samba - Jan 2025 - ef205f6b52e "s3:gse: get an explicit ccache_name" breaks kerberos auth in smbclient

Am 31.12.24 um 21:49 schrieb Michael Tokarev:
> FWIW, samba 4.20 broke kerberos auth in smbclient.? Namely, this commit:
> 
> commit ef205f6b52ea1fec13e647e15e4f3edf536fd93e
> Author: Stefan Metzmacher <metze at samba.org>
> Date:?? Thu Apr 14 15:23:13 2022 +0200
> 
>  ??? s3:gse: get an explicit ccache_name from creds and kinit if required
> 
>  ??? This means we may call kinit multiple times for now,
>  ??? but we'll remove the kinit from the callers soon.
> 
> 
> Before this one (using kinit):
> 
>  ? $ smbclient -U mjt at TLS.MSK.RU -N //tsrv/mjt
>  ? Try "help" to get a list of possible commands.
>  ? smb: \>
> 
> After this commit:
> 
>  ? $ smbclient -U mjt at TLS.MSK.RU -N //tsrv/mjt -d5
>  ? ...
>  ? gensec_gse_client_prepare_ccache: No password for user principal[mjt at
TLS.MSK.RU]
>  ? Failed to start GENSEC client mech gse_krb5: NT_STATUS_INVALID_PARAMETER
>  ? ...
>  ? session setup failed: NT_STATUS_LOGON_FAILURE
> 
> This is still happening in current master.
> 
> I guess this wasn't an intended behavior :)
No, this is wanted.

Currently this should work

smbclient //tsrv/mjt -k -d5

With a valid KRB5CCNAME envvar this would also work
smbclient //tsrv/mjt --use-krb5-ccache=$KRB5CCNAME -d5

We'll hopefully get a --use-default-krb5-ccache option in future,
which will replace the legacy -k option.

metze

01.01.2025 10:43, Stefan Metzmacher via samba wrote:
..
>> This is still happening in current master.
>>
>> I guess this wasn't an intended behavior :)
> 
> No, this is wanted.
> 
> Currently this should work
> 
> smbclient //tsrv/mjt -k -d5
Aha. This works indeed.  Thank you!
> We'll hopefully get a --use-default-krb5-ccache option in future,
> which will replace the legacy -k option.
Why -k is being deprecated anyway?  Can't it become a synonym
for --use-kerberos=required (and --use-default-krb5-ccache in the
future) for example?  Or else it's just too long and too awkward.

Thanks!

/mjt