
Re: Mechglue



On Mon, 24 Oct 2005 06:52:36 +1000
Andrew Bartlett <abartlet@samba.org> wrote:

> On Sun, 2005-10-23 at 13:05 -0400, Michael B Allen wrote:
> > On Sun, 23 Oct 2005 22:41:57 +1000
> > Andrew Bartlett <abartlet@samba.org> wrote:
> > 
> > > On Sat, 2005-10-22 at 22:55 -0400, Michael B Allen wrote:
> > > 
> > > > 3) This one's a little CIFS specific but the
> > > > spnego/accept_sec_context.c:send_supported_mechs function sends
> > > > the quark$@FOO.NET style name in negHints but I see Samba returns
> > > > cifs/quark.foo.net@FOO.NET. What is the difference between these service
> > > > principal types? Is the first NetBIOS based (port 139 only) and the
> > > > other DNS based (port 445 only)?
> > > 
> > > Samba3 did send the previous form, matching windows until very recently,
> > > when I changed it, because only samba clients read that field, I thought
> > > it gave better behaviour on the network.  I didn't intend it to get into
> > > the release, but once it was in it was decided it wasn't doing any harm.
> > > 
> > > Samba4 again matches windows and sends the former form, but does not use
> > > that value in the client.
> > 
> > Oops, I was using that to create the target_name for GSSAPI
> > init_sec_context. Are you *SURE* clients don't use it? Then I wonder
> > what purpose it serves.
> 
> My understanding is that it is useful, and insecure.  One of the things
> that makes kerberos fairly secure is that the KDC controls what hosts
> may be contacted:  A host outside your network cannot ask to be
> authenticated to with kerberos, expecting a ticket of a trusted host
> inside your network, as your KDC won't know the name.  

Mmm, so, for example, if I connect to a machine called "extdata" that is
not a member of my Kerberos realm (or a trusted realm) and it maliciously
replies with this negHints field set to the name of a machine that IS
in my Kerberos realm, then I will inadvertently send a token that it
can then try to crack in some way?

> When using this target_name, the client bypasses this, and any host can
> ask to be sent tickets intended for any other host.  On a practical
> standpoint, this value may not always be available and I wanted
> consistent behaviour cross-protocol.

Then perhaps we should just leave it out altogether?

Otherwise, what is the proper SPN to be used with target_name? Is it
always the first label of the DNS name + '$' + '@' + 'REALM'?

Also, when Samba started using cifs/<fqdn>@REALM, did users have to
suddenly start using these Samba-ized SPNs with their Windows KDCs
and keytabs?

Mike
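An added illustration of the point Andrew raises above (example code, not from Samba or from either poster): a client that derives target_name only from the host it resolved and connected to, and uses a negHints value at most as a consistency check, is never steered toward a ticket for some other host. The SPN form cifs/<fqdn>@REALM and the two hint shapes parsed are the ones quoted in the thread; the parsing rules, function names and the policy itself are this example's assumptions.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed example: client-side policy for choosing the GSSAPI target_name
# of a CIFS session. The hint shapes accepted ("HOST$@REALM" and
# "cifs/fqdn@REALM") and the decision rule are assumptions of this example.

@dataclass(frozen=True)
class TargetChoice:
    target_name: str       # SPN the client will actually request a ticket for
    hint_consistent: bool  # whether negHints agreed with the connected host
    reason: str


def canonical_spn(connected_fqdn: str, realm: str) -> str:
    """SPN derived solely from the name the client itself resolved and connected to."""
    return f"cifs/{connected_fqdn.lower()}@{realm.upper()}"


def hint_refers_to_connected_host(neg_hint: str, connected_fqdn: str, realm: str) -> bool:
    """True only if the negHints value names the host we are already talking to,
    in our own realm. A hint naming any other host or realm is rejected."""
    m = re.fullmatch(r"(?:cifs/)?([A-Za-z0-9.-]+?)\$?@([A-Za-z0-9.-]+)", neg_hint)
    if not m:
        return False
    name, hint_realm = m.group(1).lower(), m.group(2).upper()
    if hint_realm != realm.upper():
        return False
    fqdn = connected_fqdn.lower()
    short = fqdn.split(".", 1)[0]          # "quark" for "quark.foo.net"
    return name in (fqdn, short)


def choose_target_name(connected_fqdn: str, realm: str,
                       neg_hint: Optional[str] = None) -> TargetChoice:
    """The server-supplied hint never overrides the locally derived SPN; it can
    only confirm it. A mismatching hint is ignored and recorded in `reason`."""
    canonical = canonical_spn(connected_fqdn, realm)
    if neg_hint is None:
        return TargetChoice(canonical, False, "no negHints sent")
    if hint_refers_to_connected_host(neg_hint, connected_fqdn, realm):
        return TargetChoice(canonical, True, "negHints names the connected host")
    return TargetChoice(canonical, False,
                        f"ignored negHints {neg_hint!r}: does not name the connected host")


if __name__ == "__main__":
    # Constructed inputs mirroring the thread's "extdata" scenario.
    print(choose_target_name("quark.foo.net", "FOO.NET", "quark$@FOO.NET"))
    print(choose_target_name("extdata", "FOO.NET", "quark$@FOO.NET"))
```

Run as a script it prints both decisions; the second shows the hint being discarded rather than turned into a request for quark's ticket.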