linux-cifs.vger.kernel.org archive mirror
From: Andrew Bartlett <abartlet-eUNUBHrolfbYtjvyW6yDsg@public.gmane.org>
To: Jeff Layton <jlayton-eUNUBHrolfbYtjvyW6yDsg@public.gmane.org>
Cc: simo <idra-eUNUBHrolfbYtjvyW6yDsg@public.gmane.org>,
	linux-cifs-u79uwXL29TY76Z2rM5mHXA@public.gmane.org,
	samba-technical-w/Ol4Ecudpl8XjKLYN78aQ@public.gmane.org
Subject: Re: [PATCH 0/3] cifs.upcall: attempt to use AD-style service principals
Date: Wed, 16 Nov 2011 08:37:24 +1100
Message-ID: <1321393046.5973.76.camel@ruth>
In-Reply-To: <20111115091510.167a9435-9yPaYZwiELC+kQycOl6kW4xkIHaj4LzF@public.gmane.org>

On Tue, 2011-11-15 at 09:15 -0500, Jeff Layton wrote:

> Ok, based on the comments so far, how does this sound for a potential
> scheme:
> 
> 	INPUT: foo
> 	TRY:
> 	    FOO$
> 	    cifs/foo.[guessed domain]
> 
> 	INPUT: foo.example.com
> 	TRY:
> 	    cifs/foo.example.com
> 
> To summarize, for shortnames, we'd try SHORTNAME$ first. If that fails,
> then guess a domain name, append the value to the hostname, and prepend
> it with "cifs/".

No, we should never use FOO$ (this is AD only, and equivalent to
cifs/foo), so we should instead simply do:

INPUT: foo
TRY:
    cifs/foo
    cifs/foo.[guessed domain]

INPUT: foo.example.com
TRY:
    cifs/foo.example.com

I would prefer that the Kerberos client library actually did this (as
then it would 'just work' for all other Kerberos applications), but
sadly the behaviour here is not always what you expect, and can use
reverse DNS (which is an even worse fate).  See the rdns option in
krb5.conf (which I typically turn off).

Andrew Bartlett
-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
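
The candidate order proposed in this reply, as an added C example (not code from the cifs.upcall patches or from anyone in the thread). `build_candidates`, `MAX_PRINC`, `MAX_CAND` and the caller-supplied guessed domain are assumptions made for illustration; the names are built from the string the user typed, with no DNS lookup involved.

```c
#include <stdio.h>
#include <string.h>

#define MAX_PRINC 256   /* assumed buffer size for this example */
#define MAX_CAND  2     /* at most two principals are ever tried */

/*
 * Fill out[] with the service principals to try, in order, for a
 * server name as typed by the user. guessed_domain may be NULL when
 * no domain could be guessed. Returns the number of candidates, or
 * -1 if the host name is empty or a candidate would not fit.
 */
int build_candidates(const char *host, const char *guessed_domain,
                     char out[MAX_CAND][MAX_PRINC])
{
    int n = 0, len;

    if (host == NULL || *host == '\0')
        return -1;

    /* First attempt is always the name exactly as given: cifs/<host>. */
    len = snprintf(out[n], MAX_PRINC, "cifs/%s", host);
    if (len < 0 || len >= MAX_PRINC)
        return -1;              /* refuse a truncated principal */
    n++;

    /* A dot means the name is already qualified: nothing to guess. */
    if (strchr(host, '.') != NULL)
        return n;

    /* Short name: second attempt appends the guessed domain. */
    if (guessed_domain != NULL && *guessed_domain != '\0') {
        len = snprintf(out[n], MAX_PRINC, "cifs/%s.%s", host, guessed_domain);
        if (len < 0 || len >= MAX_PRINC)
            return -1;
        n++;
    }
    return n;
}

int main(void)
{
    char c[MAX_CAND][MAX_PRINC];
    int i, n = build_candidates("foo", "example.com", c);

    for (i = 0; i < n; i++)
        puts(c[i]);
    return 0;
}
```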
