samba 4 TP3 and Windows SSPI

Andrew Bartlett abartlet at
Thu Nov 9 23:37:56 GMT 2006

On Thu, 2006-11-09 at 17:33 +0300, Joshua Masiko wrote:
> DsWriteAccountSpn allows you to de-couple the way the client connects from
> the account the server is running under.
> It basically maps a service principal name to the server account such that
> in InitializeSecurityContext the client can specify the SPN as the target
> without knowing the account under which the server is running. Details are
> on MSDN online.

Looks like a mere matter of implementation; we appear to have figured
out the IDL.

> Which brings me to another problem.
> When running the server under any domain account other than
> localsystem (e.g. joshua) InitializeSecurityContext fails. A look at the
> Samba log shows
> Kerberos: Principal may not act as server -- joshua at YOUR.REALM
> Running the server under the localsystem account works since it uses the
> machine account and one can use DOMAIN\machinename$ as the target in
> InitializeSecurityContext.

Very interesting.  That is an additional restriction that I added, to
prevent offline attacks against user passwords.

If you add a service principal name, it will work, but perhaps this is
why Microsoft still allows this by default.

Andrew Bartlett

Andrew Bartlett                      
Authentication Developer, Samba Team 
Samba Developer, Red Hat Inc.        
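
The three cases discussed in this message (user account named directly, machine account, user account reached through a registered SPN), as an added example that is not part of the original message and is not Samba's code. It is a simplified model; `ToyKdc`, `check_server`, the `ISSUED` and `UNKNOWN` result strings and the SPN `myservice/host.your.realm` are assumptions constructed for illustration.

```python
from dataclasses import dataclass, field

DENIED = "Principal may not act as server"   # wording from the Samba log above
UNKNOWN = "unknown principal"                # constructed for this model
ISSUED = "ticket issued"                     # constructed for this model

@dataclass
class Account:
    name: str
    is_machine: bool = False
    spns: set = field(default_factory=set)

class ToyKdc:
    """Simplified model of the server-principal check; not Samba's code."""

    def __init__(self):
        self.accounts = {}

    def add_account(self, name, is_machine=False):
        self.accounts[name.lower()] = Account(name, is_machine)

    def write_account_spn(self, name, spn):
        # Models the effect of DsWriteAccountSpn: map an SPN to an account.
        self.accounts[name.lower()].spns.add(spn.lower())

    def check_server(self, target):
        """Decide whether `target` may be the server of a service ticket."""
        t = target.lower()
        if "/" in t:  # SPN form, e.g. service/host
            owners = [a for a in self.accounts.values() if t in a.spns]
            return ISSUED if owners else UNKNOWN
        acct = self.accounts.get(t.split("\\")[-1])  # drop a DOMAIN\ prefix
        if acct is None:
            return UNKNOWN
        # A machine account has a random key; a user account's key comes from
        # a password, so a request naming the user account itself is refused.
        return ISSUED if acct.is_machine else DENIED

def demo():
    kdc = ToyKdc()
    kdc.add_account("joshua")                      # constructed sample accounts
    kdc.add_account("machinename$", is_machine=True)
    before = kdc.check_server("joshua")
    machine = kdc.check_server("DOMAIN\\machinename$")
    kdc.write_account_spn("joshua", "myservice/host.your.realm")
    after = kdc.check_server("myservice/host.your.realm")
    return before, machine, after

if __name__ == "__main__":
    print(demo())
```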