samba 4 TP3 and Windows SSPI

Joshua Masiko geniedren at gmail.com
Fri Nov 10 08:22:58 GMT 2006


Good to know you've figured out the IDL.
Is there any documentation on the GENSEC API?
My aim is to have some howtos for app developers so they can test out the TPs
as you release them. I think there are many more people out there who would be
interested in testing app development without necessarily wanting to mess with
Samba internals.
I believe Samba now has quite a few interfaces that people can target
(SSPI, GSSAPI, GENSEC, LDAP, EJS, ADSI??).

On 11/10/06, Andrew Bartlett <abartlet at samba.org> wrote:
>
> On Thu, 2006-11-09 at 15:42 -0800, Todd Stecher wrote:
> > On Nov 9, 2006, at 3:37 PM, Andrew Bartlett wrote:
> >
> >
> > >
> > >> Which brings me to another problem.
> > >> When running the server under any domain account other than
> > >> localsystem (e.g. joshua), InitializeSecurityContext fails. A look at the
> > >> Samba log shows
> > >> Kerberos: Principal may not act as server -- joshua at YOUR.REALM
> > >>
> > >> Running the server under the localsystem account works since it
> > >> uses the machine account and one can use DOMAIN\machinename$ as the
> > >> target in InitializeSecurityContext.
> > >
> > > Very interesting.  That is an additional restriction that I added, to
> > > prevent offline attacks against user passwords.
> > >
> > > If you add a service principal name, it will work, but perhaps this is
> > > why Microsoft still allows this by default.
> >
> > If you are running W2003 in forest native mode, I believe you can no
> > longer target a UPN as part of an SSPI request (security fix for the
> > cracking issue you mention, Andrew).  It is also configurable in the
> > registry.
>
> On that basis I'll keep our defaults, which can be overridden with a
> smb.conf parameter (kdc:require spn for service = no).
>
> Andrew Bartlett
>
> --
> Andrew Bartlett                                http://samba.org/~abartlet/
> Authentication Developer, Samba Team           http://samba.org
> Samba Developer, Red Hat Inc.                  http://redhat.com
>
>
>
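As an added illustration (not part of the thread, and not Samba's own tooling): the fix Andrew suggests, giving the user account a service principal name so the KDC will treat it as a server, expressed as an LDIF modification of the account object. The attribute name is the Active Directory servicePrincipalName attribute; the DN, realm, hostname and service class below are assumptions and must be adjusted to the actual domain.

```ldif
# Added example, not from the thread. Adds SPNs to the user account
# "joshua" so the KDC issues service tickets for it instead of rejecting
# the request with "Principal may not act as server".
# DN, realm, hostname and service class are assumptions for illustration.
dn: CN=joshua,CN=Users,DC=your,DC=realm
changetype: modify
add: servicePrincipalName
servicePrincipalName: HOST/appserver.your.realm
servicePrincipalName: MYSVC/appserver.your.realm
```

Once the SPN exists, the client passes that SPN (for example MYSVC/appserver.your.realm) as the target name to InitializeSecurityContext rather than the user's UPN, and the server can keep running under the joshua account. The alternative the thread mentions, setting `kdc:require spn for service = no` under `[global]` in smb.conf, makes the KDC accept any account as a service again and therefore reopens the offline-password-attack exposure the restriction was added to close; registering an SPN is the option to prefer.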