[Samba] ef205f6b52e "s3:gse: get an explicit ccache_name" breaks kerberos auth in smbclient

Rowland Penny rpenny at samba.org
Tue Dec 31 22:06:55 UTC 2024


On Tue, 31 Dec 2024 23:49:22 +0300
Michael Tokarev via samba <samba at lists.samba.org> wrote:

> FWIW, samba 4.20 broke kerberos auth in smbclient.  Namely, this
> commit:
> 
> commit ef205f6b52ea1fec13e647e15e4f3edf536fd93e
> Author: Stefan Metzmacher <metze at samba.org>
> Date:   Thu Apr 14 15:23:13 2022 +0200
> 
>      s3:gse: get an explicit ccache_name from creds and kinit if
> required
> 
>      This means we may call kinit multiple times for now,
>      but we'll remove the kinit from the callers soon.
> 
> 
> Before this one (using kinit):
> 
>    $ smbclient -U mjt at TLS.MSK.RU -N //tsrv/mjt
>    Try "help" to get a list of possible commands.
>    smb: \>
> 
> After this commit:
> 
>    $ smbclient -U mjt at TLS.MSK.RU -N //tsrv/mjt -d5
>    ...
>    gensec_gse_client_prepare_ccache: No password for user
> principal[mjt at TLS.MSK.RU] Failed to start GENSEC client mech
> gse_krb5: NT_STATUS_INVALID_PARAMETER ...
>    session setup failed: NT_STATUS_LOGON_FAILURE
> 
> This is still happening in current master.
> 
> I guess this wasn't an intended behavior :)
> 

I think it is, try removing the '-N' and then typing in the users
password.

From 'smbclient --help':

-N, --no-pass                                Don't ask for a password

It is:

--use-kerberos=desired|required|off      Use Kerberos authentication

for kerberos.

Rowland



More information about the samba mailing list