[RFC/PATCH] cifs.upcall: use kernel.provided principal name if available
Martin Wilck
martin.wilck at ts.fujitsu.com
Thu Sep 8 07:13:23 MDT 2011
On 09/08/2011 03:01 PM, Andrew Bartlett wrote:
> Try
> [libdefaults]
> rdns = false
>
> in your krb5.conf
Doesn't work, sorry. Actually, it doesn't seem to make any difference in
my setup. In my scenario, cifs.upcall would be able to infer the correct
SPN with the following algorithm:
- get the IP address using DNS
- get the "real" server FQDN using RDNS
- use "cifs/<hostname portion of the "real" FQDN>" as SPN
Thus RDNS might indeed be beneficial here (but "rdns = true" makes no
difference, either).
OTOH, from the security point of view, this algorithm might not be more
secure than the server-provided SPN, because the attack scenario assumes
that DNS and/or general network packet transmission is already hijacked.
The question remains: what are the windows clients doing to overcome
this situation?
Martin
> (The default value here isn't suitable for use in an AD environment).
>
> Andrew Bartlett
--
Dr. Martin Wilck
PRIMERGY System Software Engineer
x86 Server Engineering
FUJITSU
Fujitsu Technology Solutions GmbH
Heinz-Nixdorf-Ring 1
33106 Paderborn, Germany
Phone: ++49 5251 525 2796
Fax: ++49 5251 525 2820
Email: martin.wilck at ts.fujitsu.com
Internet: http://ts.fujitsu.com
Company Details: http://ts.fujitsu.com/imprint
More information about the samba-technical
mailing list