On 09/08/2011 03:01 PM, Andrew Bartlett wrote:
> Try
> [libdefaults]
> rdns = false
>
> in your krb5.conf

Doesn't work, sorry. Actually, it doesn't seem to make any difference in my setup.

In my scenario, cifs.upcall would be able to infer the correct SPN with the following algorithm:

- get the IP address using DNS
- get the "real" server FQDN using RDNS
- use "cifs/<hostname portion of the "real" FQDN>" as SPN

Thus RDNS might indeed be beneficial here (but "rdns = true" makes no difference, either).

OTOH, from the security point of view, this algorithm might not be more secure than the server-provided SPN, because the attack scenario assumes that DNS and/or general network packet transmission is already hijacked.

The question remains: what are the Windows clients doing to overcome this situation?

Martin

> (The default value here isn't suitable for use in an AD environment).
>
> Andrew Bartlett

--
Dr. Martin Wilck
PRIMERGY System Software Engineer
x86 Server Engineering

FUJITSU
Fujitsu Technology Solutions GmbH
Heinz-Nixdorf-Ring 1
33106 Paderborn, Germany
Phone: ++49 5251 525 2796
Fax: ++49 5251 525 2820
Email: martin.wilck@xxxxxxxxxxxxxx
Internet: http://ts.fujitsu.com
Company Details: http://ts.fujitsu.com/imprint
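
The three-step SPN derivation described in the message above, as an added example that is not part of the original post and is not cifs.upcall code. The function names, host names and addresses are constructed, and reading "hostname portion" as the first DNS label is an assumption. It shows that the derived SPN follows whatever the PTR lookup returns.

```python
import socket


def forward_dns(name):
    """Step 1: resolve the name the user typed to an IPv4 address."""
    return socket.gethostbyname(name)


def reverse_dns(ip):
    """Step 2: ask the resolver for the PTR ("real") name of that address."""
    return socket.gethostbyaddr(ip)[0]


def derive_spn(name, forward=forward_dns, reverse=reverse_dns, service="cifs"):
    """Step 3: build service/<hostname portion of the reverse-resolved FQDN>.

    The resolvers are parameters so the derivation can be exercised offline
    with lookup tables instead of live DNS.
    """
    ip = forward(name)
    fqdn = reverse(ip).rstrip(".")        # drop the trailing root dot, if any
    host = fqdn.split(".", 1)[0]          # assumption: hostname = first label
    return f"{service}/{host}"


# Constructed sample data (documentation address range, .test names).
A_RECORDS = {"files.example.test": "192.0.2.10"}
PTR_HONEST = {"192.0.2.10": "srv01.ad.example.test."}
PTR_TAMPERED = {"192.0.2.10": "other.ad.example.test."}


def demo():
    """Derive the SPN twice: same user input, different PTR answers."""
    honest = derive_spn("files.example.test",
                        A_RECORDS.__getitem__, PTR_HONEST.__getitem__)
    tampered = derive_spn("files.example.test",
                          A_RECORDS.__getitem__, PTR_TAMPERED.__getitem__)
    return honest, tampered


if __name__ == "__main__":
    honest, tampered = demo()
    print("PTR as published :", honest)
    print("PTR altered      :", tampered)
    print("SPN depends only on DNS answers:", honest != tampered)
```
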