[Samba] kinit and smbclient executed with different users but no error thrown

Paul Simon paulsimon.c at gmail.com
Tue Apr 5 08:29:15 UTC 2016


Hi,

If I use it without -k, smbclient asks for a password and it uses NTLMv2
instead of Kerberos.
So the answer is that if we use Kerberos, the username cannot be passed on
the command line.

Thanks for helping me out.

Regards,
Paul




On Mon, Apr 4, 2016 at 3:23 PM, mathias dufresne <infractory at gmail.com>
wrote:

> Hi Paul,
>
> I think -U is just ignored when -k and a valid ticket is available.
>
> Here you have a valid ticket, you use -k to ask smbclient to use
> credentials from that ticket, and you add -U for another user.
>
> Please try the same smbclient command without -k, it should ask you for the
> password of the test123 user.
>
> That's not a bug, for me it is a lack of documentation on how to use -k
> switches with almost all samba commands.
>
> 2016-04-01 21:30 GMT+02:00 Paul Simon <paulsimon.c at gmail.com>:
>
>> Hi,
>>
>> I am using different users while executing kinit and smbclient as shown
>> below, but I am not getting any error. How can an initial ticket granted to
>> one user be used for another user? Can you give some clarification? I
>> am not an expert, hence this doubt. I am using Win 2003 AD.
>>
>> [root at 0050568B7DEB samba-4.3.4]# klist
>> klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_0)
>>
>> [root at 0050568B7DEB samba-4.3.4]# kinit nagaraj
>> Password for nagaraj at TEST.LOCAL:
>>
>> [root at 0050568B7DEB samba-4.3.4]#  ./bin/smbclient -L ADIR -s /etc/samba/smb.conf  -U test123 -k -d 5
>> INFO: Current debug levels:
>>   all: 5
>>   tdb: 5
>>   printdrivers: 5
>>   lanman: 5
>>   smb: 5
>>   rpc_parse: 5
>>   rpc_srv: 5
>>   rpc_cli: 5
>>   passdb: 5
>>   sam: 5
>>   auth: 5
>>   winbind: 5
>>   vfs: 5
>>   idmap: 5
>>   quota: 5
>>   acls: 5
>>   locking: 5
>>   msdfs: 5
>>   dmapi: 5
>>   registry: 5
>>   scavenger: 5
>>   dns: 5
>>   ldb: 5
>>   tevent: 5
>> lp_load_ex: refreshing parameters
>> Initialising global parameters
>> rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
>> INFO: Current debug levels:
>>   all: 5
>>   tdb: 5
>>   printdrivers: 5
>>   lanman: 5
>>   smb: 5
>>   rpc_parse: 5
>>   rpc_srv: 5
>>   rpc_cli: 5
>>   passdb: 5
>>   sam: 5
>>   auth: 5
>>   winbind: 5
>>   vfs: 5
>>   idmap: 5
>>   quota: 5
>>   acls: 5
>>   locking: 5
>>   msdfs: 5
>>   dmapi: 5
>>   registry: 5
>>   scavenger: 5
>>   dns: 5
>>   ldb: 5
>>   tevent: 5
>> Processing section "[global]"
>> doing parameter workgroup = TEST
>> doing parameter realm = test.local
>> doing parameter server string = Samba Server Version %v
>> doing parameter log file = /var/log/samba/log.%m
>> doing parameter max log size = 50
>> doing parameter security = user
>> doing parameter passdb backend = tdbsam
>> doing parameter load printers = yes
>> doing parameter cups options = raw
>> pm_process() returned Yes
>> added interface eth1 ip=172.16.220.2 bcast=172.16.220.255 netmask=255.255.255.0
>> added interface virbr0 ip=192.168.122.1 bcast=192.168.122.255 netmask=255.255.255.0
>> added interface eth2 ip=10.10.220.2 bcast=10.10.220.255 netmask=255.255.255.0
>> added interface eth0 ip=10.133.133.13 bcast=10.133.133.255 netmask=255.255.255.0
>> Netbios name list:-
>> my_netbios_names[0]="0050568B7DEB"
>> Client started (version 4.3.4).
>> Opening cache file at /usr/local/samba/var/cache/gencache.tdb
>> Opening cache file at /usr/local/samba/var/lock/gencache_notrans.tdb
>> sitename_fetch: No stored sitename for TEST.LOCAL
>> name ADIR#20 found.
>> Connecting to 10.133.140.66 at port 445
>> Socket options:
>>         SO_KEEPALIVE = 0
>>         SO_REUSEADDR = 0
>>         SO_BROADCAST = 0
>>         TCP_NODELAY = 1
>>         TCP_KEEPCNT = 9
>>         TCP_KEEPIDLE = 7200
>>         TCP_KEEPINTVL = 75
>>         IPTOS_LOWDELAY = 0
>>         IPTOS_THROUGHPUT = 0
>>         SO_REUSEPORT = 0
>>         SO_SNDBUF = 19800
>>         SO_RCVBUF = 87380
>>         SO_SNDLOWAT = 1
>>         SO_RCVLOWAT = 1
>>         SO_SNDTIMEO = 0
>>         SO_RCVTIMEO = 0
>>         TCP_QUICKACK = 1
>>         TCP_DEFER_ACCEPT = 0
>>  session request ok
>> Doing spnego session setup (blob length=88)
>> got OID=1.2.840.48018.1.2.2
>> got OID=1.2.840.113554.1.2.2
>> got OID=1.2.840.113554.1.2.2.3
>> got OID=1.3.6.1.4.1.311.2.2.10
>> got principal=adir$@TEST.LOCAL
>> cli_session_setup_spnego: using target hostname not SPNEGO principal
>> kerberos_get_default_realm_from_ccache: Trying to read krb5 cache: FILE:/tmp/krb5cc_0
>> cli_session_setup_spnego: guessed server principal=cifs/ADIR at TEST.LOCAL
>> Doing kerberos session setup
>> ads_krb5_mk_req: Advancing clock by 67 seconds to cope with clock skew
>> ads_cleanup_expired_creds: Ticket in ccache[FILE:/tmp/krb5cc_0] expiration Fri, 01 Apr 2016 22:28:49 IST
>> OS=[Windows Server 2003 3790 Service Pack 2] Server=[Windows Server 2003 5.2]
>>  session setup ok
>>  tconx ok
>>         Sharename       Type      Comment
>>         ---------       ----      -------
>> GENSEC backend 'gssapi_spnego' registered
>> GENSEC backend 'gssapi_krb5' registered
>> GENSEC backend 'gssapi_krb5_sasl' registered
>> GENSEC backend 'spnego' registered
>> GENSEC backend 'schannel' registered
>> GENSEC backend 'naclrpc_as_system' registered
>> GENSEC backend 'sasl-EXTERNAL' registered
>> GENSEC backend 'ntlmssp' registered
>> GENSEC backend 'http_basic' registered
>> GENSEC backend 'http_ntlm' registered
>> GENSEC backend 'krb5' registered
>> GENSEC backend 'fake_gssapi_krb5' registered
>> Bind RPC Pipe: host ADIR auth_type 0, auth_level 1
>> rpc_api_pipe: host ADIR
>> rpc_read_send: data_to_read: 52
>> check_bind_response: accepted!
>> rpc_api_pipe: host ADIR
>> rpc_read_send: data_to_read: 520
>>         IPC$            IPC       Remote IPC
>>         C$              Disk      Default share
>>         NETLOGON        Disk      Logon server share
>>         ADMIN$          Disk      Remote Admin
>>         Dashboard       Disk
>>         SYSVOL          Disk      Logon server share
>> sitename_fetch: No stored sitename for TEST.LOCAL
>> name ADIR#20 found.
>> Connecting to 10.133.140.66 at port 139
>> Socket options:
>>         SO_KEEPALIVE = 0
>>         SO_REUSEADDR = 0
>>         SO_BROADCAST = 0
>>         TCP_NODELAY = 1
>>         TCP_KEEPCNT = 9
>>         TCP_KEEPIDLE = 7200
>>         TCP_KEEPINTVL = 75
>>         IPTOS_LOWDELAY = 0
>>         IPTOS_THROUGHPUT = 0
>>         SO_REUSEPORT = 0
>>         SO_SNDBUF = 19800
>>         SO_RCVBUF = 87380
>>         SO_SNDLOWAT = 1
>>         SO_RCVLOWAT = 1
>>         SO_SNDTIMEO = 0
>>         SO_RCVTIMEO = 0
>>         TCP_QUICKACK = 1
>>         TCP_DEFER_ACCEPT = 0
>>  session request ok
>> Doing spnego session setup (blob length=88)
>> got OID=1.2.840.48018.1.2.2
>> got OID=1.2.840.113554.1.2.2
>> got OID=1.2.840.113554.1.2.2.3
>> got OID=1.3.6.1.4.1.311.2.2.10
>> got principal=adir$@TEST.LOCAL
>> cli_session_setup_spnego: using target hostname not SPNEGO principal
>> kerberos_get_default_realm_from_ccache: Trying to read krb5 cache: FILE:/tmp/krb5cc_0
>> cli_session_setup_spnego: guessed server principal=cifs/ADIR at TEST.LOCAL
>> Doing kerberos session setup
>> ads_krb5_mk_req: Advancing clock by 67 seconds to cope with clock skew
>> ads_cleanup_expired_creds: Ticket in ccache[FILE:/tmp/krb5cc_0] expiration Fri, 01 Apr 2016 22:28:49 IST
>> OS=[Windows Server 2003 3790 Service Pack 2] Server=[Windows Server 2003 5.2]
>>  session setup ok
>>  tconx ok
>>         Server               Comment
>>         ---------            -------
>>         Workgroup            Master
>>         ---------            -------
>>
>>
>> Thanks,
>> Paul
>
>
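
A pre-flight check for the behaviour discussed in this thread, as an added example that is not part of the original posts: it reads `klist` output and tells you whether the cached ticket actually belongs to the user you intend to pass with `-U` before you run `smbclient -k`. The function names and both sample inputs are constructed for illustration, and the `klist` layout assumed is the MIT Kerberos one.

```shell
#!/bin/sh
# Added example: confirm whose ticket "smbclient -k" will use before relying on -U.

# Print the default principal from `klist` output supplied on stdin.
ccache_principal() {
    sed -n 's/^Default principal: *//p' | head -n 1
}

# Return 0 if the cached principal's user part equals the intended user,
# 1 if it belongs to someone else, 2 if there is no ticket at all.
# Usage: klist 2>/dev/null | ticket_matches_user test123
ticket_matches_user() {
    want=$1
    princ=$(ccache_principal)
    [ -n "$princ" ] || return 2          # no ticket cache: -k has nothing to use
    have=${princ%%@*}                    # strip the @REALM suffix
    # Assumption: user names are compared case-insensitively, as AD treats them.
    [ "$(printf %s "$have" | tr '[:upper:]' '[:lower:]')" = \
      "$(printf %s "$want" | tr '[:upper:]' '[:lower:]')" ]
}

# Report which session setup a saved `smbclient -d 5` log (stdin) shows.
session_setup_kind() {
    if grep -q '^Doing kerberos session setup'; then
        echo kerberos
    else
        echo other
    fi
}

# Constructed sample: klist output after "kinit nagaraj" in realm TEST.LOCAL.
SAMPLE_KLIST='Ticket cache: FILE:/tmp/krb5cc_0
Default principal: nagaraj@TEST.LOCAL

Valid starting     Expires            Service principal
04/01/16 12:28:49  04/01/16 22:28:49  krbtgt/TEST.LOCAL@TEST.LOCAL'

# Constructed sample: three lines in the format of the debug log in the thread.
SAMPLE_LOG='Doing spnego session setup (blob length=88)
Doing kerberos session setup
 session setup ok'

if printf '%s\n' "$SAMPLE_KLIST" | ticket_matches_user test123; then
    echo "ticket belongs to test123"
else
    echo "ticket is for $(printf '%s\n' "$SAMPLE_KLIST" | ccache_principal), not test123"
fi
```

On a live host, pipe the real `klist` output into `ticket_matches_user` and run `kdestroy` followed by `kinit` for the intended user when it returns 1.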
