[linux-cifs-client] [PATCH 2/2] cifs.spnego helper in samba: helper source code

Q (Igor Mammedov) qwerty0987654321 at mail.ru
Wed Nov 14 16:54:00 GMT 2007


Jeff Layton wrote:
> On Mon, 12 Nov 2007 11:14:27 -0500
> simo <idra at samba.org> wrote:
> 
>> On Mon, 2007-11-12 at 07:27 -0500, Jeff Layton wrote:
>>> On Mon, 12 Nov 2007 03:03:46 -0500
>>> simo <idra at samba.org> wrote:
>>>
>>>> On Wed, 2007-11-07 at 14:02 +0300, Q (Igor Mammedov) wrote:
>>>>> +       // do mech specific authorization
>>>>> +       switch(sectype){
>>>>> +               case KRB5:{
>>>>> +                       char* princ;
>>>>> +                       size_t len;
>>>>> +
>>>>> +                       /* for "cifs/" service name +
>>>>> terminating 0*/
>>>>> +                       len = strlen(hostname)+6;
>>>>> +                       princ = malloc(len);
>>>>> +                       if ( !princ ) {
>>>>> +                               rc = 1;
>>>>> +                               break;
>>>>> +                       }
>>>>> +                       strncpy(princ,"cifs/",len);
>>>>> +                       strncpy(princ+5,hostname,len-5);
>>>>> +
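Review bot: the principal assembled in this hunk is "cifs/<hostname>" with no realm component, so the resulting name only resolves if the Kerberos library can map the host to a realm on its own (krb5.conf domain_realm or DNS); either append an explicit realm here or document that mapping requirement next to the code. Minor: the pair `strncpy(princ,"cifs/",len);` / `strncpy(princ+5,hostname,len-5);` is correct only because len-5 happens to equal strlen(hostname)+1; `snprintf(princ, len, "cifs/%s", hostname)` expresses the same thing in one call and guarantees NUL termination if the size calculation is ever changed.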
>>>> Aren't we missing the REALM here ?
>>>>
>>>> And of course a good question is also .. how do we determine the
>>>> realm ? I am thinking of cases where the server is in another
>>>> realm and there is a trust between the server realm and the user
>>>> realm.
>>>>
>>>> Simo.
>>>>
>>> Perhaps we could coopt the 'domain=' mount option and have the
>>> kernel pass that to userspace in the description string?
>> That will work for Windows AD domains where realm == uppercase(domain)
>> But in unix you could have a kerberos Realm name != domain name.
>>
>> I guess in that case we can rely on the SRV records in DNS
>> _kerberos.<domain> etc... not sure if this would always work.
>>
>> Or maybe always consider domain to actually be the lowercase(REALM)
>> name... is actually the easiest thing indeed.
>>
>> Other ideas?
>>
> 
> This might be a dumb question, but I still don't have all the
> windows/samba domain stuff straight in my head:
> 
> In the situation where the domain != realm, is there any reason why the
> mount would need both pieces of info? If it's a unix server, does the
> client really care what the domain is if it has the realm? 
> 
> Certainly we could always just add a new mount option, but cifs
> already has a ton of those. I'd suggest that we avoid it unless it's
> truly necessary.
> 
> It's easy to add mount options, but tougher to remove them once they're
> no longer really needed (users tend to get upset that they have to
> change their fstabs, etc).

Domain mapping to realm could be configured in krb5.conf file 
(http://web.mit.edu/Kerberos/krb5-1.5/krb5-1.5.4/doc/krb5-admin/Mapping-Hostnames-onto-Kerberos-Realms.html).
And it should work with the last cifs.spnego patch. (not tried though)

As for the DNS TXT record _kerberos.<domain>, I don't know whether it is
supported by the krb5 library or whether we should do it in our code.

Theoretically we could add an @REALM suffix to the server name like:
//srv.test.foo@MY.REALM/sharename
  and do the necessary parsing in mount.cifs to allow explicit
REALM definition. But wouldn't we have to configure this realm in
krb5.conf anyway so that the kerberos library would be happy?

-- 

Best regards,

-------------------------
Igor Mammedov,
niallain "at" gmail.com
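The realm question raised in the thread above, worked as an added example (this is not code from the posted patch or from samba): build the "cifs/host@REALM" principal from a UNC path, taking an explicit "@REALM" if the path carries one and otherwise resolving the realm from a constructed stand-in for a krb5.conf [domain_realm] section (the table and all host names below are assumptions).

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for a krb5.conf [domain_realm] section (assumption). */
static const struct { const char *domain; const char *realm; } domain_realm[] = {
    { "srv.test.foo", "MY.REALM" },     /* no leading dot: matches this host only */
    { ".example.com", "EXAMPLE.COM" },  /* leading dot: matches any host under it */
};

/* Pick the realm for host as krb5.conf domain_realm is interpreted: exact host entry,
 * then the longest matching ".suffix" entry; with no match fall back to the
 * uppercased parent domain (the DNS TXT lookup discussed in the thread is omitted). */
static void realm_for_host(const char *host, char *out, size_t outlen)
{
    const char *best = NULL; size_t bestlen = 0, hl = strlen(host);
    for (size_t i = 0; i < sizeof domain_realm / sizeof domain_realm[0]; i++) {
        const char *d = domain_realm[i].domain; size_t dl = strlen(d);
        int hit = d[0] == '.' ? (hl > dl && strcmp(host + hl - dl, d) == 0)
                              : strcmp(host, d) == 0;
        if (hit && dl > bestlen) { best = domain_realm[i].realm; bestlen = dl; }
    }
    if (best) { snprintf(out, outlen, "%s", best); return; }
    const char *dot = strchr(host, '.');
    snprintf(out, outlen, "%s", dot ? dot + 1 : host);
    for (char *p = out; *p; p++) *p = (char)toupper((unsigned char)*p);
}

/* Build "cifs/host@REALM" for a UNC of the form //host[@REALM]/share.
 * An explicit @REALM wins, otherwise realm_for_host() decides.
 * Returns a malloc'd string the caller frees, or NULL on malformed input. */
char *cifs_principal(const char *unc)
{
    char host[256], realm[256];
    const char *p = unc; while (*p == '/') p++;
    size_t hostlen = strcspn(p, "@/");
    if (hostlen == 0 || hostlen >= sizeof host) return NULL;
    memcpy(host, p, hostlen); host[hostlen] = '\0';
    if (p[hostlen] == '@') {
        size_t rl = strcspn(p + hostlen + 1, "/");
        if (rl == 0 || rl >= sizeof realm) return NULL;
        memcpy(realm, p + hostlen + 1, rl); realm[rl] = '\0';
    } else realm_for_host(host, realm, sizeof realm);
    /* one snprintf with the computed size instead of two offset strncpy calls */
    size_t len = strlen("cifs/") + strlen(host) + 1 + strlen(realm) + 1;
    char *princ = malloc(len);
    if (princ) snprintf(princ, len, "cifs/%s@%s", host, realm);
    return princ;
}
```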
