -k|--kerberos
> Try to authenticate with kerberos. Only useful in an Active Directory
> environment.
> In practice it means that some net-ads commands use ntlm by default,
> e.g. net-ads-join force the use of ntlm for the CIFS connection if -k
> is not specified, even though it uses krb5 for the LDAP connection.
> Fails due to the CIFS failure:
> net ads join -UAdministrator at ACME.COM%pwd --option=gensec:ntlmssp=no
> Succeeds both krb5:
> net ads join -k  -UAdministrator at ACME.COM%pwd --option=gensec:ntlmssp=no
> Succeeds both NTLM (although AS-REQs are still being performed):
> net ads join -UAdministrator at ACME.COM%pwd --option=gensec:gse_krb5=no
> net ads join -k -UAdministrator at ACME.COM%pwd --option=gensec:gse_krb5=no
> Other commands such as net-ads-search on the other hand don't seem to
> care about the -k flag and only use krb5 (thus fail with
> gensec:gse_krb5=no).
> I think perhaps we can deprecate the -k option and just do it by default.

The bad thing is that -k is implemented different than in smbclient.
The key part is the behavior without -U.

smbclient only uses the users global ccache if -k is given,
but (at least some) net commands ignore -k completely.

Andreas and I were working on a plan to unify the cmdline arguments
for client authentication across all our commands (including python
scripts). We should always get a cli_crendential structure out of
the cmdline parsing and base all other code just on that.

Andreas, can you post our current plan?

I guess the only thing is to try to break as less as possible,
but at the some point just make sure we have a sane behavior for the
future and announce that in WHATSNEW.


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: OpenPGP digital signature
URL: <>

More information about the samba-technical mailing list