[Samba] kinit and smbclient executed with different users but no error thrown

mathias dufresne infractory at gmail.com
Mon Apr 4 09:53:24 UTC 2016


Hi Paul,

I think -U is just ignored when -k is used and a valid ticket is available.

Here you have a valid ticket, you use -k to ask smbclient to use
credentials from that ticket, and you add -U for another user.

Please try the same smbclient command without -k; it should ask you for the
password of the test123 user.

That's not a bug; for me it is a lack of documentation on how to use the -k
switch with almost all Samba commands.

2016-04-01 21:30 GMT+02:00 Paul Simon <paulsimon.c at gmail.com>:

> Hi,
>
> I am using different users while executing kinit and smbclient as shown
> below, but I am not getting any error. How can an initial ticket granted to
> one user be used for another user? Can you give some clarification? I
> am not an expert, hence this doubt. I am using win 2003 AD.
>
> [root at 0050568B7DEB samba-4.3.4]# klist
> klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_0)
>
> [root at 0050568B7DEB samba-4.3.4]# kinit nagaraj
> Password for nagaraj at TEST.LOCAL:
>
> [root at 0050568B7DEB samba-4.3.4]#  ./bin/smbclient -L ADIR -s
> /etc/samba/smb.conf  -U test123 -k -d 5
> INFO: Current debug levels:
>   all: 5
>   tdb: 5
>   printdrivers: 5
>   lanman: 5
>   smb: 5
>   rpc_parse: 5
>   rpc_srv: 5
>   rpc_cli: 5
>   passdb: 5
>   sam: 5
>   auth: 5
>   winbind: 5
>   vfs: 5
>   idmap: 5
>   quota: 5
>   acls: 5
>   locking: 5
>   msdfs: 5
>   dmapi: 5
>   registry: 5
>   scavenger: 5
>   dns: 5
>   ldb: 5
>   tevent: 5
> lp_load_ex: refreshing parameters
> Initialising global parameters
> rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
> INFO: Current debug levels:
>   all: 5
>   tdb: 5
>   printdrivers: 5
>   lanman: 5
>   smb: 5
>   rpc_parse: 5
>   rpc_srv: 5
>   rpc_cli: 5
>   passdb: 5
>   sam: 5
>   auth: 5
>   winbind: 5
>   vfs: 5
>   idmap: 5
>   quota: 5
>   acls: 5
>   locking: 5
>   msdfs: 5
>   dmapi: 5
>   registry: 5
>   scavenger: 5
>   dns: 5
>   ldb: 5
>   tevent: 5
> Processing section "[global]"
> doing parameter workgroup = TEST
> doing parameter realm = test.local
> doing parameter server string = Samba Server Version %v
> doing parameter log file = /var/log/samba/log.%m
> doing parameter max log size = 50
> doing parameter security = user
> doing parameter passdb backend = tdbsam
> doing parameter load printers = yes
> doing parameter cups options = raw
> pm_process() returned Yes
> added interface eth1 ip=172.16.220.2 bcast=172.16.220.255
> netmask=255.255.255.0
> added interface virbr0 ip=192.168.122.1 bcast=192.168.122.255
> netmask=255.255.255.0
> added interface eth2 ip=10.10.220.2 bcast=10.10.220.255
> netmask=255.255.255.0
> added interface eth0 ip=10.133.133.13 bcast=10.133.133.255
> netmask=255.255.255.0
> Netbios name list:-
> my_netbios_names[0]="0050568B7DEB"
> Client started (version 4.3.4).
> Opening cache file at /usr/local/samba/var/cache/gencache.tdb
> Opening cache file at /usr/local/samba/var/lock/gencache_notrans.tdb
> sitename_fetch: No stored sitename for TEST.LOCAL
> name ADIR#20 found.
> Connecting to 10.133.140.66 at port 445
> Socket options:
>         SO_KEEPALIVE = 0
>         SO_REUSEADDR = 0
>         SO_BROADCAST = 0
>         TCP_NODELAY = 1
>         TCP_KEEPCNT = 9
>         TCP_KEEPIDLE = 7200
>         TCP_KEEPINTVL = 75
>         IPTOS_LOWDELAY = 0
>         IPTOS_THROUGHPUT = 0
>         SO_REUSEPORT = 0
>         SO_SNDBUF = 19800
>         SO_RCVBUF = 87380
>         SO_SNDLOWAT = 1
>         SO_RCVLOWAT = 1
>         SO_SNDTIMEO = 0
>         SO_RCVTIMEO = 0
>         TCP_QUICKACK = 1
>         TCP_DEFER_ACCEPT = 0
>  session request ok
> Doing spnego session setup (blob length=88)
> got OID=1.2.840.48018.1.2.2
> got OID=1.2.840.113554.1.2.2
> got OID=1.2.840.113554.1.2.2.3
> got OID=1.3.6.1.4.1.311.2.2.10
> got principal=adir$@TEST.LOCAL
> cli_session_setup_spnego: using target hostname not SPNEGO principal
> kerberos_get_default_realm_from_ccache: Trying to read krb5 cache:
> FILE:/tmp/krb5cc_0
> cli_session_setup_spnego: guessed server principal=cifs/ADIR at TEST.LOCAL
> Doing kerberos session setup
> ads_krb5_mk_req: Advancing clock by 67 seconds to cope with clock skew
> ads_cleanup_expired_creds: Ticket in ccache[FILE:/tmp/krb5cc_0] expiration
> Fri, 01 Apr 2016 22:28:49 IST
> OS=[Windows Server 2003 3790 Service Pack 2] Server=[Windows Server 2003
> 5.2]
>  session setup ok
>  tconx ok
>         Sharename       Type      Comment
>         ---------       ----      -------
> GENSEC backend 'gssapi_spnego' registered
> GENSEC backend 'gssapi_krb5' registered
> GENSEC backend 'gssapi_krb5_sasl' registered
> GENSEC backend 'spnego' registered
> GENSEC backend 'schannel' registered
> GENSEC backend 'naclrpc_as_system' registered
> GENSEC backend 'sasl-EXTERNAL' registered
> GENSEC backend 'ntlmssp' registered
> GENSEC backend 'http_basic' registered
> GENSEC backend 'http_ntlm' registered
> GENSEC backend 'krb5' registered
> GENSEC backend 'fake_gssapi_krb5' registered
> Bind RPC Pipe: host ADIR auth_type 0, auth_level 1
> rpc_api_pipe: host ADIR
> rpc_read_send: data_to_read: 52
> check_bind_response: accepted!
> rpc_api_pipe: host ADIR
> rpc_read_send: data_to_read: 520
>         IPC$            IPC       Remote IPC
>         C$              Disk      Default share
>         NETLOGON        Disk      Logon server share
>         ADMIN$          Disk      Remote Admin
>         Dashboard       Disk
>         SYSVOL          Disk      Logon server share
> sitename_fetch: No stored sitename for TEST.LOCAL
> name ADIR#20 found.
> Connecting to 10.133.140.66 at port 139
> Socket options:
>         SO_KEEPALIVE = 0
>         SO_REUSEADDR = 0
>         SO_BROADCAST = 0
>         TCP_NODELAY = 1
>         TCP_KEEPCNT = 9
>         TCP_KEEPIDLE = 7200
>         TCP_KEEPINTVL = 75
>         IPTOS_LOWDELAY = 0
>         IPTOS_THROUGHPUT = 0
>         SO_REUSEPORT = 0
>         SO_SNDBUF = 19800
>         SO_RCVBUF = 87380
>         SO_SNDLOWAT = 1
>         SO_RCVLOWAT = 1
>         SO_SNDTIMEO = 0
>         SO_RCVTIMEO = 0
>         TCP_QUICKACK = 1
>         TCP_DEFER_ACCEPT = 0
>  session request ok
> Doing spnego session setup (blob length=88)
> got OID=1.2.840.48018.1.2.2
> got OID=1.2.840.113554.1.2.2
> got OID=1.2.840.113554.1.2.2.3
> got OID=1.3.6.1.4.1.311.2.2.10
> got principal=adir$@TEST.LOCAL
> cli_session_setup_spnego: using target hostname not SPNEGO principal
> kerberos_get_default_realm_from_ccache: Trying to read krb5 cache:
> FILE:/tmp/krb5cc_0
> cli_session_setup_spnego: guessed server principal=cifs/ADIR at TEST.LOCAL
> Doing kerberos session setup
> ads_krb5_mk_req: Advancing clock by 67 seconds to cope with clock skew
> ads_cleanup_expired_creds: Ticket in ccache[FILE:/tmp/krb5cc_0] expiration
> Fri, 01 Apr 2016 22:28:49 IST
> OS=[Windows Server 2003 3790 Service Pack 2] Server=[Windows Server 2003
> 5.2]
>  session setup ok
>  tconx ok
>         Server               Comment
>         ---------            -------
>         Workgroup            Master
>         ---------            -------
>
>
> Thanks,
> Paul
>
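
The behaviour discussed in this thread (with -k the session authenticates as whoever owns the ticket cache, whatever -U says) can be caught before the command runs. The following is an added example, not part of the original messages or of Samba: the function names `ccache_principal`, `principal_matches` and `as_user` and the sample `klist` text are constructed for illustration, and it assumes `klist` prints a "Default principal:" (MIT) or "Principal:" (Heimdal) line.

```shell
#!/bin/sh
# Added example: run a Kerberos-authenticated command only when the ticket
# cache belongs to the user you meant to authenticate as.

# Constructed sample of MIT `klist` output for the situation in the thread.
SAMPLE_KLIST='Ticket cache: FILE:/tmp/krb5cc_0
Default principal: nagaraj@TEST.LOCAL

Valid starting       Expires              Service principal
04/01/2016 12:28:49  04/01/2016 22:28:49  krbtgt/TEST.LOCAL@TEST.LOCAL'

# Read `klist` output on stdin and print the client principal of the cache.
ccache_principal() {
    awk -F': *' '/^[ \t]*(Default principal|Principal):/ { print $2; exit }'
}

# principal_matches WANTED PRINCIPAL
# WANTED may be "user" (compared with the part before @) or "user@REALM".
# Comparison is exact; an empty PRINCIPAL (no ticket) never matches.
principal_matches() {
    wanted=$1 principal=$2
    [ -n "$principal" ] || return 1
    case $wanted in
        *@*) [ "$wanted" = "$principal" ] ;;
        *)   [ "$wanted" = "${principal%%@*}" ] ;;
    esac
}

# as_user USER COMMAND [ARGS...]
# Example: as_user test123 smbclient -L ADIR -k
as_user() {
    wanted=$1; shift
    principal=$(klist 2>/dev/null | ccache_principal)
    if ! principal_matches "$wanted" "$principal"; then
        echo "ticket cache holds '${principal:-no ticket}', not '$wanted';" \
             "run 'kinit $wanted' first" >&2
        return 1
    fi
    "$@"
}

# Demonstration on the constructed sample: the cache is nagaraj's, so a
# command meant to run as test123 would silently authenticate as nagaraj.
p=$(printf '%s\n' "$SAMPLE_KLIST" | ccache_principal)
principal_matches test123 "$p" ||
    echo "mismatch: cache belongs to $p, a -U test123 given with -k would be ignored"
```
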

