On Mon, 2011-09-12 at 09:41 -0400, Jeff Layton wrote:
> On Mon, 12 Sep 2011 11:01:58 +0200
> Martin Wilck <martin.wilck@xxxxxxxxxxxxxx> wrote:
>
> > > For the record, I'm not 100% opposed to adding something like this as a
> > > workaround. What would probably be better would be a way for someone to
> > > specify the SPN in the mount options. The kernel could then pass that
> > > to the upcall and we wouldn't need to trust this string from the
> > > server. Admins would of course need to know what SPN to put in there
> > > however. Something like:
> > >
> > > -o spn=cifs/otherhostname.example.com
> >
> > Sounds good. In our AD environment, an admin can do
> >
> > ldapsearch "(cn=$COMPUTERNAME)" serviceprincipalname
> >
> > to get the supported principal name(s).
> >
>
> If that's the standard mechanism that windows machines use to determine
> this, we could consider doing something similar in cifs.upcall. Maybe
> add a new command-line option that tells it to query a particular LDAP
> server with krb5 auth to determine this?

No, Windows clients do not rely on that.
It's a mixture of dscracknames RPC and the KDC doing canonicalization on
its own IIRC.

Simo.

--
Simo Sorce
Samba Team GPL Compliance Officer <simo@xxxxxxxxx>
Principal Software Engineer at Red Hat, Inc. <simo@xxxxxxxxxx>