SPNEGO in Samba - Longhorn Server interop issues...

Love Hörnquist Åstrand lha at kth.se
Wed Jul 4 08:15:31 GMT 2007


4 jul 2007 kl. 01.10 skrev Todd Stecher:

> When Windows shipped, there were no other SPNEGO implementations to  
> test against, and so Windows really didn't match SPNEGO RFC 2478  
> 100%.  Eventually, Larry, Paul "Mr. CIFS" Leach, & company at  
> Microsoft made an effort to clean this mess up, and revisit the  
> standard so that everyone could play well together.  The end result  
> is RFC 4178, which supersedes 2478.
>
> As such, in early versions of Windows SPNEGO, there were some  
> "extra" fields added to the negTokenInit message which are being  
> deprecated in Vista, Longhorn Server, and eventually service packs  
> for older platforms.  The most significant of these fields is the  
> principal name - there is really no place in either standard which  
> allows the return of a principal in negTokenInit messages.  This is  
> being corrected for in Vista and Longhorn server by continuing to  
> add the field, but instead of a "real" principal, it now contains  
> "not_defined_in_RFC4178@please_ignore".
>
> From a security standpoint, allowing the server to specify its  
> service principal is a "bad idea" - I'm OK with this change, but it  
> means we'll need to fix up some Samba code, and we'll need to start  
> using / generating real service principal names in order to get  
> Kerberos authentication.  Currently, we try to get a service ticket  
> to the @please_ignore realm!!!
>
> Volker made a fix in cliconnect.c
> (http://lists.samba.org/archive/samba-cvs/2006-October/071344.html) to
> partially address this.
> However, this does not address issues when operating against  
> Longhorn Server (Windows 2008 server?).  I'm sorting through the  
> issues, but the first error occurs when trying to join a Samba  
> server to the domain - the code in ads_sasl_spnego_bind() uses this  
> principal to attempt to get a Kerberos ticket to the ldap head.
>
> I'm sure this is the first layer of the onion (there are encoding  
> issues in the old Microsoft implementation as well), but there'll  
> be more - before I get too deep, is this work already being done  
> elsewhere???  If not, I should be able to get fairly solid Longhorn  
> Server interop moving forward in the next week, and will submit a  
> patch.

We have an implementation of RFC 4178 in Heimdal; it's fairly easy to test
it against LH with gssmaggot/gssmaster (or using Heimdal's gssmask/
gssmaestro).

Love
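Added example, not code from Samba, Heimdal or either poster: it decodes a SPNEGO negTokenInit far enough to expose the Windows-specific principal "hint" that Todd's message describes, and contrasts the old client logic (use the hint as the Kerberos service principal, which for the new placeholder value yields a ticket request in the "please_ignore" realm) with the corrected logic (ignore the hint and build the SPN from the host actually connected to). Assumptions not stated on the page: the hint is carried in context tag [3] of negTokenInit as SEQUENCE { [0] GeneralString }, which is the layout Windows uses; the token bytes, host name `dc1.example.com` and the `ldap/` service prefix are constructed for the demo.

```python
"""Decode a SPNEGO negTokenInit and show why the server-supplied principal
hint must not drive Kerberos SPN selection. Example code, not Samba's own."""

SPNEGO_OID = "1.3.6.1.5.5.2"
MS_KRB5_OID = "1.2.840.48018.1.2.2"
KRB5_OID = "1.2.840.113554.1.2.2"
NTLMSSP_OID = "1.3.6.1.4.1.311.2.2.10"
PLACEHOLDER_HINT = "not_defined_in_RFC4178@please_ignore"  # value from the thread


def der_len(n):  # DER length octets (short and long form)
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, body):
    return bytes([tag]) + der_len(len(body)) + body


def encode_oid(dotted):
    parts = [int(p) for p in dotted.split(".")]
    out = bytearray([parts[0] * 40 + parts[1]])
    for p in parts[2:]:
        chunk = [p & 0x7F]
        p >>= 7
        while p:
            chunk.append(0x80 | (p & 0x7F))
            p >>= 7
        out += bytes(reversed(chunk))
    return tlv(0x06, bytes(out))


def build_neg_token_init(mechs, hint):
    """Constructed sample token: GSS-API framing (0x60) + SPNEGO OID +
    [0] NegTokenInit { mechTypes [0], [3] SEQUENCE { [0] GeneralString hint } }.
    The [3] layout is an assumption about what Windows sends, not from the page."""
    mech_list = tlv(0xA0, tlv(0x30, b"".join(encode_oid(m) for m in mechs)))
    hints = tlv(0xA3, tlv(0x30, tlv(0xA0, tlv(0x1B, hint.encode("ascii")))))
    return tlv(0x60, encode_oid(SPNEGO_OID) + tlv(0xA0, tlv(0x30, mech_list + hints)))


def read_tlv(buf, pos):
    """Return (tag, body, position after the element)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def decode_oid(body):
    parts, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(val)
            val = 0
    return ".".join(str(p) for p in parts)


def parse_neg_token_init(token):
    tag, body, _ = read_tlv(token, 0)
    if tag != 0x60:
        raise ValueError("not a GSS-API initial context token")
    tag, oid, pos = read_tlv(body, 0)
    if tag != 0x06 or decode_oid(oid) != SPNEGO_OID:
        raise ValueError("not SPNEGO")
    tag, nti, _ = read_tlv(body, pos)
    if tag != 0xA0:
        raise ValueError("expected negTokenInit [0]")
    _, seq, _ = read_tlv(nti, 0)
    result, pos = {"mechTypes": [], "hint": None}, 0
    while pos < len(seq):
        tag, field, pos = read_tlv(seq, pos)
        if tag == 0xA0:  # mechTypes: SEQUENCE OF OID
            _, lst, _ = read_tlv(field, 0)
            p = 0
            while p < len(lst):
                _, o, p = read_tlv(lst, p)
                result["mechTypes"].append(decode_oid(o))
        elif tag == 0xA3:  # RFC 4178 says mechListMIC; Windows puts a hint here
            _, hseq, _ = read_tlv(field, 0)
            htag, hbody, _ = read_tlv(hseq, 0)
            if htag == 0xA0:
                _, gs, _ = read_tlv(hbody, 0)
                result["hint"] = gs.decode("ascii", "replace")
    return result


def spn_old_behaviour(parsed):
    """Pre-fix logic from the thread: trust the hint as the service principal."""
    return parsed["hint"]


def spn_fixed(parsed, target_host, service="ldap"):
    """Corrected logic: never use the hint; derive the SPN from the target host."""
    return f"{service}/{target_host}"


def realm_of(spn):
    return spn.rsplit("@", 1)[1] if spn and "@" in spn else None


if __name__ == "__main__":
    tok = build_neg_token_init([MS_KRB5_OID, KRB5_OID, NTLMSSP_OID], PLACEHOLDER_HINT)
    parsed = parse_neg_token_init(tok)
    print("mechTypes:", parsed["mechTypes"])
    print("old SPN:", spn_old_behaviour(parsed), "-> realm", realm_of(spn_old_behaviour(parsed)))
    print("fixed SPN:", spn_fixed(parsed, "dc1.example.com"))
```

The point of the contrast is that the hint is attacker-controllable in any case: a host that can answer the connection can also fill in the hint, so a client that builds its SPN from it can be steered to request a ticket for a principal of the server's choosing. Building the SPN from the name the client itself resolved is the fix regardless of whether the hint is a real name or the new placeholder.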
