Created attachment 18537
A patch to fix this issue

Regression in libsmbclient 4.21.* - "use-kerberos=desired" broken

IMPACT:

I believe there is a regression in libsmbclient 4.21.* that affects several clients:

* smbclient --use-kerberos=desired
* samba-4.21.../examples/libsmbclient/testbrowse.c
* KDE dolphin/kioclient/kio-extras/kio_smb
* pysmbc

PROBLEM:

When using the default options for Kerberos with NTLM fallback in libsmbclient, Kerberos is never even tried, effectively forcing NTLM. This may trigger a visible request for user credentials in Samba clients, even though klist shows a valid TGT or even a ticket for the target server.

REPRODUCTION:

Samba's smbclient behavior can be determined by a command line switch:

    # FAILS:
    smbclient -d10 --use-kerberos=desired -c 'dir' //SERVER/SHARE

    # WORKS:
    smbclient -d10 --use-kerberos=required -c 'dir' //SERVER/SHARE

In Samba's 'testbrowse.c' [0], there is a combination of two options that affect authentication behavior:

    // FAILS: (like use-kerberos=desired, original)
    smbc_setOptionUseKerberos(context, 1);
    smbc_setOptionFallbackAfterKerberos(context, 1);

    // WORKS: (like use-kerberos=required, modified)
    smbc_setOptionUseKerberos(context, 1);
    smbc_setOptionFallbackAfterKerberos(context, 0);

KIO [1] always fails, because there is no way to change the default settings:

    kwriteconfig6 --file kioslaverc --group SMB --key DebugLevel 10
    # QT_FORCE_STDERR_LOGGING=1 # only to see QT side of things
    # QT_LOGGING_RULES="kf.kio.workers.smb=true;log_kio_smb=true"
    kioclient ls smb://USER%40REALM@SERVER/SHARE
    kwriteconfig6 --file kioslaverc --group SMB --key DebugLevel 0

... which look like this [3]:

    smbc_setOptionUseKerberos(m_context.get(), 1)
    smbc_setOptionFallbackAfterKerberos(m_context.get(), 1)

Python, with pysmbc [4]:

    # FAILS:
    import smbc
    ctx = smbc.Context(debug=10, use_kerberos=1)
    # defaults to these:
    # ctx.optionUseKerberos = True
    # ctx.optionFallbackAfterKerberos = True
    ctx.opendir("smb://USER%40REALM@SERVER/SHARE").getdents()

    # WORKS:
    import smbc
    ctx = smbc.Context(debug=10)
    ctx.optionUseKerberos = True
    ctx.optionFallbackAfterKerberos = False
    ctx.opendir("smb://USER%40REALM@SERVER/SHARE").getdents()

FAILURE LOG:

The log (from above) contains:

    "gensec_gse_client_start: Not using kerberos to cifs/SERVER as USER@REALM: NT_STATUS_INVALID_PARAMETER"

... and there are a lot of references to NTLMSSP

SUCCESS LOG:

The log (from above) contains:

    "gensec_gse_client_prepare_ccache: No kinit required for USER@REALM to access cifs/SERVER"

NOTE:

The Kerberos user prefix 'USER%40REALM@' isn't really necessary, because Samba is quite good at guessing those, but it clears up some confusion in the logs.

WORKAROUND:

Downgrade to libsmbclient 4.20.* and its dependencies.

ANALYSIS:

The following line in source3/libsmb/cliconnect.c [5] prevents the use of Kerberos (with fallback active):

    } else if (use_kerberos && !fallback_after_kerberos) {

... explicitly!

The following line in auth/credentials/credentials.c [6] prevents the use of Kerberos (with fallback active):

    if (cli_credentials_get_kerberos_state(cred) == CRED_USE_KERBEROS_REQUIRED) {

... by omitting the case CRED_USE_KERBEROS_DESIRED.

FIX:

The attached patch fixes the issue for Samba 4.21.3 and all of the above use cases.

ROOM FOR IMPROVEMENT:

IMHO, ideally, users of libsmbclient shouldn't have to set any authentication-related options at all - apart from a callback function for password input. Instead "client use kerberos = required/desired/off" should be propagated from "smb.conf" to all users of libsmbclient by default. That does not seem to be possible currently.

Or is it necessary to trigger processing of "smb.conf" in libsmbclient by calling some function first? Some guidance would be appreciated here. Maybe Samba's libsmbclient example (see above) could be amended to demonstrate proper usage.

BUILD ENVIRONMENT:

See [2], and [1] for a different environment.

TEST ENVIRONMENT:

Some Linux client with $KRB5CCNAME pointing to a Kerberos ticket cache with at least a valid TGT in it.

DISCLAIMER:

This is my first deep dive into Samba and my first post to BSO, so please bear with me.

REFERENCES:

[0] https://git.samba.org/?p=samba.git;a=blob;f=examples/libsmbclient/testbrowse.c#l105
[1] https://bugs.kde.org/show_bug.cgi?id=494981 : "Kerberos auth doesn't work since libsmbclient 4.21"
[2] https://build.opensuse.org/package/show/openSUSE%3AFactory/samba
[3] https://lxr.kde.org/source/network/kio-extras/smb/smbcontext.cpp#0038
[4] https://pypi.org/project/pysmbc/
[5] https://git.samba.org/?p=samba.git;a=blob;f=source3/libsmb/cliconnect.c#l218
[6] https://git.samba.org/?p=samba.git;a=blob;f=auth/credentials/credentials.c#l493

THANK YOU for reading this far and considering this issue!
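
Added example, not part of the original report and not Samba code: a small log triage helper that tells the two outcomes described under FAILURE LOG and SUCCESS LOG apart, so a silent fallback to NTLM can be spotted in captured `-d10` output. The function name `classify` and the sample logs are assumptions made for this example; only the two `gensec_gse_*` message shapes come from the report.

```python
import re

# Message shapes come from the two log excerpts quoted in the report.
SKIPPED = re.compile(
    r"gensec_gse_client_start: Not using kerberos to (?P<spn>\S+) "
    r"as (?P<user>\S+): (?P<status>NT_STATUS_\w+)")
USED = re.compile(
    r"gensec_gse_client_prepare_ccache: No kinit required for "
    r"(?P<user>\S+) to access (?P<spn>\S+)")

# Constructed sample logs: only the gensec_gse_* lines mirror the report,
# the other lines are filler made up for this example.
FAILING_LOG = """\
(constructed filler) starting session setup
gensec_gse_client_start: Not using kerberos to cifs/SERVER as USER@REALM: NT_STATUS_INVALID_PARAMETER
(constructed filler) NTLMSSP negotiate
(constructed filler) NTLMSSP authenticate
"""
WORKING_LOG = """\
(constructed filler) starting session setup
gensec_gse_client_prepare_ccache: No kinit required for USER@REALM to access cifs/SERVER
"""


def classify(log_text):
    """Summarise what a debug log says about Kerberos vs. NTLM (hypothetical helper)."""
    found = {"verdict": "unknown", "spn": None, "user": None,
             "status": None, "ntlmssp_lines": 0}
    skipped = used = None
    for line in log_text.splitlines():
        if "ntlmssp" in line.lower():
            found["ntlmssp_lines"] += 1
        skipped = skipped or SKIPPED.search(line)
        used = used or USED.search(line)
    if skipped:      # the client logged that it is not using Kerberos
        found.update(skipped.groupdict(), verdict="kerberos-skipped")
    elif used:       # the client logged that no kinit was required
        found.update(used.groupdict(), verdict="kerberos-used")
    elif found["ntlmssp_lines"]:
        found["verdict"] = "ntlm-only"
    return found


if __name__ == "__main__":
    for name, log in (("failing", FAILING_LOG), ("working", WORKING_LOG)):
        print(name, classify(log))
```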