On Mon, 2011-09-12 at 11:01 +0200, Martin Wilck wrote: > > For the record, I'm not 100% opposed to adding something like this as a > > workaround. What would probably be better would be a way for someone to > > specify the SPN in the mount options. The kernel could then pass that > > to the upcall and we wouldn't need to trust this string from the > > server. Admins would of course need to know what SPN to put in there > > however. Something like: > > > > -o spn=cifs/otherhostname.example.com > > Sounds good. In our AD environment, an admin can do > > ldapsearch "(cn=$COMPUTERNAME)" serviceprincipalname > > to get the supported principal name(s). If they know the computer name, why don't they connect to it as $COMPUTERNAME? That's how this is meant to work - the DNS or netbios name the user resolves for the connection to is either the cn, dnsHostname or in the servicePrincipalNames of the record. If your users are connecting to names not in that list, why not just add them to the servicePrincipalNames list? We really should not be adding more and more hacks around this area, they will only bite us later. Andrew Bartlett -- Andrew Bartlett http://samba.org/~abartlet/ Authentication Developer, Samba Team http://samba.org -- To unsubscribe from this list: send the line "unsubscribe linux-cifs" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
