Even if a user has kerberos credentials, libsmbclient and our libsmb apps do not
use them, instead always using NTLM/NTLMSSP and always prompting.
We should detect the user having kerberos credentials, and the server supporting
Alex Larsson and Nate Nielsen developed some patches to enable kerberos in
libsmbclient, adding some flags that allow client application to set kerberos
authentication and disable problematic anonymous login fallback as 'smbclient'
does with '-k' option (see bug 2092).
Enabling kerberos is necessary if you want a Linux client to browse windows
shares in SSO mode in AD domain (for example using Nautilus browser).
Moreover, I think that the authentication callback mechanism in libsmb should be
revised in order to accomodate kerberos authentication, without adding
complexity to the application logic. For instance, in "find_server" function in
libsmbclient the "auth_fn" function is called as a side effect of a cache miss.
Maybe, the "auth_fn" call should be moved to main session setup flow in
Andrea, where are those patches. I've written code to fix the problem, but my
code doesn't disable the anonymous login fallback, or fix cli_full_connection().
Before I make a patch, I'd like to find patches by more experienced Samba
hackers on this problem.
Some changes were made a few versions ago, to allow use of kerberos. Enable
context->flags |= SMB_CTX_FLAG_USE_KERBEROS
If this does not resolve your issue, please re-open this bug with additional
sorry for the same, cleaning up the database to prevent unecessary reopens of bugs.