From: Matthieu Patou <mat@samba.org>
To: Jeff Layton <jlayton@samba.org>,
linux-cifs@vger.kernel.org,
samba-technical <samba-technical@lists.samba.org>
Subject: Re: [PATCH 0/3] cifs.upcall: attempt to use AD-style service principals
Date: Tue, 15 Nov 2011 12:18:52 +0100
Message-ID: <4EC24A9C.7080301@samba.org>
On 14/11/2011 02:17, Jeff Layton wrote:
> We've had a request recently to allow cifs.upcall to use AD-style
> service principals. While trying to nail down what they need, I asked
> Simo his opinion on how best to pick a service principal for a given
> hostname. His suggestion was:
>
> INPUT: fooo
> TRY in order:
> FOOO$@REALM
> cifs/fooo.<guessed domain ?>@REALM
> host/fooo.<guessed domain ?>@REALM
>
> INPUT: bar.example.com
> TRY in order:
> cifs/bar.example.com@REALM
> BAR$@REALM
> host/bar.example.com@REALM
>
> This patchset attempts to embody that logic.
>
> Suggestions welcome. Those reviewing it, please pay particular attention
> to the scheme for guessing a domain name. I want to make certain that
> we're not opening up any security holes with that scheme.
Jeff, you have to pay attention to DFS volumes.
I.e. if I want to mount //mydomain.corp/sysvol you will never get a
ticket for cifs/mydomain.corp@REALM; instead you need to locate with
trans2 calls (for smb1, I don't remember the name for smb2) the domain
controllers (DC) that could provide you the share.
For sysvol it's still quite simple but you can have other DFS volumes
that are not stored on a DC; it would be great to have DFS awareness in the
cifs client.
Matthieu
--
Matthieu Patou
Samba Team
http://samba.org
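
The candidate ordering quoted at the top of this message, as an added C example (not code from the patchset or from cifs.upcall). The function names, the `domain` parameter standing in for the "guessed domain", and the rejection of `/` and `@` in names are assumptions of this sketch; it does not cover the DFS referral case raised in the reply.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#define MAX_CAND 3
#define PRINC_LEN 256

/* "NAME$@REALM": first DNS label of host, upper-cased (machine account). */
static int machine_princ(char *out, const char *host, const char *realm)
{
    size_t n = strcspn(host, ".");
    if (n + strlen(realm) + 3 > PRINC_LEN) return -1;
    for (size_t i = 0; i < n; i++) out[i] = (char)toupper((unsigned char)host[i]);
    snprintf(out + n, PRINC_LEN - n, "$@%s", realm);
    return 0;
}

/* "svc/host@REALM", or "svc/host.domain@REALM" when a domain is supplied. */
static int service_princ(char *out, const char *svc, const char *host,
                         const char *domain, const char *realm)
{
    int r = snprintf(out, PRINC_LEN, "%s/%s%s%s@%s", svc, host,
                     domain ? "." : "", domain ? domain : "", realm);
    return (r < 0 || r >= PRINC_LEN) ? -1 : 0;
}

/* Fill cand[] in the quoted order; returns the count, or -1 on bad input.
 * domain is a caller-supplied guess (hypothetical parameter); with NULL the
 * cifs/ and host/ candidates for a short name are skipped, not invented.
 * Added check: '/' or '@' in a name would change the principal's structure. */
int build_candidates(const char *host, const char *domain, const char *realm,
                     char cand[MAX_CAND][PRINC_LEN])
{
    int n = 0, fqdn = host && strchr(host, '.') != NULL;
    const char *sfx = (fqdn || !domain || !*domain) ? NULL : domain;
    if (!host || !realm || !*host || *host == '.' || strpbrk(host, "/@")
        || (sfx && strpbrk(sfx, "/@")))
        return -1;
    if (fqdn && service_princ(cand[n++], "cifs", host, NULL, realm)) return -1;
    if (machine_princ(cand[n++], host, realm)) return -1;
    if (sfx && service_princ(cand[n++], "cifs", host, sfx, realm)) return -1;
    if ((fqdn || sfx) && service_princ(cand[n++], "host", host, sfx, realm)) return -1;
    return n;
}

int main(void)
{
    char c[MAX_CAND][PRINC_LEN];
    int n = build_candidates("fooo", "example.com", "REALM", c); /* constructed */
    for (int i = 0; i < n; i++) puts(c[i]);
}
```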