Re: [RFC/PATCH] cifs.upcall: use kernel.provided principal name if available

On Thu, 08 Sep 2011 15:13:23 +0200
Martin Wilck <martin.wilck@xxxxxxxxxxxxxx> wrote:

> On 09/08/2011 03:01 PM, Andrew Bartlett wrote:
> 
> > Try 
> > [libdefaults]
> >  rdns = false
> > 
> > in your krb5.conf
> 
> Doesn't work, sorry. Actually, it doesn't seem to make any difference in
> my setup. In my scenario, cifs.upcall would be able to infer the correct
> SPN with the following algorithm:
> 
>  - get the IP address using DNS
>  - get the "real" server FQDN using RDNS
>  - use "cifs/<hostname portion of the "real" FQDN>" as SPN
> 

Another somewhat insecure option for you then is to use the --trust-dns
option to cifs.upcall, which will do basically what you describe above.

Of course, the best solution would be to lobby your server admins to
either fix their DNS, or use setspn.exe to set up the necessary
principals in the KDC.

-- 
Jeff Layton <jlayton@xxxxxxxxx>
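
Added example, not part of the original message and not cifs.upcall's own code: the three lookup steps quoted above, written out in Python to show why an SPN derived this way is only as trustworthy as the DNS answers behind it. The host names, addresses and helper names are constructed for illustration.

```python
import socket

def derive_spn(name, forward, reverse):
    """Steps from the quoted message: DNS -> IP, rDNS -> FQDN, host part -> SPN."""
    ip = forward(name)
    fqdn = reverse(ip).rstrip(".").lower()
    return "cifs/" + fqdn.split(".", 1)[0], ip, fqdn

def system_resolvers():
    """Real resolver pair, for trying this against live DNS."""
    return socket.gethostbyname, lambda ip: socket.gethostbyaddr(ip)[0]

def table_resolvers(a_records, ptr_records):
    """Resolver pair backed by dicts so the example runs offline."""
    return a_records.__getitem__, ptr_records.__getitem__

def audit(name, forward, reverse):
    """Report the derived SPN and whether DNS, not the user, picked the host."""
    spn, ip, fqdn = derive_spn(name, forward, reverse)
    typed_host = name.rstrip(".").lower().split(".", 1)[0]
    dns_chosen = fqdn.split(".", 1)[0] != typed_host
    return {"typed": name, "ip": ip, "rdns": fqdn, "spn": spn,
            "dns_chosen": dns_chosen}

# Constructed sample zones (documentation address ranges, made-up names).
HONEST_A = {"files.example.com": "192.0.2.10",
            "srv01.corp.example.com": "192.0.2.10"}
HONEST_PTR = {"192.0.2.10": "srv01.corp.example.com."}
# Same mount name, but the answers now come from a resolver we cannot trust.
TAMPERED_A = {"files.example.com": "198.51.100.7"}
TAMPERED_PTR = {"198.51.100.7": "other.corp.example.com."}

if __name__ == "__main__":
    for label, zone in (("honest", (HONEST_A, HONEST_PTR)),
                        ("tampered", (TAMPERED_A, TAMPERED_PTR))):
        print(label, audit("files.example.com", *table_resolvers(*zone)))
```

With the same name typed by the user, the derived SPN follows whatever the resolver returns, so Kerberos mutual authentication then only proves the peer holds the key for the principal DNS named. A dns_chosen value of True marks the mounts where that substitution happened.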