Phantom samba-tool option

Rowland Penny rpenny at samba.org
Sun Aug 28 13:57:24 UTC 2022


On Fri, 2022-08-26 at 10:03 -0700, Jeremy Allison wrote:
> On Fri, Aug 26, 2022 at 09:19:58AM +0100, Rowland Penny wrote:
> > Hi Jeremy, a user on the samba mailing list asked about the '-A'
> > option
> > for samba-tool, an option I had never heard of. It is shown in the
> > samba-tool manpage:
> > 
> >       -U|--user=[DOMAIN\]USERNAME[%PASSWORD]
> >           Sets the SMB username or username and password.
> > 
> >           If %PASSWORD is not specified, the user will be prompted.
> > The client will first check the USER environment
> >           variable (which is also permitted to also contain the
> > password seperated by a %), then the LOGNAME variable (which
> >           is not permitted to contain a password) and if either
> > exists, the value is used. If these environmental variables
> >           are not found, the username found in a Kerberos
> > Credentials
> > cache may be used.
> > 
> >           A third option is to use a credentials file which
> > contains
> > the plaintext of the username and password. This option
> >           is mainly provided for scripts where the admin does not
> > wish
> > to pass the credentials on the command line or via
> >           environment variables. If this method is used, make
> > certain
> > that the permissions on the file restrict access from
> >           unwanted users. See the -A for more details.
> > 
> >           Be cautious about including passwords in scripts or
> > passing
> > user-supplied values onto the command line. For
> >           security it is better to let the Samba client tool ask
> > for
> > the password if needed, or obtain the password once
> >           with kinit.
> > 
> >           While Samba will attempt to scrub the password from the
> > process title (as seen in ps), this is after startup and
> >           so is subject to a race.
> > 
> > The only problem is that the '-A' option does not exist for samba-
> > tool,
> > it is a smbclient option.
> > 
> > I traced it down to it coming from docs-
> > xml/build/DTD/samba.entities,
> > but I cannot see how I stop the samba-tool manpage from using it
> > without totally removing the relevant paragraph, which will (I
> > presume)
> > remove it from the smbclient manpage. Can you suggest how this can
> > be
> > done, or should I open a bug report ?
> 
> This comes from : cmdline.common.credentials.user
> which is included in:
> 
> manpages/samba-tool.8.xml
> 
> '-A' is described in cmdline.common.credentials.authenticationfile
> 
> which isn't included in:
> 
> manpages/samba-tool.8.xml
> 
> So the problem is the '-A' text:
> 
> ------------------------------------------------------------
> "A third option is to use a credentials file which contains
> the plaintext of the username and password. This option
> is mainly provided for scripts where the admin does not wish
> to pass the credentials on the command line or via
> environment variables. If this method is used, make certain
> that the permissions on the file restrict access from
> unwanted users. See the -A for more details.
> 
> Be cautious about including passwords in scripts or passing
> user-supplied values onto the command line. For
> security it is better to let the Samba client tool ask for
> the password if needed, or obtain the password once
> with kinit.
> 
> While Samba will attempt to scrub the password from the
> process title (as seen in ps), this is after startup and
> so is subject to a race."
> ------------------------------------------------------------
> 
> So I think maybe we need to duplicate this section without
> the -A text as a new ENTITY cmdline.samba-tool.credentials.user
> and include that inside manpages/samba-tool.8.xml instead of
> cmdline.common.credentials.user.
> 
> I'm CC:ing this to samba-technical for opinions from the
> rest of the Team, and I also think you should log a bug
> so we can track it.
> 
> Thanks ! Jeremy.

So after Ralph posted his latest post about gitlab, I browsed the open
MR's on the Samba gitlab and found this:
https://gitlab.com/samba-team/samba/-/merge_requests/2468

Now this would give samba-tool the missing '-A', but I do not see the
need for it. It seems to be meant to stop entering the password on the
command line during a domain join and sending it over the wire. This is
something that can be done by running kinit and then 'net ads join --
use-kerberos=required'. Using kerberos would mean that the plaintext
password would never leave the computer, which I believe is better than
using a credentials file.

Rowland





More information about the samba-technical mailing list