[linux-cifs-client] Re: [PATCH] Add support for using server supplied principal (mic option)
niallain at gmail.com
Mon Aug 25 14:02:04 GMT 2008
Jeff Layton wrote:
> On Mon, 25 Aug 2008 13:31:35 +0100
> Love Hörnquist Åstrand <lha at kth.se> wrote:
>>> A correct configuration would use many CNAMEs all pointing to 1 A
>>> the one used to join AD.
>>> I would stick to a secure behavior and disable fetching a ticket using
>>> the MIC information by default.
>> Use "setspn -a host/alias computername" to add the aliases to the SPNs
>> and it doesn't matter what name the client uses.
>> The gssapi library does dns canon; it's wrong, but there is no good way
>> to stop doing it since that breaks stuff :(
> I'm not that familiar with setspn, but I assume it's a server side
> Sometimes it turns out that people are using Linux in
> environments with windows admins that aren't cooperative, or it's just
> too much hassle to do the paperwork to get them to do anything
That's exactly what happens at my workplace, complicated by wrong
hostnames used as DFS referrals (i.e. all submounts are automatic).
The server supplied name solves this problem.
> We'd like to allow users to still use krb5 in these
> environments. Anything we can do on the client-side to make this
> possible without compromising security is probably something we want to
> Allowing the user to explicitly specify the server principal seems like
> it might also help the canonization problem, though I also haven't
> tested this. Does anyone foresee an issue with that approach?
I do not see why supplying the principal explicitly would help.
Specifying a principal or hostname explicitly implies that we know a valid
(registered in the KDC) principal or hostname. So we may just use a valid
hostname and not bother with an additional option for a principal.