Michael Tokarev
2024-Dec-31 20:49 UTC
[Samba] ef205f6b52e "s3:gse: get an explicit ccache_name" breaks kerberos auth in smbclient
FWIW, samba 4.20 broke kerberos auth in smbclient. Namely, this commit:

commit ef205f6b52ea1fec13e647e15e4f3edf536fd93e
Author: Stefan Metzmacher <metze at samba.org>
Date:   Thu Apr 14 15:23:13 2022 +0200

    s3:gse: get an explicit ccache_name from creds and kinit if required

    This means we may call kinit multiple times for now,
    but we'll remove the kinit from the callers soon.

Before this one (using kinit):

  $ smbclient -U mjt at TLS.MSK.RU -N //tsrv/mjt
  Try "help" to get a list of possible commands.
  smb: \>

After this commit:

  $ smbclient -U mjt at TLS.MSK.RU -N //tsrv/mjt -d5
  ...
  gensec_gse_client_prepare_ccache: No password for user principal[mjt at TLS.MSK.RU]
  Failed to start GENSEC client mech gse_krb5: NT_STATUS_INVALID_PARAMETER
  ...
  session setup failed: NT_STATUS_LOGON_FAILURE

This is still happening in current master.

I guess this wasn't an intended behavior :)

Thanks,

/mjt
Rowland Penny
2024-Dec-31 22:06 UTC
[Samba] ef205f6b52e "s3:gse: get an explicit ccache_name" breaks kerberos auth in smbclient
On Tue, 31 Dec 2024 23:49:22 +0300
Michael Tokarev via samba <samba at lists.samba.org> wrote:

> FWIW, samba 4.20 broke kerberos auth in smbclient. Namely, this
> commit:
>
> commit ef205f6b52ea1fec13e647e15e4f3edf536fd93e
> Author: Stefan Metzmacher <metze at samba.org>
> Date: Thu Apr 14 15:23:13 2022 +0200
>
> s3:gse: get an explicit ccache_name from creds and kinit if
> required
>
> This means we may call kinit multiple times for now,
> but we'll remove the kinit from the callers soon.
>
>
> Before this one (using kinit):
>
> $ smbclient -U mjt at TLS.MSK.RU -N //tsrv/mjt
> Try "help" to get a list of possible commands.
> smb: \>
>
> After this commit:
>
> $ smbclient -U mjt at TLS.MSK.RU -N //tsrv/mjt -d5
> ...
> gensec_gse_client_prepare_ccache: No password for user
> principal[mjt at TLS.MSK.RU] Failed to start GENSEC client mech
> gse_krb5: NT_STATUS_INVALID_PARAMETER ...
> session setup failed: NT_STATUS_LOGON_FAILURE
>
> This is still happening in current master.
>
> I guess this wasn't an intended behavior :)
>

I think it is, try removing the '-N' and then typing in the user's password.

From 'smbclient --help':

  -N, --no-pass    Don't ask for a password

It is:

  --use-kerberos=desired|required|off    Use Kerberos authentication

for kerberos.

Rowland
Stefan Metzmacher
2025-Jan-01 07:43 UTC
[Samba] ef205f6b52e "s3:gse: get an explicit ccache_name" breaks kerberos auth in smbclient
On 31.12.24 at 21:49, Michael Tokarev wrote:

> FWIW, samba 4.20 broke kerberos auth in smbclient.  Namely, this commit:
>
> commit ef205f6b52ea1fec13e647e15e4f3edf536fd93e
> Author: Stefan Metzmacher <metze at samba.org>
> Date:   Thu Apr 14 15:23:13 2022 +0200
>
>     s3:gse: get an explicit ccache_name from creds and kinit if required
>
>     This means we may call kinit multiple times for now,
>     but we'll remove the kinit from the callers soon.
>
>
> Before this one (using kinit):
>
>   $ smbclient -U mjt at TLS.MSK.RU -N //tsrv/mjt
>   Try "help" to get a list of possible commands.
>   smb: \>
>
> After this commit:
>
>   $ smbclient -U mjt at TLS.MSK.RU -N //tsrv/mjt -d5
>   ...
>   gensec_gse_client_prepare_ccache: No password for user principal[mjt at TLS.MSK.RU]
>   Failed to start GENSEC client mech gse_krb5: NT_STATUS_INVALID_PARAMETER
>   ...
>   session setup failed: NT_STATUS_LOGON_FAILURE
>
> This is still happening in current master.
>
> I guess this wasn't an intended behavior :)

No, this is wanted.

Currently this should work

  smbclient //tsrv/mjt -k -d5

With a valid KRB5CCNAME envvar this would also work

  smbclient //tsrv/mjt --use-krb5-ccache=$KRB5CCNAME -d5

We'll hopefully get a --use-default-krb5-ccache option in future,
which will replace the legacy -k option.

metze