[Samba] smbclient with kerberos

Rowland Penny rpenny at samba.org
Sat Nov 13 15:44:00 UTC 2021


On Sat, 2021-11-13 at 16:25 +0100, Stefan Kania via samba wrote:
> I just tested the following:
> smb.conf
> ...
> client use kerberos = required
> ...
> 
> root at addc01:~# klist
> klist: No ticket file: /tmp/krb5cc_0
> 
> root at addc01:~# smbclient -L addc01 -U administrator
> Password for [EXAMPLE\administrator]:
> 
>         Sharename       Type      Comment
>         ---------       ----      -------
>         sysvol          Disk
>         netlogon        Disk
>         IPC$            IPC       IPC Service (Samba 4.15.1-Debian)
> SMB1 disabled -- no workgroup available
> 
> root at addc01:~# klist
> klist: No ticket file: /tmp/krb5cc_0
> 
> So using smbclient without Kerberos is still possible if "client use
> kerberos = required" is set. As I understand the manpage, it should not
> be possible to authenticate via password (NTLM).
> 
> Only an anonymous use of smbclient is not working:
> root at addc01:~# smbclient -L addc01
> Password for [EXAMPLE\root]:RETURN
> gensec_spnego_client_negTokenInit_step: Could not find a suitable
> mechtype in NEG_TOKEN_INIT
> session setup failed: NT_STATUS_INVALID_PARAMETER

Of course, now I peer very closely at the above, I notice something:
why is 'EXAMPLE\root' being asked for a password? root should not be
in your domain, it should be mapped to the domain Administrator. I get
this:

smbclient -L rpidc1
Password for [Administrator at SAMDOM.EXAMPLE.COM]:
Anonymous login successful

Rowland