[PATCH] Add support for using server supplied principal (mic option)

Love Hörnquist Åstrand lha at kth.se
Sun Aug 24 23:11:13 GMT 2008


On 24 Aug 2008, at 23:38, Andrew Bartlett wrote:

> On Sun, 2008-08-24 at 19:40 +0400, Q (Igor Mammedov) wrote:
>> Add support for using server supplied principal (mic option)
>
> As this is a non-standard extension, and has nasty security properties
> (connect to one server name, but get a ticket to a completely different
> name), shouldn't we be trying to use the server-supplied principal less,
> rather than more?  (Windows clients have never used it)

You should avoid using the hostname in mic.

And you should force the gssapi library to avoid doing host
canonization. I think the only way to do this is to use the name-type
GSS_KRB5_NT_PRINCIPAL_NAME.

Love
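
One way to act on the concern raised in this thread, as an added example that is not part of the thread or of Samba's code: build the target principal from the name the client dialed, with no DNS lookup, and treat the server-supplied principal only as an untrusted hint to compare against it. The function names, the `cifs` service and the example.com hosts are assumptions made for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Build "service/host" from the name the user dialed, with no DNS lookup,
 * so the string can be imported as GSS_KRB5_NT_PRINCIPAL_NAME unchanged. */
int build_target_principal(const char *service, const char *dialed_host,
                           char *out, size_t outlen)
{
    int n;
    if (!service[0] || !dialed_host[0] || strpbrk(dialed_host, "/@"))
        return -1;                      /* reject empty or multi-part input */
    n = snprintf(out, outlen, "%s/%s", service, dialed_host);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

/* DNS host names compare case-insensitively. */
static int eq_nocase(const char *a, const char *b, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (tolower((unsigned char)a[i]) != tolower((unsigned char)b[i]))
            return 0;
    return 1;
}

/* Return 1 only if the server-supplied hint "service/host[@REALM]" names
 * the service and host the client dialed; 0 for any other hint. */
int hint_matches_dialed_host(const char *hint, const char *service,
                             const char *dialed_host)
{
    const char *slash = strchr(hint, '/'), *at;
    size_t svc_len, host_len;
    if (slash == NULL)
        return 0;                       /* no host part, e.g. "name$@REALM" */
    svc_len = (size_t)(slash - hint);
    at = strchr(slash + 1, '@');
    host_len = at ? (size_t)(at - slash - 1) : strlen(slash + 1);
    if (svc_len != strlen(service) || strncmp(hint, service, svc_len) != 0)
        return 0;
    return host_len == strlen(dialed_host) &&
           eq_nocase(slash + 1, dialed_host, host_len);
}

int main(void)
{
    char spn[256] = "";                 /* constructed sample names below */
    int rc = build_target_principal("cifs", "files.example.com", spn, sizeof spn);
    printf("%d %s %d\n", rc, spn, hint_matches_dialed_host(
           "cifs/other.example.net@EXAMPLE.NET", "cifs", "files.example.com"));
    return 0;
}
```

A client using this check would log a mismatching hint and still request the ticket for the principal it built itself.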



