[linux-cifs-client] [PATCH 2/2] cifs.spnego helper in samba: helper source code
simo
idra at samba.org
Mon Nov 12 16:14:27 GMT 2007
On Mon, 2007-11-12 at 07:27 -0500, Jeff Layton wrote:
> On Mon, 12 Nov 2007 03:03:46 -0500
> simo <idra at samba.org> wrote:
>
> >
> > On Wed, 2007-11-07 at 14:02 +0300, Q (Igor Mammedov) wrote:
> > > + // do mech specific authorization
> > > + switch(sectype){
> > > + case KRB5:{
> > > + char* princ;
> > > + size_t len;
> > > +
> > > + /* for "cifs/" service name + terminating
> > > 0*/
> > > + len = strlen(hostname)+6;
> > > + princ = malloc(len);
> > > + if ( !princ ) {
> > > + rc = 1;
> > > + break;
> > > + }
> > > + strncpy(princ,"cifs/",len);
> > > + strncpy(princ+5,hostname,len-5);
> > > +
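Review bot: in the KRB5 case, len = strlen(hostname)+6 together with princ+5 and len-5 hard-codes the length of "cifs/" in three places, and the result is NUL-terminated only because len-5 happens to equal strlen(hostname)+1. A single snprintf(princ, len, "cifs/%s", hostname) with its return value checked would keep the size and the literal together. The malloc failure path also sets rc = 1, which tells the caller nothing about the cause; an errno-style value such as ENOMEM would be clearer there.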
> >
> > Aren't we missing the REALM here ?
> >
> > And of course a good question is also .. how do we determine the
> > realm ? I am thinking of cases where the server is in another realm
> > and there is a trust between the server realm and the user realm.
> >
> > Simo.
> >
>
> Perhaps we could coopt the 'domain=' mount option and have the kernel
> pass that to userspace in the description string?
That will work for Windows AD domains where realm == uppercase(domain).
But in Unix you could have a Kerberos realm name != domain name.
I guess in that case we can rely on the SRV records in DNS
_kerberos.<domain> etc... not sure if this would always work.
Or maybe always consider domain to actually be the lowercase(REALM)
name... is actually the easiest thing indeed.
Other ideas?
Simo.
--
Simo Sorce
Samba Team GPL Compliance Officer <simo at samba.org>
Senior Software Engineer at Red Hat Inc. <ssorce at redhat.com>
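
The "realm == uppercase(domain)" idea from the reply above, as an added example that is not part of the original thread or the patch: build_cifs_principal() is a hypothetical helper that forms cifs/<hostname>@<REALM> from the hostname and a 'domain=' value, using sample values constructed here. It covers only the case where the realm is the uppercased domain, not the DNS SRV lookup.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical helper, not from the patch: build "cifs/<host>[@REALM]".
 * With a NULL or empty domain, no realm is appended.
 * Returns a malloc'd string the caller frees, or NULL on error. */
char *build_cifs_principal(const char *hostname, const char *domain)
{
    static const char prefix[] = "cifs/";
    size_t hlen, dlen, len, i;
    char *princ;
    int n;

    /* '@' and '/' separate principal components; refuse them in input */
    if (hostname == NULL || hostname[0] == '\0' || strpbrk(hostname, "@/"))
        return NULL;
    if (domain != NULL && strpbrk(domain, "@/"))
        return NULL;
    hlen = strlen(hostname);
    dlen = domain ? strlen(domain) : 0;
    /* prefix + host + optional "@REALM" + terminating NUL */
    len = (sizeof(prefix) - 1) + hlen + (dlen ? dlen + 1 : 0) + 1;
    princ = malloc(len);
    if (princ == NULL)
        return NULL;
    n = snprintf(princ, len, "%s%s%s%s", prefix, hostname,
                 dlen ? "@" : "", dlen ? domain : "");
    if (n < 0 || (size_t)n >= len) {
        free(princ);
        return NULL;
    }
    /* realm == uppercase(domain): uppercase only the part after the host */
    for (i = sizeof(prefix) - 1 + hlen; i < (size_t)n; i++)
        princ[i] = (char)toupper((unsigned char)princ[i]);
    return princ;
}

int main(void)
{
    /* constructed sample values */
    char *p = build_cifs_principal("fs1.example.com", "example.com");
    if (p == NULL)
        return 1;
    puts(p);
    free(p);
    return 0;
}
```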