SPNEGO in Samba - Longhorn Server interop issues...
Todd Stecher
todd.stecher at isilon.com
Tue Jul 3 23:10:30 GMT 2007

When Windows shipped, there were no other SPNEGO implementations to
test against, and so Windows' SPNEGO really didn't match RFC 2478
100%. Eventually, Larry, Paul "Mr. CIFS" Leach, & company at
Microsoft made an effort to clean this mess up and revisit the
standard so that everyone could play well together. The end result
is RFC 4178, which supersedes RFC 2478.

As such, early versions of Windows SPNEGO added some "extra"
fields to the negTokenInit message which are being deprecated
in Vista, Longhorn Server, and eventually service packs for older
platforms. The most significant of these fields is the principal
name: neither standard provides for returning a principal in
negTokenInit messages. This is being corrected in Vista and
Longhorn Server by continuing to add the field, but instead of a
"real" principal it now contains
"not_defined_in_RFC4178@please_ignore".

From a security standpoint, allowing the server to specify its
service principal is a "bad idea" - I'm OK with this change, but it
means we'll need to fix up some Samba code, and we'll need to start
using / generating real service principal names in order to get
Kerberos authentication. Currently, we try to get a service ticket
to the @please_ignore realm!!!

Volker made a fix in cliconnect.c (http://lists.samba.org/archive/samba-cvs/2006-October/071344.html)
to partially address this. However, this does not address issues
when operating against Longhorn Server (Windows 2008 server?). I'm
sorting through the issues, but the first error occurs when trying
to join a Samba server to the domain - the code in
ads_sasl_spnego_bind() uses this principal to attempt to get a
Kerberos ticket to the ldap head.

I'm sure this is the first layer of the onion (there are encoding
issues in the old Microsoft implementation as well), but there'll be
more - before I get too deep, is this work already being done
elsewhere??? If not, I should be able to get fairly solid Longhorn
Server interop moving forward in the next week, and will submit a patch.

Thanks,
Todd

--
Todd Stecher | Windows Interop Dev
Isilon Systems | P +1-206-315-7500 | F +1-206-315-7501
www.isilon.com | D +1-206-315-7638 | M +1-425-205-1180
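The principal handling discussed in the post above, as an added C example that is not Samba's code (not cliconnect.c or ads_sasl_spnego_bind()): it shows the naive parse of the negTokenInit field that ends up with "please_ignore" as a realm, a check that recognises the RFC 4178 placeholder, and the direction the post calls for, building the service principal from what the client itself knows about the target rather than from anything the server sent. Function names such as build_service_principal and the sample host DC1.Example.COM / realm example.com are this example's own assumptions.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Placeholder that Vista / Longhorn Server put in the non-standard
 * negTokenInit principal field instead of a real service principal. */
#define SPNEGO_PLACEHOLDER_PRINCIPAL "not_defined_in_RFC4178@please_ignore"

/* What a naive client does with the field: split at '@' and treat the
 * remainder as the realm. For the placeholder this yields "please_ignore",
 * the bogus realm the post describes a ticket request for.
 * Returns a pointer into hint, or NULL when there is no '@'. */
const char *naive_realm_from_hint(const char *hint)
{
    const char *at = hint ? strchr(hint, '@') : NULL;
    return at ? at + 1 : NULL;
}

/* Returns 1 when the server-supplied hint carries no usable principal:
 * absent, empty, or the RFC 4178 placeholder. */
int spnego_hint_is_placeholder(const char *hint)
{
    return hint == NULL || hint[0] == '\0' ||
           strcmp(hint, SPNEGO_PLACEHOLDER_PRINCIPAL) == 0;
}

/* Build "service/host@REALM" purely from what the client already knows:
 * the service it wants (cifs, ldap), the host name it chose to contact and
 * the realm it is joined to. The negTokenInit hint is deliberately never
 * consulted, so a peer cannot steer the client into requesting a ticket for
 * a principal of the peer's choosing. Host is lower-cased and realm
 * upper-cased per Kerberos convention. Returns 0 on success, -1 on bad
 * input or a too-small buffer. (Example code; names are assumptions.) */
int build_service_principal(const char *service, const char *target_host,
                            const char *realm, char *out, size_t outlen)
{
    size_t i;
    int n;

    if (!service || !target_host || !realm || !out || outlen == 0)
        return -1;
    /* Reject separators inside components so the result parses back
     * unambiguously as service/host@realm. */
    if (strchr(service, '/') || strchr(service, '@') ||
        strchr(target_host, '/') || strchr(target_host, '@') ||
        strchr(realm, '@'))
        return -1;

    n = snprintf(out, outlen, "%s/%s@%s", service, target_host, realm);
    if (n < 0 || (size_t)n >= outlen)
        return -1;

    /* Host part starts right after "service/" and runs up to the '@'. */
    for (i = strlen(service) + 1; out[i] != '@'; i++)
        out[i] = (char)tolower((unsigned char)out[i]);
    /* Everything after the '@' is the realm. */
    for (i++; out[i] != '\0'; i++)
        out[i] = (char)toupper((unsigned char)out[i]);
    return 0;
}

int main(void)
{
    char spn[256];
    /* Constructed input: the hint as a Longhorn Server peer would send it. */
    const char *hint = SPNEGO_PLACEHOLDER_PRINCIPAL;

    printf("naive realm from hint: %s\n", naive_realm_from_hint(hint));
    printf("hint usable: %s\n",
           spnego_hint_is_placeholder(hint) ? "no" : "yes");
    if (build_service_principal("ldap", "DC1.Example.COM", "example.com",
                                spn, sizeof spn) == 0)
        printf("principal used instead: %s\n", spn);
    return 0;
}
```

The point of the split into three functions is that the placeholder check is only a stopgap: even a hint that looks like a real principal is still the peer's choice, so the ticket request should be keyed on the client's own target name and realm, and the hint treated as at most advisory.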