Previous versions of SAMBA from 4.10-4.13 allowed smbclient -k //HOST/USER -c pwd which uses the cached principal. As does SAMBA 4.16.11, but with the deprecation notice: # smbclient -k //cute103.hs/dewayne -c pwd WARNING: The option -k|--kerberos is deprecated! <<<=== Issue Using smbclient //cute103.hs/dewayne -c pwd prompts for the principal password, as does smbclient --use-kerberos=required //cute103.hs/dewayne -c pwd Similarly, when adding to smb4.conf the following line client use kerberos = required Throughout this testing I have a Issued Expires Principal Apr 22 07:26:32 2024 Apr 22 17:26:39 2024 krbtgt/HS@HS Apr 22 07:26:43 2024 Apr 22 17:26:39 2024 cifs/cute103.hs@HS Is this an implementation issue or is this a SAMBA peculiarity - that being: even though a user has the user and service principal in their cache to either: prompt for the password; or be told that they're using deprecated functionality? Please note I have a group of SAMBA standalone servers using heimdal kdc and openldap (since 4.10.11) on FreeBSD 12.4S, 13.2S and 14.0-p5.