[Samba] ef205f6b52e "s3:gse: get an explicit ccache_name" breaks kerberos auth in smbclient
Stefan Metzmacher
metze at samba.org
Wed Jan 1 07:43:48 UTC 2025
On 31.12.24 at 21:49, Michael Tokarev wrote:
> FWIW, samba 4.20 broke kerberos auth in smbclient. Namely, this commit:
>
> commit ef205f6b52ea1fec13e647e15e4f3edf536fd93e
> Author: Stefan Metzmacher <metze at samba.org>
> Date: Thu Apr 14 15:23:13 2022 +0200
>
> s3:gse: get an explicit ccache_name from creds and kinit if required
>
> This means we may call kinit multiple times for now,
> but we'll remove the kinit from the callers soon.
>
>
> Before this one (using kinit):
>
> $ smbclient -U mjt@TLS.MSK.RU -N //tsrv/mjt
> Try "help" to get a list of possible commands.
> smb: \>
>
> After this commit:
>
> $ smbclient -U mjt@TLS.MSK.RU -N //tsrv/mjt -d5
> ...
> gensec_gse_client_prepare_ccache: No password for user principal[mjt@TLS.MSK.RU]
> Failed to start GENSEC client mech gse_krb5: NT_STATUS_INVALID_PARAMETER
> ...
> session setup failed: NT_STATUS_LOGON_FAILURE
>
> This is still happening in current master.
>
> I guess this wasn't an intended behavior :)
No, this is wanted.
Currently this should work:
  smbclient //tsrv/mjt -k -d5
With a valid KRB5CCNAME envvar this would also work:
  smbclient //tsrv/mjt --use-krb5-ccache=$KRB5CCNAME -d5
We'll hopefully get a --use-default-krb5-ccache option in future,
which will replace the legacy -k option.
metze
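
Added example, not part of the original message and not Samba code: a shell helper that picks between the two invocations given in the reply and, for a FILE: credential cache, checks that the cache exists and is not accessible to other users before handing it to smbclient. The function names and the permission check are assumptions of this example.

```sh
#!/bin/sh
# Added example (not Samba code): choose the smbclient Kerberos option from the
# reply above and sanity-check a FILE: credential cache before using it.

# Print the option to hand to smbclient; return 1 if the ccache looks unusable.
krb5_smbclient_opt() {
    if [ -z "${KRB5CCNAME:-}" ]; then
        # No explicit cache named: fall back to the reply's legacy -k form.
        printf '%s\n' "-k"
        return 0
    fi
    case "$KRB5CCNAME" in
        FILE:*) _cc_path=${KRB5CCNAME#FILE:} ;;
        /*)     _cc_path=$KRB5CCNAME ;;   # a bare path is treated as FILE:
        *)      _cc_path= ;;              # KEYRING:, KCM:, ...: no file to inspect
    esac
    if [ -n "$_cc_path" ]; then
        if [ ! -f "$_cc_path" ]; then
            echo "ccache $_cc_path does not exist; run kinit first" >&2
            return 1
        fi
        # Tickets are bearer credentials: refuse a cache with group/other bits set.
        _cc_mode=$(ls -ld -- "$_cc_path" | cut -c5-10)
        if [ "$_cc_mode" != "------" ]; then
            echo "ccache $_cc_path is accessible to other users (chmod 600 it)" >&2
            return 1
        fi
    fi
    printf '%s\n' "--use-krb5-ccache=$KRB5CCNAME"
}

# Hypothetical wrapper: smbclient_krb5 //server/share [other smbclient options]
smbclient_krb5() {
    _cc_opt=$(krb5_smbclient_opt) || return 1
    smbclient "$@" "$_cc_opt"
}
```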