[RFC/PATCH] cifs.upcall: use kernel.provided principal name if available

Martin Wilck martin.wilck at ts.fujitsu.com
Tue Sep 13 05:01:21 MDT 2011

On 09/13/2011 01:23 AM, Andrew Bartlett wrote:

> If they know the computer name, why don't they connect to it as
> $COMPUTERNAME?  That's how this is meant to work - the DNS or netbios
> name the user resolves for the connection to is either the cn,
> dnsHostname or in the servicePrincipalNames of the record.  

As I said earlier, that's what the Win clients do, and when it fails,
they fall back to NTLM which won't bother with SPNs. The user never gets
to know the difference.

> If your users are connecting to names not in that list, why not just add
> them to the servicePrincipalNames list?  We really should not be adding
> more and more hacks around this area, they will only bite us later.

I have requested that from our sysadmin.

When I first discovered that Win clients could connect to the service in
question while the Linux cifs client couldn't, I suspected a problem
with the cifs client (especially because smbclient was able to connect
with kerberos, too). I do understand now that this conclusion was wrong.


Dr. Martin Wilck
PRIMERGY System Software Engineer
x86 Server Engineering

Fujitsu Technology Solutions GmbH
Heinz-Nixdorf-Ring 1
33106 Paderborn, Germany
Phone:			++49 5251 525 2796
Fax:			++49 5251 525 2820
Email:			martin.wilck at ts.fujitsu.com
Internet:		http://ts.fujitsu.com
Company Details:	http://ts.fujitsu.com/imprint

More information about the samba-technical mailing list