[Samba] ef205f6b52e "s3:gse: get an explicit ccache_name" breaks kerberos auth in smbclient
Rowland Penny
rpenny at samba.org
Tue Dec 31 22:06:55 UTC 2024
On Tue, 31 Dec 2024 23:49:22 +0300
Michael Tokarev via samba <samba at lists.samba.org> wrote:
> FWIW, samba 4.20 broke kerberos auth in smbclient. Namely, this
> commit:
>
> commit ef205f6b52ea1fec13e647e15e4f3edf536fd93e
> Author: Stefan Metzmacher <metze at samba.org>
> Date: Thu Apr 14 15:23:13 2022 +0200
>
> s3:gse: get an explicit ccache_name from creds and kinit if
> required
>
> This means we may call kinit multiple times for now,
> but we'll remove the kinit from the callers soon.
>
>
> Before this one (using kinit):
>
> $ smbclient -U mjt at TLS.MSK.RU -N //tsrv/mjt
> Try "help" to get a list of possible commands.
> smb: \>
>
> After this commit:
>
> $ smbclient -U mjt at TLS.MSK.RU -N //tsrv/mjt -d5
> ...
> gensec_gse_client_prepare_ccache: No password for user
> principal[mjt at TLS.MSK.RU] Failed to start GENSEC client mech
> gse_krb5: NT_STATUS_INVALID_PARAMETER ...
> session setup failed: NT_STATUS_LOGON_FAILURE
>
> This is still happening in current master.
>
> I guess this wasn't an intended behavior :)
>
I think it is, try removing the '-N' and then typing in the users
password.
From 'smbclient --help':
-N, --no-pass Don't ask for a password
It is:
--use-kerberos=desired|required|off Use Kerberos authentication
for kerberos.
Rowland
More information about the samba
mailing list