Bug 14846 - new Kerberos options of client tools behave quite weird
Summary: new Kerberos options of client tools behave quite weird
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: Tools
Version: 4.15.0
Hardware: All All
Importance: P5 critical
Target Milestone: ---
Assignee: Jule Anger
QA Contact: Samba QA Contact
Depends on:
Blocks: 14842
Reported: 2021-09-28 13:34 UTC by Björn Jacke
Modified: 2021-12-08 14:39 UTC

See Also:

patch for 4.15 (3.86 KB, patch)
2021-10-28 15:37 UTC, Andreas Schneider
slow: review+

Description Björn Jacke 2021-09-28 13:34:09 UTC
In 4.15 the new Kerberos defaults behave quite unexpectedly and will probably also break some user setups:

# kinit bjacke

# smbclient //server.example.com/bjacke -k
Password for [bjacke@EXAMPLE.COM]:
(I can enter anything here, it will succeed with the krb5 auth. But being asked for a password looks quite wrong here)

The new style options --use-kerberos=required/desired will, just like -k, also make smbclient ask for a password (whose value is also being ignored then)

# smbclient //server.example.com/data -k blablub
will connect using krb5 WITHOUT asking for password, which is also interesting.
Comment 1 Andreas Schneider 2021-10-25 08:55:02 UTC
I'm sorry, but it is not clear to me what the issue is.

> The new style options --use-kerberos=required/desired will, just like -k, also
> make smbclient ask for a password (whose value is also being ignored then)

Which value is ignored? The best would be steps how to reproduce this in `make testenv`.
Comment 2 Björn Jacke 2021-10-25 08:58:09 UTC
The simple steps to reproduce are in comment 0. See the kinit and smbclient commands, their output, and my comments on that.
Comment 3 Björn Jacke 2021-10-26 06:57:48 UTC
As many people will probably soon move to 4.15, it would be good if the Kerberos client tool regression issue were fixed in an upcoming 4.15 release.
Comment 4 Andreas Schneider 2021-10-26 13:23:11 UTC
I think it is just smbclient behaviour as normally you need to use --use-krb5-ccache if you want a ccache.
Comment 5 Stefan Metzmacher 2021-10-26 15:11:21 UTC
(In reply to Andreas Schneider from comment #4)

just -k worked fine before, so it has to work as before.

I think this needs to check if -U is also present or not,
- if -U is not given, we should assume the default ccache or
  the value from --use-krb5-ccache and don't prompt for
  a password
- if -U is given, it should not use the default ccache,
  it should also conflict with --use-krb5-ccache
Comment 6 Andreas Schneider 2021-10-27 10:55:11 UTC
Metze, the problem is that source3/librpc/crypto/gse.c is not using cli_credentials_get_cache(), it just opens the default ccache.
Comment 7 Stefan Metzmacher 2021-10-27 11:02:23 UTC
(In reply to Andreas Schneider from comment #6)

Yes, that should be fixed someday and for now we could
let gensec_gse_client_start() pass a non NULL ccache
if it finds one on the credentials.

But I don't see how that is related to the password prompting.

Björn can you provide the output of selftest/gdb_backtrace on
smbclient waiting in the prompt?
Comment 8 Andreas Schneider 2021-10-27 11:33:48 UTC
-k sets `skip_password_callback = true`. I guess this doesn't work.
Comment 9 Andreas Schneider 2021-10-27 11:51:03 UTC
-k is set to POPT_ARG_STRING instead of POPT_ARG_NONE.
Comment 10 Samba QA Contact 2021-10-28 13:24:03 UTC
This bug was referenced in samba master:

Comment 11 Andreas Schneider 2021-10-28 15:37:53 UTC
Created attachment 16884 [details]
patch for 4.15
Comment 12 Ralph Böhme 2021-10-28 15:42:18 UTC
Reassigning to Jule for inclusion in 4.15.
Comment 13 Jule Anger 2021-11-10 14:23:47 UTC
Pushed to autobuild-v4-15-test.
Comment 14 Samba QA Contact 2021-11-10 17:08:32 UTC
This bug was referenced in samba v4-15-test:

Comment 15 Jule Anger 2021-11-10 18:03:24 UTC
Closing out bug report.

Comment 16 Samba QA Contact 2021-12-08 14:39:51 UTC
This bug was referenced in samba v4-15-stable (Release samba-4.15.3):