[RFC/PATCH] cifs.upcall: use kernel.provided principal name if available

Martin Wilck martin.wilck at ts.fujitsu.com
Thu Sep 8 07:13:23 MDT 2011

On 09/08/2011 03:01 PM, Andrew Bartlett wrote:

> Try 
> [libdefaults]
>  rdns = false
> in your krb5.conf

Doesn't work, sorry. Actually, it doesn't seem to make any difference in
my setup. In my scenario, cifs.upcall would be able to infer the correct
SPN with the following algorithm:

 - get the IP address using DNS
 - get the "real" server FQDN using RDNS
 - use "cifs/<hostname portion of the "real" FQDN>" as SPN

Thus RDNS might indeed be beneficial here (but "rdns = true" makes no
difference, either).

OTOH, from the security point of view, this algorithm might not be more
secure than the server-provided SPN, because the attack scenario assumes
that DNS and/or general network packet transmission is already hijacked.

The question remains: what are the windows clients doing to overcome
this situation?


> (The default value here isn't suitable for use in an AD environment). 
> Andrew Bartlett

Dr. Martin Wilck
PRIMERGY System Software Engineer
x86 Server Engineering

Fujitsu Technology Solutions GmbH
Heinz-Nixdorf-Ring 1
33106 Paderborn, Germany
Phone:			++49 5251 525 2796
Fax:			++49 5251 525 2820
Email:			martin.wilck at ts.fujitsu.com
Internet:		http://ts.fujitsu.com
Company Details:	http://ts.fujitsu.com/imprint

More information about the samba-technical mailing list