[PATCH] Add support for using server supplied principal (mic option)

Love Hörnquist Åstrand lha at kth.se
Mon Aug 25 01:38:54 GMT 2008


On 25 Aug 2008, at 02:25, Jeff Layton wrote:

> Everything I've read does say that Windows clients don't use the
> contents of the MIC field. The idea was that this would be useful for
> allowing Kerberos auth in situations where clients and servers have
> differing ideas about the hostname of the server (either broken DNS or
> maybe trying to mount a CNAME).

Semi-modern Windows servers don't put a hostname there, so it won't
be much use either.

Windows just assumes that if you can look up the name, the same name will be
in the SPN in LDAP.

> I'll confess though that I haven't thought through the security
> implications fully here. Obviously, we don't want to do this if it's
> dangerous...
>
> So that I understand correctly, what exactly is the risk of using the
> server-provided principal?

You try to connect to host/my.secrets.com@GOOD.COM, but since the host
announces host/will.fake.your.data.secrets.com@GOOD.COM you'll use that
instead and never notice that you are talking to the wrong host.

Love
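The failure mode Love describes is a client that lets the server choose which service principal the client asks a ticket for. The following is an added example (not code from this thread, from Samba, Heimdal or the Linux cifs client) of the defensive rule: derive the principal from the name the user actually asked to connect to, and treat a server-announced principal as informational only, accepting it when it matches the derived name or an alias the client established itself (the CNAME case from Jeff's message), and otherwise ignoring it and reporting the mismatch. The `host/` service, the `trusted_aliases` parameter and the hostnames are assumptions chosen to mirror the example in the reply.

```python
"""Choose a Kerberos service principal without trusting the server's own claim.

Added example for the thread above; not code from Samba, Heimdal or cifs-utils.
The hostnames and realm below are constructed to mirror the example in the reply.
"""

from dataclasses import dataclass
from typing import Iterable, Optional, Tuple


@dataclass(frozen=True)
class Principal:
    """A Kerberos service principal of the form service/host@REALM."""
    service: str
    host: str
    realm: str

    def __str__(self) -> str:
        return f"{self.service}/{self.host}@{self.realm}"


def normalize_host(host: str) -> str:
    """Lower-case and drop a trailing dot so 'MY.SECRETS.COM.' compares equal to 'my.secrets.com'."""
    return host.rstrip(".").lower()


def parse_principal(text: str) -> Principal:
    """Parse 'service/host@REALM'.

    Only a two-component service principal is accepted; a bare user principal
    such as 'lha@KTH.SE' must never be taken as a server name.
    """
    name, sep, realm = text.rpartition("@")
    if not sep or not name or not realm:
        raise ValueError(f"missing realm in {text!r}")
    service, sep, host = name.partition("/")
    if not sep or not service or not host or "/" in host:
        raise ValueError(f"not a service/host principal: {text!r}")
    return Principal(service, normalize_host(host), realm)


def select_principal(
    target_host: str,
    realm: str,
    announced: Optional[str] = None,
    service: str = "host",
    trusted_aliases: Optional[Iterable[str]] = None,
) -> Tuple[Principal, str]:
    """Return (principal to use, reason).

    The principal is always derived from what the user asked to connect to.
    A server-announced principal is used only when it is identical to the
    derived one, or names a host the client itself verified as an alias
    (trusted_aliases is a client-side assumption, e.g. a CNAME the client
    resolved). Anything else is ignored and reported, so that a host
    announcing host/will.fake.your.data.secrets.com@GOOD.COM cannot steer
    the client into obtaining and using a ticket for that name.
    """
    expected = Principal(service, normalize_host(target_host), realm)
    if announced is None:
        return expected, "no server-supplied principal; using derived name"
    try:
        offered = parse_principal(announced)
    except ValueError as exc:
        return expected, f"ignoring malformed server-supplied principal: {exc}"
    if offered == expected:
        return expected, "server-supplied principal matches derived name"
    aliases = {normalize_host(a) for a in (trusted_aliases or ())}
    if offered.service == service and offered.realm == realm and offered.host in aliases:
        return offered, "server-supplied principal is a client-verified alias"
    return expected, f"ignoring server-supplied principal {offered}; expected {expected}"


if __name__ == "__main__":
    # The scenario from the reply: the announced name does not match the target.
    chosen, why = select_principal(
        "my.secrets.com", "GOOD.COM",
        announced="host/will.fake.your.data.secrets.com@GOOD.COM",
    )
    print(chosen, "-", why)
```

The caller should log the "ignoring" reasons; whether it then proceeds with the derived name or aborts the mount is policy, but with the derived name a wrong host simply fails Kerberos authentication because it does not hold that principal's key, which is the outcome you want.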
