The branch, master has been updated
       via  bc868800276 s3/libsmb: block anon authentication fallback is use-kerberos = desired
       via  1c485991057 s3/libsmb: cli_session_creds_init fails when kerberos is desired
       via  88f42eb222f auth/credentials: Fix regression with --use-kerberos=desired for smbclient
       via  a22af942096 selftest: Update tests to use --use-kereros=desired|required no creds
      from  c0e5ffdc16b vfs_ceph: Handle absolute paths with dirfd = -1 in openat

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit bc868800276fe09cbcb206ebe4cb4da32af7599f
Author: Noel Power <[email protected]>
Date:   Mon Jan 19 16:18:02 2026 +0000

    s3/libsmb: block anon authentication fallback is use-kerberos = desired
    
    When cli_credentials_get_kerberos_state returns CRED_USE_KERBEROS_REQUIRED
    libsmbclient method SMBC_server_internal will still try to fallback to
    anon NTLM. This patch prevents that.
    
    Bug: https://bugzilla.samba.org/show_bug.cgi?id=15789
    Signed-off-by: Noel Power <[email protected]>
    Reviewed-by: Andreas Schneider <[email protected]>
    
    Autobuild-User(master): Noel Power <[email protected]>
    Autobuild-Date(master): Tue Feb 17 16:06:18 UTC 2026 on atb-devel-224

commit 1c48599105736499d18aa1f647bce9e1f8dbdcca
Author: Noel Power <[email protected]>
Date:   Mon Jan 19 16:10:10 2026 +0000

    s3/libsmb: cli_session_creds_init fails when kerberos is desired
    
    There is a regression with code using cli_session_creds_init when
    cli_credentials_get_kerberos_state() returns CRED_USE_KERBEROS_DESIRED
    
    Authentication succeeds when boolean fallback_after_kerberos is false
    and fails when true.
    There doesn't seem to be a good reason why the value of
    fallback_after_kerberos should initialise the krb5 ccache or not.
    It would seem that krb5 cache should be set up for creds
    for *any* kerberos auth (whether fallback is enabled or not)
    
    Partial patch from <[email protected]> (see bug referenced below)
    Bug: https://bugzilla.samba.org/show_bug.cgi?id=15789
    Signed-off-by: Noel Power <[email protected]>
    Reviewed-by: Andreas Schneider <[email protected]>

commit 88f42eb222f299189d5f5f8204ae353e63a50970
Author: Noel Power <[email protected]>
Date:   Mon Jan 19 15:46:59 2026 +0000

    auth/credentials: Fix regression with --use-kerberos=desired for smbclient
    
    As part of the gse_krb5 processing the following call chain
    
    gensec_gse_client_start()
      ---> gensec_kerberos_possible()
             ---> cli_credentials_authentication_requested()
    
    gensec_kerberos_possible() will always fail when
    cli_credentials_get_kerberos_state() returns CRED_USE_KERBEROS_DESIRED
    
    It seems since use kerberos == desired is the default that it isn't
    necessary to see if credentials were modified to indicate authentication
    was requested. gensec_kerberos_possible() should afaics return true
    if kerberos is desired OR required (regardless of whether credentials
    were requested)
    
    This commit removes the knownfail associated with this bug.
    
    Bug: https://bugzilla.samba.org/show_bug.cgi?id=15789
    Signed-off-by: <[email protected]>
    Reviewed-by: Andreas Schneider <[email protected]>

commit a22af9420965083b99b956477d1833000b7f2414
Author: Noel Power <[email protected]>
Date:   Fri Feb 13 11:54:46 2026 +0000

    selftest: Update tests to use --use-kereros=desired|required no creds
    
    Add tests to call smbclient without passing credentials to
    demonstrate failure with --use-kerberos=desired
    
    Also add knownfail
    
    Signed-off-by: Noel Power <[email protected]>
    Reviewed-by: Andreas Schneider <[email protected]>

-----------------------------------------------------------------------

Summary of changes:
 auth/gensec/gensec_util.c                       |  5 -----
 source3/libsmb/cliconnect.c                     |  2 +-
 source3/libsmb/libsmb_server.c                  |  2 ++
 source3/script/tests/test_smbclient_kerberos.sh | 12 ++++++++++++
 4 files changed, 15 insertions(+), 6 deletions(-)


Changeset truncated at 500 lines:

diff --git a/auth/gensec/gensec_util.c b/auth/gensec/gensec_util.c
index 0c7688d33d2..af6d198d48f 100644
--- a/auth/gensec/gensec_util.c
+++ b/auth/gensec/gensec_util.c
@@ -362,7 +362,6 @@ char *gensec_get_unparsed_target_principal(struct 
gensec_security *gensec_securi
 NTSTATUS gensec_kerberos_possible(struct gensec_security *gensec_security)
 {
        struct cli_credentials *creds = gensec_get_credentials(gensec_security);
-       bool auth_requested = cli_credentials_authentication_requested(creds);
        enum credentials_use_kerberos krb5_state =
                cli_credentials_get_kerberos_state(creds);
        char *user_principal = NULL;
@@ -370,10 +369,6 @@ NTSTATUS gensec_kerberos_possible(struct gensec_security 
*gensec_security)
        const char *target_principal = 
gensec_get_target_principal(gensec_security);
        const char *hostname = gensec_get_target_hostname(gensec_security);
 
-       if (!auth_requested) {
-               return NT_STATUS_INVALID_PARAMETER;
-       }
-
        if (krb5_state == CRED_USE_KERBEROS_DISABLED) {
                return NT_STATUS_INVALID_PARAMETER;
        }
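
Review bot: With the !auth_requested early return removed from gensec_kerberos_possible(), the only state rejected in the visible lines is CRED_USE_KERBEROS_DISABLED, so credentials for which no authentication was requested (anonymous ones included) now continue to the principal and hostname checks under the default DESIRED state. Please add a short comment above the krb5_state check recording that this is intentional and why, and confirm that a caller that deliberately wants anonymous access does not end up using a ticket from an ambient credential cache as a result.
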
diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c
index c7c22c18810..0bcbf532873 100644
--- a/source3/libsmb/cliconnect.c
+++ b/source3/libsmb/cliconnect.c
@@ -218,7 +218,7 @@ struct cli_credentials *cli_session_creds_init(TALLOC_CTX 
*mem_ctx,
                                goto fail;
                        }
                }
-       } else if (use_kerberos && !fallback_after_kerberos) {
+       } else if (use_kerberos) {
                const char *error_string = NULL;
                int rc;
 
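
Review bot: The branch at "} else if (use_kerberos) {" now also runs when fallback_after_kerberos is true, and the error_string and rc declared at its top suggest the ccache setup inside can fail. Please confirm that a failure there in the fallback case does not take the fail path, since that would turn a missing or unusable ccache into a hard failure of cli_session_creds_init() where a fallback was still wanted; if it is meant to be fatal, a comment saying so would help. It is also worth checking whether fallback_after_kerberos still has any effect in this function after the change.
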
diff --git a/source3/libsmb/libsmb_server.c b/source3/libsmb/libsmb_server.c
index 7b1def05f0b..46887d9d33e 100644
--- a/source3/libsmb/libsmb_server.c
+++ b/source3/libsmb/libsmb_server.c
@@ -617,6 +617,8 @@ SMBC_server_internal(TALLOC_CTX *ctx,
                password_used = "";
 
                 if (smbc_getOptionNoAutoAnonymousLogin(context) ||
+                   cli_credentials_get_kerberos_state(creds) ==
+                           CRED_USE_KERBEROS_REQUIRED ||
                    !NT_STATUS_IS_OK(cli_session_setup_anon(c))) {
 
                         cli_shutdown(c);
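
Review bot: The added condition tests CRED_USE_KERBEROS_REQUIRED, which matches the commit message body but not its subject line, which says "use-kerberos = desired"; the subject should name the state the code checks. A one-line comment above the condition saying that anonymous fallback is skipped when Kerberos is required would make the intent clear. Placing the new test before cli_session_setup_anon(c) is right, since the short-circuit keeps the anonymous session setup from being attempted at all. The summary of changes lists no test that exercises SMBC_server_internal(), so a libsmbclient test for this path would be a useful follow-up.
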
diff --git a/source3/script/tests/test_smbclient_kerberos.sh 
b/source3/script/tests/test_smbclient_kerberos.sh
index 31678d17e28..1139efd70d7 100755
--- a/source3/script/tests/test_smbclient_kerberos.sh
+++ b/source3/script/tests/test_smbclient_kerberos.sh
@@ -73,6 +73,18 @@ test_smbclient 
"smbclient.smb3.kerberos.desired[//${SERVER}/tmp]" \
        --use-kerberos=desired -U${USERNAME}%${PASSWORD} -mSMB3 ||
        failed=$(expr $failed + 1)
 
+test_smbclient "smbclient.smb3.kerberos.desired (no user/pass) 
[//${SERVER}/tmp]" \
+       "ls; quit" //${SERVER}/tmp \
+       --use-kerberos=desired -mSMB3 ||
+       failed=$(expr $failed + 1)
+
+test_smbclient "smbclient.smb3.kerberos.required (no user/pass) 
[//${SERVER}/tmp]" \
+       "ls; quit" //${SERVER}/tmp \
+       --use-kerberos=required -mSMB3 ||
+       failed=$(expr $failed + 1)
+
+
+
 $samba_kdestroy
 
 rm -rf $KRB5CCNAME_PATH
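
Review bot: Both added cases run before $samba_kdestroy, so they only cover the path where a ticket cache is present; there is no case showing that --use-kerberos=required with no credentials and no ticket fails instead of falling back. Consider adding that negative case after $samba_kdestroy. Style: the hunk adds two extra blank lines before $samba_kdestroy, and the new test names contain spaces and parentheses, unlike the existing smbclient.smb3.kerberos.desired[//${SERVER}/tmp] name, which may complicate knownfail matching.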


-- 
Samba Shared Repository
