[linux-cifs-client] Re: [PATCH] Add support for using server supplied principal (mic option)

Igor Mammedov niallain at gmail.com
Mon Aug 25 14:02:04 GMT 2008

Jeff Layton wrote:
> On Mon, 25 Aug 2008 13:31:35 +0100
> Love Hörnquist Åstrand <lha at kth.se> wrote:
>>> A correct configuration would use many CNAMEs all pointing to 1 A NAME,
>>> the one used to join AD.
>>> I would stick to a secure behavior and disable fetching a ticket using
>>> the MIC information by default.
>> Use "setspn -a host/alias computername" to add the aliases to the SPNs
>> and it doesn't matter what name the client uses.
>> The gssapi library does dns canon, it's wrong, but there is no good way
>> to stop doing it since that breaks stuff :(
> I'm not that familiar with setspn, but I assume it's a server side
> tool.

> Sometimes it turns out that people are using Linux in
> environments with windows admins that aren't cooperative, or it's just
> too much hassle to do the paperwork to get them to do anything
> server-side. 

That's exactly what happens at my work place, complicated by wrong
hostnames used as DFS referrals (i.e. all submounts are automatic).
The server-supplied name solves this problem.

> We'd like to allow users to still use krb5 in these
> environments. Anything we can do on the client-side to make this
> possible without compromising security is probably something we want to
> pursue.
> Allowing the user to explicitly specify the server principal seems like
> it might also help the canonization problem, though I also haven't
> tested this. Does anyone foresee an issue with that approach?

I do not see why supplying a principal explicitly would help.
Specifying a principal or hostname explicitly implies that we know a valid
(registered in the KDC) principal or hostname. So we may just use a valid
hostname and not bother with an additional option for a principal.


Best regards,

Igor Mammedov,
niallain "at" gmail.com
