[Samba] smbclient with kerberos

Stefan Kania stefan at kania-online.de
Sat Nov 13 14:59:21 UTC 2021

Am 12.11.21 um 22:18 schrieb Christopher Cox via samba:
> On 11/12/21 1:01 PM, Stefan Kania via samba wrote:
>> Hi to all,
>> after some work at home and in the garden, I now have time to test
>> 4.15 :-)
>> I try the new smbtools with smbclient. In older versions I did a
>> --------------
>> kinit user
>> smbclient -L addc01.example.net -k
>> ---------------
>> And I was not ask for my password again, like I expected. He it's
>> kerberos it's single sign on.
>> With 4.15 I do
>> -------------
>> kinit user
>> smbclient -L addc01.example.net -k
>> -------------
>> And I was asked for my password. I read in the releasenode that some
>> parameters are removed, but not "-k". I then looked in the manpage of
>> smb.conf an fond the parameter
>>   client use kerberos
>> The default is to use Kerberos if present. BUT how? I want single sign
>> on when a Kerberos-ticket exists.
>> If I set "client use kerberos = required" that works, without a
>> Kerberos-ticket I can't uses smbclient anymore, but still need to type
>> my password.
>> So how can in ,again, use smbclient together with Kerberos and single
>> sign on?
>> BTW. the Option "-k" is no longer mentioned in the manpage of
>> "smbclient" but is not mentioned in the releasenode as "removed option"
> Doesn't matter if you use new or old switches, I just add the -N now. 
> It asks for the password without the -N but ignores whatever you put there.

WOW, that make sense. So I do:
kinit user
smbclient -L hostname
Password for [user at EXAMPLE.NET]: anything
and it works

So why ask for the password at all? Security by obscurity!

And why is "-k" not in the list of removed options?

More information about the samba mailing list