The Samba-Bugzilla – Attachment 6595 Details for
Bug 8243
Missing release note information for 3.6.0
Home
|
New
|
Browse
|
Search
|
[?]
|
Reports
|
Requests
|
Help
|
New Account
|
Log In
[x]
|
Forgot Password
Login:
[x]
[patch]
WHATSNEW patch
0001-s3-improve-WHATSNEW-around-kerberos-changes.patch (text/plain), 2.07 KB, created by
Andrew Bartlett
on 2011-06-17 07:00:04 UTC
(
hide
)
Description:
WHATSNEW patch
Filename:
MIME Type:
Creator:
Andrew Bartlett
Created:
2011-06-17 07:00:04 UTC
Size:
2.07 KB
patch
obsolete
>>From bd8d845304dd25d5bd1dc3b627a3710e1b27b20f Mon Sep 17 00:00:00 2001 >From: Andrew Bartlett <abartlet@samba.org> >Date: Tue, 14 Jun 2011 21:51:36 +1000 >Subject: [PATCH] s3: improve WHATSNEW around kerberos changes > >--- > WHATSNEW.txt | 19 ++++++++++--------- > 1 files changed, 10 insertions(+), 9 deletions(-) > >diff --git a/WHATSNEW.txt b/WHATSNEW.txt >index c3c514c..813d5b3 100644 >--- a/WHATSNEW.txt >+++ b/WHATSNEW.txt >@@ -30,15 +30,16 @@ released in-kernel CIFS client. To re-enable the poorer NTLM encryption > set '--option=clientusentlmv2auth=no' on your smbclient command line, or > set 'client ntlmv2 auth = no' in your smb.conf > >-The impact of 'client use spnego principal = no' is that we may be able >-to use Kerberos to communicate with a server less often in smbclient, >-winbind and other Samba client tools. We may fall back to NTLMSSP in >-more situations where we would previously rely on the insecure >-indication from the 'NegProt' CIFS packet. This mostly occursed when >-connecting to a name alias not recorded as a servicePrincipalName for >-the server. This indication is not available from Windows 2008 or later >-in any case, and is not used by modern Windows clients, so this makes >-Samba's behaviour consistent with other clients and against all servers. >+The impact of 'client use spnego principal = no' is that Samba will >+use CIFS/hostname to obtain a kerberos ticket, acting more like >+Windows when using Kerberos against a CIFS server in smbclient, >+winbind and other Samba client tools. This will change which servers >+we will successfully negotiate kerberos connections to. This is due >+to Samba no longer trusting a server-provided hint which is not >+available from Windows 2008 or later. For correct operation with all >+clients, all aliases for a server should be recorded as a as a >+servicePrincipalName on the server's record in AD. (For this reason, >+this behavior change and parameter was also made in Samba 3.5.9) > > The impact of 'send spnego principal = no' is to match Windows 2008 and > not to send this principal, making existing clients give more consistent >-- >1.7.5.2 >
<b>You cannot view the attachment while viewing its details because your browser does not support IFRAMEs. <a href="attachment.cgi?id=6595">View the attachment on a separate page</a>.</b>
View Attachment As Raw
Flags:
abartlet
:
review?
(
gd
)
Actions:
View
Attachments on
bug 8243
: 6595