[Samba] ef205f6b52e "s3:gse: get an explicit ccache_name" breaks kerberos auth in smbclient

Stefan Metzmacher metze at samba.org
Wed Jan 1 07:43:48 UTC 2025


On 31.12.24 at 21:49, Michael Tokarev wrote:
> FWIW, samba 4.20 broke kerberos auth in smbclient.  Namely, this commit:
> 
> commit ef205f6b52ea1fec13e647e15e4f3edf536fd93e
> Author: Stefan Metzmacher <metze at samba.org>
> Date:   Thu Apr 14 15:23:13 2022 +0200
> 
>      s3:gse: get an explicit ccache_name from creds and kinit if required
> 
>      This means we may call kinit multiple times for now,
>      but we'll remove the kinit from the callers soon.
> 
> 
> Before this one (using kinit):
> 
>    $ smbclient -U mjt at TLS.MSK.RU -N //tsrv/mjt
>    Try "help" to get a list of possible commands.
>    smb: \>
> 
> After this commit:
> 
>    $ smbclient -U mjt at TLS.MSK.RU -N //tsrv/mjt -d5
>    ...
>    gensec_gse_client_prepare_ccache: No password for user principal[mjt at TLS.MSK.RU]
>    Failed to start GENSEC client mech gse_krb5: NT_STATUS_INVALID_PARAMETER
>    ...
>    session setup failed: NT_STATUS_LOGON_FAILURE
> 
> This is still happening in current master.
> 
> I guess this wasn't an intended behavior :)

No, this is wanted.

Currently this should work:

smbclient //tsrv/mjt -k -d5

With a valid KRB5CCNAME envvar this would also work:

smbclient //tsrv/mjt --use-krb5-ccache=$KRB5CCNAME -d5

We'll hopefully get a --use-default-krb5-ccache option in future,
which will replace the legacy -k option.

metze
