[Bug 539791] Re: mount.cifs cannot mount a DFS share when using Kerberos authentication
Thierry Carrez
thierry.carrez at ubuntu.com
Thu Mar 18 13:13:46 GMT 2010
From https://bugzilla.samba.org/show_bug.cgi?id=7257#c12 :

Ok, I think I see what's happening. The server in this case is sending a
principal name back to the client in the Negotiate Protocol response. smbclient
is using that to get a ticket name.

Note that this is really bad behavior by both the server and client. The
client, in particular since you're essentially trusting the server to tell you
what service principal to use. This allows an attacker to potentially spoof DNS
and redirect the connection to a server that he/she controls.

Not trusting that info was a conscious decision. You can read the thread from a
couple of years ago here:
http://lists.samba.org/archive/linux-cifs-client/2008-August/003348.html

The correct solution is to fix it so that your KDC holds service principals for
all possible hostnames.

...now, that said, I'm not 100% opposed to patches that turn on this behavior
as an option. I'm not interested in doing that work, but if you or someone else
wants to take it on, I'd be willing to help review them.

** Changed in: samba (Ubuntu)
Importance: Medium => Low
** Changed in: samba (Ubuntu)
Status: Confirmed => Triaged
--
mount.cifs cannot mount a DFS share when using Kerberos authentication
https://bugs.launchpad.net/bugs/539791
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to samba in ubuntu.
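
The trade-off described in the quoted comment, as an added example (a toy Python model, not code from Samba, cifs-utils or the bug report): it compares a client that builds the service principal from the hostname the user asked for with one that accepts the principal the server advertises. The realm, hostnames, KDC table and the DFS alias scenario are all constructed assumptions.

```python
# Toy model (constructed): which service principal a CIFS client asks the KDC for.
# Realm, hostnames and the KDC table are made-up sample values, not from the bug.
REALM = "EXAMPLE.COM"

class PrincipalUnknown(Exception):
    """The KDC has no entry for the requested service principal."""

def spn_from_hostname(host):
    # Build the principal from the name the user typed, never from the peer.
    return f"cifs/{host.lower()}@{REALM}"

def choose_spn(requested_host, server_hint=None, trust_server_hint=False):
    # server_hint models the principal name sent in the Negotiate Protocol response.
    if trust_server_hint and server_hint:
        return server_hint
    return spn_from_hostname(requested_host)

def get_ticket(kdc, spn):
    # A ticket is modelled as (spn, owner); only the owner holds the key for it.
    if spn not in kdc:
        raise PrincipalUnknown(spn)
    return spn, kdc[spn]

def connect(kdc, requested_host, answering_server, server_hint, trust_server_hint):
    """Return the server the client ends up authenticated to, or raise."""
    spn = choose_spn(requested_host, server_hint, trust_server_hint)
    _, owner = get_ticket(kdc, spn)
    if owner != answering_server:
        raise PermissionError(f"{answering_server} cannot accept a ticket for {spn}")
    return answering_server

# Constructed KDC database: principal -> machine that holds its key.
KDC = {
    "cifs/fs1.example.com@EXAMPLE.COM": "fs1",
    "cifs/other.example.com@EXAMPLE.COM": "other",  # some other domain member
}

def dfs_alias_case(trust):
    # User asks for dfs.example.com; fs1 answers and advertises its own principal.
    return connect(KDC, "dfs.example.com", "fs1",
                   "cifs/fs1.example.com@EXAMPLE.COM", trust)

def redirected_case(trust):
    # The name fs1.example.com resolves to "other", which advertises its own principal.
    return connect(KDC, "fs1.example.com", "other",
                   "cifs/other.example.com@EXAMPLE.COM", trust)
```

With the hint ignored, the alias mount fails until the KDC holds a principal for the alias name, and the redirected connection is refused; with the hint trusted, both succeed, including the one that lands on the wrong server.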