[cifs-protocol] [REG:110121757101459] RE: Questions about Validated-SPN validated write

Hongwei Sun hongweis at microsoft.com
Mon Dec 27 17:08:41 MST 2010 

Ndaya,

>Does Validated-SPN validated write allow an account to set an object's SPN to the following values:
>HOST/samAccountName (without the "$")
>HOST/dnsDomainName
>if the object is a regular computer object and NOT a DC?

ANS:    Since they are  two part SPNs,  they should be allowed  to be written to the  ServicePrincipleName attribute based on Validated-SPN access right , as per MS-DRSR 5.5 (for DRS) and MS-ADTS 3.1.1.5.3.1.1.4 (for LDAP).   If you look closely at the algorithm  you referenced,  it is the same as the AccessCheckWriteToSpnAttribute in DRSR.   It means that the SPN is a correct two-part SPN  , OR SPN is a correct three-part SPN and the object is a DC's domain controller object.   It basically allows the three part SPN only on Domain Controllers.

>In addition, I did the following test:
>Gave Validated-SPN right to a user on a regular computer object, and got CONSTRAINT_VIOLATION when setting its servicePrincipalName with the above described values.
>Gave Validated-SPN right to a user on a DC object, and these values were set successfully.
ANS:    I did the similar testing to set the servicePrincipleName to the two part SPN on a non-DC computer object and I don't see any error.  If I set a three part SPN on non-DC computer object , then I receive a CONSTRAINT_VIOLATION error.   There is no error if I set either form of the SPN on a DC object.   The result matches the logic in the documents.   I used  one account that doesn't have  RIGHT_DS_WRITE_PROPERTY right, but has only RIGHT_DS_WRITE_PROPERTY_EXTENDED right with Object type set to ServicePrincipleName.    I got the same result when I use an admin account that has all the rights.   Could you share more information about your testing ?

>Is the behavior of setting servicePrincipalName supposed to be different between LDAP and DRS?

ANS:   Yes, it should the same , see the answer above.  The DRSR replication routine will use the same logic as LDAP modify operation  to modify the object attribute, so the object access control logic is the same.   The  AccessCheckAttr (5.2 MS-DRSR) just refers to the related sections in MS-ADTS.

>Does servicePrincipalName modification depend on things other then the syntax restrictions described in MS-DRSR and MS-ADTS?

ANS:    Besides the constraint as a validate write (3.1.1.5.3.1.1.4 MS-ADTS),  it should also meet the constraint for being a modify operation as in 3.1.1.5.3.2 MS-ADTS.

>If an object does not have Validated-SPN on Principal-Self, should the account still be allowed to set the above values via DRS?
ANS:  Any SID substitution for Principal Self should be performed before any access checking behavior (5.1.3.3.  MS-ADTS),  thus the real user SID will not have Validated-SPN right if the Principal Self doesn't have it.    It should not be allowed to set servicePrincipleName via either DRSR or LDAP since this is a mandatory requirement for the requester to have a Validated-SPN right.

Please let me know if this makes sense and if you have more questions.

Thanks!

Hongwei


From: cifs-protocol-bounces at cifs.org [mailto:cifs-protocol-bounces at cifs.org] On Behalf Of Nadezhda Ivanova
Sent: Friday, December 17, 2010 5:08 AM
To: Interoperability Documentation Help
Cc: cifs-protocol at samba.org
Subject: [cifs-protocol] Questions about Validated-SPN validated write

Hello,
Does Validated-SPN validated write allow an account to set an object's SPN to the following values:
HOST/samAccountName (without the "$")
HOST/dnsDomainName
if the object is a regular computer object and NOT a DC?

The algorithm described in MS-DRSR 5.5 AccessCheckWriteToSpnAttribute seems to indicate that yes, this should be allowed. Ot the other hand, MS-ADTS 3.1.1.5.3.1.1.4 servicePrincipalName leads me to believe that the object being a DC is mandatory constraint: "The SPN is a syntactically correct two-part SPN, or it is a syntactically correct three-part SPN (see
Mutual Authentication (section 5.1.1.4)) and the object is a DC's domain controller object (see
sections7.1.1.3.1 and 7.1.1.3.2). "

In addition, I did the following test:
Gave Validated-SPN right to a user on a regular computer object, and got CONSTRAINT_VIOLATION when setting its servicePrincipalName with the above described values.
Gave Validated-SPN right to a user on a DC object, and these values were set successfully.

So my questions are:
Is the behaviour of setting servicePrincipalName supposed to be different between LDAP and DRS?
Does servicePrincipalName modification depend on things other then the syntax restrictions described in MS-DRSR and MS-ADTS?
If an object does not have Validated-SPN on Principal-Self, should the account still be allowed to set the above values via DRS?

Best Regards,
Nadezhda Ivanova
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.samba.org/pipermail/cifs-protocol/attachments/20101228/fe8c78b0/attachment.html>

More information about the cifs-protocol mailing list