[Samba] smbclient with kerberos

Rowland Penny rpenny at samba.org
Sat Nov 13 15:13:55 UTC 2021


On Sat, 2021-11-13 at 15:59 +0100, Stefan Kania via samba wrote:
> 
> On 12.11.21 at 22:18, Christopher Cox via samba wrote:
> > On 11/12/21 1:01 PM, Stefan Kania via samba wrote:
> > > Hi to all,
> > > 
> > > after some work at home and in the garden, I now have time to test
> > > 4.15 :-)
> > > I try the new smbtools with smbclient. In older versions I did a
> > > --------------
> > > kinit user
> > > smbclient -L addc01.example.net -k
> > > ---------------
> > > And I was not asked for my password again, like I expected. Hey, it's
> > > Kerberos, it's single sign on.
> > > 
> > > With 4.15 I do
> > > -------------
> > > kinit user
> > > smbclient -L addc01.example.net -k
> > > -------------
> > > And I was asked for my password. I read in the release notes that some
> > > parameters are removed, but not "-k". I then looked in the manpage of
> > > smb.conf and found the parameter
> > >   client use kerberos
> > > The default is to use Kerberos if present. BUT how? I want single sign
> > > on when a Kerberos ticket exists.
> > > 
> > > If I set "client use kerberos = required" that works, without a
> > > Kerberos ticket I can't use smbclient anymore, but still need to type
> > > my password.
> > > 
> > > So how can I, again, use smbclient together with Kerberos and single
> > > sign on?
> > > 
> > > BTW, the option "-k" is no longer mentioned in the manpage of
> > > "smbclient" but is not mentioned in the release notes as "removed option"
> > 
> > Doesn't matter if you use new or old switches, I just add the -N now.
> > It asks for the password without the -N but ignores whatever you put there.
> 
> WOW, that makes sense. So I do:
> kinit user
> smbclient -L hostname
> Password for [user at EXAMPLE.NET]: anything
> and it works
> 
> So why ask for the password at all? Security by obscurity!
> 
> And why is "-k" not in the list of removed options?

But it is, just not explicitly, if you look here:

https://wiki.samba.org/index.php/Samba_4.15_Features_added/changed

Under 'Common parser' there is:

Options renamed:

--kerberos       ->    --use-kerberos=required|desired|off

The short version of '--kerberos' is '-k'

Rowland




