[Samba] ef205f6b52e "s3:gse: get an explicit ccache_name" breaks kerberos auth in smbclient

Michael Tokarev mjt at tls.msk.ru
Tue Dec 31 20:49:22 UTC 2024


FWIW, samba 4.20 broke kerberos auth in smbclient.  Namely, this commit:

commit ef205f6b52ea1fec13e647e15e4f3edf536fd93e
Author: Stefan Metzmacher <metze at samba.org>
Date:   Thu Apr 14 15:23:13 2022 +0200

     s3:gse: get an explicit ccache_name from creds and kinit if required

     This means we may call kinit multiple times for now,
     but we'll remove the kinit from the callers soon.


Before this one (using kinit):

   $ smbclient -U mjt at TLS.MSK.RU -N //tsrv/mjt
   Try "help" to get a list of possible commands.
   smb: \>

After this commit:

   $ smbclient -U mjt at TLS.MSK.RU -N //tsrv/mjt -d5
   ...
   gensec_gse_client_prepare_ccache: No password for user principal[mjt at TLS.MSK.RU]
   Failed to start GENSEC client mech gse_krb5: NT_STATUS_INVALID_PARAMETER
   ...
   session setup failed: NT_STATUS_LOGON_FAILURE

This is still happening in current master.

I guess this wasn't an intended behavior :)

Thanks,

/mjt



More information about the samba mailing list