samba 4 TP3 and Windows SSPI

Andrew Bartlett abartlet at samba.org
Fri Nov 10 00:52:17 GMT 2006


On Thu, 2006-11-09 at 15:42 -0800, Todd Stecher wrote:
> On Nov 9, 2006, at 3:37 PM, Andrew Bartlett wrote:
> 
> 
> >
> >> Which brings me to another problem.
> >> When running the server under any domain account other than
> >> localsystem (e.g. joshua) InitializeSecurityContext fails. A look at the
> >> Samba log shows
> >> Kerberos: Principal may not act as server -- joshua at YOUR.REALM
> >>
> >> Running the server under the localsystem account works since it uses
> >> the machine account and one can use DOMAIN\machinename$ as the target
> >> in InitializeSecurityContext.
> >
> > Very interesting.  That is an additional restriction that I added, to
> > prevent offline attacks against user passwords.
> >
> > If you add a service principal name, it will work, but perhaps this is
> > why Microsoft still allows this by default.
> 
> If you are running W2003 in forest native mode, I believe you can no  
> longer target a UPN as part of an SSPI request (security fix for the  
> cracking issue you mention, Andrew).  It is also configurable in the  
> registry.

On that basis I'll keep our defaults, which can be overridden with a
smb.conf parameter (kdc:require spn for service = no).

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Red Hat Inc.                  http://redhat.com
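The policy discussed in this thread, modelled as an added illustration (this is not Samba's KDC code): a ticket target is accepted only if it looks like a service account (machine account ending in `$`, a `service/instance` name, or a registered SPN), unless the `kdc:require spn for service = no` override is present in smb.conf. The heuristics for "looks like a service account" and the smb.conf parsing are assumptions made for the example.

```python
"""Illustrative model of the 'principal may not act as server' check.

Assumption (not Samba's own logic): a principal may act as a server if it is
a machine account (name ends in '$'), has a service/instance component
(contains '/'), or has servicePrincipalName values registered; plain user
principals are refused unless 'kdc:require spn for service = no' is set.
"""
from dataclasses import dataclass


@dataclass
class Principal:
    name: str            # e.g. "joshua", "host/server", "SERVER$"
    realm: str           # e.g. "YOUR.REALM"
    spns: tuple = ()     # servicePrincipalName values on the account


def parse_smbconf(text: str) -> dict:
    """Minimal smb.conf reader: keeps 'key = value' lines, drops sections/comments."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", ";", "[")):
            continue
        key, _, value = line.partition("=")
        conf[key.strip().lower()] = value.strip()
    return conf


def require_spn_for_service(conf: dict) -> bool:
    # The thread keeps the strict behaviour as the default.
    value = conf.get("kdc:require spn for service", "yes").lower()
    return value not in ("no", "false", "0")


def may_act_as_server(target: Principal, conf: dict) -> tuple:
    """Return (allowed, log message) for a requested ticket target."""
    if not require_spn_for_service(conf):
        return True, "ok (SPN requirement disabled in smb.conf)"
    if target.name.endswith("$") or "/" in target.name or target.spns:
        return True, "ok"
    # Same wording as the log line quoted in the thread (with '@' restored).
    return False, ("Kerberos: Principal may not act as server -- "
                   f"{target.name}@{target.realm}")
```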