SPNEGO in Samba - Longhorn Server interop issues...

Todd Stecher todd.stecher at isilon.com
Tue Jul 3 23:10:30 GMT 2007


When Windows shipped, there were no other SPNEGO implementations to  
test against, and so Windows really didn't match SPNEGO RFC 2478  
100%.  Eventually, Larry, Paul "Mr. CIFS" Leach, & company at  
Microsoft made an effort to clean this mess up, and revisit the  
standard so that everyone could play well together.  The end result  
is RFC 4178, which supersedes 2478.

As such, in early versions of Windows SPNEGO, there were some "extra"  
fields added to the negTokenInit message which are being deprecated  
in Vista, Longhorn Server, and eventually service packs for older  
platforms.  The most significant of these fields is the principal  
name - there is really no place in either standard which allows the  
return of a principal in negTokenInit messages.  This is being  
corrected in Vista and Longhorn Server by continuing to add the  
field, but instead of a "real" principal, it now contains  
"not_defined_in_RFC4178@please_ignore".

From a security standpoint, allowing the server to specify its  
service principal is a "bad idea" - I'm OK with this change, but it  
means we'll need to fix up some Samba code, and we'll need to start  
using / generating real service principal names in order to get  
Kerberos authentication.  Currently, we try to get a service ticket  
to the @please_ignore realm!!!

Volker made a fix in cliconnect.c  
(http://lists.samba.org/archive/samba-cvs/2006-October/071344.html)  
to partially address this.  
However, this does not address issues when operating against Longhorn  
Server (Windows 2008 server?).  I'm sorting through the issues, but  
the first error occurs when trying to join a Samba server to the  
domain - the code in ads_sasl_spnego_bind() uses this principal to  
attempt to get a Kerberos ticket to the ldap head.

I'm sure this is the first layer of the onion (there are encoding  
issues in the old Microsoft implementation as well), but there'll be  
more - before I get too deep, is this work already being done  
elsewhere???  If not, I should be able to get fairly solid Longhorn  
Server interop moving forward in the next week, and will submit a patch.


Thanks,
Todd




Todd Stecher | Windows Interop Dev
Isilon Systems    P +1-206-315-7500     F  +1-206-315-7501
www.isilon.com    D +1-206-315-7638    M +1-425-205-1180
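Added example, not code from the original post and not Samba's own code: a self-contained Python sketch of the negTokenInit exchange described above. It builds the token the way a Windows LDAP head would (with the "not_defined_in_RFC4178@please_ignore" string in the principal slot), parses it back with a hand-rolled DER reader, and then contrasts the naive client behaviour (trusting the server-supplied principal, so the realm becomes "please_ignore") with the policy the post argues for (derive the SPN from the host you connected to and the realm you trust). The exact encoding of the Windows hint, [3] SEQUENCE { [0] GeneralString }, is an assumption modelled on the old Windows behaviour; the host names, realm and mech list are constructed for the example.

```python
# Added example (not Samba code): SPNEGO negTokenInit with a server-supplied
# principal "hint", and why the client must not build its Kerberos target from it.

OID_SPNEGO = "1.3.6.1.5.5.2"
OID_MS_KRB5 = "1.2.840.48018.1.2.2"
OID_KRB5 = "1.2.840.113554.1.2.2"
OID_NTLMSSP = "1.3.6.1.4.1.311.2.2.10"
RFC4178_MARKER = "not_defined_in_RFC4178@please_ignore"  # string Vista/Longhorn send


def der_len(n):
    """DER length octets, short or long form."""
    if n < 0x80:
        return bytes([n])
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(raw)]) + raw


def tlv(tag, body):
    return bytes([tag]) + der_len(len(body)) + body


def encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:                      # base-128, high bit = "more follows"
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return bytes(out)


def decode_oid(body):
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(str(a) for a in arcs)


def read_tlv(buf, off=0):
    """Return (tag, body, offset_after) for the DER element starting at off."""
    tag, length, off = buf[off], buf[off + 1], off + 2
    if length & 0x80:
        n = length & 0x7F
        length, off = int.from_bytes(buf[off:off + n], "big"), off + n
    body = buf[off:off + length]
    if len(body) != length:
        raise ValueError("truncated DER element")
    return tag, body, off + length


def iter_tlvs(buf):
    off = 0
    while off < len(buf):
        tag, body, off = read_tlv(buf, off)
        yield tag, body


def build_negtokeninit(mechs, hint=None):
    """InitialContextToken { SPNEGO OID, [0] negTokenInit { [0] mechTypes, [3] hint } }.
    Hint layout [3] SEQUENCE { [0] GeneralString } is an assumption (old Windows style)."""
    mech_list = tlv(0x30, b"".join(tlv(0x06, encode_oid(m)) for m in mechs))
    fields = tlv(0xA0, mech_list)
    if hint is not None:
        fields += tlv(0xA3, tlv(0x30, tlv(0xA0, tlv(0x1B, hint.encode("ascii")))))
    return tlv(0x60, tlv(0x06, encode_oid(OID_SPNEGO)) + tlv(0xA0, tlv(0x30, fields)))


def parse_negtokeninit(token):
    """Extract mechTypes and the server-supplied principal hint (None if absent)."""
    tag, body, _ = read_tlv(token)
    if tag != 0x60:
        raise ValueError("not a GSS-API InitialContextToken")
    tag, oid, off = read_tlv(body)
    if tag != 0x06 or decode_oid(oid) != OID_SPNEGO:
        raise ValueError("not a SPNEGO token")
    tag, neg, _ = read_tlv(body, off)
    if tag != 0xA0:
        raise ValueError("not a negTokenInit")
    _, fields, _ = read_tlv(neg)
    mechs, hint = [], None
    for tag, val in iter_tlvs(fields):
        if tag == 0xA0:                        # [0] mechTypes: SEQUENCE OF OID
            mechs = [decode_oid(b) for t, b in iter_tlvs(read_tlv(val)[1]) if t == 0x06]
        elif tag == 0xA3:                      # [3] Windows principal hint (see above)
            for t, b in iter_tlvs(read_tlv(val)[1]):
                ht, hb, _ = read_tlv(b)
                if t == 0xA0 and ht == 0x1B:
                    hint = hb.decode("ascii")
    return {"mechs": mechs, "hint": hint}


def classify_hint(hint):
    if hint is None:
        return "absent"
    if hint == RFC4178_MARKER or hint.endswith("@please_ignore"):
        return "rfc4178_marker"
    return "legacy_principal"


def naive_target_from_hint(hint):
    """Trusting the hint as the SPN: the realm is whatever the server said."""
    principal, _, realm = hint.rpartition("@")
    return principal, realm


def choose_spn(connected_host, realm, hint=None):
    """Client policy: SPN comes from the host we connected to and the realm we
    trust; the hint is ignored whatever it contains (it is only classified for logs)."""
    return "ldap/%s@%s" % (connected_host.lower(), realm.upper())


if __name__ == "__main__":
    token = build_negtokeninit([OID_MS_KRB5, OID_KRB5, OID_NTLMSSP], RFC4178_MARKER)
    info = parse_negtokeninit(token)                       # constructed token
    print("mechs:", info["mechs"])
    print("hint :", info["hint"], "->", classify_hint(info["hint"]))
    print("naive:", naive_target_from_hint(info["hint"]))  # realm 'please_ignore'
    print("use  :", choose_spn("DC1.example.com", "example.com", info["hint"]))
```

Run as a script it prints the parsed mech list, the classified hint, the bogus ("not_defined_in_RFC4178", "please_ignore") target a hint-trusting client would try to get a ticket for, and the SPN the client should actually request. The same policy applies to a pre-Vista server that sends a "real" principal: the client must not let the peer choose which service ticket it asks for.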