[Samba] smbclient and Kerberos authentication

Rowland Penny rpenny at samba.org
Fri Dec 20 19:44:50 UTC 2024 

On Fri, 20 Dec 2024 20:16:21 +0100
Stefan Kania via samba <samba at lists.samba.org> wrote:

> Hi to all,
> 
> I''m just writing the next version of the german Samba-book and I'm
> just testing smbclient so when I'm do:
> ---------------------
> root at dc01:~# smbclient -L cluster
> Password for [EXAMPLE\root]:
> Anonymous login successful
> 
>          Sharename       Type      Comment
>          ---------       ----      -------
>          IPC$            IPC       IPC Service (Samba 
> 4.21.2-Debian-4.21.2+dfsg-3~bpo12+1)
>          admin-share     Disk      admin share auf dem Cluster
>          daten1          Disk      Mit glusterfs_fuse
> SMB1 disabled -- no workgroup available
> -------------------
> I'm getting the result with anonymous access. That's ok. Then I do:
> ------------------
> root at dc01:~# kinit administrator
> administrator at EXAMPLE.NET's Password:
> 
> root at dc01:~# smbclient -L cluster -N
> Anonymous login successful
> 
>          Sharename       Type      Comment
>          ---------       ----      -------
>          IPC$            IPC       IPC Service (Samba 
> 4.21.2-Debian-4.21.2+dfsg-3~bpo12+1)
>          admin-share     Disk      admin share auf dem Cluster
>          daten1          Disk      Mit glusterfs_fuse
> SMB1 disabled -- no workgroup available
> ---------------
> smbclient is telling my it's still an anonymous access. So I try
> giving the wrong password
> 
> ----------------
> root at dc01:~# smbclient -L cluster
> Password for [administrator at EXAMPLE.NET]:
> Anonymous login successful
> 
>          Sharename       Type      Comment
>          ---------       ----      -------
>          IPC$            IPC       IPC Service (Samba 
> 4.21.2-Debian-4.21.2+dfsg-3~bpo12+1)
>          admin-share     Disk      admin share auf dem Cluster
>          daten1          Disk      Mit glusterfs_fuse
> SMB1 disabled -- no workgroup available
> 
> ----------------
> 
> Giving the right password I got:
> ----------------
> root at dc01:~# smbclient -L cluster
> Password for [administrator at EXAMPLE.NET]:
> 
>          Sharename       Type      Comment
>          ---------       ----      -------
>          IPC$            IPC       IPC Service (Samba 
> 4.21.2-Debian-4.21.2+dfsg-3~bpo12+1)
>          admin-share     Disk      admin share auf dem Cluster
>          daten1          Disk      Mit glusterfs_fuse
> SMB1 disabled -- no workgroup available
> 
> ----------------
> That should work with the Kerberos-ticket. But it's not and I don't
> get an CIFS-Ticket either.
> 
> With the next text I do
> ----------------
> root at dc01:~# smbclient -L cluster -k
> WARNING: The option -k|--kerberos is deprecated!
> 
>          Sharename       Type      Comment
>          ---------       ----      -------
>          IPC$            IPC       IPC Service (Samba 
> 4.21.2-Debian-4.21.2+dfsg-3~bpo12+1)
>          admin-share     Disk      admin share auf dem Cluster
>          daten1          Disk      Mit glusterfs_fuse
> SMB1 disabled -- no workgroup available
> 
> ----------------
> Yes Kerberos-authentication is working "klist" is showing a
> CIFS-ticket. "-k" is deprecated, but without "-k" no
> Kerberos-Authentication is used. Did I miss something? Or another bug?
> 

Did you miss the output of 'smbclient --help' ?

'-k' is now '--use-kerberos=required'.

You have to tell smbclient to use kerberos before it will use kerberos.

Rowland

More information about the samba mailing list