samba 4 TP3 and Windows SSPI

Todd Stecher todd.stecher at
Thu Nov 9 23:42:13 GMT 2006

On Nov 9, 2006, at 3:37 PM, Andrew Bartlett wrote:

>> Which brings me to another problem.
>> When running the server under any domain account other than
>> localsystem (e.g. joshua) InitializeSecurityContext fails. A look at the
>> Samba log shows
>> Kerberos: Principal may not act as server -- joshua at YOUR.REALM
>> Running the server under the localsystem account works since it uses the
>> machine account and one can use DOMAIN\machinename$ as the target in
>> InitializeSecurityContext.
> Very interesting.  That is an additional restriction that I added, to
> prevent offline attacks against user passwords.
> If you add a service principal name, it will work, but perhaps this is
> why Microsoft still allows this by default.

If you are running W2003 in forest native mode, I believe you can no longer target a UPN as part of an SSPI request (security fix for the cracking issue you mention, Andrew).  It is also configurable in the

> Andrew Bartlett
> -- 
> Andrew Bartlett                       
> ~abartlet/
> Authentication Developer, Samba Team 
> Samba Developer, Red Hat Inc.        

Todd Stecher | Windows Interop Dev
Isilon Systems    P +1-206-315-7500     F  +1-206-315-7501    D +1-206-315-7638    M +1-425-205-1180
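The fix Andrew describes (register a service principal name on the account the service runs under, then target that SPN instead of the user's UPN or the machine account) as a worked example. This is an added illustration, not code from the thread, from Samba or from Microsoft; the NetBIOS domain name YOUR, the host name server.your.realm and the HOST/ service class are assumptions, while joshua, YOUR.REALM and DOMAIN\machinename$ come from the thread. It uses only the stock setspn and klist tools.

```powershell
# Added example (not from the thread): make a service that runs as the domain
# user 'joshua' a valid Kerberos target by registering an SPN on that account.
# Assumed names: NetBIOS domain 'YOUR', host 'server.your.realm', class HOST/.
$domain  = 'YOUR'               # NetBIOS name of YOUR.REALM (assumed)
$svcUser = 'joshua'             # domain user the service runs as (from the thread)
$svcHost = 'server.your.realm'  # FQDN of the machine hosting the service (assumed)
$spn     = "HOST/$svcHost"      # SPN clients will pass to InitializeSecurityContext

# 1. Failing case from the thread: the client targets the user's UPN. Samba 4's
#    "Principal may not act as server" check (and a W2003 forest in native mode)
#    refuses to issue a service ticket for a plain user, so the client fails.
#    Issuing such a ticket would hand any domain user a blob encrypted with
#    joshua's password-derived key, i.e. an offline password-cracking target.
$badTarget = "$svcUser@YOUR.REALM"

# 2. Working case from the thread, but only while the service runs as
#    LocalSystem: target the machine account, which is allowed to act as server.
$machineTarget = "$domain\$($env:COMPUTERNAME)`$"

# 3. Fix for a service running as a domain user: register an SPN on that account.
#    Check first that nobody else holds it; duplicate SPNs make Kerberos fail
#    silently and fall back to NTLM. 'setspn -L' lists SPNs on an account.
$alreadyOnUser = (& setspn -L "$domain\$svcUser") -match [regex]::Escape($spn)
if (-not $alreadyOnUser) {
    # '-A' adds the SPN unconditionally (present since the W2003 support tools).
    # Newer setspn builds also offer '-S', which refuses to add a duplicate.
    & setspn -A $spn "$domain\$svcUser"
    if ($LASTEXITCODE -ne 0) { throw "setspn -A $spn failed ($LASTEXITCODE)" }
}
# On a current Samba 4 DC the equivalent is (assumed, not available in TP3):
#   samba-tool spn add HOST/server.your.realm joshua

# 4. Verify the KDC now issues a ticket for the SPN. 'klist get' (Windows 7 /
#    2008 R2 and later; assumed available) requests the service ticket directly,
#    which is the same request InitializeSecurityContext makes with $spn as the
#    target name. A 'Principal may not act as server' style failure shows up here
#    before any application code is involved.
& klist get $spn
if ($LASTEXITCODE -ne 0) { throw "no service ticket for $spn; check the SPN" }

"Client target name to use: $spn (instead of $badTarget or $machineTarget)"
```

Clients then pass HOST/server.your.realm as the target name to InitializeSecurityContext; the UPN form keeps failing by design, and the DOMAIN\machinename$ form only matches while the service runs under the machine account.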
