From: Andrew Bartlett <abartlet-eUNUBHrolfbYtjvyW6yDsg@public.gmane.org>
To: simo <idra-eUNUBHrolfbYtjvyW6yDsg@public.gmane.org>
Cc: Jeff Layton <jlayton-eUNUBHrolfbYtjvyW6yDsg@public.gmane.org>,
linux-cifs-u79uwXL29TY76Z2rM5mHXA@public.gmane.org,
samba-technical-w/Ol4Ecudpl8XjKLYN78aQ@public.gmane.org
Subject: Re: [PATCH 0/3] cifs.upcall: attempt to use AD-style service principals
Date: Thu, 17 Nov 2011 21:16:40 +1100 [thread overview]
Message-ID: <1321525044.20295.11.camel@ruth> (raw)
In-Reply-To: <1321459686.3953.1053.camel-akOVU7JyYd8WIfilqQrPtNi2O/JbrIOy@public.gmane.org>
On Wed, 2011-11-16 at 11:08 -0500, simo wrote:
> On Wed, 2011-11-16 at 08:37 +1100, Andrew Bartlett wrote:
> > On Tue, 2011-11-15 at 09:15 -0500, Jeff Layton wrote:
> >
> > > Ok, based on the comments so far, how does this sound for a potential
> > > scheme:
> > >
> > > INPUT: foo
> > > TRY:
> > > FOO$
> > > cifs/foo.[guessed domain]
> > >
> > > INPUT: foo.example.com
> > > TRY:
> > > cifs/foo.example.com
> > >
> > > To summarize, for shortnames, we'd try SHORTNAME$ first. If that fails,
> > > then guess a domain name, append the value to the hostname, and prepend
> > > it with "cifs/".
> >
> > No, we should never use FOO$ (this is AD only, and equivalent to
> > cifs/foo), so we should instead simply do:
> >
> > INPUT: foo
> > TRY:
> > cifs/foo
>
> This ^^^^ is also AD-only, so what's the point of objecting to one or
> another ?
> At least when you see FOO$@REALM, admins know it is an AD only thing.
The reason that we should not translate between foo and foo$ on the
client side is that a server may have multiple service principal names.
A host with multiple names will have only one machine account in AD, and
we have no way to know that this particular name is that of the machine
account.
Also, while requests for cifs/foo will cause a lookup of host/foo and
foo$ on the server side, this is a server-side fallback, not an absolute
rule. If an account has the more specific form as a
servicePrincipalName, then implicit mappings are not needed. We cannot
on a client make assumptions about how the administrator has configured
their domain.
Finally, cifs/foo is a perfectly valid and reasonable kerberos service
principal name, and the name that other cifs clients such as Samba 3.6,
and Windows will use, and so we should ensure constancy with those
clients to reduce the administrator burden in the non-AD case.
Indeed, it is this final reason why this process is futile. The correct
fix is to ensure that the non-AD KDC has principal entries for each
aliases (cifs/foo and cifs/foo.domain) by which the server can be
resolved.
Andrew Bartlett
--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
next prev parent reply other threads:[~2011-11-17 10:16 UTC|newest]
Thread overview: 18+ messages / expand[flat|nested] mbox.gz Atom feed top
2011-11-14 1:17 [PATCH 0/3] cifs.upcall: attempt to use AD-style service principals Jeff Layton
[not found] ` <1321233448-13548-1-git-send-email-jlayton-eUNUBHrolfbYtjvyW6yDsg@public.gmane.org>
2011-11-14 1:17 ` [PATCH 1/3] cifs.upcall: move to an on-stack princ buffer Jeff Layton
2011-11-14 1:17 ` [PATCH 2/3] cifs.upcall: move to Simo's suggested algorithm for picking a principal Jeff Layton
2011-11-14 1:17 ` [PATCH 3/3] cifs.upcall: try and guess the domain name on unqualified names Jeff Layton
2011-11-14 2:28 ` [PATCH 0/3] cifs.upcall: attempt to use AD-style service principals Andrew Bartlett
2011-11-14 3:12 ` simo
[not found] ` <1321240351.3953.803.camel-akOVU7JyYd8WIfilqQrPtNi2O/JbrIOy@public.gmane.org>
2011-11-14 14:44 ` Jeff Layton
[not found] ` <20111114094449.66a35717-9yPaYZwiELC+kQycOl6kW4xkIHaj4LzF@public.gmane.org>
2011-11-14 22:45 ` Andrew Bartlett
2011-11-14 23:04 ` simo
[not found] ` <1321311883.3953.886.camel-akOVU7JyYd8WIfilqQrPtNi2O/JbrIOy@public.gmane.org>
2011-11-15 1:10 ` Andrew Bartlett
2011-11-15 14:15 ` Jeff Layton
[not found] ` <20111115091510.167a9435-9yPaYZwiELC+kQycOl6kW4xkIHaj4LzF@public.gmane.org>
2011-11-15 21:37 ` Andrew Bartlett
2011-11-16 16:08 ` simo
[not found] ` <1321459686.3953.1053.camel-akOVU7JyYd8WIfilqQrPtNi2O/JbrIOy@public.gmane.org>
2011-11-17 10:16 ` Andrew Bartlett [this message]
2011-11-17 13:12 ` Jeff Layton
[not found] ` <20111117081256.5801f389-9yPaYZwiELC+kQycOl6kW4xkIHaj4LzF@public.gmane.org>
2011-11-18 0:47 ` Andrew Bartlett
-- strict thread matches above, loose matches on Subject: below --
2011-11-15 11:18 Matthieu Patou
[not found] ` <4EC24A9C.7080301-eUNUBHrolfbYtjvyW6yDsg@public.gmane.org>
2011-11-15 13:46 ` Jeff Layton
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1321525044.20295.11.camel@ruth \
--to=abartlet-eunubhrolfbytjvyw6ydsg@public.gmane.org \
--cc=idra-eUNUBHrolfbYtjvyW6yDsg@public.gmane.org \
--cc=jlayton-eUNUBHrolfbYtjvyW6yDsg@public.gmane.org \
--cc=linux-cifs-u79uwXL29TY76Z2rM5mHXA@public.gmane.org \
--cc=samba-technical-w/Ol4Ecudpl8XjKLYN78aQ@public.gmane.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.