[linux-cifs-client] mount.cifs with sec=krb5 where kerberos principal is not the same as file server

Jeff Layton jlayton at samba.org
Wed Oct 28 07:08:30 MDT 2009


On Wed, 28 Oct 2009 13:49:58 +0100
Andrew Baumann <andrewb at inf.ethz.ch> wrote:

> Hi Jeff,
> 
> On Wednesday 28 October 2009 13.31:27 Jeff Layton wrote:
> > The reason is that while CIFS doesn't currently do mutual krb5
> > authentication, eventually it should. The problem with trusting the
> > mechListMIC is that it makes the client susceptible to
> > man-in-the-middle attacks. An attacker could redirect traffic to a
> > server of his choosing (perhaps by spoofing DNS) and the client would
> > be none the wiser.
> 
> Hm, I see. Do you happen to know if smbclient does this? In the interim, 
> perhaps it would be useful to have a mount option that could specify the 
> service principal explicitly.
> 

I think that would be unwise -- why use kerberos at all if you're going
to water it down?

> > Now...when you say that fs-srv1 is a different host from the file
> > server, what exactly do you mean?
> 
> I mean that it is a valid host with a different IP from the host with the 
> share, and it does not itself offer SMB service:
> 
> $ host fs.systems
> fs.systems.inf.ethz.ch is an alias for fs-systems.inf.ethz.ch.
> fs-systems.inf.ethz.ch has address 129.132.19.42
> $ host fs-srv1
> fs-srv1.ethz.ch is an alias for fs-srv1.inf.ethz.ch.
> fs-srv1.inf.ethz.ch has address 129.132.19.5
> $ telnet fs-srv1 microsoft-ds
> Trying 129.132.19.5...
> telnet: Unable to connect to remote host: Connection refused
> 
> (I don't know the exact details of the file service setup here, but I can find 
> out more if it's helpful).
> 

By "valid host" do you mean that it's a separate machine entirely? Or
are you playing around with floating addresses in a clustered setup?

Either way, this appears to be a server misconfiguration. A properly
configured server should accept principals for all possible hostname
aliases. The fact that it's expecting a service principal for a
completely different host and not accepting a service principal for one
of its names looks broken to me.

-- 
Jeff Layton <jlayton at samba.org>
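As an added example (not code from this thread, from the cifs kernel client or from cifs-utils), here is the service-principal check that Jeff's argument implies: derive the acceptable cifs/ principals from the name the client was asked to mount plus the CNAME chain that name resolves through, and refuse a server-proposed principal outside that set instead of trusting the mechListMIC. The DNS data is constructed from the `host` output quoted above; the function names are my own.

```python
"""Which Kerberos service principal should a CIFS client accept for a mount?

The client must derive the SPN from the name it was given (and the DNS
aliases that name resolves through), never from the name the server
proposes, or a redirected connection would be accepted unchallenged."""
import re

# Constructed sample: the lines pasted from `host` in the thread above.
HOST_OUTPUT = """\
fs.systems.inf.ethz.ch is an alias for fs-systems.inf.ethz.ch.
fs-systems.inf.ethz.ch has address 129.132.19.42
fs-srv1.ethz.ch is an alias for fs-srv1.inf.ethz.ch.
fs-srv1.inf.ethz.ch has address 129.132.19.5
"""

ALIAS_RE = re.compile(r"^(\S+) is an alias for (\S+)$")
ADDR_RE = re.compile(r"^(\S+) has address (\S+)$")


def parse_host_output(text):
    """Return (aliases, addresses): alias -> canonical name, name -> IP."""
    aliases, addresses = {}, {}
    for line in text.splitlines():
        m = ALIAS_RE.match(line)
        if m:
            aliases[m.group(1)] = m.group(2).rstrip(".")  # drop FQDN dot
            continue
        m = ADDR_RE.match(line)
        if m:
            addresses[m.group(1)] = m.group(2)
    return aliases, addresses


def acceptable_spns(target, aliases, service="cifs"):
    """SPNs the client may accept for `target`: the name it was given and
    every canonical name reached by following CNAMEs (loop-safe)."""
    names, seen = [target], set()
    while target in aliases and target not in seen:
        seen.add(target)
        target = aliases[target]
        names.append(target)
    return {f"{service}/{n}" for n in names}


def trust_server_spn(target, proposed_spn, aliases):
    """Accept a server-proposed SPN only if it names the mount target.
    A proposal for an unrelated host (fs-srv1 here) is exactly the case
    the thread warns about and is refused rather than used blindly."""
    return proposed_spn in acceptable_spns(target, aliases)
```

With the quoted DNS data, a proposal of cifs/fs-srv1.inf.ethz.ch for a mount of fs.systems.inf.ethz.ch is rejected, while cifs/fs-systems.inf.ethz.ch (the CNAME target) is accepted.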

