[linux-cifs-client] Re: [PATCH] Add support for using server supplied principal (mic option)

Andrew Bartlett abartlet at samba.org
Mon Aug 25 11:12:25 GMT 2008


On Mon, 2008-08-25 at 07:01 -0400, Jeff Layton wrote:
> On Mon, 25 Aug 2008 19:08:00 +1000
> Andrew Bartlett <abartlet at samba.org> wrote:
> 
> > On Mon, 2008-08-25 at 13:03 +0400, Igor Mammedov wrote:
> > > Love Hörnquist Åstrand wrote:
> > > > 25 aug 2008 kl. 02.25 skrev Jeff Layton:
> > > > 
> > > >> So that I understand correctly, what exactly is the risk of using the
> > > >> server-provided principal?
> > > > 
> > > > I'm not saying that you shouldn't commit the fix if you think it helps
> > > > interoperability, but we should fix all the components so we get a
> > > > secure solution that works with msft client/server, at least some day.
> > > > 
> > > > Love
> > > 
> > > So what will we do?
> > > Shall I make it disabled by default and add an option to cifs.upcall to
> > > enable it, or do we just stick to the secure behavior and forget about servers
> > > with several names in DNS and only one in ADS?
> > 
> > I suggest forget it, until someone complains really loudly and won't
> > accept 'it is insecure' for an answer.
> > 
> 
> Thanks for the explanation -- the danger is clear to me now.
> 
> If the current implementation isn't sufficient, it might be best to
> just ignore what's in the MIC and allow people to force the server's
> principal with a mount option or something. Maybe something like:
> 
> mount -t cifs -o
> 'sec=krb5i,srvprinc=foo.bar.baz$@EXAMPLE.COM' //alias.bar.baz/share /mnt/cifs
> 
> That's probably more flexible and less subject to DNS poisoning since
> the selection of the server principal would be a conscious decision.
> It would be less "automatic" though.

Looks like a far better solution to me. 

Andrew Bartlett

-- 
Andrew Bartlett
http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Red Hat Inc.

