kvno failed with recent samba4

Andrew Bartlett abartlet at samba.org
Sun Feb 8 06:51:40 GMT 2009

On Sat, 2009-02-07 at 10:20 -0500, Love Hörnquist Åstrand wrote:
> 7 feb 2009 kl. 08:34 skrev Matthieu Patou:
> > In fact my question was more: why the same command works quietly  
> > against
> > a Windows 2003 AD and fail against a fairly recent samba4.
> Diffrent default settings ?

Correct.  Samba4 does not allow this by default.  I think adding a
servicePrincipalName might be the fix (or if is not, that is what I'll
make the trigger).  Allowing this by default allows offline attacks on a
user's password otherwise.

> > And sorry to ask a stupid question but how should I try the service  
> > name
> > with ldap/, I tried sevral ones without success.
> ldap/<hostname.of.ad.server> should do it, or <hostname>$@REALM should  
> also work.

Certainly this should work for any user account.

Andrew Bartlett

Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Red Hat Inc.                  http://redhat.com

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part
Url : http://lists.samba.org/archive/samba-technical/attachments/20090208/2b880fd2/attachment.bin

More information about the samba-technical mailing list