On Mon, 2011-11-14 at 09:44 -0500, Jeff Layton wrote:
> The above scheme isn't perfect, but in many cases it will happen to
> work. It's true that there's no reliable mapping between DNS and
> samAccountName, but in a lot of cases the samAccountName *is* the
> capitalized host portion of the DNS name. Does it hurt anything to
> attempt to get a ticket with that name if "cifs/fqdn" fails?

We should never ask for a machine$ name. It is always the wrong thing to do, because it will only exist on AD servers, which already do the mapping between cifs/foo and foo$ internally.

We should also not map between cifs/ and host/ - cifs/ is a separate service, just as nfs/ and http/ are.

> Over the years, we've seen a lot of confused users on the list who are
> not sure what name they need to put in the host portion of the UNC to
> get their krb5 mount to work. This scheme seems like it'll make that a
> bit more forgiving.

I certainly understand the need to make krb5 more forgiving, and certainly if the KDC indicates that cifs/foo does not exist, then guessing the DNS domain and asking for cifs/foo.<guessed domain> is reasonable.

> If the wrong guesses just end up slowing down the upcall, then I'm ok
> with that. If they potentially open a security hole then that's another
> matter entirely. That's my main question here -- are we opening up any
> vulnerabilities with this scheme?

Each time you second-guess the name, you open up a small security hole, because you potentially allow a connection that was to be to a trusted host to be impersonated by a less trusted member of the same Kerberos realm. For that reason, any client-side canonicalisation should be strictly limited.

Furthermore, you may do more than just slow down the upcall - if you connect to the right server with the wrong ticket (because you guessed wrong - cifs vs host etc.), the only way to find out is if the server gives you a LOGON_FAILURE error, and I think this will be even harder to debug.
I do want Kerberos to be easier to use, and to 'just work' more often. I care passionately that Kerberos should be both secure and 'just work' - falling back to NTLM is an even worse fate. I just want to ensure we do not become the source of new expected behaviour patterns for non-AD domains (such as looking up foo$ or host/foo for cifs shares), as once we start, it will be very hard to undo.

Andrew Bartlett

--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
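The narrow fallback Andrew argues for above, written out as an added example (this is not code from the thread, from cifs-utils or from Samba): the client asks only for `cifs/<name>` as typed in the UNC, and, when that name is unqualified and the KDC reports the principal as unknown, for `cifs/<name>.<default DNS domain>`. It never generates `host/<name>` or `<NAME>$` candidates, and when no candidate exists it gives up rather than falling back to NTLM. The host names, the default domain and the `kdc_knows` callback standing in for the KDC round-trip are constructed sample values.

```python
"""Limited client-side canonicalisation of a cifs/ service principal.

Added illustration, not the thread's own code. The KDC is simulated by a
callback that answers "does this principal exist?"; in a real client that
answer comes from a KDC_ERR_S_PRINCIPAL_UNKNOWN reply to the TGS request.
"""
from typing import Callable, List, Optional, Tuple

SERVICE = "cifs"             # the only service we are allowed to ask for
FORBIDDEN_SERVICES = {"host"}  # never substitute host/ for cifs/


def candidate_principals(unc_host: str, default_domain: Optional[str]) -> List[str]:
    """Return the ordered list of principals the client may request.

    1. cifs/<host> exactly as the user typed it (trailing dot stripped).
    2. cifs/<host>.<default_domain>, only when <host> has no dot at all.
    Nothing else: no machine$ guess, no host/ guess.
    """
    host = unc_host.strip().rstrip(".")
    if not host or any(ch in host for ch in "\\/@$ "):
        raise ValueError(f"not a usable UNC host portion: {unc_host!r}")
    candidates = [f"{SERVICE}/{host}"]
    if "." not in host and default_domain:
        domain = default_domain.strip().strip(".")
        if domain:
            candidates.append(f"{SERVICE}/{host}.{domain}")
    return candidates


def is_permitted_principal(principal: str) -> bool:
    """Policy check: reject the guesses the thread says must never be made."""
    service, sep, name = principal.partition("/")
    if sep != "/" or not name:
        return False                  # a bare name such as FILESERVER$ is a machine account, not an SPN
    if service in FORBIDDEN_SERVICES or service != SERVICE:
        return False                  # host/foo is a different service from cifs/foo
    if name.endswith("$"):
        return False                  # never ask for a machine$ principal
    return True


def select_principal(
    unc_host: str,
    default_domain: Optional[str],
    kdc_knows: Callable[[str], bool],
) -> Tuple[Optional[str], List[Tuple[str, str]]]:
    """Walk the candidate list, stopping at the first principal the KDC knows.

    Returns (chosen_principal_or_None, attempts). The attempts list records
    every name tried and why it was skipped, which is what an admin needs when
    the mount fails; None means "no usable cifs/ principal", never "use NTLM".
    """
    attempts: List[Tuple[str, str]] = []
    for principal in candidate_principals(unc_host, default_domain):
        if not is_permitted_principal(principal):
            attempts.append((principal, "rejected by client policy"))
            continue
        if kdc_knows(principal):
            attempts.append((principal, "ticket obtained"))
            return principal, attempts
        attempts.append((principal, "KDC: principal unknown"))
    return None, attempts


if __name__ == "__main__":
    # Constructed KDC: only the fully qualified cifs/ principal is registered.
    known = {"cifs/fileserver.example.com"}
    chosen, log = select_principal("fileserver", "example.com", known.__contains__)
    for name, outcome in log:
        print(f"{name:40s} {outcome}")
    print("selected:", chosen)
```

The policy functions are split out so that the same `is_permitted_principal` check can sit in front of any other canonicalisation someone later adds; if a future fallback produces `host/` or `$` names, the check fails before a ticket is ever requested.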