Re: specifying password when using krb5

[Frank Loeffler <frank.loeffler@uni-jena.de>]

[-- Attachment #1: Type: text/plain, Size: 1692 bytes --]

Hi,

On Mon, Mar 29, 2021 at 06:25:49PM +0200, Aurélien Aptel wrote:
>When you use a password you're actually not using krb5 (even in
>smbclient), you're using NTLMSSP authentication.

As far as I understand, you (can) use a password to obtain a krb5-token, 
which is then used for sec=krb5. From a users point of view, you enter 
username and password and get access. Whether this is using krb5 and a 
token or some other mechanism is usually something a user doesn't even 
want to know about. What they know is a username/password combination 
and a share name on some remote machine.
If the mechanism happens to be krb5 (isn't that even the default on 
Windows shares?), you might need a temporary token, but I wonder if  
that "technicality" couldn't be made transparent to the user by default. 
This would make mounting Windows shares a lot less 'messy' to users.

>> 4. Currently, trying sec=krb5 without token cache files results in 
>> the
>> rather obscure error "mount error(2): No such file or directory". Could
>> this me changed into something that points users to the actual cause of
>> the error?
>
>Sadly we don't have much to work with. Mounting is done with a single
>system call mount() which can only return 1 error code from the list of errno
>codes https://man7.org/linux/man-pages/man3/errno.3.html

That is unfortunate. However, not even verbose mounting gave me any 
indication of what it was that is actually failing. Maybe, before 
returning ENOENT, cifs you print something else, possibly at least with
high verbosity/debugging enabled.

>I think you are :) thanks for reporting.

Thanks for your time responding. :)

Frank


[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 833 bytes --]