[linux-cifs-client] Re: [PATCH] Add support for using server supplied principal (mic option)
Love Hörnquist Åstrand
lha at kth.se
Mon Aug 25 09:49:31 GMT 2008
>> So what will we do?
>> Shall I make it disabled by default and add an option to cifs.upcall to
>> enable it, or do we just stick to a secure behavior and forget about
>> servers with several names in DNS and only one in ADS?
>
> I suggest forget it, until someone complains really loudly and won't
> accept 'it is insecure' for an answer.
The problem is that GSS breaks it even if you know the right name,
since GSS-API does DNS canonicalization.

Using GSS_KRB5_NT_PRINCIPAL_NAME instead of GSS_NT_HOSTBASED_SERVICE
will avoid that. So if the user gave you "hostname" as input, you import
the name "host/hostname"; by skipping the realm, both Heimdal and MIT
Kerberos will use the default realm.

Both Heimdal and MIT Kerberos do some kind of referrals on the client
side, so this might even work for cross-realm cases.

I'm really not sure how the currently deployed code works; I will do some
research on what to care about.
Love