[Samba] smbclient with kerberos

Rowland Penny rpenny at samba.org
Sat Nov 13 15:57:02 UTC 2021


On Sat, 2021-11-13 at 15:44 +0000, Rowland Penny via samba wrote:
> On Sat, 2021-11-13 at 16:25 +0100, Stefan Kania via samba wrote:
> > I just tested the following:
> > smb.conf
> > ...
> > client use kerberos = required
> > ...
> > 
> > root@addc01:~# klist
> > klist: No ticket file: /tmp/krb5cc_0
> > 
> > root@addc01:~# smbclient -L addc01 -U administrator
> > Password for [EXAMPLE\administrator]:
> > 
> >         Sharename       Type      Comment
> >         ---------       ----      -------
> >         sysvol          Disk
> >         netlogon        Disk
> >         IPC$            IPC       IPC Service (Samba 4.15.1-Debian)
> > SMB1 disabled -- no workgroup available
> > 
> > root@addc01:~# klist
> > klist: No ticket file: /tmp/krb5cc_0
> > 
> > So using smbclient without Kerberos is still possible if "client use
> > kerberos = required" is set. As I understand the manpage, it should not
> > be possible to authenticate via password (NTLM).
> > 
> > Only an anonymous use of smbclient is not working:
> > root@addc01:~# smbclient -L addc01
> > Password for [EXAMPLE\root]:RETURN
> > gensec_spnego_client_negTokenInit_step: Could not find a suitable
> > mechtype in NEG_TOKEN_INIT
> > session setup failed: NT_STATUS_INVALID_PARAMETER
> 
> Of course, now I peer very closely at the above, I notice something,
> why is 'EXAMPLE\root' being asked for a password? root should not be
> in your domain, it should be mapped to the domain Administrator. I get
> this:
> 
> smbclient -L rpidc1
> Password for [Administrator@SAMDOM.EXAMPLE.COM]:
> Anonymous login successful
> 
> Rowland

I realised that I was carrying out these tests on systems running pre
the latest releases and when I tried the tests on my only system
running the latest release, it doesn't work and I get DOMAIN\root. I
think that the fix for CVE-2020-25717 (A user in an AD Domain could
become root on domain members) has broken usermaps.

Did someone forget that it might be an idea to allow Administrator to
be mapped to root?

Rowland





