Phantom samba-tool option

Jeremy Allison jra at samba.org
Fri Aug 26 17:03:42 UTC 2022


On Fri, Aug 26, 2022 at 09:19:58AM +0100, Rowland Penny wrote:
>Hi Jeremy, a user on the samba mailing list asked about the '-A' option
>for samba-tool, an option I had never heard of. It is shown in the
>samba-tool manpage:
>
>       -U|--user=[DOMAIN\]USERNAME[%PASSWORD]
>           Sets the SMB username or username and password.
>
>           If %PASSWORD is not specified, the user will be prompted.
>           The client will first check the USER environment variable
>           (which is also permitted to also contain the password
>           separated by a %), then the LOGNAME variable (which is not
>           permitted to contain a password) and if either exists, the
>           value is used. If these environmental variables are not
>           found, the username found in a Kerberos Credentials cache
>           may be used.
>
>           A third option is to use a credentials file which contains
>           the plaintext of the username and password. This option is
>           mainly provided for scripts where the admin does not wish
>           to pass the credentials on the command line or via
>           environment variables. If this method is used, make certain
>           that the permissions on the file restrict access from
>           unwanted users. See the -A for more details.
>
>           Be cautious about including passwords in scripts or passing
>           user-supplied values onto the command line. For security it
>           is better to let the Samba client tool ask for the password
>           if needed, or obtain the password once with kinit.
>
>           While Samba will attempt to scrub the password from the
>           process title (as seen in ps), this is after startup and so
>           is subject to a race.
>
>The only problem is that the '-A' option does not exist for samba-tool,
>it is a smbclient option.
>
>I traced it down to it coming from docs-xml/build/DTD/samba.entities,
>but I cannot see how I stop the samba-tool manpage from using it
>without totally removing the relevant paragraph, which will (I presume)
>remove it from the smbclient manpage. Can you suggest how this can be
>done, or should I open a bug report ?

This comes from : cmdline.common.credentials.user
which is included in:

manpages/samba-tool.8.xml

'-A' is described in cmdline.common.credentials.authenticationfile

which isn't included in:

manpages/samba-tool.8.xml

So the problem is the '-A' text:

------------------------------------------------------------
"A third option is to use a credentials file which contains
the plaintext of the username and password. This option
is mainly provided for scripts where the admin does not wish
to pass the credentials on the command line or via
environment variables. If this method is used, make certain
that the permissions on the file restrict access from
unwanted users. See the -A for more details.

Be cautious about including passwords in scripts or passing
user-supplied values onto the command line. For
security it is better to let the Samba client tool ask for
the password if needed, or obtain the password once
with kinit.

While Samba will attempt to scrub the password from the
process title (as seen in ps), this is after startup and
so is subject to a race."
------------------------------------------------------------

So I think maybe we need to duplicate this section without
the -A text as a new ENTITY cmdline.samba-tool.credentials.user
and include that inside manpages/samba-tool.8.xml instead of
cmdline.common.credentials.user.

I'm CC:ing this to samba-technical for opinions from the
rest of the Team, and I also think you should log a bug
so we can track it.

Thanks ! Jeremy.
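
The manpage text quoted in this thread asks that a credentials file (the file smbclient takes with `-A`) be protected from other users. The following is an added example, not part of the original message and not Samba code: a pre-flight check a script could run before handing such a file to a client tool. The function names and sample values are hypothetical; the `username = / password = / domain =` layout is the one the smbclient manpage documents for `-A`.

```python
import os
import stat
import tempfile


def check_credentials_file(path):
    """Return a list of problems that make `path` unsafe as a credentials file."""
    try:
        st = os.lstat(path)  # lstat: inspect the path itself, never a symlink target
    except OSError as exc:
        return [f"cannot stat: {exc.strerror}"]
    if not stat.S_ISREG(st.st_mode):
        return ["not a regular file (symlink, directory or device)"]
    problems = []
    if st.st_uid != os.geteuid():
        problems.append(f"owned by uid {st.st_uid}, not the calling user")
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        mode = stat.S_IMODE(st.st_mode)
        problems.append(f"mode {mode:04o} grants group/other access, use 0600")
    return problems


def write_credentials_file(path, username, password, domain):
    """Create the file with mode 0600 from the start (hypothetical helper)."""
    # O_EXCL refuses a pre-existing path; the mode is set at creation, so
    # there is no window in which the plaintext password is world-readable.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(f"username = {username}\npassword = {password}\ndomain = {domain}\n")


def demo():
    """Run the check on a tight file, a loosened file and a symlink to it."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "smb.cred")
        # Constructed sample values, not real credentials.
        write_credentials_file(path, "svc-backup", "constructed-password", "EXAMPLE")
        tight = check_credentials_file(path)
        link = os.path.join(tmp, "link.cred")
        os.symlink(path, link)
        via_link = check_credentials_file(link)
        os.chmod(path, 0o644)
        loose = check_credentials_file(path)
        return tight, loose, via_link


if __name__ == "__main__":
    for label, result in zip(("0600", "0644", "symlink"), demo()):
        print(label, "->", result or "ok")
```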


