Re: [PATCH 0/3] cifs.upcall: attempt to use AD-style service principals

On Mon, 2011-11-14 at 13:28 +1100, Andrew Bartlett wrote: 
> On Sun, 2011-11-13 at 20:17 -0500, Jeff Layton wrote:
> > We've had a request recently to allow cifs.upcall to use AD-style
> > service principals. While trying to nail down what they need, I asked
> > Simo his opinion on how best to pick a service principal for a given
> > hostname. His suggestion was:
> > 
> > 	INPUT: fooo
> > 	TRY in order:
> > 		FOOO$@REALM
> > 		cifs/fooo.<guessed domain ?>@REALM
> > 		host/fooo.<guessed domain ?>@REALM
> > 
> > 	INPUT: bar.example.com
> > 	TRY in order:
> > 		cifs/bar.example.com@REALM
> > 		BAR$@REALM
> > 		host/bar.example.com@REALM
> > 
> > This patchset attempts to embody that logic.
> > 
> > Suggestions welcome. Those reviewing it, please pay particular attention
> > to the scheme for guessing a domain name. I want to make certain that
> > we're not opening up any security holes with that scheme.
> 
> Perhaps I'm missing some background, but this looks wrong to me, at
> least for the pure AD case.  
> 
> First, in AD cifs/ is an alias of host/, so looking for both will not
> help.  Secondly, looking for bar$ is an outright guess, as there is no
> reliable mapping between a long name in DNS and the short
> samAccountName.
> 
> If we map wrongly, we might luck out and get a KDC error indicating no
> such host, or we might fail at session setup time, with logon failure. 
> 
> What is wrong with simply requesting a principal of cifs/INPUT@REALM?
> In AD, the KDC does all the canonicalisation work (perhaps I should have
> clarified this in the previous thread).

What is wrong is that it works only with AD. The above heuristics should
allow more flexibility against both AD and samba servers configured to
use other KDCs.

Simo.


-- 
Simo Sorce
Samba Team GPL Compliance Officer <simo@xxxxxxxxx>
Principal Software Engineer at Red Hat, Inc. <simo@xxxxxxxxxx>
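The candidate ordering Jeff quotes above, written out as an added Python example (this is not code from the cifs.upcall patchset or from either poster). It assumes the caller supplies any domain suffix for a short name explicitly (`default_domain`, for instance the client's own configured domain) rather than guessing it from an untrusted source, which is the part of the scheme the thread flags as security-sensitive; when no domain is supplied, no `cifs/` or `host/` candidate is generated for a short name. The `lookup` callable stands in for the KDC query and is simulated with a constructed set of known principals.

```python
from typing import Callable, List, Optional


def candidate_principals(name: str, realm: str,
                         default_domain: Optional[str] = None) -> List[str]:
    """Return the service principals to try, in order, for a server name.

    Short name  (fooo):            FOOO$@REALM, cifs/fooo.<domain>@REALM, host/fooo.<domain>@REALM
    Long name   (bar.example.com): cifs/bar.example.com@REALM, BAR$@REALM, host/bar.example.com@REALM

    `default_domain` is an assumption of this example: the domain used to
    complete a short name must come from the caller, never be guessed here.
    """
    name = name.rstrip(".")
    if "." in name:
        # Already fully qualified: the machine-account guess is derived from
        # the first label only, and is tried after the cifs/ principal.
        short = name.split(".", 1)[0]
        return [
            f"cifs/{name}@{realm}",
            f"{short.upper()}$@{realm}",
            f"host/{name}@{realm}",
        ]

    # Short name: the machine account is the first and safest guess.
    cands = [f"{name.upper()}$@{realm}"]
    if default_domain:
        fqdn = f"{name}.{default_domain.strip('.')}"
        cands.append(f"cifs/{fqdn}@{realm}")
        cands.append(f"host/{fqdn}@{realm}")
    return cands


def first_usable_principal(candidates: List[str],
                           lookup: Callable[[str], bool]) -> Optional[str]:
    """Try each candidate in order and return the first one `lookup` accepts.

    `lookup` stands in for asking the KDC for a ticket to that principal.
    """
    for principal in candidates:
        if lookup(principal):
            return principal
    return None


# Constructed sample: the only principal this pretend KDC knows about.
KNOWN_PRINCIPALS = {"host/fooo.example.com@EXAMPLE.COM"}


def demo() -> Optional[str]:
    cands = candidate_principals("fooo", "EXAMPLE.COM", default_domain="example.com")
    return first_usable_principal(cands, lambda p: p in KNOWN_PRINCIPALS)


if __name__ == "__main__":
    for c in candidate_principals("fooo", "EXAMPLE.COM", "example.com"):
        print(c)
    print("chosen:", demo())
```

Because the FQDN case derives `BAR$` from the first DNS label only, this example reproduces exactly the mismatch Andrew describes: nothing ties that label to the real samAccountName, so the candidate can fail either with a KDC error or later at session setup.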
