Package: smbclient
Version: 2:4.16.6+dfsg-5~bpo11+1
Severity: normal
Hi,
I'm trying to use smbclient with kerberos login, for example to
get the list of shares with somthing like:
smbclient -N --use-kerberos=required -gL samba-server.example.org
If using the FILE: ccache, it works.
If using a KEYRING: ccache, it does not work.
And the --use-krb5-ccache option does not seems to be taken into account
$ export KRB5CCNAME=FILE:/tmp/ccache_file
$ rm $KRB5CCNAME
rm: cannot remove 'FILE:/tmp/ccache_file': No such file or directory
$ kinit
Password for XXX@XXX:
$ smbclient -N --use-kerberos=required --use-krb5-ccache=FILE:/tmp/ccache_file
-gL samba-server.example.org
[... list of shares ...]
$ smbclient -N --use-kerberos=required -gL samba-server.example.org
[... list of shares ...]
$ smbclient -N --use-kerberos=required --use-krb5-ccache=FILE:/non-existant -gL
samba-server.example.org
[... list of shares ...] <- probably a fail-back to KRB5CCNAME
$ export KRB5CCNAME=FILE:/non-existant
$ smbclient -N --use-kerberos=required -gL samba-server.example.org
gensec_spnego_client_negTokenInit_step: Could not find a suitable mechtype in
NEG_TOKEN_INIT
session setup failed: NT_STATUS_INVALID_PARAMETER
$ smbclient -N --use-kerberos=required --use-krb5-ccache=FILE:/tmp/ccache_file
-gL samba-server.example.org
gensec_spnego_client_negTokenInit_step: Could not find a suitable mechtype in
NEG_TOKEN_INIT
session setup failed: NT_STATUS_INVALID_PARAMETER
$ smbclient -N --use-kerberos=required --use-krb5-ccache=/tmp/ccache_file -gL
samba-server.example.org
gensec_spnego_client_negTokenInit_step: Could not find a suitable mechtype in
NEG_TOKEN_INIT
session setup failed: NT_STATUS_INVALID_PARAMETER
$ export KRB5CCNAME=KEYRING:persistent:`id -u`:krb_ccache
$ kinit
Password for XXX@XXX:
$ smbclient -N --use-kerberos=required -gL samba-server.example.org
gensec_spnego_client_negTokenInit_step: Could not find a suitable mechtype in
NEG_TOKEN_INIT
session setup failed: NT_STATUS_INVALID_PARAMETER
$ smbclient -N --use-kerberos=required --use-krb5-ccache=$KRB5CCNAME -gL
samba-server.example.org
gensec_spnego_client_negTokenInit_step: Could not find a suitable mechtype in
NEG_TOKEN_INIT
session setup failed: NT_STATUS_INVALID_PARAMETER
klist and other kerberos-enabled tools (such as ssh) work correctly
when KRB5CCNAME is set to FILE:... but also to KEYRING:...
So, from my experiments, it seems:
- the --use-krb5-ccache is never used (at least when KRB5CCNAME is set)
[it was not the goal of this bug report, but I see it when trying my commands]
- smbclient does not handle ccache using the kernel keyring
Perhaps this is due to samba using heimdal kerberos implementation?
Regards,
Vincent
-- System Information:
Debian Release: 11.5
APT prefers stable-security
APT policy: (990, 'stable-security'), (990, 'stable'), (500,
'stable-updates'), (500, 'oldstable-updates'), (500, 'oldstable')
Architecture: amd64 (x86_64)
Kernel: Linux 5.15.0-0.bpo.3-amd64 (SMP w/6 CPU threads)
Locale: LANG=C.UTF-8, LC_CTYPE=C.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
Versions of packages smbclient depends on:
ii libarchive13 3.4.3-2+deb11u1
ii libbsd0 0.11.3-1
ii libc6 2.31-13+deb11u4
ii libgnutls30 3.7.1-5+deb11u2
ii libpopt0 1.18-2
ii libreadline8 8.1-1
ii libsmbclient 2:4.16.6+dfsg-5~bpo11+1
ii libtalloc2 2.3.3-4~bpo11+1
ii libtevent0 0.11.0-1~bpo11+1
ii samba-common 2:4.16.6+dfsg-5~bpo11+1
ii samba-libs 2:4.16.6+dfsg-5~bpo11+1
smbclient recommends no packages.
Versions of packages smbclient suggests:
ii cifs-utils 2:7.0-2~bpo11+1
pn heimdal-clients <none>
-- no debconf information
