SPNEGO in Samba - Longhorn Server interop issues... - KRB5.CONF
eddietse
eddietse0 at gmail.com
Mon Jul 23 12:34:23 GMT 2007
How about use the the servicePricipalName attribute from Active Directory for
the target HOST.
Todd Stecher-4 wrote:
>
> Sorry this is taking so long - I'm multitasking.
>
> I have this all working (against NT4, W2000, 2003, 2008), but our
> implementation has taken a dependency to start adding the default
> realm to krb5.conf when making outbound CIFS request from a Samba
> server (e.g. RPC).
>
> This is because before these changes we used to rely on the principal
> returned in the spnego negtokeninit message (which had the form host/
> machinename.domain.com at domain.com). However, now the principals
> we're passing into the kerberos libraries are of the form host/
> machinename.domain.com (no info after the @ sign). This means it has
> to fall back on the default realm value provided in krb5.conf for
> realm location.
>
> Is it fairly normal for people to add in the default realm into
> krb5.conf when running in ADS mode? Any suggestions on a "better"
> way to divine the service's realm, if its not available in the SPNEGO
> message?
>
> Thanks,
> Todd
>
>
>
>
>
> On Jul 10, 2007, at 3:48 PM, Todd Stecher wrote:
>
>> Wanon & Andrew pointed me at a fix for this - join is now working,
>> as is basic functionality. Patch forthcoming...
>>
>>
>> On Jul 10, 2007, at 2:48 PM, Todd Stecher wrote:
>>
>>> I'm guessing this is a description of the policy - problem is, its
>>> "disabled" in the UI:
>>>
>>>
>>>
>>> Domain member: Require strong (Windows 2000 or later) session key
>>>
>>> This security setting determines whether 128-bit key strength is
>>> required for encrypted secure channel data.
>>>
>>> When a computer joins a domain, a computer account is created.
>>> After that, when the system starts, it uses the computer account
>>> password to create a secure channel with a domain controller
>>> within the domain. This secure channel is used to perform
>>> operations such as NTLM passthrough authentication, LSA SID/name
>>> Lookup, and so on.
>>>
>>> Depending on what version of Windows is running on the domain
>>> controller that the domain member is communicating with and the
>>> settings of the parameters:
>>>
>>> Domain member: Digitally encrypt or sign secure channel data (always)
>>> Domain member: Digitally encrypt secure channel data (when possible)
>>> Some or all of the information that is transmitted over the secure
>>> channel will be encrypted. This policy setting determines whether
>>> or not 128-bit key strength is required for the secure channel
>>> information that is encrypted.
>>>
>>> If this setting is enabled, then the secure channel will not be
>>> established unless 128-bit encryption can be performed. If this
>>> setting is disabled, then the key strength is negotiated with the
>>> domain controller.
>>>
>>> Default: Disabled.
>>>
>>> Important
>>>
>>> In order to take advantage of this policy on member workstations
>>> and servers, all domain controllers that constitute the member's
>>> domain must be running Windows 2000 or later.
>>> In order to take advantage of this policy on domain controllers,
>>> all domain controllers in the same domain as well as all trusted
>>> domains must run Windows 2000 or later.
>>>
>>>
>>> I seem to recall one patch where 128 bit secure channel was
>>> supported...
>>>
>>>
>>>
>>> On Jul 10, 2007, at 2:39 PM, Todd Stecher wrote:
>>>
>>>> OK - I have the SPNEGO problems worked out, and join mostly
>>>> works, but it appears as if the secure channel we emit is
>>>> unacceptable to Longhorn server in its default state:
>>>>
>>>> From netlogon.log on the Longhorn DC:
>>>>
>>>>
>>>> 07/10 14:01:39 [MAILSLOT] Ping response 'Sam Logon Response
>>>> Ex' (null) to \\W2009-1 Site: Default-First-Site-Name on UDP LDAP
>>>> 07/10 14:01:39 [SESSION] NetrServerAuthenticate entered: W2009-1
>>>> on account W2009-1$ (Negot: 400701ff)
>>>> 07/10 14:01:39 [SESSION] NetrServerAuthenticate3: the client
>>>> W2009-1$ is asking for NT4 crypto and this server disallows it.
>>>> 07/10 14:01:39 [MISC] Eventlog: 5722 (1) "W2009-1" "W2009-1$"
>>>> 0xc0000388 d0706242 73ca0006 205b4f26 3a297e85 Bbp....s&O[ .~):
>>>> 07/10 14:01:39 [MISC] Didn't log event since it was already logged.
>>>>
>>>>
>>>> Err - are the details of Windows 2000+ secure channel support
>>>> emerged from your collective investigations? I'm certain there's
>>>> a policy to change this restriction, but changing security
>>>> policies is not usually something domain admins want to do.
>>>> Who's our resident secure channel expert?
>>>>
>>>> (I'll do some independent investigation over coffee and
>>>> basketball w/ my favorite netlogon developer - but he may not be
>>>> super helpful given the proprietary nature of the protocol, as
>>>> well as the fact that its damn hard to figure out).
>>>>
>>>> Todd
>>>>
>>>>
>>>>
>>>> On Jul 3, 2007, at 4:16 PM, Jeremy Allison wrote:
>>>>
>>>>> On Tue, Jul 03, 2007 at 04:10:30PM -0700, Todd Stecher wrote:
>>>>>>
>>>>>> I'm sure this is the first layer of the onion (there are encoding
>>>>>> issues in the old Microsoft implementation as well), but
>>>>>> there'll be
>>>>>> more - before I get too deep, is this work already being done
>>>>>> elsewhere??? If not, I should be able to get fairly solid
>>>>>> Longhorn
>>>>>> Server interop moving forward in the next week, and will submit
>>>>>> a patch.
>>>>>
>>>>> Not to my knowledge ("work already being done elsewhere"). I'd
>>>>> appreciate a patch and I'll definately review it asap.
>>>>>
>>>>> Thanks !
>>>>>
>>>>> Jeremy.
>>>>
>>>> Todd Stecher | Windows Interop Dev
>>>> Isilon Systems P +1-206-315-7500 F +1-206-315-7501
>>>> www.isilon.com D +1-206-315-7638 M +1-425-205-1180
>>>>
>>>>
>>>>
>>>
>>> Todd Stecher | Windows Interop Dev
>>> Isilon Systems P +1-206-315-7500 F +1-206-315-7501
>>> www.isilon.com D +1-206-315-7638 M +1-425-205-1180
>>>
>>>
>>>
>>
>> Todd Stecher | Windows Interop Dev
>> Isilon Systems P +1-206-315-7500 F +1-206-315-7501
>> www.isilon.com D +1-206-315-7638 M +1-425-205-1180
>>
>>
>>
>
> Todd Stecher | Windows Interop Dev
> Isilon Systems P +1-206-315-7500 F +1-206-315-7501
> www.isilon.com D +1-206-315-7638 M +1-425-205-1180
>
>
>
>
>
--
View this message in context: http://www.nabble.com/SPNEGO-in-Samba---Longhorn-Server-interop-issues...-tf4021562.html#a11742731
Sent from the Samba - samba-technical mailing list archive at Nabble.com.
More information about the samba-technical
mailing list