[Freeipa-users] samba share access win xp

Simo Sorce ssorce at redhat.com
Fri Jun 5 17:59:27 UTC 2009


On Fri, 2009-06-05 at 18:22 +0200, Oliver Kaspar wrote:
> Hi Simo,
> 
> Windows seems to use different notations, the same PC asks for cifs/SAMBA.example.org at EXAMPLE.ORG 
>   or samba.EXAMPLE.ORG at EXAMPLE.ORG or Samba at EXAMPLE.ORG@EXAMPLE.ORG,  
> is there no workaround for that problem?

Well, this is one of the differences between the Windows KDC implementation
and a "to specs" KDC implementation.
Windows KDCs have a much more lax canonicalisation engine and can
recognize many forms as aliases of the same principal.

We are working on implementing some of this in FreeIPA and MIT 1.7
already allows aliases.

Unfortunately, I can't see anything easy that can be done as a workaround
right now. We would at the very least have to try to patch the KDC LDAP
driver to try to be smarter, but I am not sure it will give the desired
results in the MIT 1.6.3 code base.

An option could be to allow Windows to use NTLM auth against Samba when
krb auth fails.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York



