samba - Nov 2021 - smbclient with kerberos

Hi to all,

after some work at home and in the garden, I now have time to test 4.15 :-)
I try the new smbtools with smbclient. In older versions I did a
--------------
kinit user
smbclient -L addc01.example.net -k
---------------
And I was not ask for my password again, like I expected. He it's
kerberos it's single sign on.

With 4.15 I do
-------------
kinit user
smbclient -L addc01.example.net -k
-------------
And I was asked for my password. I read in the releasenode that some
parameters are removed, but not "-k". I then looked in the manpage of
smb.conf an fond the parameter
 client use kerberos
The default is to use Kerberos if present. BUT how? I want single sign
on when a Kerberos-ticket exists.

If I set "client use kerberos = required" that works, without a
Kerberos-ticket I can't uses smbclient anymore, but still need to type
my password.

So how can in ,again, use smbclient together with Kerberos and single
sign on?

BTW. the Option "-k" is no longer mentioned in the manpage of
"smbclient" but is not mentioned in the releasenode as "removed
option"



Stefan

On 11/12/21 1:01 PM, Stefan Kania via samba wrote:
> Hi to all,
> 
> after some work at home and in the garden, I now have time to test 4.15 :-)
> I try the new smbtools with smbclient. In older versions I did a
> --------------
> kinit user
> smbclient -L addc01.example.net -k
> ---------------
> And I was not ask for my password again, like I expected. He it's
> kerberos it's single sign on.
> 
> With 4.15 I do
> -------------
> kinit user
> smbclient -L addc01.example.net -k
> -------------
> And I was asked for my password. I read in the releasenode that some
> parameters are removed, but not "-k". I then looked in the
manpage of
> smb.conf an fond the parameter
>   client use kerberos
> The default is to use Kerberos if present. BUT how? I want single sign
> on when a Kerberos-ticket exists.
> 
> If I set "client use kerberos = required" that works, without a
> Kerberos-ticket I can't uses smbclient anymore, but still need to type
> my password.
> 
> So how can in ,again, use smbclient together with Kerberos and single
> sign on?
> 
> BTW. the Option "-k" is no longer mentioned in the manpage of
> "smbclient" but is not mentioned in the releasenode as
"removed option"
Doesn't matter if you use new or old switches, I just add the -N now.  It
asks
for the password without the -N but ignores whatever you put there.

I just tested the following:
smb.conf
...
client use kerberos = required
...

root at addc01:~# klist
klist: No ticket file: /tmp/krb5cc_0

root at addc01:~# smbclient -L addc01 -U administrator
Password for [EXAMPLE\administrator]:

        Sharename       Type      Comment
        ---------       ----      -------
        sysvol          Disk
        netlogon        Disk
        IPC$            IPC       IPC Service (Samba 4.15.1-Debian)
SMB1 disabled -- no workgroup available

root at addc01:~# klist
klist: No ticket file: /tmp/krb5cc_0

So using smbclient without Kerberos is still possible if "client use
kerberos = required" is set. As I understand the manpage, it should not
be possible to authenticate via password (NTLM).

Only an anonymous use of smbclient is not working:
root at addc01:~# smbclient -L addc01
Password for [EXAMPLE\root]:RETURN
gensec_spnego_client_negTokenInit_step: Could not find a suitable
mechtype in NEG_TOKEN_INIT
session setup failed: NT_STATUS_INVALID_PARAMETER

What did I miss?


Am 12.11.21 um 20:01 schrieb Stefan Kania via samba:
> Hi to all,
> 
> after some work at home and in the garden, I now have time to test 4.15 :-)
> I try the new smbtools with smbclient. In older versions I did a
> --------------
> kinit user
> smbclient -L addc01.example.net -k
> ---------------
> And I was not ask for my password again, like I expected. He it's
> kerberos it's single sign on.
> 
> With 4.15 I do
> -------------
> kinit user
> smbclient -L addc01.example.net -k
> -------------
> And I was asked for my password. I read in the releasenode that some
> parameters are removed, but not "-k". I then looked in the
manpage of
> smb.conf an fond the parameter
>  client use kerberos
> The default is to use Kerberos if present. BUT how? I want single sign
> on when a Kerberos-ticket exists.
> 
> If I set "client use kerberos = required" that works, without a
> Kerberos-ticket I can't uses smbclient anymore, but still need to type
> my password.
> 
> So how can in ,again, use smbclient together with Kerberos and single
> sign on?
> 
> BTW. the Option "-k" is no longer mentioned in the manpage of
> "smbclient" but is not mentioned in the releasenode as
"removed option"
> 
> 
> 
> Stefan
> 
> 
> 
> 
-- 
Stefan Kania
Landweg 13
25693 St. Michaelisdonn


Signieren jeder E-Mail hilft Spam zu reduzieren und sch?tzt Ihre
Privatsph?re. Ein kostenfreies Zertifikat erhalten Sie unter
https://www.dgn.de/dgncert/index.html