On Sun, 2005-10-23 at 22:58 -0400, Michael B Allen wrote:
> On Mon, 24 Oct 2005 06:52:36 +1000
> Andrew Bartlett <abartlet@samba.org> wrote:
>
> > On Sun, 2005-10-23 at 13:05 -0400, Michael B Allen wrote:
> > > On Sun, 23 Oct 2005 22:41:57 +1000
> > > Andrew Bartlett <abartlet@samba.org> wrote:
> > >
> > > > On Sat, 2005-10-22 at 22:55 -0400, Michael B Allen wrote:
> > > >
> > > > > 3) This one's a little CIFS specific but the
> > > > > spnego/accept_sec_context.c:send_supported_mechs function sends
> > > > > the quark$@FOO.NET style name in negHints but I see Samba returns
> > > > > cifs/quark.foo.net@FOO.NET. What is the difference between these service
> > > > > principal types? Is the first NetBIOS based (port 139 only) and the
> > > > > other DNS based (port 445 only)?
> > > >
> > > > Samba3 did send the previous form, matching windows until very recently,
> > > > when I changed it, because only samba clients read that field, I thought
> > > > it gave better behaviour on the network. I didn't intend it to get into
> > > > the release, but once it was in it was decided it wasn't doing any harm.
> > > >
> > > > Samba4 again matches windows and sends the former form, but does not use
> > > > that value in the client.
> > >
> > > Oops, I was using that to create the target_name for GSSAPI
> > > init_sec_context. Are you *SURE* clients don't use it? Then I wonder
> > > what purpose it serves.
> >
> > My understanding is that it is useful, and insecure. One of the things
> > that makes kerberos fairly secure is that the KDC controls what hosts
> > may be contacted: A host outside your network cannot ask to be
> > authenticated to with kerberos, expecting a ticket of a trusted host
> > inside your network, as your KDC won't know the name.
>
> Mmm, so, for example, if I connect to a machine called "extdata" that is
> not a member of my Kerberos realm (or a trusted realm) and it maliciously
> replies with this negHints field set to the name of a machine that IS
> in my Kerberos realm, then I will inadvertently send a token that it
> can then try to crack in some way?

Yep.

> > When using this target_name, the client bypasses this, any host can
> > ask to be sent tickets intended for any other host. On a practical
> > standpoint, this value may not always be available and I wanted
> > consistent behaviour cross-protocol.
>
> Then perhaps we should just leave it out altogether?
>
> Otherwise, what is the proper SPN to be used with target_name? Is it
> always the first label of the DNS name + '$' + '@' + 'REALM'?

It is the machine account name, which Samba knows from when it joined the
domain, and must be a valid principal in the KDC, which is why I changed
it (because it is unlikely to be in a MIT KDC).

> Also, when Samba started using cifs/<fqdn>@REALM, did users have to
> suddenly start using these Samba-ized SPNs with their Windows KDCs
> and keytabs?

Windows clients were already connecting with that name, it just made
Samba clients use it too.

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Samba Developer, SuSE Labs, Novell Inc.        http://suse.de
Authentication Developer, Samba Team           http://samba.org
Student Network Administrator, Hawker College  http://hawkerc.net
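The client-side policy the thread converges on, as an added example in Python that is not Samba's code: target_name is always built as cifs/<fqdn>@REALM from the host the client itself dialed and the client's own domain-to-realm mapping, and the server-supplied negHints value is only compared against that, never used to pick the target. The DOMAIN_REALM table, the quark/extdata names and the "machine account equals first DNS label" rule are assumptions constructed for this example.

```python
from typing import Optional, Tuple

# Constructed client-side domain->realm table; a real client would take this
# from krb5.conf [domain_realm] or its own join information, never from the peer.
DOMAIN_REALM = {"foo.net": "FOO.NET"}


def parse_principal(text: str) -> Tuple[Optional[str], str, str]:
    """Split 'cifs/quark.foo.net@FOO.NET' or 'quark$@FOO.NET' into (service, host, realm)."""
    name, sep, realm = text.rpartition("@")
    if not sep or not name or not realm:
        raise ValueError(f"not a principal: {text!r}")
    if "/" in name:
        service, host = name.split("/", 1)
        return service, host.lower(), realm
    if name.endswith("$"):
        return None, name[:-1].lower(), realm
    raise ValueError(f"unsupported principal form: {text!r}")


def expected_target(dialed_fqdn: str) -> str:
    """cifs/<fqdn>@REALM for the host we chose; REALM from our own mapping, or no Kerberos."""
    fqdn = dialed_fqdn.lower()
    labels = fqdn.split(".")
    for i in range(1, len(labels)):
        realm = DOMAIN_REALM.get(".".join(labels[i:]))
        if realm:
            return f"cifs/{fqdn}@{realm}"
    raise PermissionError(f"{dialed_fqdn}: not in a known realm")


def hint_consistent(dialed_fqdn: str, neg_hint: str) -> bool:
    """True only when negHints names the host and realm we dialed, in either
    form. Assumption, as the thread supposes: machine account = first label."""
    _, want_host, want_realm = parse_principal(expected_target(dialed_fqdn))
    try:
        _, host, realm = parse_principal(neg_hint)
    except ValueError:
        return False  # a malformed hint from the peer is simply not trusted
    return realm == want_realm and host in (want_host, want_host.split(".")[0])


def choose_target_name(dialed_fqdn: str, neg_hint: Optional[str]) -> str:
    """The server's hint never selects the target; a mismatch is worth logging
    because it is exactly the 'extdata' case discussed in the thread."""
    target = expected_target(dialed_fqdn)
    if neg_hint is not None and not hint_consistent(dialed_fqdn, neg_hint):
        print(f"ignoring negHints {neg_hint!r}, using {target}")  # log point
    return target
```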