[RFC/PATCH] cifs.upcall: use kernel.provided principal name if available
Andrew Bartlett
abartlet at samba.org
Thu Sep 8 07:23:05 MDT 2011
On Thu, 2011-09-08 at 15:13 +0200, Martin Wilck wrote:
> On 09/08/2011 03:01 PM, Andrew Bartlett wrote:
>
> > Try
> > [libdefaults]
> > rdns = false
> >
> > in your krb5.conf
>
> Doesn't work, sorry. Actually, it doesn't seem to make any difference in
> my setup. In my scenario, cifs.upcall would be able to infer the correct
> SPN with the following algorithm:
>
> - get the IP address using DNS
> - get the "real" server FQDN using RDNS
> - use "cifs/<hostname portion of the "real" FQDN>" as SPN
>
> Thus RDNS might indeed be beneficial here (but "rdns = true" makes no
> difference, either).
>
> OTOH, from the security point of view, this algorithm might not be more
> secure than the server-provided SPN, because the attack scenario assumes
> that DNS and/or general network packet transmission is already hijacked.
>
> The question remains: what are the windows clients doing to overcome
> this situation?
They use only the name, as typed. Windows never uses reverse DNS, as it
is rare on Windows networks.
The AD KDC answers to short, long and alias names for a server, removing
the need for the client to 'guess' what the right name it. The SPN
should simply be cifs/<name as originally specified>.
Andrew Bartlett
--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
More information about the samba-technical
mailing list