Re: [PATCH 0/3] cifs.upcall: attempt to use AD-style service principals


 



On Tue, 2011-11-15 at 09:15 -0500, Jeff Layton wrote:

> Ok, based on the comments so far, how does this sound for a potential
> scheme:
> 
> 	INPUT: foo
> 	TRY:
> 	    FOO$
> 	    cifs/foo.[guessed domain]
> 
> 	INPUT: foo.example.com
> 	TRY:
> 	    cifs/foo.example.com
> 
> To summarize, for shortnames, we'd try SHORTNAME$ first. If that fails,
> then guess a domain name, append the value to the hostname, and prepend
> it with "cifs/".

No, we should never use FOO$ (this is AD only, and equivalent to
cifs/foo), so we should instead simply do:

INPUT: foo
TRY:
    cifs/foo
    cifs/foo.[guessed domain]

INPUT: foo.example.com
TRY:
    cifs/foo.example.com

I would prefer that the kerberos client library actually did this (as
then it would 'just work' for all other kerberos applications), but
sadly the behaviour here is not always what you expect, and can use
reverse DNS (which is an even worse fate).  See the rdns option in
krb5.conf (which I typically turn off). 

Andrew Bartlett
-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
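
The candidate ordering proposed in the reply above, as an added example that is not part of the original message and is not cifs.upcall's code. The function name, the buffer sizes, and the rule that a name containing a dot counts as fully qualified are assumptions; how the domain is guessed is left to the caller.

```c
#include <stdio.h>
#include <string.h>

#define MAX_CANDIDATES 2   /* assumption: at most two principals are tried */
#define PRINC_LEN 256      /* assumption: buffer size for one principal */

/*
 * Hypothetical helper: fill out[] with the service principals to try, in
 * order, for the host name exactly as the user typed it. No DNS lookup is
 * made, so reverse DNS cannot influence which principal is requested.
 * guessed_domain may be NULL. Returns the candidate count, -1 on bad input.
 */
int build_candidates(const char *host, const char *guessed_domain,
                     char out[MAX_CANDIDATES][PRINC_LEN])
{
    int n = 0, len;

    if (host == NULL || host[0] == '\0' || host[0] == '.')
        return -1;

    /* First candidate is always cifs/<name as given>; never FOO$. */
    len = snprintf(out[n], PRINC_LEN, "cifs/%s", host);
    if (len < 0 || len >= PRINC_LEN)
        return -1;              /* refuse rather than use a truncated name */
    n++;

    /* Assumption: a dot means the name is already fully qualified. */
    if (strchr(host, '.') != NULL)
        return n;

    /* Short name: second candidate appends the guessed domain. */
    if (guessed_domain != NULL && guessed_domain[0] != '\0') {
        len = snprintf(out[n], PRINC_LEN, "cifs/%s.%s", host, guessed_domain);
        if (len >= 0 && len < PRINC_LEN)
            n++;                /* skip the guess if it would not fit */
    }
    return n;
}

int main(void)
{
    char c[MAX_CANDIDATES][PRINC_LEN];
    int i, n = build_candidates("foo", "example.com", c); /* constructed input */

    for (i = 0; i < n; i++)
        printf("try %s\n", c[i]);
    return 0;
}
```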

