[RFC/PATCH] cifs.upcall: use kernel.provided principal name if available

Martin Wilck martin.wilck at ts.fujitsu.com
Thu Sep 8 01:23:21 MDT 2011

Hi Andrew,

> Samba 3.5 (latest release) and Samba 3.6 now default to the
> server-provided SPN being untrusted and unused.  Samba 3.6 also does not
> send it by default.  No new software should start using this principal,
> and now all modern servers will not send it.

Please let me repeat my dumb question: Once a Windows user has logged in
to the AD Domain, she'll be able to access all shares in the domain
(which her account is allowed to use) without having to retype the
domain password. Am  I wrong assuming this works through Kerberos somehow?

On Linux clients, users need to retype passwords all the time. That
makes Linux machines 2nd class network members, at least psychologically
for their users. The reason (in my environment) is that the samba tools
 are unable to figure out the correct SPN. I understand your argument
that trying to do that via the server-provided name is insecure. That
means there must be some other way, as Windows clients are able to find
the SPN. What is it?


Dr. Martin Wilck
PRIMERGY System Software Engineer
x86 Server Engineering

Fujitsu Technology Solutions GmbH
Heinz-Nixdorf-Ring 1
33106 Paderborn, Germany
Phone:			++49 5251 525 2796
Fax:			++49 5251 525 2820
Email:			martin.wilck at ts.fujitsu.com
Internet:		http://ts.fujitsu.com
Company Details:	http://ts.fujitsu.com/imprint

More information about the samba-technical mailing list