Kerberos and Samba client tools

Rowland Penny rpenny at samba.org
Wed May 22 15:11:07 UTC 2019


On 22/05/2019 15:52, Steve French via samba-technical wrote:
> I was noticing that the username and/or password seems to be ignored
> in different (and possibly confusing to users) ways on various client
> tools (smbcacls and smbclient for example) when you specify -k (for
> Kerberos authentication).
>
> For example if you do:
>
> kinit gooduser
> then
> a) smbclient //server/share -k      (works)
> b) smbclient //server/share -k -U gooduser (works)
> c) smbclient //server/share -k -U gooduser%password (fails with
> "Preauthentication failed", ignores the -k for kerberos presumably and
> tries to authenticate)
> d) smbclient //server/share -k -U baduser (surprisingly works - probably bug)
> e) smbclient //server/share -k -U baduser%password (fails with "client
> not found in Kerberos database" - this is probably confusing given
> that the example without the password worked)
>
> And to make it more confusing smbcacls behavior is different:
> a) smbcacls //server/share file -k
> b) smbcacls //server/share file -k -U baduser
> c) smbcacls //server/share file -k U baduser%password
>
> All work (unlike the equivalent cases in smbclient)
>
> We probably need to figure out what behavior is expected - probably that either
> 1) warn if you specify -U and -k together (since smbcacls ignores it apparently)
> or
> 2) actually use the -U when -k is specified to look for that specific
> user in the kerberos credential cache, and if not found to prompt the
> user for the kerberos password so we can authenticate (kinit or
> equivalent) to Active Directory
>
You forgot 'samba-tool' and the ldb tools (ldbsearch etc) where it is 
'-k yes'

Rowland
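
Added example, not part of the original thread or of Samba's code: a shell sketch of the warning proposed as option 1 in the quoted message, narrowed to the case where `-U` names a different user than the ticket the cache holds (case d). The function names and the sample `klist` output are constructed for illustration; it assumes the MIT ("Default principal:") or Heimdal ("Principal:") `klist` header formats and compares user names exactly.

```shell
#!/bin/sh
# Hypothetical helpers (not Samba code): warn when the user passed with -U
# differs from the principal that -k would actually authenticate as.

# Read `klist` output on stdin and print the cache's principal.
# Handles MIT ("Default principal: u@R") and Heimdal ("  Principal: u@R").
ccache_principal() {
    sed -n -e 's/^Default principal: *//p' -e 's/^ *Principal: *//p' | head -n 1
}

# check_user_matches_ccache USER_ARG KLIST_OUTPUT
# USER_ARG is the value given to -U (user, user%password, DOMAIN\user, user@REALM).
# Returns 0 on match, 1 on mismatch, 2 if the cache shows no principal.
check_user_matches_ccache() {
    requested=${1%%\%*}           # drop "%password"
    requested=${requested##*\\}   # drop "DOMAIN\" prefix
    requested=${requested%%@*}    # drop "@REALM" suffix
    principal=$(printf '%s\n' "$2" | ccache_principal)
    if [ -z "$principal" ]; then
        echo "no Kerberos principal found in credential cache" >&2
        return 2
    fi
    # Assumption: exact, case-sensitive comparison of the user part.
    if [ "${principal%%@*}" != "$requested" ]; then
        echo "warning: -U $requested given, but -k would use the ticket for $principal" >&2
        return 1
    fi
    return 0
}

# Constructed sample of MIT klist output after "kinit gooduser".
SAMPLE_KLIST='Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: gooduser@EXAMPLE.COM

Valid starting       Expires              Service principal
05/22/2019 15:00:00  05/23/2019 01:00:00  krbtgt/EXAMPLE.COM@EXAMPLE.COM'

# Demo on the constructed sample: case (e) from the thread prints the warning.
check_user_matches_ccache 'baduser%password' "$SAMPLE_KLIST" || true

# Real use (needs a Kerberos client installed):
#   check_user_matches_ccache "$user" "$(klist 2>/dev/null)" && smbclient //server/share -k
```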
