[linux-cifs-client] [PATCH 2/2] cifs.spnego helper in samba: helper source code

Jeff Layton jlayton at redhat.com
Tue Nov 13 12:04:40 GMT 2007


On Mon, 12 Nov 2007 11:14:27 -0500
simo <idra at samba.org> wrote:

> 
> On Mon, 2007-11-12 at 07:27 -0500, Jeff Layton wrote:
> > On Mon, 12 Nov 2007 03:03:46 -0500
> > simo <idra at samba.org> wrote:
> > 
> > > 
> > > On Wed, 2007-11-07 at 14:02 +0300, Q (Igor Mammedov) wrote:
> > > > +       // do mech specific authorization
> > > > +       switch(sectype){
> > > > +               case KRB5:{
> > > > +                       char* princ;
> > > > +                       size_t len;
> > > > +
> > > > +                       /* for "cifs/" service name +
> > > > terminating 0*/
> > > > +                       len = strlen(hostname)+6;
> > > > +                       princ = malloc(len);
> > > > +                       if ( !princ ) {
> > > > +                               rc = 1;
> > > > +                               break;
> > > > +                       }
> > > > +                       strncpy(princ,"cifs/",len);
> > > > +                       strncpy(princ+5,hostname,len-5);
> > > > +
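Review bot: the principal assembled here is "cifs/<hostname>" with no "@REALM" suffix, so which realm the ticket is requested from is left to the Kerberos library's default; that is the gap Simo raises below, and the fix belongs here: append an explicit realm (from whatever source the thread settles on) when building `princ`, and size `len` to include it. As a style point, the pair `strncpy(princ,"cifs/",len);` / `strncpy(princ+5,hostname,len-5);` only stays correct while the hand-maintained `+6` and `-5` match the length of the literal; a single `snprintf(princ, len, "cifs/%s", hostname)` with its return value checked against `len` is easier to verify and leaves an obvious place to add the realm later.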
> > > 
> > > Aren't we missing the REALM here ?
> > > 
> > > And of course a good question is also .. how do we determine the
> > > realm ? I am thinking of cases where the server is in another
> > > realm and there is a trust between the server realm and the user
> > > realm.
> > > 
> > > Simo.
> > > 
> > 
> > Perhaps we could coopt the 'domain=' mount option and have the
> > kernel pass that to userspace in the description string?
> 
> That will work for Windows AD domains where realm == uppercase(domain)
> But in unix you could have a kerberos Realm name != domain name.
> 
> I guess in that case we can rely on the SRV records in DNS
> _kerberos.<domain> etc... not sure if this would always work.
> 
> Or maybe always consider domain to actually be the lowercase(REALM)
> name... is actually the easiest thing indeed.
> 
> Other ideas?
> 

This might be a dumb question, but I still don't have all the
windows/samba domain stuff straight in my head:

In the situation where the domain != realm, is there any reason why the
mount would need both pieces of info? If it's a unix server, does the
client really care what the domain is if it has the realm? 

Certainly we could always just add a new mount option, but cifs
already has a ton of those. I'd suggest that we avoid it unless it's
truly necessary.

It's easy to add mount options, but tougher to remove them once they're
no longer really needed (users tend to get upset that they have to
change their fstabs, etc).

-- 
Jeff Layton <jlayton at redhat.com>
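As an added illustration of the realm question Simo raises above (this is not code from the cifs.spnego patch or from Samba), the hypothetical helper below builds the service principal the upcall would request a ticket for. When no explicit realm is supplied it falls back to uppercase(domain), the AD convention from the thread; a Unix realm that differs from the DNS domain has to be passed in explicitly. It uses snprintf so the length check is done once rather than by hand, and reports truncation or bad input instead of silently producing a wrong name.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper, not part of the cifs.spnego patch: build
 * "cifs/<hostname>@<REALM>" into out. If realm is NULL or empty, derive
 * it as uppercase(domain) (the AD case); a differing Unix realm must be
 * given explicitly. Returns the length written, or -1 on bad input or
 * when out is too small (truncation is treated as an error, never as a
 * usable principal). */
int build_cifs_principal(const char *hostname, const char *domain,
                         const char *realm, char *out, size_t outlen)
{
    char derived[256];
    const char *r = realm;
    int n;

    if (!hostname || !*hostname || !out || outlen == 0)
        return -1;

    if (!r || !*r) {
        size_t i;

        if (!domain || !*domain || strlen(domain) >= sizeof(derived))
            return -1;
        /* realm == uppercase(domain), as discussed for AD domains */
        for (i = 0; domain[i]; i++)
            derived[i] = (char)toupper((unsigned char)domain[i]);
        derived[i] = '\0';
        r = derived;
    }

    /* one call does the size accounting the strncpy pair did by hand */
    n = snprintf(out, outlen, "cifs/%s@%s", hostname, r);
    if (n < 0 || (size_t)n >= outlen)
        return -1;
    return n;
}
```

The caller can then pass the returned string to the credential lookup, and a -1 means the mount should fail rather than try a principal in an unintended realm.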

