From: Andrew Bartlett <abartlet-eUNUBHrolfbYtjvyW6yDsg@public.gmane.org>
To: Martin Wilck <martin.wilck-RJz4owOZxyXQFUHtdCDX3A@public.gmane.org>
Cc: "linux-cifs-u79uwXL29TY76Z2rM5mHXA@public.gmane.org"
<linux-cifs-u79uwXL29TY76Z2rM5mHXA@public.gmane.org>,
"samba-technical-w/Ol4Ecudpl8XjKLYN78aQ@public.gmane.org"
<samba-technical-w/Ol4Ecudpl8XjKLYN78aQ@public.gmane.org>,
Martin Wilck <mwilck-KvP5wT2u2U0@public.gmane.org>
Subject: Re: [RFC/PATCH] cifs.upcall: use kernel.provided principal name if available
Date: Thu, 08 Sep 2011 23:23:05 +1000
Message-ID: <1315488187.541.16.camel@obed>
In-Reply-To: <4E68BF73.2090707-RJz4owOZxyXQFUHtdCDX3A@public.gmane.org>
On Thu, 2011-09-08 at 15:13 +0200, Martin Wilck wrote:
> On 09/08/2011 03:01 PM, Andrew Bartlett wrote:
>
> > Try
> > [libdefaults]
> > rdns = false
> >
> > in your krb5.conf
>
> Doesn't work, sorry. Actually, it doesn't seem to make any difference in
> my setup. In my scenario, cifs.upcall would be able to infer the correct
> SPN with the following algorithm:
>
> - get the IP address using DNS
> - get the "real" server FQDN using RDNS
> - use "cifs/<hostname portion of the "real" FQDN>" as SPN
>
> Thus RDNS might indeed be beneficial here (but "rdns = true" makes no
> difference, either).
>
> OTOH, from the security point of view, this algorithm might not be more
> secure than the server-provided SPN, because the attack scenario assumes
> that DNS and/or general network packet transmission is already hijacked.
>
> The question remains: what are the windows clients doing to overcome
> this situation?
They use only the name, as typed. Windows never uses reverse DNS, as it
is rare on Windows networks.
The AD KDC answers to short, long and alias names for a server, removing
the need for the client to 'guess' what the right name is. The SPN
should simply be cifs/<name as originally specified>.
Andrew Bartlett
--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
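As an added illustration of the two derivation strategies discussed in this message (this is example code written for this page, not code from the thread, from cifs-utils or from Samba), the following Python models the "as typed" SPN that Andrew describes for Windows clients against the forward/reverse DNS derivation that Martin outlines. A constructed in-memory resolver stands in for DNS and a toy KDC stands in for AD, so it runs offline; the host names, addresses, realm and account names are invented, and the KDC only models the one behaviour the message states (the server's short name, FQDN and aliases all map to the same account).

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class FakeDns:
    """Constructed stand-in for the system resolver (records are invented)."""
    a: dict       # name -> IPv4 address
    ptr: dict     # IPv4 address -> canonical FQDN

    def forward(self, name):
        key = name.lower().rstrip(".")
        if key not in self.a:
            raise LookupError(f"no A record for {name}")
        return self.a[key]

    def reverse(self, ip):
        if ip not in self.ptr:
            raise LookupError(f"no PTR record for {ip}")
        return self.ptr[ip]


def spn_as_typed(name, realm):
    """cifs/<name as typed>@REALM: DNS is never consulted."""
    return f"cifs/{name.rstrip('.')}@{realm}"


def spn_via_rdns(name, realm, dns):
    """Forward-resolve, reverse-resolve, use the host part of the PTR target
    (the algorithm sketched in the quoted message)."""
    ip = dns.forward(name)
    fqdn = dns.reverse(ip).rstrip(".")
    host = fqdn.split(".")[0]
    return f"cifs/{host}@{realm}"


class FakeKdc:
    """Toy KDC: each server account registers its short name, FQDN and
    aliases, and a TGS request for any of them is served with that
    account's key (the AD behaviour the message describes)."""

    def __init__(self, realm, accounts):
        self.realm = realm
        self.owner = {}
        for account, names in accounts.items():
            for n in names:
                self.owner[f"cifs/{n}@{realm}".lower()] = account

    def tgs_req(self, spn):
        """Account whose key encrypts the ticket, or None when the SPN is
        unknown (a real KDC would answer KDC_ERR_S_PRINCIPAL_UNKNOWN)."""
        return self.owner.get(spn.lower())


# Constructed scenario data; nothing below comes from the thread.
REALM = "EXAMPLE.COM"

HONEST_DNS = FakeDns(
    a={"filesrv": "192.0.2.10",
       "filesrv.example.com": "192.0.2.10",
       "files": "192.0.2.10"},          # CNAME/alias modelled as a plain A
    ptr={"192.0.2.10": "filesrv.example.com"},
)

# Reverse zone (or the path to the resolver) under attacker control: the
# server's address now maps back to a domain-joined host the attacker owns.
HIJACKED_DNS = FakeDns(
    a=HONEST_DNS.a,
    ptr={"192.0.2.10": "evilbox.example.com"},
)

KDC = FakeKdc(REALM, {
    "FILESRV$": ["filesrv", "filesrv.example.com", "files"],
    "EVILBOX$": ["evilbox", "evilbox.example.com"],
})


def compare(name, dns, kdc=KDC):
    """For one mount target, return (SPN, account that holds its key)
    under both derivation strategies."""
    typed = spn_as_typed(name, REALM)
    rdns = spn_via_rdns(name, REALM, dns)
    return {"as_typed": (typed, kdc.tgs_req(typed)),
            "rdns": (rdns, kdc.tgs_req(rdns))}


if __name__ == "__main__":
    for label, dns in (("honest", HONEST_DNS), ("hijacked", HIJACKED_DNS)):
        for target in ("filesrv", "files", "filesrv.example.com"):
            print(f"{label:8} {target:22} {compare(target, dns)}")
```

With honest records both strategies end up at FILESRV$ for every spelling of the name, because the toy KDC (like AD, per the message) serves the short name, the FQDN and the alias from the same account. Once the PTR record is attacker-controlled, the reverse-DNS path asks for cifs/evilbox, a principal whose key the attacker holds, while the as-typed path still asks for a ticket on the name the user gave; as the quoted message itself notes, an attacker who can rewrite DNS can redirect the A record too, but that only changes where the client connects, not which account's key wraps the ticket it requests.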
Thread overview: 23+ messages
2011-09-06 15:21 [RFC/PATCH] cifs: add server-provided principal name in upcall Martin Wilck
[not found] ` <1315322512-10652-1-git-send-email-martin.wilck-RJz4owOZxyXQFUHtdCDX3A@public.gmane.org>
2011-09-06 15:26 ` [RFC/PATCH] cifs.upcall: use kernel.provided principal name if available Martin Wilck
[not found] ` <1315322794-10725-1-git-send-email-martin.wilck-RJz4owOZxyXQFUHtdCDX3A@public.gmane.org>
2011-09-06 16:10 ` Jeff Layton
[not found] ` <4E673D6F.90606@ts.fujitsu.com>
2011-09-07 13:03 ` Jeff Layton
2011-09-07 21:42 ` Andrew Bartlett
2011-09-08 7:23 ` Martin Wilck
[not found] ` <4E686D69.9090503-RJz4owOZxyXQFUHtdCDX3A@public.gmane.org>
2011-09-08 7:39 ` Andrew Bartlett
2011-09-08 12:53 ` Martin Wilck
[not found] ` <4E68BACD.2020403-RJz4owOZxyXQFUHtdCDX3A@public.gmane.org>
2011-09-08 12:59 ` simo
2011-09-08 13:01 ` Andrew Bartlett
2011-09-08 13:13 ` Martin Wilck
[not found] ` <4E68BF73.2090707-RJz4owOZxyXQFUHtdCDX3A@public.gmane.org>
2011-09-08 13:23 ` simo
2011-09-08 13:23 ` Andrew Bartlett [this message]
2011-09-08 14:54 ` Jeff Layton
[not found] ` <4E68EEAE.2090102@ts.fujitsu.com>
[not found] ` <4E68EEAE.2090102-RJz4owOZxyXQFUHtdCDX3A@public.gmane.org>
2011-09-09 13:37 ` Jeff Layton
2011-09-12 9:01 ` Martin Wilck
[not found] ` <4E6DCA86.8020707-RJz4owOZxyXQFUHtdCDX3A@public.gmane.org>
2011-09-12 13:41 ` Jeff Layton
[not found] ` <20110912094114.4e7f2b8e-4QP7MXygkU+dMjc06nkz3ljfA9RmPOcC@public.gmane.org>
2011-09-12 14:00 ` simo
2011-09-12 23:23 ` Andrew Bartlett
2011-09-13 11:01 ` Martin Wilck
2011-09-08 13:31 ` Jeff Layton
2011-09-07 22:18 ` Steve French
2011-09-06 16:16 ` [RFC/PATCH] cifs: add server-provided principal name in upcall Jeff Layton