[PATCH] Add support for using server supplied principal (mic
Love Hörnquist Åstrand
lha at kth.se
Mon Aug 25 01:38:54 GMT 2008
On 25 Aug 2008, at 02:25, Jeff Layton wrote:
> Everything I've read does say that windows clients don't use the
> contents of the MIC field. The idea was that this would be useful for
> allowing kerberos auth in situations where clients and servers have
> differing ideas about the hostname of the server (either broken DNS or
> maybe trying to mount a CNAME).
Semi-modern Windows servers don't put a hostname there, so it won't
be much use either.
Windows just assumes that if you can look up the name, the same name will be
in the SPN in LDAP.
> I'll confess though that I haven't thought through the security
> implications fully here. Obviously, we don't want to do this if it's
> So that I understand correctly, what exactly is the risk of using the
> server-provided principal?
You try to connect to host/my.secrets.com@GOOD.COM, but since the host
host/will.fake.your.data.secrets.com@GOOD.COM you'll use that instead
and never notice that you are talking to the wrong host.
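The risk described in the reply above, as an added toy model (not Samba or Heimdal code, and not part of the original thread): a client that requests a service ticket for whatever principal the server names can be steered onto a principal the peer controls, while a client that derives the principal from the host it intended to reach cannot. The realm, hostnames and the XOR-plus-HMAC "ticket" are constructed stand-ins for real Kerberos encryption; the KDC, server and client are all simulated in one process.

```python
"""Toy model of trusting a server-supplied principal versus deriving it from
the intended hostname. Constructed example; realm, hostnames and the ticket
format are made up and stand in for real Kerberos (AES-encrypted tickets,
AP-REQ/AP-REP). Not Samba/Heimdal code."""
import hashlib
import hmac
import os

REALM = "GOOD.COM"  # constructed realm name


def host_principal(hostname):
    """Principal the client should want for the host it intends to reach."""
    return "host/%s@%s" % (hostname, REALM)


class ToyKDC:
    """One long-term key per service principal. A ticket is the session key
    masked under that key plus a MAC, so only the key holder can open it."""

    def __init__(self, principals):
        self.keys = {p: os.urandom(32) for p in principals}

    def service_ticket(self, principal):
        k = self.keys[principal]  # KeyError for a principal the KDC has never heard of
        session_key = os.urandom(16)
        mask = hashlib.sha256(b"ticket-mask" + k).digest()[:16]
        body = bytes(a ^ b for a, b in zip(session_key, mask))
        return session_key, body + hmac.new(k, body, hashlib.sha256).digest()


class ToyServer:
    """A service holding the long-term key for exactly one principal, which it
    advertises to clients (the 'server supplied principal' in the thread)."""

    def __init__(self, kdc, principal):
        self.principal = principal
        self.key = kdc.keys[principal]

    def open_ticket(self, ticket):
        body, tag = ticket[:16], ticket[16:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):
            return None  # ticket was issued for some other principal's key
        mask = hashlib.sha256(b"ticket-mask" + self.key).digest()[:16]
        return bytes(a ^ b for a, b in zip(body, mask))

    def prove(self, ticket, challenge):
        """Mutual-auth step: prove knowledge of the session key inside the ticket."""
        session_key = self.open_ticket(ticket)
        if session_key is None:
            return None
        return hmac.new(session_key, challenge, hashlib.sha256).digest()


def choose_principal(intended_host, server_hint, trust_server_hint):
    """The client policy under discussion: take the peer's hint, or derive the
    principal from the name the user actually asked for."""
    if trust_server_hint and server_hint:
        return server_hint
    return host_principal(intended_host)


def mutual_auth(kdc, server, intended_host, trust_server_hint):
    """True if the client ends up accepting `server` as `intended_host`."""
    principal = choose_principal(intended_host, server.principal, trust_server_hint)
    try:
        session_key, ticket = kdc.service_ticket(principal)
    except KeyError:
        return False
    challenge = os.urandom(16)
    proof = server.prove(ticket, challenge)
    if proof is None:
        return False
    return hmac.compare_digest(proof, hmac.new(session_key, challenge, hashlib.sha256).digest())


def demo():
    real = host_principal("my.secrets.com")
    fake = host_principal("will.fake.your.data.secrets.com")
    kdc = ToyKDC([real, fake])  # both hosts are legitimately registered in the realm
    honest, impostor = ToyServer(kdc, real), ToyServer(kdc, fake)
    return {
        "honest, trust hint": mutual_auth(kdc, honest, "my.secrets.com", True),
        "honest, derive": mutual_auth(kdc, honest, "my.secrets.com", False),
        "impostor, trust hint": mutual_auth(kdc, impostor, "my.secrets.com", True),
        "impostor, derive": mutual_auth(kdc, impostor, "my.secrets.com", False),
    }


if __name__ == "__main__":
    for case, accepted in demo().items():
        print("%-22s -> %s" % (case, "client accepts server" if accepted else "rejected"))
```

The impostor only needs the key for some principal in the realm (here, its own host principal); with the trust-the-hint policy the client obtains a ticket for that principal and mutual authentication passes against the wrong host. Deriving the principal from the intended name closes that hole only as far as the name is trustworthy: if the client first canonicalises the user-supplied name through DNS (as with a CNAME) and builds the SPN from the result, spoofed or broken DNS can redirect it just the same, which is why the thread's CNAME motivation and the security concern are two sides of the same problem.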