[linux-cifs-client] Re: [PATCH] Add support for using server supplied principal (mic option)

Jeff Layton jlayton at redhat.com
Mon Aug 25 12:45:55 GMT 2008

On Mon, 25 Aug 2008 13:31:35 +0100
Love Hörnquist Åstrand <lha at kth.se> wrote:

> >
> > A correct configuration would use many CNAMEs all pointing to 1 A NAME,
> > the one used to join AD.
> > I would stick to a secure behavior and disable fetching a ticket using
> > the MIC information by default.
> Use "setspn -a host/alias computername" to add the aliases to the SPNs  
> and it doesn't matter what name the client uses.
> The gssapi library does dns canon, it's wrong, but there is no good way
> to stop doing since that breaks stuff :(

I'm not that familiar with setspn, but I assume it's a server side
tool. Sometimes it turns out that people are using Linux in
environments with windows admins that aren't cooperative, or it's just
too much hassle to do the paperwork to get them to do anything
server-side. We'd like to allow users to still use krb5 in these
environments. Anything we can do on the client-side to make this
possible without compromising security is probably something we want to

Allowing the user to explicitly specify the server principal seems like
it might also help the canonicalization problem, though I also haven't
tested this. Does anyone foresee an issue with that approach?

Jeff Layton <jlayton at redhat.com>
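As an added example that is not part of this thread or of the cifs-utils code base, the selection order Jeff sketches can be written out as a small client-side policy: an explicitly configured principal wins, the server-supplied (MIC) name is used only when the admin has opted in, and otherwise the principal is built from the host name exactly as the user typed it, with no DNS canonicalization. The option names `principal=` and `mic`, the field and function names, and the host names in the usage call are assumptions for illustration.

```python
"""Client-side choice of the Kerberos service principal for a CIFS mount.

Added example; not code from the mailing-list authors or from cifs-utils.
Option names (principal=, mic) and all identifiers below are assumptions.
"""
from dataclasses import dataclass
from typing import Optional

# Service names a CIFS server principal is expected to carry (assumption).
ALLOWED_SERVICES = {"cifs", "host"}


@dataclass
class MountRequest:
    server_as_typed: str                   # host name given on the mount command line
    user_principal: Optional[str] = None   # explicit principal= option (assumed name)
    trust_mic: bool = False                # opt-in: accept the server-supplied principal
    mic_principal: Optional[str] = None    # principal reported by the server, if any


def validate_principal(principal: str) -> str:
    """Accept only 'service/host' or 'service/host@REALM' with a known service.

    Raises ValueError on anything else, so a malformed server-supplied name is
    rejected before a ticket is ever requested for it.
    """
    name, _, realm = principal.partition("@")
    service, sep, host = name.partition("/")
    if not sep or not service or not host:
        raise ValueError(f"principal is not of the form service/host: {principal!r}")
    if service.lower() not in ALLOWED_SERVICES:
        raise ValueError(f"unexpected service in principal: {service!r}")
    if "@" in realm:
        raise ValueError(f"principal has more than one realm separator: {principal!r}")
    return principal


def choose_service_principal(req: MountRequest) -> str:
    """Return the principal the client should request a ticket for."""
    # 1. An explicitly configured principal always wins: the user, not DNS and
    #    not the remote server, decides which key must decrypt the ticket.
    if req.user_principal:
        return validate_principal(req.user_principal)
    # 2. The server-supplied name is used only when the admin opted in, since
    #    that name is chosen by whoever answered on the wire.
    if req.trust_mic and req.mic_principal:
        return validate_principal(req.mic_principal)
    # 3. Default: derive the principal from the name the user typed. No DNS
    #    canonicalization, so an alias must be registered as an SPN server-side.
    return f"cifs/{req.server_as_typed.strip().lower()}"


if __name__ == "__main__":
    # Constructed sample: user mounted an alias, server reports its join name.
    req = MountRequest(server_as_typed="files.example.com",
                       mic_principal="cifs/srv01.example.com@EXAMPLE.COM")
    print(choose_service_principal(req))
```

With the defaults in the usage call the function returns `cifs/files.example.com`, i.e. the alias the user typed; the server's own name is only used once `trust_mic=True` is set, and an explicit `user_principal` overrides both.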
