Deprecate net -k?

Andreas Schneider asn at
Tue Jul 7 15:55:26 UTC 2020

On Tuesday, 7 July 2020 13:08:26 CEST Stefan Metzmacher via samba-technical 
> Hi Issac,

Hi Isaac :-)

> Andreas and I were working on a plan to unify the cmdline arguments
> for client authentication across all our commands (including python
> scripts). We should always get a cli_credentials structure out of
> the cmdline parsing and base all other code just on that.
> Andreas, can you post our current plan?

Below is my current TODO list; it is a bit cryptic but should work for now.

WIP branch:



echo locDCpass1 | bin/rpcclient ncacn_np:$SERVER -UAdministrator -c 

echo locDCpass1 | USER=administrator bin/rpcclient ncacn_np:$SERVER -c 

Migrate s3 client code to cli_credentials


Create one function translating signing state string to enum
see set_cmdline_auth_info_signing_state and enum_smb_signing_vals

Add 'server smb encrypt' (done)
  -> smb encrypt as alias
Add 'client smb encrypt' (done)

Add cli_credentials_set_smb_signing(),
cli_credentials_set_smb_encryption(). - DONE

Use cli_creds smb encryption:
tig -7 b06e7ea5cbc0e46c0c42d6cdeb3a14f3cf21f1c6 - DONE

Add smb encryption for source4/libcli - WIP

Check do_connect() in client.c


-> parse popts

-> set password callback, if not --use-krb5-ccache and not
   --use-ccache and not --no-pass and not auth-file

   default only if we add 'client use kerberos' as smb.conf option

  imply --use-kerberos=yes

'-U... -k' =>
'-k' without -U =>

--use-krb5-ccache and --use-ccache
=> not supported,
   TODO: --use-winbind-ccache that provides
         generic support for krb5 and ntlm
Rename --use-ccache to --use-winbind-ccache (removes --use-ccache?)

Add --smb-signing=$SMB_SIGNING_VALS
 also set GENSEC_FEATURE_SIGN for desired/required
 --signing=$SMB_SIGNING_VALS (as legacy)
 '-S $SMB_SIGNING_VALS' ??? (only smbclient?)
 '-S' check what smbtorture is actually using
Remove -S for signing and use only long option

Add --smb-encryption=$SMB_SIGNING_VALS
-e => --smb-encryption=required
      also set GENSEC_FEATURE_SEAL??? => defer to --gensec-protection
Remove -e and use only long option

TODO: what about 'net'...
break it and use options as above?

Add the following???
=> see also "ldap client sasl wrapping"
=> default from "gensec client protection"

Andreas Schneider                      asn at
Samba Team                   
GPG-ID:     8DFF53E18F2ABC8D8F3C92237EE0FC4DCC014E3D
