Authentication through transitive trusts

Steve Langasek vorlon at netexpress.net
Thu Jul 17 23:21:12 GMT 2003


On Thu, Jul 17, 2003 at 03:42:15PM -0700, Richard Sharpe wrote:
> On Thu, 17 Jul 2003, Richard Sharpe wrote:

> > > > Here you go.  Similar setup:
> > > > 
> > > >   10.0.0.204 - "WIN1" - Windows 2000 (SP4) AD Server, domain WIN1DOM
> > > >  
> > > >   10.0.0.189 - "KJCWINXP" - Windows XP Pro Client, a member of WIN1DOM
> > > > 
> > > > It shows KJCWINXP connecting to the "Program Files" share on WIN1.  It looks
> > > > like it negotiated "MS KRB5" protocol.
> > > 
> > > OK, apart from the long-file name bit that I mentioned before, here is/are 
> > > some further difference(s) between Samba and Win2K ...
> > > 
> > > 1. Win2K offers an additional OID in the NegProt Response:
> > > 	1.2.840.113554.2.2.3, which looks strange as it is a 
> > > 	sub-oid of KRB5. Ethereal does not know of it ATM.
> > > 
> > > 2. In the session setup&X, the MechType offers MS KRB5, KRB5, and 
> > >    NTLMSSP, in that order.

> > Clearly, however, the AD-enabled client must be making the decision based 
> > solely on the NegProt response ... 

> OK, further differences:

> 1. Windows sends back a session key of 0 in the NegProt response, Samba 
> does not.

> 2. Windows sets security bits to include signatures, Samba does not.

> 3. Windows returns the OIDs in the negTokenInit mechType with MS KRB5 
> first, while Samba has KRB5 first.

Hmm, I thought I had traces here showing the proper KRB5 OID first; and
IIRC, Win2K3 doesn't offer the broken OID at all in SPNEGO.  So
hopefully this last is not the cause...

-- 
Steve Langasek
postmodern programmer
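A small decoder for the negTokenInit mechTypes list that the messages above compare, added here as an example and not code from the thread or from Samba; the OID-to-name table uses the well-known GSS mechanism OIDs, and the sample tokens are constructed rather than taken from either capture.

```python
# Added example: decode the mechTypes SEQUENCE of an SPNEGO negTokenInit and
# report the mechanism order (the Windows-vs-Samba detail discussed above).
# Sample tokens are constructed here, not taken from a packet capture.
MECH_NAMES = {  # well-known GSS mechanism OIDs
    "1.2.840.48018.1.2.2": "MS KRB5",
    "1.2.840.113554.1.2.2": "KRB5",
    "1.3.6.1.4.1.311.2.2.10": "NTLMSSP",
}

def encode_oid(dotted):
    """DER OID (tag 0x06): first two arcs packed into one byte, the rest base-128."""
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]               # low 7 bits, continuation bit clear
        while arc := arc >> 7:
            chunk.append(0x80 | (arc & 0x7F))
        body.extend(reversed(chunk))
    return bytes([0x06, len(body)]) + bytes(body)

def decode_oid(body):
    """Inverse of encode_oid, for the content octets only (no tag/length)."""
    arcs, value = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:                   # last octet of this arc
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def build_mech_types(order):
    """Constructed sample: SEQUENCE OF the given OIDs, in the given order."""
    inner = b"".join(encode_oid(o) for o in order)
    return bytes([0x30, len(inner)]) + inner

def parse_mech_types(der):
    """Walk a DER SEQUENCE of OIDs (short-form lengths, as in these tokens)."""
    if der[0] != 0x30:
        raise ValueError("expected SEQUENCE")
    pos, end, mechs = 2, 2 + der[1], []
    while pos < end:
        if der[pos] != 0x06:
            raise ValueError("expected OID inside mechTypes")
        length = der[pos + 1]
        mechs.append(decode_oid(der[pos + 2:pos + 2 + length]))
        pos += 2 + length
    return [MECH_NAMES.get(m, m) for m in mechs]  # unknown OIDs stay dotted

# Order the thread reports for Windows: MS KRB5, then KRB5, then NTLMSSP.
WINDOWS_ORDER = build_mech_types(["1.2.840.48018.1.2.2",
                                  "1.2.840.113554.1.2.2", "1.3.6.1.4.1.311.2.2.10"])
```

Running `parse_mech_types` over the mechTypes bytes from each side's capture makes the first-listed mechanism explicit, which is the difference point 3 above is about.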