[RFC/PATCH] cifs.upcall: use kernel.provided principal name if available

Jeff Layton jlayton at samba.org
Mon Sep 12 07:41:14 MDT 2011

On Mon, 12 Sep 2011 11:01:58 +0200
Martin Wilck <martin.wilck at ts.fujitsu.com> wrote:

> > For the record, I'm not 100% opposed to adding something like this as a
> > workaround. What would probably be better would be a way for someone to
> > specify the SPN in the mount options. The kernel could then pass that
> > to the upcall and we wouldn't need to trust this string from the
> > server. Admins would of course need to know what SPN to put in there
> > however. Something like:
> > 
> >     -o spn=cifs/otherhostname.example.com
> Sounds good. In our AD environment, an admin can do
> ldapsearch "(cn=$COMPUTERNAME)" serviceprincipalname
> to get the supported principal name(s).

If that's the standard mechanism that windows machines use to determine
this, we could consider doing something similar in cifs.upcall. Maybe
add a new command-line option that tells it to query a particular LDAP
server with krb5 auth to determine this?

Jeff Layton <jlayton at samba.org>

More information about the samba-technical mailing list