[RFC/PATCH] cifs.upcall: use kernel.provided principal name if available

Jeff Layton jlayton at samba.org
Mon Sep 12 07:41:14 MDT 2011


On Mon, 12 Sep 2011 11:01:58 +0200
Martin Wilck <martin.wilck at ts.fujitsu.com> wrote:

> > For the record, I'm not 100% opposed to adding something like this as a
> > workaround. What would probably be better would be a way for someone to
> > specify the SPN in the mount options. The kernel could then pass that
> > to the upcall and we wouldn't need to trust this string from the
> > server. Admins would of course need to know what SPN to put in there
> > however. Something like:
> > 
> >     -o spn=cifs/otherhostname.example.com
> 
> Sounds good. In our AD environment, an admin can do
> 
> ldapsearch "(cn=$COMPUTERNAME)" serviceprincipalname
> 
> to get the supported principal name(s).
> 

If that's the standard mechanism that Windows machines use to determine
this, we could consider doing something similar in cifs.upcall. Maybe
add a new command-line option that tells it to query a particular LDAP
server with krb5 auth to determine this?

-- 
Jeff Layton <jlayton at samba.org>

