[linux-cifs-client] Re: [PATCH] Add support for using server supplied principal (mic option)
simo
idra at samba.org
Mon Aug 25 12:26:41 GMT 2008
On Mon, 2008-08-25 at 13:03 +0400, Igor Mammedov wrote:
> Love Hörnquist Åstrand wrote:
> > On 25 Aug 2008, at 02:25, Jeff Layton wrote:
> >
> >> So that I understand correctly, what exactly is the risk of using the
> >> server-provided principal?
> >
> > I'm not saying that you shouldn't commit the fix if you think it helps
> > interoperability, but we should fix all the components so we get a
> > secure solution that works with msft client/server, at least some day.
> >
> > Love
>
> So what will we do?
> Shall I make it disabled by default and add an option to cifs.upcall to
> enable it, or do we just stick to a secure behavior and forget about servers
> with several names in DNS and the only one in ADS?

A correct configuration would use many CNAMEs all pointing to 1 A NAME,
the one used to join AD.

I would stick to a secure behavior and disable fetching a ticket using
the MIC information by default.

Simo.

--
Simo Sorce
Samba Team GPL Compliance Officer <simo at samba.org>
Senior Software Engineer at Red Hat Inc. <simo at redhat.com>