[linux-cifs-client] Re: SPNEGO OIDs and MIC

Steve French smfrench at gmail.com
Thu Aug 21 19:28:38 GMT 2008


I think there is some value in passing the mechListMIC to userspace,
but it should not hold up us supporting krb5 in 2.6.27 (if there are
other bugs in 2.6.27 krb5 support we could leave experimental on
though).

On Thu, Aug 21, 2008 at 12:48 PM, Jeff Layton <jlayton at redhat.com> wrote:
> On Thu, 21 Aug 2008 10:55:58 -0500
> "Steve French" <smfrench at gmail.com> wrote:
>
>> https://lists.anl.gov/pipermail/ietf-krb-wg/2002-December/002168.html
>>
>> --
>> Thanks,
>>
>> Steve
>
> (cc'ing linux-cifs-client and Igor as well...)
>
> Thanks for that info, Steve. That makes a bit more sense. The first bug
> mentioned explains why we need to support 2 different OIDs. The second
> one talks about the mechListMIC and why it has the server's principal
> rather than a real MIC.
>
> Appendix C of the current SPNEGO RFC has some info on working around
> MS bugs:
>
> http://tools.ietf.org/html/rfc4178
>
> ...and they make a bit more sense after reading the comments in this
> other post.
>
> It seems to me that parsing this info out and sending it to userspace
> is still reasonable. We could even have userspace do a sanity check of
> this info. See if it looks like a principal name rather than a real MIC.
>
> Maybe something like:
>
> if (strstr(mechlistmic, "$@")) then try to use the mechlistmic field as
> principal name.
>
> That said, given that this is a MS-specific quirk, it may make sense
> to only use this info for MSKRB5 after all.
>
> Thoughts?
> --
> Jeff Layton <jlayton at redhat.com>
>



-- 
Thanks,

Steve
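
A length-bounded form of the userspace sanity check sketched in the quoted message with `strstr(mechlistmic, "$@")`, as an added example that is not part of the original thread or of the cifs code. The function name, the length limit and the sample inputs used to exercise it are assumptions; the check treats the field as a pointer plus a length because an ASN.1 OCTET STRING carries no NUL terminator.

```c
#include <stddef.h>
#include <string.h>

/* Hypothetical helper; name and limit are assumptions of this example. */
#define MAX_PRINCIPAL_LEN 256   /* assumed upper bound for a hint we accept */

/*
 * Decide whether a mechListMIC blob looks like a machine principal
 * ("name$@REALM") rather than a real, binary MIC.
 * Returns 1 and copies a NUL-terminated string into out on success,
 * 0 for anything else (out is left untouched).
 */
int mic_as_principal(const unsigned char *mic, size_t len,
                     char *out, size_t outsz)
{
    size_t i, at = 0;
    int seen_at = 0;

    /* Shortest possible match is "a$@R"; also leave room for the NUL. */
    if (mic == NULL || out == NULL || len < 4 ||
        len > MAX_PRINCIPAL_LEN || len >= outsz)
        return 0;

    for (i = 0; i < len; i++) {
        /* A real MIC is binary; reject control bytes, spaces, embedded
         * NULs and anything outside 7-bit printable ASCII. */
        if (mic[i] <= 0x20 || mic[i] >= 0x7f)
            return 0;
        if (mic[i] == '@') {
            if (seen_at)
                return 0;       /* exactly one '@' expected */
            seen_at = 1;
            at = i;
        }
    }

    /* Require non-empty name, '$' directly before '@', non-empty realm. */
    if (!seen_at || at < 2 || mic[at - 1] != '$' || at + 1 >= len)
        return 0;

    memcpy(out, mic, len);
    out[len] = '\0';
    return 1;
}
```

A value accepted here comes from a negotiation token received before authentication, so it is a hint for choosing a service principal and not a verified identity.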

