[linux-cifs-client] Re: [PATCH] Add support for using server
supplied principal (mic option)
jlayton at redhat.com
Mon Aug 25 11:01:04 GMT 2008
On Mon, 25 Aug 2008 19:08:00 +1000
Andrew Bartlett <abartlet at samba.org> wrote:
> On Mon, 2008-08-25 at 13:03 +0400, Igor Mammedov wrote:
> > Love Hörnquist Åstrand wrote:
> > > 25 aug 2008 kl. 02.25 skrev Jeff Layton:
> > >
> > >> So that I understand correctly, what exactly is the risk of using the
> > >> server-provided principal?
> > >
> > > I'm not saying that you shouldn't commit the fix if you think i helps
> > > interopability, but we should fix all the components so we get a
> > > secure solution that works with msft client/server, at least some day.
> > >
> > > Love
> > So what we will do?
> > Shall I make it disabled by default and add an option to cifs.upcall to
> > enable it or we just stick to a secure behavior and forget about servers
> > with several names in DNS and the only one in ADS?
> I suggest forget it, until someone complains really loudly and won't
> accept 'it is insecure' for an answer.
Thanks for the explanation -- the danger is clear to me now.
If the current implementation isn't sufficient, it might be best to
just ignore what's in the MIC and allow people to force the server's
principal with a mount option or something. Maybe something like:
mount -t cifs -o
'sec=krb5i,srvprinc=foo.bar.baz$@EXAMPLE.COM' //alias.bar.baz/share /mnt/cifs
That's probably more flexible and less subject to DNS poisoning since
the selection of the server principal would be a conscious decision.
It would be less "automatic" though.
Jeff Layton <jlayton at redhat.com>
More information about the samba-technical