[PATCH] Add support for using server supplied principal (mic option)
Love Hörnquist Åstrand
lha at kth.se
Sun Aug 24 23:11:13 GMT 2008
On 24 Aug 2008, at 23:38, Andrew Bartlett wrote:
> On Sun, 2008-08-24 at 19:40 +0400, Q (Igor Mammedov) wrote:
>> Add support for using server supplied principal (mic option)
>
> As this is a non-standard extension, and has nasty security properties
> (connect to one server name, but get a ticket to a completely different
> name), shouldn't we be trying to use the server-supplied principal less,
> rather than more? (Windows clients have never used it)
You should avoid using the hostname in mic.
And you should force the gssapi library to avoid doing host
canonization. I think the only way to do this is to use the name-type
GSS_KRB5_NT_PRINCIPAL_NAME.
Love