[RFC/PATCH] cifs.upcall: use kernel.provided principal name if available
Martin Wilck
martin.wilck at ts.fujitsu.com
Thu Sep 8 01:23:21 MDT 2011
Hi Andrew,
> Samba 3.5 (latest release) and Samba 3.6 now default to the
> server-provided SPN being untrusted and unused. Samba 3.6 also does not
> send it by default. No new software should start using this principal,
> and now all modern servers will not send it.
Please let me repeat my dumb question: Once a Windows user has logged in
to the AD Domain, she'll be able to access all shares in the domain
(which her account is allowed to use) without having to retype the
domain password. Am I wrong assuming this works through Kerberos somehow?
On Linux clients, users need to retype passwords all the time. That
makes Linux machines 2nd class network members, at least psychologically
for their users. The reason (in my environment) is that the samba tools
are unable to figure out the correct SPN. I understand your argument
that trying to do that via the server-provided name is insecure. That
means there must be some other way, as Windows clients are able to find
the SPN. What is it?
Regards
Martin
--
Dr. Martin Wilck
PRIMERGY System Software Engineer
x86 Server Engineering
FUJITSU
Fujitsu Technology Solutions GmbH
Heinz-Nixdorf-Ring 1
33106 Paderborn, Germany
Phone: ++49 5251 525 2796
Fax: ++49 5251 525 2820
Email: martin.wilck at ts.fujitsu.com
Internet: http://ts.fujitsu.com
Company Details: http://ts.fujitsu.com/imprint
More information about the samba-technical
mailing list