Hi,

As posted on the list "potential samba bug with Kerberos -k => --use-kerberos" on January 27, 2022, Samba >= 4.15 now gives a deprecation warning when using -k:

root@server:~# net ads join -k
WARNING: The option -k|--kerberos is deprecated!
Using short domain name -- DOMAIN
Joined 'SERVER' to dns domain 'DOMAIN.COM'

Using its replacement "--use-kerberos=required" will prompt for a password, even when a valid Kerberos ticket is present. We assume this should not be the case.

root@server:~# net ads join --use-kerberos=required
Password for [user@DOMAIN.COM]:

According to the man page there is also "--use-krb5-ccache=CCACHE", which will automatically set "--use-kerberos=required" as well. This works indeed and does not ask for a password:

root@server:~# net ads join --use-krb5-ccache=/tmp/krb5cc_0
Using short domain name -- DOMAIN
Joined 'SERVER' to dns domain 'DOMAIN.COM'

Now the more interesting part, the following also works:

root@server:~# net ads join --use-krb5-ccache=
Using short domain name -- DOMAIN
Joined 'SERVER' to dns domain 'DOMAIN.COM'

And this as well:

root@server:~# net ads join --use-krb5-ccache=/this/does/not/exist
Using short domain name -- DOMAIN
Joined 'SERVER' to dns domain 'DOMAIN.COM'

(In reply to glorang from comment #0)
This sounds like a duplicate of bug 14846, which was fixed in 4.15.3.

So which version are you using?

This is on Ubuntu 22.04 which ships with 2:4.15.5~dfsg-0ubuntu5. I've checked the Ubuntu source for package samba-common-bin and the patch of #14846 is applied.

(In reply to Rowland Penny from comment #1)
The issue that you are still prompted for a password even though a ticket exists in the default credential cache still exists.

The desired behavior is this: https://bugzilla.samba.org/show_bug.cgi?id=14846#c5

But what was fixed is this: https://bugzilla.samba.org/show_bug.cgi?id=14846#c6

But this is not related to the problem that was reported in this ticket.

Andreas, can you please have a look at this again? It's really annoying that you have to enter a password (again) even though a ticket already exists in the default credential cache.

Unless -U is not used, --use-kerberos=required should implicitly use the ticket from the user's default credential cache.
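
The report above shows `net ads join` succeeding with an empty or nonexistent `--use-krb5-ccache` value. The following is an added example, not part of the thread or of Samba: a wrapper that refuses to run the join unless the named cache file exists and holds a valid ticket. The function names and the `KLIST` override are hypothetical, and only FILE caches checked with `klist -s` are assumed.

```shell
#!/bin/sh
# Added example: validate a Kerberos credential cache path before handing it
# to `net ads join --use-krb5-ccache=...`. All names here are hypothetical.

KLIST="${KLIST:-klist}"   # overridable so the check can be exercised offline

# check_ccache PATH -> 0 only if PATH names a FILE ccache holding a valid ticket
check_ccache() {
    cc="$1"
    # Reject the empty value that the report shows being accepted.
    [ -n "$cc" ] || { echo "ccache: empty path" >&2; return 2; }
    # Accept an optional FILE: prefix; other cache types are out of scope here.
    case "$cc" in
        FILE:*) cc="${cc#FILE:}" ;;
        *:*)    echo "ccache: only FILE caches are handled" >&2; return 2 ;;
    esac
    # Reject paths that do not exist or are not readable regular files.
    if [ ! -f "$cc" ] || [ ! -r "$cc" ]; then
        echo "ccache: $cc is missing or unreadable" >&2
        return 3
    fi
    # klist -s prints nothing and exits non-zero when the cache has no valid ticket.
    "$KLIST" -s -c "$cc" || { echo "ccache: no valid ticket in $cc" >&2; return 4; }
    return 0
}

# join_with_ccache PATH: run the join only when the cache passed every check.
join_with_ccache() {
    check_ccache "$1" || return $?
    net ads join --use-krb5-ccache="$1"
}
```
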