[PATCH 0/3] cifs.upcall: attempt to use AD-style service principals

simo idra at samba.org
Wed Nov 16 09:08:06 MST 2011


On Wed, 2011-11-16 at 08:37 +1100, Andrew Bartlett wrote: 
> On Tue, 2011-11-15 at 09:15 -0500, Jeff Layton wrote:
> 
> > Ok, based on the comments so far, how does this sound for a potential
> > scheme:
> > 
> > 	INPUT: foo
> > 	TRY:
> > 	    FOO$
> > 	    cifs/foo.[guessed domain]
> > 
> > 	INPUT: foo.example.com
> > 	TRY:
> > 	    cifs/foo.example.com
> > 
> > To summarize, for shortnames, we'd try SHORTNAME$ first. If that fails,
> > then guess a domain name, append the value to the hostname, and prepend
> > it with "cifs/".
> 
> No, we should never use FOO$ (this is AD only, and equivalent to
> cifs/foo), so we should instead simply do:
> 
> INPUT: foo
> TRY:
>     cifs/foo

This ^^^^ is also AD-only, so what's the point of objecting to one or
another?
At least when you see FOO$@REALM, admins know it is an AD only thing.

> cifs/foo.[guessed domain]
> 
> INPUT: foo.example.com
> TRY:
>     cifs/foo.example.com
> 
> I would prefer that the kerberos client library actually did this (as
> then it would 'just work' for all other kerberos applications), but
> sadly the behaviour here is not always what you expect, and can use
> reverse DNS (which is an even worse fate).  See the rdns option in
> krb5.conf (which I typically turn off). 
> 
> Andrew Bartlett


-- 
Simo Sorce
Samba Team GPL Compliance Officer <simo at samba.org>
Principal Software Engineer at Red Hat, Inc. <simo at redhat.com>
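The two candidate-principal schemes debated in this thread, written out as an added example; this is not code from cifs.upcall or from either poster. The realm argument and the guessed-domain heuristic (realm lower-cased, as in a default AD forest) are assumptions, and no DNS lookup of any kind is done, so the krb5 rdns behaviour Andrew mentions never comes into play.

```python
"""Candidate Kerberos service principals for a CIFS server name.

Constructed example implementing the two proposals from the thread:
Jeff's (short name -> HOST$ first, then cifs/host.<guessed domain>) and
Andrew's (never HOST$; cifs/host first, then cifs/host.<guessed domain>).
A fully qualified name yields a single cifs/fqdn candidate in both.
"""
from typing import List, Optional


def guess_domain_from_realm(realm: str) -> str:
    # Assumption: the DNS domain is the realm in lower case. That holds for
    # a default AD forest but is only a guess, exactly as in the thread.
    return realm.lower()


def _check_host(host: str) -> str:
    # Reject values that would smuggle a different principal component in.
    host = host.strip().rstrip(".")
    if not host or "/" in host or "@" in host or any(c.isspace() for c in host):
        raise ValueError(f"not a usable host name: {host!r}")
    return host


def jeff_candidates(host: str, realm: str,
                    guessed_domain: Optional[str] = None) -> List[str]:
    """Jeff's scheme: FOO$ first for short names, then cifs/foo.<domain>."""
    host = _check_host(host)
    domain = guessed_domain or guess_domain_from_realm(realm)
    if "." in host:                       # already fully qualified
        return [f"cifs/{host}@{realm}"]
    return [f"{host.upper()}$@{realm}",   # machine account, AD only
            f"cifs/{host}.{domain}@{realm}"]


def andrew_candidates(host: str, realm: str,
                      guessed_domain: Optional[str] = None) -> List[str]:
    """Andrew's scheme: never FOO$; cifs/foo, then cifs/foo.<domain>."""
    host = _check_host(host)
    domain = guessed_domain or guess_domain_from_realm(realm)
    if "." in host:
        return [f"cifs/{host}@{realm}"]
    return [f"cifs/{host}@{realm}",
            f"cifs/{host}.{domain}@{realm}"]


if __name__ == "__main__":
    for name in ("foo", "foo.example.com"):
        print(name, "jeff:", jeff_candidates(name, "EXAMPLE.COM"))
        print(name, "andrew:", andrew_candidates(name, "EXAMPLE.COM"))
```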


