[Samba] smbclient with kerberos

Stefan Kania stefan at kania-online.de
Sat Nov 13 15:43:56 UTC 2021 


Am 13.11.21 um 16:32 schrieb Rowland Penny via samba:
> On Sat, 2021-11-13 at 16:25 +0100, Stefan Kania via samba wrote:
>> 	Error verifying signature: parse error
>> --------------ms070005030707000005080303
>> Content-Type: text/plain; charset=utf-8
>> Content-Language: en-US
>> Content-Transfer-Encoding: quoted-printable
>>
>> I just tested the following:
>> smb.conf
>> =2E..
>> client use kerberos =3D required
>> =2E..
>>
>> root at addc01:~# klist
>> klist: No ticket file: /tmp/krb5cc_0
>>
>> root at addc01:~# smbclient -L addc01 -U administrator
>> Password for [EXAMPLE\administrator]:
>>
>>         Sharename       Type      Comment
>>         ---------       ----      -------
>>         sysvol          Disk
>>         netlogon        Disk
>>         IPC$            IPC       IPC Service (Samba 4.15.1-Debian)
>> SMB1 disabled -- no workgroup available
>>
>> root at addc01:~# klist
>> klist: No ticket file: /tmp/krb5cc_0
>>
>> So using smbclient without Kerberos is still possible if "client use
>> kerberos =3D required" is set. As I understand the manpage, it should
>> not=
>>
>> be possible to authenticate via password (NTLM).
>>
>> Only an anonymous use of smbclient is not working:
>> root at addc01:~# smbclient -L addc01
>> Password for [EXAMPLE\root]:RETURN
>> gensec_spnego_client_negTokenInit_step: Could not find a suitable
>> mechtype in NEG_TOKEN_INIT
>> session setup failed: NT_STATUS_INVALID_PARAMETER
>>
>> What did I miss?
> 
> A big 'N' :-)
> 
> smbclient -NL addc01

The result is the same:
---------------------
root at addc01:~# smbclient -NL addc01
gensec_spnego_client_negTokenInit_step: Could not find a suitable
mechtype in NEG_TOKEN_INIT
session setup failed: NT_STATUS_INVALID_PARAMETER

---------------------
This is exactly what I expected. BUT I also expected when doing a:
smbclient -L addc01 -U administrator

and there is no ticket for the administrator and "client use kerbers =
required" is set, that no result is shown, only a an errormessage
pointing to no Ticket. That how I understand "client use kerberos =
required"


> 
> Rowland
> 
> 
> 

-- 
Stefan Kania
Landweg 13
25693 St. Michaelisdonn


Signieren jeder E-Mail hilft Spam zu reduzieren und schützt Ihre
Privatsphäre. Ein kostenfreies Zertifikat erhalten Sie unter
https://www.dgn.de/dgncert/index.html

More information about the samba mailing list