Bug 742 - libsmbclient etc does not use kerberos credentials by default
Summary: libsmbclient etc does not use kerberos credentials by default
Alias: None
Product: Samba 3.0
Classification: Unclassified
Component: libsmbclient (show other bugs)
Version: 3.0.0
Hardware: All other
: P3 enhancement
Target Milestone: none
Assignee: Derrell Lipman
QA Contact: Samba QA Contact
Depends on:
Reported: 2003-11-08 14:41 UTC by Andrew Bartlett
Modified: 2005-08-24 10:23 UTC (History)
3 users (show)

See Also:


Note You need to log in before you can comment on or make changes to this bug.
Description Andrew Bartlett 2003-11-08 14:41:14 UTC
Even if a user has kerberos credentials, libsmbclient and our libsmb apps do not
use them, instead always using NTLM/NTLMSSP and always prompting.

We should detect the user having kerberos credentials, and the server supporting
Comment 1 Andrea Corona 2005-01-14 12:41:46 UTC
Alex Larsson and Nate Nielsen developed some patches to enable kerberos in
libsmbclient, adding some flags that allow client application to set kerberos
authentication and disable problematic anonymous login fallback as 'smbclient'
does with '-k' option (see bug 2092).
Enabling kerberos is necessary if you want a Linux client to browse windows
shares in SSO mode in AD domain (for example using Nautilus browser).
Moreover, I think that the authentication callback mechanism in libsmb should be
revised in order to accomodate kerberos authentication, without adding
complexity to the application logic. For instance, in "find_server" function in
libsmbclient the "auth_fn" function is called as a side effect of a cache miss.
Maybe, the "auth_fn" call should be moved to main session setup flow in
"smb_server" function. 
Comment 2 Dan Davis 2005-03-09 14:24:35 UTC
Andrea, where are those patches.   I've written code to fix the problem, but my
code doesn't disable the anonymous login fallback, or fix cli_full_connection().
  Before I make a patch, I'd like to find patches by more experienced Samba
hackers on this problem.
Comment 3 Derrell Lipman 2005-04-01 07:42:07 UTC
Some changes were made a few versions ago, to allow use of kerberos.  Enable
kerberos with

  context->flags |= SMB_CTX_FLAG_USE_KERBEROS

If this does not resolve your issue, please re-open this bug with additional
Comment 4 Gerald (Jerry) Carter (dead mail address) 2005-08-24 10:23:24 UTC
sorry for the same, cleaning up the database to prevent unecessary reopens of bugs.