[RFC/PATCH] cifs.upcall: use kernel.provided principal name if available

Jeff Layton jlayton at samba.org
Thu Sep 8 07:31:57 MDT 2011


On Thu, 08 Sep 2011 15:13:23 +0200
Martin Wilck <martin.wilck at ts.fujitsu.com> wrote:

> On 09/08/2011 03:01 PM, Andrew Bartlett wrote:
> 
> > Try 
> > [libdefaults]
> >  rdns = false
> > 
> > in your krb5.conf
> 
> Doesn't work, sorry. Actually, it doesn't seem to make any difference in
> my setup. In my scenario, cifs.upcall would be able to infer the correct
> SPN with the following algorithm:
> 
>  - get the IP address using DNS
>  - get the "real" server FQDN using RDNS
>  - use "cifs/<hostname portion of the "real" FQDN>" as SPN
> 

Another somewhat unsecure option for you then is to use the --trust-dns
option to cifs.upcall, which will do basically what you describe above.

Of course, the best solution would be to lobby your server admins to
either fix their DNS, or use setspn.exe to set up the necessary
principals in the KDC.

-- 
Jeff Layton <jlayton at samba.org>
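
The three-step derivation quoted above, as an added example that is not part of the original thread and is not cifs.upcall's own code. The function names and DNS tables are constructed for illustration, and reading "hostname portion" as the first label of the FQDN is an assumption. The second return value marks the case where the reverse lookup, an unauthenticated DNS answer, changed the principal that would be requested.

```python
import socket

def forward_lookup(name):
    """Step 1: host name -> first IP address, via the system resolver."""
    return socket.getaddrinfo(name, None)[0][4][0]

def reverse_lookup(addr):
    """Step 2: IP address -> PTR name, via the system resolver."""
    return socket.gethostbyaddr(addr)[0]

def first_label(name):
    # Assumption: "hostname portion" means the first DNS label.
    return name.rstrip(".").lower().split(".")[0]

def derive_spn(mount_host, forward=forward_lookup, reverse=reverse_lookup):
    """Return (spn, dns_changed) for the host name given at mount time.

    dns_changed is True when the reverse lookup replaced the name the user
    typed, so the requested principal depends on what DNS answered.
    """
    typed = first_label(mount_host)
    try:
        real = first_label(reverse(forward(mount_host)))
    except (OSError, KeyError):  # KeyError only for the constructed tables
        return "cifs/" + typed, False  # no usable PTR: keep the typed name
    # Step 3: build the SPN from the reverse-resolved name.
    return "cifs/" + real, real != typed

# Constructed sample zone data (documentation address range).
A_RECORDS = {
    "files.example.com": "192.0.2.10",  # alias-style name, PTR differs
    "srv01.example.com": "192.0.2.11",  # forward and reverse agree
    "nas.example.com": "192.0.2.12",    # no PTR record at all
}
PTR_RECORDS = {
    "192.0.2.10": "srv07.corp.example.com.",
    "192.0.2.11": "srv01.example.com.",
}

def demo():
    """Derive SPNs for every constructed host, in sorted order."""
    return [derive_spn(h, A_RECORDS.__getitem__, PTR_RECORDS.__getitem__)
            for h in sorted(A_RECORDS)]

if __name__ == "__main__":
    for spn, changed in demo():
        print(spn, "(taken from reverse DNS)" if changed else "(as typed)")
```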

