In 4.15 the new kerberos defaults behave quite unexpected and will probably break some user setups also: # kinit bjacke # smbclient //server.example.com/bjacke -k Password for [bjacke@EXAMPLE.COM]: (I can enter anything here, it will succeed with the krb5 auth. But being asked for a password looks quite wrong here) The new style options --use-kerberos=required/desired will, just like -k, also make smbclient ask for a password (whose value is also being ignored then) # smbclient //server.example.com/data -k blablub will connect using krb5 WITHOUT asking for password, which is also interesting.
I'm sorry but is is not clear to me what the issue is. > The new style options --use-kerberos=required/desired will, just like -k, also > make smbclient ask for a password (whose value is also being ignored then) Which value is ignored? The best would be steps how to reproduce this in `make testenv`.
the simple steps to reproduce are in comment 0. See the kinit and smbclient commands and the output of it and my comments on that.
as probably soon many people will move to 4.15 it would be good if the kerberos client tool regression issue would be fixed in an upcoming 4.15 release.
I think it is just smbclient behaviour as normally you need to use --use-krb5-ccache if you want a ccache.
(In reply to Andreas Schneider from comment #4) just -k worked fine before, so it has to work as before. I think this needs to check if -U is also present or not, - if -U is not given, we should assume the default ccache or the value from --use-krb5-ccache and don't prompt for a password - if -U is given should not use the default ccache, it should also conflict with --use-krb5-ccache
Metze, the problem is that source3/librpc/crypto/gse.c is not using cli_credentials_get_cache(), it just opens the default ccache.
(In reply to Andreas Schneider from comment #6) Yes, that should be fixed someday and for now we could let gensec_gse_client_start() pass a non NULL ccache if it finds one on the credentials. But I don't see how that related to the password prompting. Björn can you provide the output of selftest/gdb_backtrace on smbclient waiting in the prompt?
-k sets `skip_password_callback = true` I guess this doesn't work.
-k is set to POPT_ARG_STRING instead of POP_ARG_NONE.
This bug was referenced in samba master: 5c6640470aa845780fbf17961e67b0d9302c2fbc 16d43ccfddf0e67a0ae87e3f13b3114c858d64ac
Created attachment 16884 [details] patch for 4.15
Reassigning to Jule for inclusion in 4.15.
Pushed to autobuild-v4-15-test.
This bug was referenced in samba v4-15-test: d700a676cad09e23d55aac294b47cd5d227b8664 651d79f109bb7774962f0e0db0b8206e2e0a93e5
Closing out bug report. Thanks!
This bug was referenced in samba v4-15-stable (Release samba-4.15.3): d700a676cad09e23d55aac294b47cd5d227b8664 651d79f109bb7774962f0e0db0b8206e2e0a93e5