I just tested the following:

smb.conf
...
client use kerberos = required
...

root@addc01:~# klist
klist: No ticket file: /tmp/krb5cc_0

root@addc01:~# smbclient -L addc01 -U administrator
Password for [EXAMPLE\administrator]:

        Sharename       Type      Comment
        ---------       ----      -------
        sysvol          Disk
        netlogon        Disk
        IPC$            IPC       IPC Service (Samba 4.15.1-Debian)
SMB1 disabled -- no workgroup available

root@addc01:~# klist
klist: No ticket file: /tmp/krb5cc_0

So using smbclient without Kerberos is still possible if "client use
kerberos = required" is set. As I understand the manpage, it should not
be possible to authenticate via password (NTLM).

Only an anonymous use of smbclient is not working:
root@addc01:~# smbclient -L addc01
Password for [EXAMPLE\root]:RETURN
gensec_spnego_client_negTokenInit_step: Could not find a suitable
mechtype in NEG_TOKEN_INIT
session setup failed: NT_STATUS_INVALID_PARAMETER

What did I miss?

On 12.11.21 at 20:01, Stefan Kania via samba wrote:
> Hi to all,
>
> after some work at home and in the garden, I now have time to test 4.15 :-)
> I try the new smbtools with smbclient. In older versions I did a
> --------------
> kinit user
> smbclient -L addc01.example.net -k
> ---------------
> And I was not asked for my password again, like I expected. Hey, it's
> Kerberos, it's single sign-on.
>
> With 4.15 I do
> -------------
> kinit user
> smbclient -L addc01.example.net -k
> -------------
> And I was asked for my password. I read in the release notes that some
> parameters are removed, but not "-k". I then looked in the manpage of
> smb.conf and found the parameter
> client use kerberos
> The default is to use Kerberos if present. BUT how? I want single sign
> on when a Kerberos ticket exists.
>
> If I set "client use kerberos = required" that works, without a
> Kerberos ticket I can't use smbclient anymore, but still need to type
> my password.
>
> So how can I, again, use smbclient together with Kerberos and single
> sign on?
>
> BTW, the option "-k" is no longer mentioned in the manpage of
> "smbclient" but is not mentioned in the release notes as a
> "removed option".
>
> Stefan
>
--
Stefan Kania
Landweg 13
25693 St. Michaelisdonn
Signing every e-mail helps to reduce spam and protects your
privacy. You can obtain a free certificate at
https://www.dgn.de/dgncert/index.html
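
One way to check from the server side which mechanism an SMB session actually used, rather than inferring it from the client's klist output: the sketch below is an added example, not part of the thread and not Samba project code. It assumes the server writes JSON authentication audit events (smb.conf "log level = 1 auth_json_audit:3"); the log lines, accounts and addresses are constructed.

```python
import json

# Constructed sample in the shape of Samba's JSON auth audit log lines.
# Assumption: the server runs with "log level = 1 auth_json_audit:3".
SAMPLE_LOG = """\
  JSON Authorization: {"timestamp": "2021-11-13T16:20:01+0100", "type": "Authorization", "Authorization": {"serviceDescription": "SMB2", "authType": "krb5", "domain": "EXAMPLE", "account": "administrator", "remoteAddress": "ipv4:192.0.2.10:40112"}}
  JSON Authorization: {"timestamp": "2021-11-13T16:21:37+0100", "type": "Authorization", "Authorization": {"serviceDescription": "SMB2", "authType": "NTLMSSP", "domain": "EXAMPLE", "account": "backup", "remoteAddress": "ipv4:192.0.2.11:51844"}}
  JSON Authorization: {"timestamp": "2021-11-13T16:22:05+0100", "type": "Authorization", "Authorization": {"serviceDescription": "LDAP", "authType": "simple bind", "domain": "EXAMPLE", "account": "ldapsvc", "remoteAddress": "ipv4:192.0.2.12:38020"}}
  JSON Authentication: {"timestamp": "2021-11-13T16:22:40+0100", "type": "Authentica
(constructed non-JSON log line)
"""


def smb_sessions(log_text):
    """Yield (account, authType, remoteAddress) for each SMB Authorization event."""
    for line in log_text.splitlines():
        start = line.find("{")
        if start < 0:
            continue  # not a JSON audit line
        try:
            event = json.loads(line[start:])
        except json.JSONDecodeError:
            continue  # truncated or interleaved log line
        if event.get("type") != "Authorization":
            continue  # only successful session authorizations are of interest
        authz = event.get("Authorization", {})
        if not str(authz.get("serviceDescription", "")).startswith("SMB"):
            continue  # ignore LDAP, RPC and other services
        account = "{}\\{}".format(authz.get("domain"), authz.get("account"))
        yield account, authz.get("authType"), authz.get("remoteAddress")


def non_kerberos_sessions(log_text):
    """SMB sessions the server authorized with anything other than Kerberos."""
    return [s for s in smb_sessions(log_text) if s[1] != "krb5"]


if __name__ == "__main__":
    for account, auth_type, remote in smb_sessions(SAMPLE_LOG):
        print(f"{account:24} {auth_type:10} {remote}")
    print("not Kerberos:", non_kerberos_sessions(SAMPLE_LOG))
```
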

On Sat, 2021-11-13 at 16:25 +0100, Stefan Kania via samba wrote:
> Only an anonymous use of smbclient is not working:
> root@addc01:~# smbclient -L addc01
> Password for [EXAMPLE\root]:RETURN
> gensec_spnego_client_negTokenInit_step: Could not find a suitable
> mechtype in NEG_TOKEN_INIT
> session setup failed: NT_STATUS_INVALID_PARAMETER
>
> What did I miss?

A big 'N' :-)

smbclient -NL addc01

Rowland

On Sat, 2021-11-13 at 16:25 +0100, Stefan Kania via samba wrote:
> Only an anonymous use of smbclient is not working:
> root@addc01:~# smbclient -L addc01
> Password for [EXAMPLE\root]:RETURN
> gensec_spnego_client_negTokenInit_step: Could not find a suitable
> mechtype in NEG_TOKEN_INIT
> session setup failed: NT_STATUS_INVALID_PARAMETER

Of course, now I peer very closely at the above, I notice something, why
is 'EXAMPLE\root' being asked for a password? root should not be in your
domain, it should be mapped to the domain Administrator.

I get this:

smbclient -L rpidc1
Password for [Administrator@SAMDOM.EXAMPLE.COM]:
Anonymous login successful

Rowland