SPNEGO in Samba - Longhorn Server interop issues...
Love Hörnquist Åstrand
lha at kth.se
Wed Jul 4 08:15:31 GMT 2007
On 4 Jul 2007, at 01:10, Todd Stecher wrote:
> When Windows shipped, there were no other SPNEGO implementations to
> test against, and so Windows really didn't match SPNEGO RFC 2478
> 100%. Eventually, Larry, Paul "Mr. CIFS" Leach, & company at
> Microsoft made an effort to clean this mess up, and revisit the
> standard so that everyone could play well together. The end result
> is RFC 4178, which supersedes 2478.
>
> As such, in early versions of Windows SPNEGO, there were some
> "extra" fields added to the negTokenInit message which are being
> deprecated in Vista, Longhorn Server, and eventually service packs
> for older platforms. The most significant of these fields is the
> principal name - there is really no place in either standard which
> allows the return of a principal in negTokenInit messages. This is
> being corrected for in Vista and Longhorn server by continuing to
> add the field, but instead of a "real" principal, it now contains
> "not_defined_in_RFC4178 at please_ignore".
>
> From a security standpoint, allowing the server to specify its
> service principal is a "bad idea" - I'm OK with this change, but it
> means we'll need to fix up some Samba code, and we'll need to start
> using / generating real service principal names in order to get
> Kerberos authentication. Currently, we try to get a service ticket
> to the @please_ignore realm!!!
>
> Volker made a fix in cliconnect.c (http://lists.samba.org/archive/
> samba-cvs/2006-October/071344.html) to partially address this.
> However, this does not address issues when operating against
> Longhorn Server (Windows 2008 server?). I'm sorting through the
> issues, but the first error occurs when trying to join a Samba
> server to the domain - the code in ads_sasl_spnego_bind() uses this
> principal to attempt to get a Kerberos ticket to the ldap head.
>
> I'm sure this is the first layer of the onion (there are encoding
> issues in the old Microsoft implementation as well), but there'll
> be more - before I get too deep, is this work already being done
> elsewhere??? If not, I should be able to get fairly solid Longhorn
> Server interop moving forward in the next week, and will submit a
> patch.
We have an implementation of RFC 4178 in Heimdal; it's fairly easy to test
it with LH with gssmaggot/gssmaster (or using Heimdal's gssmask/
gssmaestro).
Love
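The thread's security point is that a client must never take its Kerberos target principal from the server's negTokenInit, whether the field carries a "real" name or the "not_defined_in_RFC4178@please_ignore" placeholder. The following is an added example, not Samba or Heimdal code, showing how a client can parse a negTokenInit, pull out the legacy principal field, and still derive the service principal from the host it intended to reach. It assumes the legacy Windows encoding of that principal as a SEQUENCE { [0] GeneralString } inside the mechListMIC slot; the thread only says a principal field exists, so that encoding is an assumption here, and the token bytes are constructed inline.

```python
"""Parse a SPNEGO negTokenInit and never trust a server-supplied principal.

Added example (not Samba or Heimdal code). Assumption: the pre-RFC4178
Windows principal is encoded as SEQUENCE { [0] GeneralString } in the
mechListMIC position ([3]) of NegTokenInit. Single-byte DER tags suffice.
"""

SPNEGO_OID = "1.3.6.1.5.5.2"
KRB5_OID = "1.2.840.113554.1.2.2"
MS_KRB5_OID = "1.2.840.48018.1.2.2"
NTLMSSP_OID = "1.3.6.1.4.1.311.2.2.10"
PLEASE_IGNORE = "not_defined_in_RFC4178@please_ignore"


def _encode_len(n: int) -> bytes:
    """DER definite length: short form below 0x80, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + _encode_len(len(body)) + body


def encode_oid(dotted: str) -> bytes:
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]          # base-128, high bit set on all but last
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return der(0x06, bytes(out))


def decode_oid(body: bytes) -> str:
    first = body[0]
    arcs = [2, first - 80] if first >= 80 else [first // 40, first % 40]
    val = 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(str(a) for a in arcs)


def read_tlv(buf: bytes, off: int = 0):
    """Return (tag, body, next_offset) for one DER element."""
    tag, length, off = buf[off], buf[off + 1], off + 2
    if length & 0x80:                 # long form: next (length & 0x7F) bytes
        n = length & 0x7F
        length = int.from_bytes(buf[off:off + n], "big")
        off += n
    return tag, buf[off:off + length], off + length


def read_children(body: bytes):
    out, off = [], 0
    while off < len(body):
        tag, inner, off = read_tlv(body, off)
        out.append((tag, inner))
    return out


def build_neg_token_init(mechs, mech_token: bytes, legacy_principal=None, mic=None) -> bytes:
    """Constructed token: GSS InitialContextToken { SPNEGO OID, [0] NegTokenInit }."""
    fields = der(0xA0, der(0x30, b"".join(encode_oid(m) for m in mechs)))  # [0] mechTypes
    fields += der(0xA2, der(0x04, mech_token))                             # [2] mechToken
    if legacy_principal is not None:  # assumed legacy Windows shape in the [3] slot
        fields += der(0xA3, der(0x30, der(0xA0, der(0x1B, legacy_principal.encode()))))
    elif mic is not None:             # RFC 4178 shape: [3] OCTET STRING
        fields += der(0xA3, der(0x04, mic))
    return der(0x60, encode_oid(SPNEGO_OID) + der(0xA0, der(0x30, fields)))


def parse_neg_token_init(token: bytes) -> dict:
    tag, body, _ = read_tlv(token)
    if tag != 0x60:
        raise ValueError("not a GSS-API InitialContextToken")
    oid_tag, oid_body, off = read_tlv(body)
    if oid_tag != 0x06 or decode_oid(oid_body) != SPNEGO_OID:
        raise ValueError("not a SPNEGO token")
    choice_tag, choice_body, _ = read_tlv(body, off)
    if choice_tag != 0xA0:
        raise ValueError("not a negTokenInit")
    _, seq_body, _ = read_tlv(choice_body)
    out = {"mechTypes": [], "mechToken": None, "mechListMIC": None, "legacy_principal": None}
    for tag, inner in read_children(seq_body):
        if tag == 0xA0:
            _, oids, _ = read_tlv(inner)
            out["mechTypes"] = [decode_oid(b) for t, b in read_children(oids) if t == 0x06]
        elif tag == 0xA2:
            _, out["mechToken"], _ = read_tlv(inner)
        elif tag == 0xA3:
            mic_tag, mic_body, _ = read_tlv(inner)
            if mic_tag == 0x04:
                out["mechListMIC"] = mic_body
            elif mic_tag == 0x30:     # legacy principal, recorded but never trusted
                for t, b in read_children(mic_body):
                    gs_tag, gs_body, _ = read_tlv(b)
                    if t == 0xA0 and gs_tag == 0x1B:
                        out["legacy_principal"] = gs_body.decode()
    return out


def choose_target_principal(parsed: dict, service: str, target_host: str, realm: str):
    """Derive the SPN from the intended target; report what was ignored."""
    spn = f"{service}/{target_host.lower()}@{realm.upper()}"
    legacy = parsed.get("legacy_principal")
    if legacy is None:
        return spn, "no server-supplied principal"
    if legacy == PLEASE_IGNORE:
        return spn, "placeholder principal ignored"
    return spn, "server-supplied principal ignored"
```

Feeding the old behaviour described in the thread (taking the server's string as the SPN) into this parser would have produced a ticket request for the "please_ignore" realm; deriving the SPN from the host name the client resolved, as `choose_target_principal` does, sidesteps both the placeholder and a server that names a principal of its own choosing.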