[linux-cifs-client] [PATCH 3/5] [CIFS] change cifs_setup_session to take a unc string arg

Simo Sorce ssorce at redhat.com
Tue Oct 30 17:28:11 GMT 2007


On Tue, 2007-10-30 at 12:45 -0400, Jeff Layton wrote:
> On Tue, 30 Oct 2007 19:30:18 +0300
> "Q (Igor Mammedov)" <qwerty0987654321 at mail.ru> wrote:
> 
> > Jeff Layton wrote:
> > > +
> > >  int cifs_setup_session(unsigned int xid, struct cifsSesInfo
> > > *pSesInfo,
> > > -					   struct nls_table
> > > *nls_info)
> > > +			struct nls_table *nls_info, const char
> > > *unc) {
> > >  	int rc = 0;
> > >  	char ntlm_session_key[CIFS_SESS_KEY_SIZE];
> > >  	int ntlmv2_flag = FALSE;
> > >  	int first_time = 0;
> > > +	char *hostname;
> > > +
> > > +	hostname = extract_hostname_from_unc(unc);
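Review bot: the return value of extract_hostname_from_unc(unc) on the last line of this hunk is stored in hostname with no check visible here. Since the function yields a char *, test it for NULL or an error pointer before use, setting rc and returning early on failure. If the helper allocates the string, every exit path of cifs_setup_session needs a matching kfree(hostname). The new unc parameter also has no comment describing its expected form or whether NULL is permitted, which is worth documenting because the value is caller-supplied.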
> > 
> > We already have server's IP and userspace helper could easily do
> > reverse lookup to find out server name.
> > Benefits:
> >     1. readability, simplicity: no need to add an additional argument
> > and function (fewer changes)
> >     2. security: force administrators to do correct DNS
> > configuration (FQDN -> IP -> FQDN).
> > 
> 
> That was my thought too, but Simo seems to believe that that won't be
> reliable enough and that admins may not have control of their
> in-addr.arpa domains.
> 
> Simo, care to comment?

Yes, unfortunately in many cases, even in enterprise controlled
environments, DNSs are not necessarily well configured, and when AD is
involved even more so (I have no real numbers so take this with a grain
of salt). In these environments making changes to the DNS sometimes may
require a lot of time/effort.

In these cases it would be nice to be able to still function as much as
we can.
Keep in mind that FQDN is indispensable to acquire the ticket, so
requiring IP->FQDN means some people would not be able to make Kerberos
authentication work except by using tricks like setting fixed entries
in /etc/hosts.

In any case if we want to force this we need to document it prominently
IMO.

Simo.
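
The thread weighs taking the server name from the UNC against deriving it by reverse lookup. As an added example (not code from the patch or from anyone in the thread), here is a sketch of the UNC side: the hypothetical `unc_to_hostname()` extracts and validates the server component before it would be passed on for ticket acquisition. Restricting the name to DNS hostname characters is an assumption of this example.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

#define MAX_DNS_NAME 253  /* maximum length of a DNS name in text form */

static int is_sep(char c) { return c == '\\' || c == '/'; }

/*
 * Hypothetical helper (not the patch's extract_hostname_from_unc()):
 * copy the server component of "\\server\share" or "//server/share"
 * into out. Returns 0 on success, -1 on malformed input.
 */
int unc_to_hostname(const char *unc, char *out, size_t outlen)
{
	size_t len = 0;
	const char *host;

	if (!unc || !out || outlen == 0)
		return -1;
	/* A UNC must start with exactly two separators. */
	if (!is_sep(unc[0]) || !is_sep(unc[1]) || is_sep(unc[2]))
		return -1;
	host = unc + 2;

	/* The server component ends at the next separator or end of string. */
	while (host[len] && !is_sep(host[len])) {
		unsigned char c = (unsigned char)host[len];
		/* Assumption: only DNS hostname characters are accepted. */
		if (!isalnum(c) && c != '-' && c != '.')
			return -1;
		len++;
	}
	/* Reject empty, oversized, or truncating results. */
	if (len == 0 || len > MAX_DNS_NAME || len >= outlen)
		return -1;
	/* A name may not begin with a dot or a hyphen. */
	if (host[0] == '.' || host[0] == '-')
		return -1;

	memcpy(out, host, len);
	out[len] = '\0';
	return 0;
}
```

A name obtained this way is whatever the caller typed, so it identifies the server the user asked for rather than one confirmed by DNS.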


