[RFC/PATCH] cifs.upcall: use kernel.provided principal name if available
Jeff Layton
jlayton at samba.org
Fri Sep 9 07:37:36 MDT 2011
On Thu, 08 Sep 2011 18:34:54 +0200
Martin Wilck <martin.wilck at ts.fujitsu.com> wrote:
> (I needed to remove linux-cifs from cc because of DNS troubles again -
> sorry)
>
> On 09/08/2011 03:23 PM, Andrew Bartlett wrote:
>
> >> The question remains: what are the windows clients doing to overcome
> >> this situation?
> >
> > They use only the name, as typed. Windows never uses reverse DNS, as it
> > is rare on Windows networks.
>
> It turns out that with the mentioned server, Kerberos doesn't work with
> Windows clients, either. Instead I can see (in wireshark) the Win
> clients falling back to NTLM authentication (or using it right away).
> That explains a lot. Sorry for the noise. (I'm currently looking for a
> switch in XP to force it to use Kerberos for testing purposes, but so
> far I found none).
>
Ok, good to know...thanks.
For now, we'll plan to table these patches.
For the record, I'm not 100% opposed to adding something like this as a
workaround. What would probably be better would be a way for someone to
specify the SPN in the mount options. The kernel could then pass that
to the upcall and we wouldn't need to trust this string from the
server. Admins would of course need to know what SPN to put in there
however. Something like:
-o spn=cifs/otherhostname.example.com
...for example.
--
Jeff Layton <jlayton at samba.org>
More information about the samba-technical
mailing list