In 4.15 the new kerberos defaults behave quite unexpected and will probably break some user setups also:
# kinit bjacke
# smbclient //server.example.com/bjacke -k
Password for [bjacke@EXAMPLE.COM]:
(I can enter anything here, it will succeed with the krb5 auth. But being asked for a password looks quite wrong here)
The new style options --use-kerberos=required/desired will, just like -k, also make smbclient ask for a password (whose value is also being ignored then)
# smbclient //server.example.com/data -k blablub
will connect using krb5 WITHOUT asking for password, which is also interesting.
I'm sorry but is is not clear to me what the issue is.
> The new style options --use-kerberos=required/desired will, just like -k, also
> make smbclient ask for a password (whose value is also being ignored then)
Which value is ignored? The best would be steps how to reproduce this in `make testenv`.
the simple steps to reproduce are in comment 0. See the kinit and smbclient commands and the output of it and my comments on that.
as probably soon many people will move to 4.15 it would be good if the kerberos client tool regression issue would be fixed in an upcoming 4.15 release.
I think it is just smbclient behaviour as normally you need to use --use-krb5-ccache if you want a ccache.
(In reply to Andreas Schneider from comment #4)
just -k worked fine before, so it has to work as before.
I think this needs to check if -U is also present or not,
- if -U is not given, we should assume the default ccache or
the value from --use-krb5-ccache and don't prompt for
- if -U is given should not use the default ccache,
it should also conflict with --use-krb5-ccache
Metze, the problem is that source3/librpc/crypto/gse.c is not using cli_credentials_get_cache(), it just opens the default ccache.
(In reply to Andreas Schneider from comment #6)
Yes, that should be fixed someday and for now we could
let gensec_gse_client_start() pass a non NULL ccache
if it finds one on the credentials.
But I don't see how that related to the password prompting.
Björn can you provide the output of selftest/gdb_backtrace on
smbclient waiting in the prompt?
-k sets `skip_password_callback = true` I guess this doesn't work.
-k is set to POPT_ARG_STRING instead of POP_ARG_NONE.
This bug was referenced in samba master:
Created attachment 16884 [details]
patch for 4.15
Reassigning to Jule for inclusion in 4.15.
Pushed to autobuild-v4-15-test.
This bug was referenced in samba v4-15-test:
Closing out bug report.
This bug was referenced in samba v4-15-stable (Release samba-4.15.3):