samba 4 TP3 and Windows SSPI
geniedren at gmail.com
Fri Nov 10 08:22:58 GMT 2006
Good to know you've figured out the IDL.
Is there any documentation on the GENSEC API?
My aim is to have some howtos for app developers so they can test out the TPs
release them. I think there are many more people out there who would be
testing app development without necessarily wanting to mess with samba.
I believe samba now has quite a few interfaces that people can target.
On 11/10/06, Andrew Bartlett <abartlet at samba.org> wrote:
> On Thu, 2006-11-09 at 15:42 -0800, Todd Stecher wrote:
> > On Nov 9, 2006, at 3:37 PM, Andrew Bartlett wrote:
> > >
> > >> Which brings me to another problem.
> > >> When running the server under any domain account other than
> > >> localsystem (e.g. joshua) InitializeSecurityContext fails. A look at the
> > >> Samba log shows
> > >> Kerberos: Principal may not act as server -- joshua at YOUR.REALM
> > >>
> > >> Running the server under the localsystem account works since it
> > >> uses the
> > >> machine account and one can use DOMAIN\machinename$ as the target in
> > >> InitializeSecurityContext.
> > >
> > > Very interesting. That is an additional restriction that I added, to
> > > prevent offline attacks against user passwords.
> > >
> > > If you add a service principal name, it will work, but perhaps this is
> > > why Microsoft still allows this by default.
> > If you are running W2003 in forest native mode, I believe you can no
> > longer target a UPN as part of an SSPI request (security fix for the
> > cracking issue you mention, Andrew). It is also configurable in the
> > registry.
> On that basis I'll keep our defaults, which can be overridden with a
> smb.conf parameter (kdc:require spn for service = no).
> Andrew Bartlett
> Andrew Bartlett http://samba.org/~abartlet/
> Authentication Developer, Samba Team http://samba.org
> Samba Developer, Red Hat Inc. http://redhat.com
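The policy discussed in the quoted exchange, as an added illustration that is not Samba's own code: a toy model of the KDC decision behind the "Principal may not act as server" error and the `kdc:require spn for service` override. The directory entries (joshua, WS01$, svc-web), the SPN strings and the target-name parsing are constructed assumptions; only the policy shape comes from the thread (a user principal with no SPN is refused as a service target, a machine account or an account that has been given an SPN is accepted, and the smb.conf parameter turns the check off).

```python
# Added example, not Samba code. Models the KDC-side check the thread describes:
# a ticket for a service is only issued when the target principal carries a
# servicePrincipalName, unless 'kdc:require spn for service = no' is set.
from dataclasses import dataclass, field

REALM = "YOUR.REALM"  # constructed realm name


@dataclass
class Principal:
    """A directory account as the KDC sees it (constructed, minimal)."""
    name: str                               # sAMAccountName, e.g. "joshua" or "WS01$"
    spns: set = field(default_factory=set)  # servicePrincipalName values


# Constructed directory: a plain user, a machine account with host/ SPNs,
# and a user account that has been given an HTTP SPN explicitly.
DIRECTORY = {
    "joshua": Principal("joshua"),
    "WS01$": Principal("WS01$", spns={"host/ws01.your.realm", "HOST/WS01"}),
    "svc-web": Principal("svc-web", spns={"HTTP/web.your.realm"}),
}


def resolve_target(target: str, directory: dict):
    """Map an SSPI target name to a directory entry.

    Accepts an SPN ("HTTP/web.your.realm"), a DOMAIN\\name form
    ("DOMAIN\\WS01$") or a UPN ("joshua@YOUR.REALM"). Returns None if unknown.
    """
    if "/" in target:  # service/host form: find whoever owns that SPN
        for principal in directory.values():
            if target in principal.spns:
                return principal
        return None
    name = target.split("\\")[-1].split("@")[0]
    return directory.get(name)


def may_act_as_server(target: str, directory: dict,
                      require_spn_for_service: bool = True):
    """Return (allowed, reason) for a service-ticket request naming `target`.

    require_spn_for_service mirrors the smb.conf parameter
    'kdc:require spn for service' (default yes, per the thread).
    """
    principal = resolve_target(target, directory)
    if principal is None:
        return False, f"unknown principal for target {target!r}"
    if require_spn_for_service and not principal.spns:
        # Paraphrase of the log line quoted in the thread.
        return False, f"Principal may not act as server -- {principal.name}@{REALM}"
    return True, f"issuing service ticket for {principal.name}@{REALM}"


if __name__ == "__main__":
    for target, override in [("joshua@YOUR.REALM", True),
                             ("DOMAIN\\WS01$", True),
                             ("HTTP/web.your.realm", True),
                             ("joshua@YOUR.REALM", False)]:
        print(target, override, may_act_as_server(target, DIRECTORY, override))
```

The model shows why a server running as a plain domain user is refused while the same server under LocalSystem (machine account, which carries host/ SPNs) succeeds, and why either adding an SPN to the account or setting the smb.conf parameter to `no` makes the user-account case work. The default keeps a user's password-derived key out of service tickets that anyone can request, which is the offline-cracking concern Andrew mentions.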