samba 4 TP3 and Windows SSPI
Todd Stecher
todd.stecher at isilon.com
Thu Nov 9 23:42:13 GMT 2006
On Nov 9, 2006, at 3:37 PM, Andrew Bartlett wrote:
>
>> Which brings me to another problem.
>> When running the server under any domain account other than
>> localsystem (e.g. joshua) InitializeSecurityContext fails. A look at the
>> Samba log shows
>> Kerberos: Principal may not act as server -- joshua at YOUR.REALM
>>
>> Running the server under the localsystem account works since it
>> uses the machine account and one can use DOMAIN\machinename$ as the
>> target in InitializeSecurityContext.
>
> Very interesting. That is an additional restriction that I added, to
> prevent offline attacks against user passwords.
>
> If you add a service principal name, it will work, but perhaps this is
> why Microsoft still allows this by default.
If you are running W2003 in forest native mode, I believe you can no
longer target a UPN as part of an SSPI request (security fix for the
cracking issue you mention, Andrew). It is also configurable in the
registry.
>
> Andrew Bartlett
>
> --
> Andrew Bartlett http://samba.org/~abartlet/
> Authentication Developer, Samba Team http://samba.org
> Samba Developer, Red Hat Inc. http://redhat.com
Todd Stecher | Windows Interop Dev
Isilon Systems P +1-206-315-7500 F +1-206-315-7501
www.isilon.com D +1-206-315-7638 M +1-425-205-1180
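As an added illustration (not code from this thread, from Samba, or from Windows SSPI), the following is a simplified model of the restriction Andrew describes: a user account may be the target of a service ticket only through a registered service principal name, never through its user principal name, while a machine account may be targeted as DOMAIN\name$. The NetBIOS domain name, the account names and the SPNs are constructed for the example.

```python
# Simplified model of the "Principal may not act as server" restriction
# discussed above. This is an added example, not Samba's KDC code: an
# ordinary user account may only be targeted through a registered SPN,
# while a machine account (name ending in "$") may be targeted directly.
# All directory data below is constructed for illustration.
from dataclasses import dataclass, field

REALM = "YOUR.REALM"   # realm as in the quoted log line
DOMAIN = "YOURDOM"     # assumed NetBIOS domain name

@dataclass
class Account:
    sam_name: str
    spns: set = field(default_factory=set)

    @property
    def is_machine(self) -> bool:
        return self.sam_name.endswith("$")

# Constructed accounts: a plain user, a machine account, and a user account
# on which an administrator has registered an SPN.
DIRECTORY = {
    "joshua": Account("joshua"),
    "FILESRV$": Account("FILESRV$", {"cifs/filesrv.your.realm"}),
    "svc_web": Account("svc_web", {"HTTP/app.your.realm"}),
}

def resolve_target(target: str):
    """Map an SSPI target name to (account, naming_form) or (None, None)."""
    if "\\" in target:                            # DOMAIN\name form
        domain, name = target.split("\\", 1)
        if domain.upper() != DOMAIN:
            return None, None
        return DIRECTORY.get(name), "sam"
    if target.upper().endswith("@" + REALM):      # UPN form
        return DIRECTORY.get(target.split("@", 1)[0]), "upn"
    if "/" in target:                             # SPN form
        for acct in DIRECTORY.values():
            if target in acct.spns:
                return acct, "spn"
    return None, None

def may_act_as_server(target: str) -> tuple:
    """Return (allowed, reason) for the requested service ticket target."""
    acct, how = resolve_target(target)
    if acct is None:
        return False, "unknown principal"
    if how == "spn" or acct.is_machine:
        return True, "service principal or machine account"
    return False, f"Principal may not act as server -- {acct.sam_name}@{REALM}"
```

Targeting joshua's UPN is refused with the message seen in the Samba log, while the same deployment succeeds once the client targets the machine account or a registered SPN.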