On Sun, 2005-10-23 at 13:05 -0400, Michael B Allen wrote:
> On Sun, 23 Oct 2005 22:41:57 +1000
> Andrew Bartlett <abartlet@samba.org> wrote:
>
> > On Sat, 2005-10-22 at 22:55 -0400, Michael B Allen wrote:
> >
> > > 3) This one's a little CIFS specific but the
> > > spnego/accept_sec_context.c:send_supported_mechs function sends
> > > the quark$@FOO.NET style name in negHints but I see Samba returns
> > > cifs/quark.foo.net@FOO.NET. What is the difference between these service
> > > principal types? Is the first NetBIOS based (port 139 only) and the
> > > other DNS based (port 445 only)?
> >
> > Samba3 did send the previous form, matching windows until very recently,
> > when I changed it, because only samba clients read that field, I thought
> > it gave better behaviour on the network. I didn't intend it to get into
> > the release, but once it was in it was decided it wasn't doing any harm.
> >
> > Samba4 again matches windows and sends the former form, but does not use
> > that value in the client.
>
> Oops, I was using that to create the target_name for GSSAPI
> init_sec_context. Are you *SURE* clients don't use it? Then I wonder
> what purpose it serves.

My understanding is that it is useful, and insecure.

One of the things that makes kerberos fairly secure is that the KDC
controls what hosts may be contacted: A host outside your network cannot
ask to be authenticated to with kerberos, expecting a ticket of a trusted
host inside your network, as your KDC won't know the name. When using
this target_name, the client bypasses this, and any host can ask to be
sent tickets intended for any other host.

From a practical standpoint, this value may not always be available and
I wanted consistent behaviour cross-protocol.

(Sidebar: I can get the same value out of LDAP, by doing a SASL bind with
an empty first blob...).

Andrew Bartlett

--
Andrew Bartlett                                http://samba.org/~abartlet/
Samba Developer, SuSE Labs, Novell Inc.        http://suse.de
Authentication Developer, Samba Team           http://samba.org
Student Network Administrator, Hawker College  http://hawkerc.net
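The point Andrew makes above is that a client which builds its GSSAPI target_name from the server-supplied negHints lets the server, rather than the client and its KDC, decide which principal's ticket gets requested. The following Python is an added illustration, not Samba or jCIFS code, of the client-side alternative: derive the target from the host the client itself chose to connect to, and treat the hint only as something to check and log when it disagrees. The `Principal` type, the helper names, and the rule that `quark$@FOO.NET` is consistent with `cifs/quark.foo.net@FOO.NET` (both naming the same machine account in the same realm) are assumptions made for this example; the sample principal strings are taken from the thread.

```python
"""Choosing a Kerberos/GSSAPI target name on the CIFS client side.

Added example (not Samba or jCIFS code). It contrasts taking the target
from the server-supplied negHints with deriving it from the host the client
decided to contact, and validates the hint against that local expectation.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Principal:
    """Assumed representation: service is None for machine-account names."""
    service: Optional[str]   # "cifs" for cifs/host@REALM, None for host$@REALM
    name: str                # host name or account name without the trailing '$'
    realm: str


def parse_principal(text: str) -> Principal:
    """Parse 'cifs/quark.foo.net@FOO.NET' or 'quark$@FOO.NET'.

    Anything else is rejected so that a malformed hint is never silently
    turned into a target name.
    """
    if text.count("@") != 1:
        raise ValueError(f"expected exactly one '@' in {text!r}")
    left, realm = text.split("@")
    if not realm:
        raise ValueError(f"empty realm in {text!r}")
    if "/" in left:
        service, name = left.split("/", 1)
        if not service or not name:
            raise ValueError(f"malformed service principal {text!r}")
        return Principal(service.lower(), name.lower(), realm.upper())
    if left.endswith("$") and len(left) > 1:
        return Principal(None, left[:-1].lower(), realm.upper())
    raise ValueError(f"unrecognised principal form {text!r}")


def target_from_hint(hint: str) -> str:
    """The behaviour the thread warns about: whatever the server names
    becomes the target, so the server (not the KDC) picks the principal."""
    return hint


def target_from_connection(connected_host: str, realm: str) -> str:
    """Build cifs/<host>@<REALM> from the name the client chose to connect to.
    The KDC then only issues a ticket if it knows that host."""
    return f"cifs/{connected_host.lower()}@{realm.upper()}"


def check_hint(connected_host: str, realm: str, hint: Optional[str]) -> Optional[str]:
    """Return None if the hint is consistent with the local expectation,
    otherwise a short reason suitable for logging. The hint is never used
    as the target, so a mismatch costs nothing but a log line.

    Assumed consistency rule: same realm, and the hint names either the
    connected host as a cifs service principal or its short name as a
    machine account.
    """
    if hint is None:
        return None
    try:
        p = parse_principal(hint)
    except ValueError as exc:
        return f"unparseable negHints: {exc}"
    host = connected_host.lower()
    if p.realm != realm.upper():
        return f"negHints realm {p.realm} differs from expected {realm.upper()}"
    if p.service == "cifs" and p.name == host:
        return None
    if p.service is None and p.name == host.split(".")[0]:
        return None
    return f"negHints names {hint!r}, but client connected to {host!r}"


def choose_target(connected_host: str, realm: str, hint: Optional[str]) -> str:
    """Always derive the target locally; the hint only feeds a consistency check."""
    warning = check_hint(connected_host, realm, hint)
    if warning:
        print(f"warning: {warning}")  # a real client would log this
    return target_from_connection(connected_host, realm)


if __name__ == "__main__":
    # Constructed sample session: client meant to reach quark.foo.net.
    print(choose_target("quark.foo.net", "FOO.NET", "quark$@FOO.NET"))
    print(choose_target("quark.foo.net", "FOO.NET", "cifs/other.foo.net@FOO.NET"))
```

Compared with `target_from_hint`, `choose_target` makes the KDC the authority again: the client asks for `cifs/quark.foo.net@FOO.NET` because that is where it connected, and a server answering with a principal for some other host only produces a warning rather than a ticket request for that host.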