[cifs-protocol] Questions about Validated-SPN validated write
doms at microsoft.com
Fri Dec 17 08:38:56 MST 2010
Someone from our team will follow up with you shortly in regards to your questions.
From: didrash at gmail.com [mailto:didrash at gmail.com] On Behalf Of Nadezhda Ivanova
Sent: Friday, December 17, 2010 6:08 AM
To: Interoperability Documentation Help
Cc: cifs-protocol at samba.org
Subject: Questions about Validated-SPN validated write
Does Validated-SPN validated write allow an account to set an object's SPN to the following values:
HOST/samAccountName (without the "$")
if the object is a regular computer object and NOT a DC?
The algorithm described in MS-DRSR 5.5 AccessCheckWriteToSpnAttribute seems to indicate that yes, this should be allowed. On the other hand, MS-ADTS 188.8.131.52.184.108.40.206 servicePrincipalName leads me to believe that the object being a DC is a mandatory constraint: "The SPN is a syntactically correct two-part SPN, or it is a syntactically correct three-part SPN (see Mutual Authentication (section 220.127.116.11)) and the object is a DC's domain controller object (see sections 18.104.22.168.1 and 22.214.171.124.2)."
In addition, I did the following test:
Gave Validated-SPN right to a user on a regular computer object, and got CONSTRAINT_VIOLATION when setting its servicePrincipalName with the above described values.
Gave Validated-SPN right to a user on a DC object, and these values were set successfully.
So my questions are:
Is the behaviour of setting servicePrincipalName supposed to be different between LDAP and DRS?
Does servicePrincipalName modification depend on things other than the syntax restrictions described in MS-DRSR and MS-ADTS?
If an object does not have Validated-SPN on Principal-Self, should the account still be allowed to set the above values via DRS?
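As an added illustration (not part of this thread, and not Samba's or Microsoft's code), a small Python model of the syntactic part of the check the question is about: a two-part SPN must name the object itself (sAMAccountName without the trailing "$", or dNSHostName, optionally with a port), and three-part SPNs are modelled as DC-only with the service name restricted to the domain's names. The ComputerObject class and the domain-name set are assumptions for the example; it models the reading of MS-DRSR given above and does not reproduce the CONSTRAINT_VIOLATION the author observed over LDAP.

```python
"""Simplified model of the syntactic check behind a Validated-SPN write (example only)."""
from dataclasses import dataclass
from typing import Optional, Set, Tuple


@dataclass
class ComputerObject:
    """Assumed minimal view of a computer object (constructed for this example)."""
    sam_account_name: str            # e.g. "WS01$"
    dns_host_name: Optional[str]     # e.g. "ws01.example.com"
    is_dc: bool = False              # True for a domain controller object


def parse_spn(spn: str) -> Optional[Tuple[str, str, Optional[int], Optional[str]]]:
    """Split 'class/host[:port][/servicename]' into parts; None if malformed."""
    parts = spn.split("/")
    if len(parts) not in (2, 3) or not all(parts):
        return None
    service_class, host = parts[0], parts[1]
    service_name = parts[2] if len(parts) == 3 else None
    port = None
    if ":" in host:
        host, port_str = host.rsplit(":", 1)
        if not port_str.isdigit():
            return None
        port = int(port_str)
    return service_class, host, port, service_name


def spn_allowed_by_validated_write(spn: str, obj: ComputerObject,
                                   domain_names: Set[str] = frozenset()) -> bool:
    """Return True if the SPN refers to the object itself (model of the validated write).

    Two-part SPNs: the host must be the object's sAMAccountName without the "$"
    (the case the question asks about) or its dNSHostName, with an optional port.
    Three-part SPNs: modelled as permitted only on a DC object, and only when the
    service name is one of the domain's own names (an assumption of this model).
    """
    parsed = parse_spn(spn)
    if parsed is None:
        return False
    _, host, _, service_name = parsed
    own_names = {obj.sam_account_name.rstrip("$").lower()}
    if obj.dns_host_name:
        own_names.add(obj.dns_host_name.lower())
    if host.lower() not in own_names:
        return False
    if service_name is None:
        return True
    return obj.is_dc and service_name.lower() in {n.lower() for n in domain_names}
```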